From f5cbbc1a87d188bfaf3b6b5c32a58241fc92db10 Mon Sep 17 00:00:00 2001
From: Petr Menšík
Date: Tue, 31 Oct 2017 17:37:27 +0100
Subject: Use hmac-sha256 for new RNDC keys (#1508003)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Menšík
---
 bind.spec | 5 +++--
 generate-rndc-key.sh | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/bind.spec b/bind.spec
index ecd14a9..3a9b750 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1155,9 +1155,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Mon Oct 23 2017 Petr Menšík - 32:9.11.2-2
-- build against mariadb-connector-c-devel (#1493615)
-- include DNSKEY 20326 also in trusted-key.key (#1505476)
+- Build against mariadb-connector-c-devel (#1493615)
+- Include DNSKEY 20326 also in trusted-key.key (#1505476)
 - Fix dynamic symbols conflict with ldap (#1205168)
+- Use hmac-sha256 for new RNDC keys (#1508003)
 * Wed Aug 02 2017 Petr Menšík - 32:9.11.2-1
 - Update to 9.11.2
diff --git a/generate-rndc-key.sh b/generate-rndc-key.sh
index 194e65b..dde7f70 100755
--- a/generate-rndc-key.sh
+++ b/generate-rndc-key.sh
@@ -6,9 +6,10 @@
 if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
 echo -n $"Generating /etc/rndc.key:"
- if /usr/sbin/rndc-confgen -a -r /dev/urandom > /dev/null 2>&1; then
+ if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
+ then
 chmod 640 /etc/rndc.key
- chown root.named /etc/rndc.key
+ chown root:named /etc/rndc.key
 [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
 success $"/etc/rndc.key generation"
 echo
-- cgit
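Review bot: The added `-A hmac-sha256` in generate-rndc-key.sh only takes effect when the `-s` guard at the top of the hunk finds neither /etc/rndc.key nor /etc/rndc.conf, so a host that already has a key keeps whatever algorithm it was generated with. That matches the commit title, but it is worth a comment above the rndc-confgen call so nobody assumes upgraded systems are covered, for example `# Only newly generated keys use hmac-sha256; an existing /etc/rndc.key is left untouched and must be regenerated manually.` Separately, the results of `chmod 640` and `chown root:named` are not checked before `success` is printed, so a failed chown (a missing named group, say) would still be reported as a successful generation; chaining them as `chmod 640 /etc/rndc.key && chown root:named /etc/rndc.key` and branching on the result would avoid that. The enclosing if block continues past the end of the hunk, so the existing failure branch is not visible here.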