/dev/urandom should not be used for secure key generation

phloggu
2019-03-04 12:30:02 +01:00
parent e9f4bb4ebe
commit d48c035e10

@@ -75,7 +75,7 @@ zone "_acme-challenge.<domain>" {
};
~~~
This is the most secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for.
This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. Use /dev/random as an argument for dnssec-keygen for key generation to increase security further.
An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:
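Review bot: the added sentence ("Use /dev/random as an argument for dnssec-keygen for key generation to increase security further") gives neither the invocation nor a reason, and its premise is not accurate for current systems. State the concrete flag where it applies, e.g. `dnssec-keygen -r /dev/random ...` on BIND versions that still honor -r (later releases dropped the option and always use the system CSPRNG), and qualify the rationale: on modern Linux kernels /dev/random and /dev/urandom are fed by the same CSPRNG once it is seeded, so the realistic risk when generating TSIG keys is running dnssec-keygen before the entropy pool is initialized (for example on first boot of a freshly provisioned VM or container), not the choice of device. A more defensible wording for this line is to instruct the reader to generate keys only on a host whose entropy pool is seeded, rather than an unqualified claim that /dev/random increases security.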