From d48c035e10462afd967a6769ca3e0f436435badf Mon Sep 17 00:00:00 2001 From: phloggu Date: Mon, 4 Mar 2019 12:30:02 +0100 Subject: [PATCH] /dev/urandom should not be used for secure key generation --- example-dns-01-nsupdate-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example-dns-01-nsupdate-script.md b/example-dns-01-nsupdate-script.md index 97436f4..ef024f8 100644 --- a/example-dns-01-nsupdate-script.md +++ b/example-dns-01-nsupdate-script.md @@ -75,7 +75,7 @@ zone "_acme-challenge." { }; ~~~ -This is the most secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. +This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. Use /dev/random as an argument for dnssec-keygen for key generation to increase security further. An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:
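Review bot: The added sentence "Use /dev/random as an argument for dnssec-keygen for key generation to increase security further" does not name the dnssec-keygen option that takes a random device, so a reader cannot apply the advice as written; either state the exact option and version it applies to, or drop the sentence and keep only the "most secure" to "a secure" wording change. The security rationale also needs support: on current Linux kernels, once the entropy pool is initialized, /dev/urandom and /dev/random draw from the same CSPRNG and the only practical difference is blocking behaviour, so the claim that switching devices "increases security further" should either be justified in the text or removed. If the intent is to warn about key generation early in boot (before the pool is seeded), say that explicitly rather than recommending a device change.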