From 5270c34dd79e2dfc28017afc152d0ec68763fbcf Mon Sep 17 00:00:00 2001 From: alexzorin Date: Tue, 18 Oct 2022 10:55:00 +1100 Subject: [PATCH] docs: use modern tsig-keygen util in certbot-dns-rfc2136 (#9424) Fixes #7206. I think it's about time we did this: - `dnssec-keygen` on new distros doesn't support the HMAC algorithms anymore, so our instructions don't work. - The oldest distros we support are Debian Buster (`9.11.5.P4+dfsg-5.1+deb10u7`) and CentOS 7 (`9.11.4-26.P2.el7_9.9`), which ship `tsig-keygen` and support `HMAC-SHA512`. --- certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py index e06cef5a7..19734d29b 100644 --- a/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py +++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py @@ -107,12 +107,11 @@ permission to issue updates on the target DNS zone. .. code-block:: bash :caption: Generate a new SHA512 TSIG key - dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname. + tsig-keygen -a HMAC-SHA512 keyname. .. note:: - There are a few tools shipped with BIND that can all generate TSIG keys; - ``dnssec-keygen``, ``rndc-confgen``, and ``ddns-confgen``. Try and use the - most secure algorithm supported by your DNS server. + Prior to BIND version 9.10.0, you will need to use ``dnssec-keygen`` to generate + TSIG keys. Try and use the most secure algorithm supported by your DNS server. .. code-block:: none :caption: Sample BIND configuration
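Review bot: The rewritten `.. note::` sends readers on pre-9.10.0 BIND back to `dnssec-keygen`, but the same hunk deletes the only invocation of it (`dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname.`), so those readers now have no flags to copy and the `-b 512`/`-n HOST` arguments the old tool needs are gone from the docs entirely; suggest keeping that line inside the note as a second `code-block` for the legacy path, next to the new `tsig-keygen -a HMAC-SHA512 keyname.` default. The 9.10.0 cut-off is also not backed by anything in the commit message, which only names the Buster and CentOS 7 package versions, so either cite where `tsig-keygen` was introduced or phrase the note as "if your BIND does not ship `tsig-keygen`". Minor: while touching the text, "Try and use" reads better as "Use".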