mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-23 18:04:10 -05:00
bd4576b3ce
Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from
BIND 9 (from named, named.conf and all the tools). The TKEY usage is
fringe at best and in all known cases, GSSAPI is being used as it should.
The draft-eastlake-dnsop-rfc2930bis-tkey specifies that:
4.2 Diffie-Hellman Exchanged Keying (Deprecated)
The use of this mode (#2) is NOT RECOMMENDED for the following two
reasons but the specification is still included in Appendix A in case
an implementation is needed for compatibility with old TKEY
implementations. See Section 4.6 on ECDH Exchanged Keying.
The mixing function used does not meet current cryptographic
standards because it uses MD5 [RFC6151].
RSA keys must be excessively long to achieve levels of security
required by current standards.
We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key
exchange mode 6 if the draft ever reaches the RFC status. Meanwhile the
insecure DH mode needs to be removed.
|
||
|---|---|---|
| .. | ||
| cfg_test.c | ||
| checkgrammar.py | ||
| delegation-only.zoneopt | ||
| dnssec-policy.default.conf | ||
| forward.zoneopt | ||
| hint.zoneopt | ||
| in-view.zoneopt | ||
| Makefile.am | ||
| mirror.zoneopt | ||
| options | ||
| parsegrammar.py | ||
| primary.zoneopt | ||
| redirect.zoneopt | ||
| rndc.grammar | ||
| secondary.zoneopt | ||
| sort-options.pl | ||
| static-stub.zoneopt | ||
| stub.zoneopt | ||