diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook index 1ddadeb923..fea3c0aa6a 100644 --- a/bin/dig/nslookup.docbook +++ b/bin/dig/nslookup.docbook @@ -35,7 +35,7 @@ - SUCH DAMAGE. --> - + 2014-01-24 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 5cafc3fb6c..bee0ab3487 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18398,12 +18398,14 @@ allow-query { !{ !10/8; any; }; key example; }; + + diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html new file mode 100644 index 0000000000..c5eff266d2 --- /dev/null +++ b/doc/arm/man.dnssec-keymgr.html @@ -0,0 +1,313 @@ + + + + +dnssec-keymgr + + + + + + + + +
+
+
+

Name

+

dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy

+
+
+

Synopsis

+

dnssec-keymgr [-K directory] [-c file] [-f] [-k] [-q] [-v] [-z] [-g path] [-r path] [-s path] [zone...]

+
+
+

DESCRIPTION

+

+ dnssec-keymgr is a high level Python wrapper + to facilitate the key rollover process for zones handled by + BIND. It uses the BIND commands for manipulating DNSSEC key + metadata: dnssec-keygen and + dnssec-settime. +

+

+ DNSSEC policy can be read from a configuration file (default + /etc/dnssec.policy), from which the key + parameters, publication and rollover schedule, and desired + coverage duration for any given zone can be determined. This + file may be used to define individual DNSSEC policies on a + per-zone basis, or to set a default policy used for all zones. +

+

+ When dnssec-keymgr runs, it examines the DNSSEC + keys for one or more zones, comparing their timing metadata against + the policies for those zones. If key settings do not conform to the + DNSSEC policy (for example, because the policy has been changed), + they are automatically corrected. +

+

+ A zone policy can specify a duration for which we want to + ensure the key correctness (coverage). It can + also specify a rollover period (roll-period). + If policy indicates that a key should roll over before the + coverage period ends, then a successor key will automatically be + created and added to the end of the key series. +

+

+ If zones are specified on the command line, + dnssec-keymgr will examine only those zones. + If a specified zone does not already have keys in place, then + keys will be generated for it according to policy. +

+

+ If zones are not specified on the command + line, then dnssec-keymgr will search the + key directory (either the current working directory or the directory + set by the -K option), and check the keys for + all the zones represented in the directory. +

+

+ It is expected that this tool will be run automatically and + unattended (for example, by cron). +

+
+
+

OPTIONS

+
+
-c file
+

+ If -c is specified, then the DNSSEC + policy is read from file. (If not + specified, then the policy is read from + /etc/policy.conf; if that file + doesn't exist, a built-in global default policy is used.) +

+
-f
+

+ Force: allow updating of key events even if they are + already in the past. This is not recommended for use with + zones in which keys have already been published. However, + if a set of keys has been generated all of which have + publication and activation dates in the past, but the + keys have not been published in a zone as yet, then this + option can be used to clean them up and turn them into a + proper series of keys with appropriate rollover intervals. +

+
-g keygen-path
+

+ Specifies a path to a dnssec-keygen binary. + Used for testing. + See also the -s option. +

+
-h
+

+ Print the dnssec-keymgr help summary + and exit. +

+
-K directory
+

+ Sets the directory in which keys can be found. Defaults to the + current working directory. +

+
-k
+

+ Only apply policies to KSK keys. + See also the -z option. +

+
-q
+

+ Quiet: suppress printing of dnssec-keygen + and dnssec-settime. +

+
-r randomdev
+

+ Specifies a path to a file containing random data. + This is passed to the dnssec-keygen binary + using its -r option. + +

+
-s settime-path
+

+ Specifies a path to a dnssec-settime binary. + Used for testing. + See also the -g option. +

+
-v
+

+ Print the dnssec-keymgr version and exit. +

+
-z
+

+ Only apply policies to ZSK keys. + See also the -k option. +

+
+
+
+

POLICY CONFIGURATION

+

+ The policy.conf file can specify three kinds + of policies: +

+
    +
  • + Policy classes + (policy name { ... };) + can be inherited by zone policies or other policy classes; these + can be used to create sets of different security profiles. For + example, a policy class normal might specify + 1024-bit key sizes, but a class extra might + specify 2048 bits instead; extra would be + used for zones that had unusually high security needs. +

  • +
  • + Algorithm policies: + (algorithm-policy algorithm { ... }; ) + override default per-algorithm settings. For example, by default, + RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This + can be modified using algorithm-policy, and the + new key sizes would then be used for any key of type RSASHA256. +

  • +
  • + Zone policies: + (zone name { ... }; ) + set policy for a single zone by name. A zone policy can inherit + a policy class by including a policy option. +

  • +
+

+ Options that can be specified in policies: +

+
+
algorithm
+

+ The key algorithm. If no policy is defined, the default is + RSASHA256. +

+
coverage
+

+ The length of time to ensure that keys will be correct; no action + will be taken to create new keys to be activated after this time. + This can be represented as a number of seconds, or as a duration using + human-readable units (examples: "1y" or "6 months"). + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. + If no policy is configured, the default is six months. +

+
directory
+

+ Specifies the directory in which keys should be stored. +

+
key-size
+

+ Specifies the number of bits to use in creating keys. + Takes two arguments: keytype (eihter "zsk" or "ksk") and size. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. If no policy is + configured, the default is 1024 bits for DSA keys and 2048 for + RSA. +

+
keyttl
+

+ The key TTL. If no policy is defined, the default is one hour. +

+
post-publish
+

+ How long after inactivation a key should be deleted from the zone. + Note: If roll-period is not set, this value is + ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a + duration. A default value for this option can be set in algorithm + policies as well as in policy classes or zone policies. The default + is one month. +

+
pre-publish
+

+ How long before activation a key should be published. Note: If + roll-period is not set, this value is ignored. + Takes two arguments: keytype (either "zsk" or "ksk") and a duration. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. The default is + one month. +

+
roll-period
+

+ How frequently keys should be rolled over. + Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. If no policy is + configured, the default is one year for ZSK's. KSK's do not + roll over by default. +

+
standby
+

+ Not yet implemented. +

+
+
+
+

REMAINING WORK

+
    +
  • + Enable scheduling of KSK rollovers using the -P sync + and -D sync options to + dnssec-keygen and + dnssec-settime. Check the parent zone + (as in dnssec-checkds) to determine when it's + safe for the key to roll. +

  • +
  • + Allow configuration of standby keys and use of the REVOKE bit, + for keys that use RFC 5011 semantics. +

  • +
+
+
+

SEE ALSO

+

+ dnssec-coverage(8), + dnssec-keygen(8), + dnssec-settime(8), + dnssec-checkds(8) +

+
+
+ +

BIND 9.11.0a3

+ + diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html new file mode 100644 index 0000000000..1cb49ee66a --- /dev/null +++ b/doc/arm/man.nslookup.html @@ -0,0 +1,350 @@ + + + + +nslookup + + + + + + + + +
+
+
+

Name

+

nslookup — query Internet name servers interactively

+
+
+

Synopsis

+

nslookup [-option] [name | -] [server]

+
+
+

DESCRIPTION

+

Nslookup + is a program to query Internet domain name servers. Nslookup + has two modes: interactive and non-interactive. Interactive mode allows + the user to query name servers for information about various hosts and + domains or to print a list of hosts in a domain. Non-interactive mode + is + used to print just the name and requested information for a host or + domain. +

+
+
+

ARGUMENTS

+

+ Interactive mode is entered in the following cases: +

+
    +
  1. + when no arguments are given (the default name server will be used) +

  2. +
  3. + when the first argument is a hyphen (-) and the second argument is + the host name or Internet address of a name server. +

  4. +
+

+

+

+ Non-interactive mode is used when the name or Internet address of the + host to be looked up is given as the first argument. The optional second + argument specifies the host name or address of a name server. +

+

+ Options can also be specified on the command line if they precede the + arguments and are prefixed with a hyphen. For example, to + change the default query type to host information, and the initial + timeout to 10 seconds, type: + +

+
+nslookup -query=hinfo  -timeout=10
+
+

+ +

+

+ The -version option causes + nslookup to print the version + number and immediately exits. +

+
+
+

INTERACTIVE COMMANDS

+
+
host [server]
+
+

+ Look up information for host using the current default server or + using server, if specified. If host is an Internet address and + the query type is A or PTR, the name of the host is returned. + If host is a name and does not have a trailing period, the + search list is used to qualify the name. +

+

+ To look up a host not in the current domain, append a period to + the name. +

+
+
server domain
+

+
lserver domain
+

+ Change the default server to domain; lserver uses the initial + server to look up information about domain, while server uses + the current default server. If an authoritative answer can't be + found, the names of servers that might have the answer are + returned. +

+
root
+

+ not implemented +

+
finger
+

+ not implemented +

+
ls
+

+ not implemented +

+
view
+

+ not implemented +

+
help
+

+ not implemented +

+
?
+

+ not implemented +

+
exit
+

+ Exits the program. +

+
set + keyword[=value]
+
+

+ This command is used to change state information that affects + the lookups. Valid keywords are: +

+
+
all
+

+ Prints the current values of the frequently used + options to set. + Information about the current default + server and host is also printed. +

+
class=value
+
+

+ Change the query class to one of: +

+
+
IN
+

+ the Internet class +

+
CH
+

+ the Chaos class +

+
HS
+

+ the Hesiod class +

+
ANY
+

+ wildcard +

+
+

+ The class specifies the protocol group of the information. + +

+

+ (Default = IN; abbreviation = cl) +

+
+
+ [no]debug
+
+

+ Turn on or off the display of the full response packet and + any intermediate response packets when searching. +

+

+ (Default = nodebug; abbreviation = [no]deb) +

+
+
+ [no]d2
+
+

+ Turn debugging mode on or off. This displays more about + what nslookup is doing. +

+

+ (Default = nod2) +

+
+
domain=name
+

+ Sets the search list to name. +

+
+ [no]search
+
+

+ If the lookup request contains at least one period but + doesn't end with a trailing period, append the domain + names in the domain search list to the request until an + answer is received. +

+

+ (Default = search) +

+
+
port=value
+
+

+ Change the default TCP/UDP name server port to value. +

+

+ (Default = 53; abbreviation = po) +

+
+
querytype=value
+

+
type=value
+
+

+ Change the type of the information query. +

+

+ (Default = A; abbreviations = q, ty) +

+
+
+ [no]recurse
+
+

+ Tell the name server to query other servers if it does not + have the + information. +

+

+ (Default = recurse; abbreviation = [no]rec) +

+
+
ndots=number
+

+ Set the number of dots (label separators) in a domain + that will disable searching. Absolute names always + stop searching. +

+
retry=number
+

+ Set the number of retries to number. +

+
timeout=number
+

+ Change the initial timeout interval for waiting for a + reply to number seconds. +

+
+ [no]vc
+
+

+ Always use a virtual circuit when sending requests to the + server. +

+

+ (Default = novc) +

+
+
+ [no]fail
+
+

+ Try the next nameserver if a nameserver responds with + SERVFAIL or a referral (nofail) or terminate query + (fail) on such a response. +

+

+ (Default = nofail) +

+
+
+

+

+
+
+
+
+

RETURN VALUES

+

+ nslookup returns with an exit status of 1 + if any query failed, and 0 otherwise. +

+
+
+

FILES

+

/etc/resolv.conf +

+
+
+

SEE ALSO

+

dig(1), + host(1), + named(8). +

+
+
+ +

BIND 9.11.0a3

+ +
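Review bot: the new doc/arm/man.dnssec-keymgr.html disagrees with itself about the default policy file. The second DESCRIPTION paragraph says the policy is read from "/etc/dnssec.policy", while the -c entry under OPTIONS says "/etc/policy.conf", and POLICY CONFIGURATION again refers to "the policy.conf file". Please use the path the tool actually opens in all three places: the -c text itself notes that a missing file silently falls back to the built-in global default policy, so an operator who follows the wrong path ends up with a policy other than the one they wrote without any error. Smaller points in the same file: the Synopsis omits -h although OPTIONS documents it; the -q entry reads "suppress printing of dnssec-keygen and dnssec-settime" and should say what is suppressed (presumably the output of those commands); "eihter" is misspelled in the key-size, post-publish and roll-period entries (pre-publish spells it correctly); and the policy-class example describes a "normal" class with 1024-bit keys immediately next to text stating that RSASHA256 keys default to 2048 bits, so consider making the example's "normal" profile match the documented default rather than presenting a smaller key size than the tool would pick on its own.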
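Review bot: in the new doc/arm/man.nslookup.html the sentence "The -version option causes nslookup to print the version number and immediately exits." has a number disagreement; it should read "... to print the version number and immediately exit." Other small points in the same file: the DESCRIPTION opens with "Nslookup" twice while the rest of the page (Synopsis, RETURN VALUES, the set keywords) uses "nslookup"; the [no]vc entry describes only the vc setting ("Always use a virtual circuit when sending requests to the server") and says nothing about what novc does, so the "(Default = novc)" line tells the reader little until the default behaviour is stated; and the [no]fail entry puts the nofail and fail behaviours in one sentence that is hard to parse, so splitting it into "nofail: try the next nameserver on SERVFAIL or a referral" and "fail: terminate the query on such a response" would read more clearly.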