diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index d978d74b1b..82b343dc54 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -91,18 +91,18 @@
dnssec-signzone -S -K keys example.net
<
been tested with Debian Linux, Solaris x86 and Windows Server 2003;
the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
cryptographic acceleration board, tested with Solaris x86. In
- addition, BIND can be used with SoftHSM, a software-based HSM
- simulator produced by the OpenDNSSEC project.
+ addition, BIND can be used with all current versions of SoftHSM,
+ a software-based HSM simulator library produced by the OpenDNSSEC
+ project.
PKCS#11 makes use of a "provider library": a dynamically loadable
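Review bot: "all current versions of SoftHSM" in the rewritten sentence is a moving target that will go stale as soon as a new release appears, and the native PKCS#11 hunk later in this file already has to distinguish SoftHSMv2 from "older versions of SoftHSM". Name them here instead, e.g. "SoftHSM version 1 (via OpenSSL-based PKCS#11) and SoftHSMv2 (via native PKCS#11)", so this paragraph agrees with the mode-specific text below.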
@@ -1452,7 +1453,7 @@ $ dnssec-signzone -S -K keys example.net
<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1461,18 +1462,18 @@ $
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
need. The HSM's provider library must have a complete implementation
of the PKCS#11 API, so that all these functions are accessible. As of
- this writing, only the Thales nShield HSM and the latest development
- version of SoftHSM can be used in this fashion. For other HSMs,
- including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM,
- use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of
- supporting native PKCS#11, it is expected that OpenSSL-based
- PKCS#11 will eventually be deprecated.)
+ this writing, only the Thales nShield HSM and SoftHSMv2 can be used
+ in this fashion. For other HSMs, including the AEP Keyper, Sun SCA
+ 6000 and older versions of SoftHSM, use OpenSSL-based PKCS#11.
+ (Note: Eventually, when more HSMs become capable of supporting
+ native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
+ be deprecated.)
To build BIND with native PKCS#11, configure as follows:
@@ -1492,10 +1493,47 @@ $
+ SoftHSMv2, the latest development version of SoftHSM, is available
+ from
+
+ https://github.com/opendnssec/SoftHSMv2
+ .
+ It is a software library developed by the OpenDNSSEC project
+ (
+ http://www.opendnssec.org
+ )
+ which provides a PKCS#11 interface to a virtual HSM, implemented in
+ the form of a SQLite3 database on the local filesystem. It provides
+ less security than a true HSM, but it allows you to experiment with
+ native PKCS#11 when an HSM is not available. SoftHSMv2 can be
+ configured to use either OpenSSL or the Botan library to perform
+ cryptographic functions, but when using it for native PKCS#11 in
+ BIND, OpenSSL is required.
+
+ By default, the SoftHSMv2 configuration file is
+
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
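Review bot: the new SoftHSMv2 paragraph says the virtual HSM is "a SQLite3 database on the local filesystem" and "provides less security than a true HSM", but does not say what that means in practice: the private keys are only as protected as that database file and the host it lives on. Suggest one sentence stating that the token store must be readable only by the user running named and the dnssec-* tools, and that SoftHSMv2 is intended for experimenting with native PKCS#11 rather than as production key storage, so readers do not take "virtual HSM" to mean hardware-equivalent protection.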
@@ -1512,23 +1550,23 @@ $
- Use 'crypto-accelerator' with HSMs that have hardware
- cryptographic acceleration features, such as the SCA 6000
- board. This causes OpenSSL to run all supported
- cryptographic operations in the HSM.
-
- Use 'sign-only' with HSMs that are designed to
- function primarily as secure key storage devices, but lack
- hardware acceleration. These devices are highly secure, but
- are not necessarily any faster at cryptography than the
- system CPU — often, they are slower. It is therefore
- most efficient to use them only for those cryptographic
- functions that require access to the secured private key,
- such as zone signing, and to use the system CPU for all
- other computationally-intensive operations. The AEP Keyper
- is an example of such a device.
-
The modified OpenSSL code is included in the BIND 9 release,
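Review bot: this hunk deletes the only explanation of the two --pk11-flavor values ('crypto-accelerator' for HSMs with hardware acceleration such as the SCA 6000, 'sign-only' for secure key-storage devices such as the AEP Keyper) and no replacement is visible in the diff, yet the Configure examples below still pass --pk11-flavor=sign-only and --pk11-flavor=crypto-accelerator. If the text was moved to another section, fine; otherwise restore it, since a reader cannot choose the right flavor for their device without it.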
@@ -1540,8 +1578,8 @@ $ Extract the tarball: Apply the patch from the BIND 9 release:
- When building OpenSSL, place it in a non-standard
- location so that it does not interfere with OpenSSL libraries
- elsewhere on the system. In the following examples, we choose
- to install into "/opt/pkcs11/usr". We will use this location
- when we configure BIND 9.
+ When building OpenSSL, place it in a non-standard
+ location so that it does not interfere with OpenSSL libraries
+ elsewhere on the system. In the following examples, we choose
+ to install into "/opt/pkcs11/usr". We will use this location
+ when we configure BIND 9.
- Later, when building BIND 9, the location of the custom-built
- OpenSSL library will need to be specified via configure.
+ Later, when building BIND 9, the location of the custom-built
+ OpenSSL library will need to be specified via configure.
- The AEP Keyper is a highly secure key storage device,
- but does not provide hardware cryptographic acceleration. It
- can carry out cryptographic operations, but it is probably
- slower than your system's CPU. Therefore, we choose the
- 'sign-only' flavor when building OpenSSL.
+ The AEP Keyper is a highly secure key storage device,
+ but does not provide hardware cryptographic acceleration. It
+ can carry out cryptographic operations, but it is probably
+ slower than your system's CPU. Therefore, we choose the
+ 'sign-only' flavor when building OpenSSL.
- The Keyper-specific PKCS#11 provider library is
- delivered with the Keyper software. In this example, we place
- it /opt/pkcs11/usr/lib:
+ The Keyper-specific PKCS#11 provider library is
+ delivered with the Keyper software. In this example, we place
+ it /opt/pkcs11/usr/lib:
- This library is only available for Linux as a 32-bit
- binary. If we are compiling on a 64-bit Linux system, it is
- necessary to force a 32-bit build, by specifying -m32 in the
- build options.
+ This library is only available for Linux as a 32-bit
+ binary. If we are compiling on a 64-bit Linux system, it is
+ necessary to force a 32-bit build, by specifying -m32 in the
+ build options.
- Finally, the Keyper library requires threads, so we
- must specify -pthread.
+ Finally, the Keyper library requires threads, so we
+ must specify -pthread.
dnssec-signzone -S -K keys example.net
<
./configure --enable-native-pkcs11 \
dnssec-* tools, or the
-m
in
the pkcs11-* tools.)
prefix
/etc/softhsm2.conf (where
+ prefix
is configured at compile time).
+ This location can be overridden by the SOFTHSM2_CONF environment
+ variable. The SoftHSMv2 cryptographic store must be installed and
+ initialized before using it with BIND.
+
+$
+ cd SoftHSMv2
+$ configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost
+$ make
+$ make install
+$ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
+ ./configure --enable-native-pkcs11 \
./configure --enable-native-pkcs11 \
Note
- The latest OpenSSL versions as of this writing (January 2014)
- are 0.9.8y, 1.0.0l, and 1.0.1f.
+ The latest OpenSSL versions as of this writing (January 2015)
+ are 0.9.8zc, 1.0.0o, and 1.0.1j.
ISC will provide updated patches as new versions of OpenSSL
are released. The version number in the following examples
is expected to change.
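Review bot: in the SoftHSMv2 build sequence (`cd SoftHSMv2` followed by `$ configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost`) configure is invoked without `./`, so it only works if the current directory is on PATH; use `./configure` as the BIND examples in this same file do (`./configure --enable-native-pkcs11 \`). Also, a checkout from the GitHub URL given above does not ship a generated configure script, so either note that it must be generated from the autotools sources first or point readers at a release tarball.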
@@ -1553,130 +1591,132 @@ $ ./configure --enable-native-pkcs11 \
-$
wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
+$ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
-$
tar zxf openssl-0.9.8y.tar.gz
+$ tar zxf openssl-0.9.8zc.tar.gz
-$
patch -p1 -d openssl-0.9.8y \
- < bind9/bin/pkcs11/openssl-0.9.8y-patch
+$ patch -p1 -d openssl-0.9.8zc \
+ < bind9/bin/pkcs11/openssl-0.9.8zc-patch
Note
- Note that the patch file may not be compatible with the
- "patch" utility on all operating systems. You may need to
- install GNU patch.
+ Note that the patch file may not be compatible with the
+ "patch" utility on all operating systems. You may need to
+ install GNU patch.
$
cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so
-$
cd openssl-0.9.8y
+$ cd openssl-0.9.8zc
$ ./Configure linux-generic32 -m32 -pthread \
- --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
- --pk11-flavor=sign-only \
- --prefix=/opt/pkcs11/usr
+ --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+ --pk11-flavor=sign-only \
+ --prefix=/opt/pkcs11/usr
- After configuring, run "make" - and "make test". If "make - test" fails with "pthread_atfork() not found", you forgot to - add the -pthread above. + After configuring, run "make" + and "make test". If "make + test" fails with "pthread_atfork() not found", you forgot to + add the -pthread above.
- The SCA-6000 PKCS#11 provider is installed as a system - library, libpkcs11. It is a true crypto accelerator, up to 4 - times faster than any CPU, so the flavor shall be - 'crypto-accelerator'. + The SCA-6000 PKCS#11 provider is installed as a system + library, libpkcs11. It is a true crypto accelerator, up to 4 + times faster than any CPU, so the flavor shall be + 'crypto-accelerator'.
- In this example, we are building on Solaris x86 on an - AMD64 system. + In this example, we are building on Solaris x86 on an + AMD64 system.
-$cd openssl-0.9.8y
+$cd openssl-0.9.8zc
$./Configure solaris64-x86_64-cc \ - --pk11-libname=/usr/lib/64/libpkcs11.so \ - --pk11-flavor=crypto-accelerator \ - --prefix=/opt/pkcs11/usr
+ --pk11-libname=/usr/lib/64/libpkcs11.so \ + --pk11-flavor=crypto-accelerator \ + --prefix=/opt/pkcs11/usr
- (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.) + (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
- After configuring, run - make and - make test. + After configuring, run + make and + make test.
- SoftHSM is a software library provided by the OpenDNSSEC - project (http://www.opendnssec.org) which provides a PKCS#11 - interface to a virtual HSM, implemented in the form of encrypted - data on the local filesystem. SoftHSM can be configured to use - either OpenSSL or the Botan library for encryption, and SQLite3 - for data storage. Though less secure than a true HSM, it can - provide more secure key storage than traditional key files, - and can allow you to experiment with PKCS#11 when an HSM is - not available. + SoftHSM (version 1) is a software library developed by the + OpenDNSSEC project + ( + http://www.opendnssec.org + ) + which provides a + PKCS#11 interface to a virtual HSM, implemented in the form of + a SQLite3 database on the local filesystem. SoftHSM uses + the Botan library to perform cryptographic functions. Though + less secure than a true HSM, it can allow you to experiment + with PKCS#11 when an HSM is not available.
- The SoftHSM cryptographic store must be installed and - initialized before using it with OpenSSL, and the SOFTHSM_CONF - environment variable must always point to the SoftHSM configuration - file: + The SoftHSM cryptographic store must be installed and + initialized before using it with OpenSSL, and the SOFTHSM_CONF + environment variable must always point to the SoftHSM configuration + file:
-$cd softhsm-1.3.0
+$cd softhsm-1.3.7
$configure --prefix=/opt/pkcs11/usr
$make
$make install
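Review bot: the rewritten SoftHSM (version 1) paragraph drops two statements from the old text: that the store is "encrypted data on the local filesystem" and that it "can provide more secure key storage than traditional key files". If those were removed as inaccurate, say so in the commit; if not, the encryption point is worth keeping, since it is the main reason a reader would prefer SoftHSM over plain key files. The new sentence "SoftHSM uses the Botan library to perform cryptographic functions" also contradicts the removed "either OpenSSL or the Botan library"; confirm which is correct for the softhsm-1.3.7 used in the commands that follow.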
@@ -1685,21 +1725,21 @@ $echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM $
/opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm
- SoftHSM can perform all cryptographic operations, but - since it only uses your system CPU, there is no advantage to using - it for anything but signing. Therefore, we choose the 'sign-only' - flavor when building OpenSSL. + SoftHSM can perform all cryptographic operations, but + since it only uses your system CPU, there is no advantage to using + it for anything but signing. Therefore, we choose the 'sign-only' + flavor when building OpenSSL.
-$cd openssl-0.9.8y
+$cd openssl-0.9.8zc
$./Configure linux-x86_64 -pthread \ - --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \ - --pk11-flavor=sign-only \ - --prefix=/opt/pkcs11/usr
+ --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \ + --pk11-flavor=sign-only \ + --prefix=/opt/pkcs11/usr
- After configuring, run "make" - and "make test". + After configuring, run "make" + and "make test".
@@ -1710,11 +1750,11 @@ $ ./Configure linux-x86_64 -pthread \
selected:
- (pkcs11) PKCS #11 engine support (sign only) + (pkcs11) PKCS #11 engine support (sign only)
Or:
- (pkcs11) PKCS #11 engine support (crypto accelerator) + (pkcs11) PKCS #11 engine support (crypto accelerator)
Next, run
@@ -1730,54 +1770,54 @@ $ ./Configure linux-x86_64 -pthread \
- To link with the PKCS#11 provider, threads must be - enabled in the BIND 9 build. + To link with the PKCS#11 provider, threads must be + enabled in the BIND 9 build.
- The PKCS#11 library for the AEP Keyper is currently - only available as a 32-bit binary. If we are building on a - 64-bit host, we must force a 32-bit build by adding "-m32" to - the CC options on the "configure" command line. + The PKCS#11 library for the AEP Keyper is currently + only available as a 32-bit binary. If we are building on a + 64-bit host, we must force a 32-bit build by adding "-m32" to + the CC options on the "configure" command line.
$cd ../bind9
$./configure CC="gcc -m32" --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
+ --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
- To link with the PKCS#11 provider, threads must be - enabled in the BIND 9 build. + To link with the PKCS#11 provider, threads must be + enabled in the BIND 9 build.
$cd ../bind9
$./configure CC="cc -xarch=amd64" --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/usr/lib/64/libpkcs11.so
+ --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/usr/lib/64/libpkcs11.so
(For a 32-bit build, omit CC="cc -xarch=amd64".)
- If configure complains about OpenSSL not working, you - may have a 32/64-bit architecture mismatch. Or, you may have - incorrectly specified the path to OpenSSL (it should be the - same as the --prefix argument to the OpenSSL - Configure). + If configure complains about OpenSSL not working, you + may have a 32/64-bit architecture mismatch. Or, you may have + incorrectly specified the path to OpenSSL (it should be the + same as the --prefix argument to the OpenSSL + Configure).
$cd ../bind9
$./configure --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so
+ --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so
@@ -1793,7 +1833,7 @@ $
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1816,7 +1856,7 @@ $
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1937,7 +1977,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -1969,7 +2009,7 @@ $
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -1985,13 +2025,13 @@ $ Sample openssl.cnf:
This will also allow the dnssec-* tools to access the HSM
@@ -2002,16 +2042,16 @@ $
- Placing the HSM's PIN in a text file in this manner may reduce the
- security advantage of using an HSM. Be sure this is what you want to
- do before configuring the system in this way.
+ Placing the HSM's PIN in a text file in this manner may reduce the
+ security advantage of using an HSM. Be sure this is what you want to
+ do before configuring the system in this way.
A DLZ database is configured with a dlz
statement in
For guidance in implementation of DLZ modules, the directory
+ Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view. [RT #38310]
+
arpaname translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
tsig-keygen and ddns-confgen
are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
delv
(Domain Entity Lookup & Validation) is a tool for sending
DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
delv
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
@@ -471,12 +471,12 @@
dig(1),
named(8),
RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index b15ddd6b75..8c32b57a05 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -99,7 +99,7 @@
The dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -688,7 +688,7 @@
The BIND 9 implementation of dig
supports
@@ -734,7 +734,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -748,14 +748,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
host(1),
named(8),
dnssec-keygen(8),
@@ -763,7 +763,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
There are probably too many query options.
dnssec-checkds
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
dnssec-coverage
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
The keyfile can be designed by the key identification
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
dnssec-importkey
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
A keyfile can be designed by the key identification
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
dnssec-keyfromlabel
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
@@ -66,7 +66,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
When dnssec-keyfromlabel completes
successfully,
@@ -354,7 +354,7 @@
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -359,7 +359,7 @@
To generate a 768-bit DSA key for the domain
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
@@ -435,7 +435,7 @@
dnssec-revoke
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
dnssec-settime can also be used to print the
timing metadata associated with a key.
@@ -236,7 +236,7 @@
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -244,7 +244,7 @@
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
The following command signs the dnssec-verify
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
genrandom
generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
If host has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -228,12 +228,12 @@
dig(1),
named(8).
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
Secrets that have been converted by isc-hmac-fixup
are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
named-checkconf
checks the syntax, but not the semantics, of a
named configuration file. The file is parsed
@@ -70,7 +70,7 @@
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
named-journalprint
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
named-rrchecker
read a individual DNS resource record from standard input and checks if it
is syntactically correct.
@@ -78,7 +78,7 @@
RFC 1034,
RFC 1035,
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index e0b0ab108b..7304d6fd7f 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -309,7 +309,7 @@
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -326,7 +326,7 @@
nsec3hash generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -236,7 +236,7 @@
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 0ff735b323..729e217841 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
rndc-confgen
generates configuration files
for rndc. It can be used as a
@@ -66,7 +66,7 @@
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc
controls the operation of a name
server. It supersedes the ndc utility
@@ -81,7 +81,7 @@
A list of commands supported by rndc can
be seen by running rndc without arguments.
@@ -620,7 +620,7 @@
+ Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view. [RT #38310]
+ ./configure --enable-threads \
./configure --enable-threads \
dnssec-signzone -E '' -S example.net
dnssec-signzone -E '' -S example.net
- openssl_conf = openssl_def
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN =
<PLACE PIN HERE>
+ openssl_conf = openssl_def
+ [ openssl_def ]
+ engines = engine_section
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+ [ pkcs11_section ]
+ PIN = <PLACE PIN HERE>
dnssec-signzone -E '' -S example.net
In native PKCS#11 mode, the PIN can be provided in a file specified
as an attribute of the key's label. For example, if a key had the label
- pkcs11:object=local-zsk;pin-source=/etc/hsmpin"
,
+ pkcs11:object=local-zsk;pin-source=/etc/hsmpin
,
then the PIN would be read from the file
/etc/hsmpin
.
Warning
dnssec-signzone -E '' -S example.net
named.conf
:
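Review bot: good catch removing the stray closing quote from `pkcs11:object=local-zsk;pin-source=/etc/hsmpin`. Since the pin-source file holds the PIN in clear text exactly as the openssl.cnf `PIN =` line does, the Warning that follows ("Placing the HSM's PIN in a text file in this manner may reduce the security advantage of using an HSM") should explicitly cover the native PKCS#11 pin-source file as well, and it is worth adding that the file must be readable only by the user running named and the dnssec-* tools.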
@@ -2105,7 +2145,7 @@ $ dnssec-signzone -E '' -S example.net
contrib/dlz/example
contains a basic
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 4cdb0687de..f074b4e80b 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -420,6 +420,10 @@
initial packet sizes used in BIND 9.10 and higher when
contacting authoritative servers for the first time.
-
@@ -268,13 +268,13 @@
arpaname
{ipaddress
...}DESCRIPTION
+DESCRIPTION
ddns-confgen
[-a
] [algorithm
-h
] [-k
] [keyname
-q
] [-r
] [ -s randomfile
name
| -z zone
]DESCRIPTION
+DESCRIPTION
delv
[queryopt...] [query...]DESCRIPTION
+DESCRIPTION
QUERY OPTIONS
+QUERY OPTIONS
SEE ALSO
+SEE ALSO
dig
[global-queryopt...] [query...]DESCRIPTION
+DESCRIPTION
OPTIONS
+OPTIONS
-b
option sets the source IP address of the query
to address
. This must be a valid
@@ -260,7 +260,7 @@
QUERY OPTIONS
+QUERY OPTIONS
MULTIPLE QUERIES
+MULTIPLE QUERIES
IDN SUPPORT
+IDN SUPPORT
SEE ALSO
+SEE ALSO
BUGS
+BUGS
dnssec-dsfromkey
[-l
] [domain
-f
] [file
-d
] [dig path
-D
] {zone}dsfromkey path
DESCRIPTION
+DESCRIPTION
dnssec-coverage
[-K
] [directory
-l
] [length
-f
] [file
-d
] [DNSKEY TTL
-m
] [max TTL
-r
] [interval
-c
] [compilezone path
-k
] [-z
] [zone]DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey
[-h
] [-V
]DESCRIPTION
+DESCRIPTION
FILES
+FILES
Knnnn.+aaa+iiiii
or the full file name
@@ -173,13 +173,13 @@
SEE ALSO
+SEE ALSO
dnssec-importkey
{-f
} [filename
-K
] [directory
-L
] [ttl
-P
] [date/offset
-D
] [date/offset
-h
] [-v
] [level
-V
] [dnsname
]DESCRIPTION
+DESCRIPTION
TIMING OPTIONS
+TIMING OPTIONS
FILES
+FILES
Knnnn.+aaa+iiiii
or the full file name
@@ -151,7 +151,7 @@
SEE ALSO
+SEE ALSO
dnssec-keyfromlabel
{-l label
} [-3
] [-a
] [algorithm
-A
] [date/offset
-c
] [class
-D
] [date/offset
-E
] [engine
-f
] [flag
-G
] [-I
] [date/offset
-i
] [interval
-k
] [-K
] [directory
-L
] [ttl
-n
] [nametype
-P
] [date/offset
-p
] [protocol
-R
] [date/offset
-S
] [key
-t
] [type
-v
] [level
-V
] [-y
] {name}DESCRIPTION
+DESCRIPTION
TIMING OPTIONS
+TIMING OPTIONS
GENERATED KEY FILES
+GENERATED KEY FILES
SEE ALSO
+SEE ALSO
dnssec-keygen
[-a
] [algorithm
-b
] [keysize
-n
] [nametype
-3
] [-A
] [date/offset
-C
] [-c
] [class
-D
] [date/offset
-E
] [engine
-f
] [flag
-G
] [-g
] [generator
-h
] [-I
] [date/offset
-i
] [interval
-K
] [directory
-L
] [ttl
-k
] [-P
] [date/offset
-p
] [protocol
-q
] [-R
] [date/offset
-r
] [randomdev
-S
] [key
-s
] [strength
-t
] [type
-v
] [level
-V
] [-z
] {name}DESCRIPTION
+DESCRIPTION
TIMING OPTIONS
+TIMING OPTIONS
EXAMPLE
+EXAMPLE
example.com
, the following command would be
@@ -426,7 +426,7 @@
SEE ALSO
+SEE ALSO
dnssec-revoke
[-hr
] [-v
] [level
-V
] [-K
] [directory
-E
] [engine
-f
] [-R
] {keyfile}DESCRIPTION
+DESCRIPTION
dnssec-settime
[-f
] [-K
] [directory
-L
] [ttl
-P
] [date/offset
-A
] [date/offset
-R
] [date/offset
-I
] [date/offset
-D
] [date/offset
-h
] [-V
] [-v
] [level
-E
] {keyfile}engine
DESCRIPTION
+DESCRIPTION
-P
, -A
,
@@ -76,7 +76,7 @@
TIMING OPTIONS
+TIMING OPTIONS
PRINTING OPTIONS
+PRINTING OPTIONS
SEE ALSO
+SEE ALSO
dnssec-signzone
[-a
] [-c
] [class
-d
] [directory
-D
] [-E
] [engine
-e
] [end-time
-f
] [output-file
-g
] [-h
] [-K
] [directory
-k
] [key
-L
] [serial
-l
] [domain
-M
] [domain
-i
] [interval
-I
] [input-format
-j
] [jitter
-N
] [soa-serial-format
-o
] [origin
-O
] [output-format
-P
] [-p
] [-Q
] [-R
] [-r
] [randomdev
-S
] [-s
] [start-time
-T
] [ttl
-t
] [-u
] [-v
] [level
-V
] [-X
] [extended end-time
-x
] [-z
] [-3
] [salt
-H
] [iterations
-A
] {zonefile} [key...]DESCRIPTION
+DESCRIPTION
EXAMPLE
+EXAMPLE
example.com
zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
%
dnssec-verify
[-c
] [class
-E
] [engine
-I
] [input-format
-o
] [origin
-v
] [level
-V
] [-x
] [-z
] {zonefile}DESCRIPTION
+DESCRIPTION
genrandom
[-n
] {number
size
} {filename
}DESCRIPTION
+DESCRIPTION
host
[-aCdlnrsTwv
] [-c
] [class
-N
] [ndots
-R
] [number
-t
] [type
-W
] [wait
-m
] [flag
-4
] [-6
] [-v
] [-V
] {name} [server]DESCRIPTION
+DESCRIPTION
IDN SUPPORT
+IDN SUPPORT
SEE ALSO
+SEE ALSO
isc-hmac-fixup
{algorithm
} {secret
}DESCRIPTION
+DESCRIPTION
SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
named-checkconf
[-h
] [-v
] [-j
] [-t
] (unknown) [directory
-p
] [-x
] [-z
]DESCRIPTION
+DESCRIPTION
RETURN VALUES
+RETURN VALUES
named-compilezone
[-d
] [-j
] [-q
] [-v
] [-c
] [class
-C
] [mode
-f
] [format
-F
] [format
-J
] [filename
-i
] [mode
-k
] [mode
-m
] [mode
-n
] [mode
-l
] [ttl
-L
] [serial
-r
] [mode
-s
] [style
-t
] [directory
-T
] [mode
-w
] [directory
-D
] [-W
] {mode
-o
} {zonename} (unknown)filename
DESCRIPTION
+DESCRIPTION
RETURN VALUES
+RETURN VALUES
named-journalprint
{journal
}DESCRIPTION
+DESCRIPTION
named-rrchecker
[-h
] [-o
] [origin
-p
] [-u
] [-C
] [-T
] [-P
]DESCRIPTION
+DESCRIPTION
SEE ALSO
+SEE ALSO
named
[-4
] [-6
] [-c
] [config-file
-d
] [debug-level
-D
] [string
-E
] [engine-name
-f
] [-g
] [-L
] [logfile
-m
] [flag
-n
] [#cpus
-p
] [port
-s
] [-S
] [#max-socks
-t
] [directory
-U
] [#listeners
-u
] [user
-v
] [-V
] [-X
] [lock-file
-x
]cache-file
DESCRIPTION
+DESCRIPTION
SIGNALS
+SIGNALS
CONFIGURATION
+CONFIGURATION
nsec3hash
{salt
} {algorithm
} {iterations
} {domain
}DESCRIPTION
+DESCRIPTION
nsupdate
[-d
] [-D
] [[-g
] | [-o
] | [-l
] | [-y
] | [[hmac:]keyname:secret
-k
]] [keyfile
-t
] [timeout
-u
] [udptimeout
-r
] [udpretries
-R
] [randomdev
-v
] [-T
] [-P
] [-V
] [filename]DESCRIPTION
+DESCRIPTION
BUGS
+BUGS
rndc-confgen
[-a
] [-A
] [algorithm
-b
] [keysize
-c
] [keyfile
-h
] [-k
] [keyname
-p
] [port
-r
] [randomfile
-s
] [address
-t
] [chrootdir
-u
]user
DESCRIPTION
+DESCRIPTION
rndc.conf
DESCRIPTION
+DESCRIPTION
rndc.conf
is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
rndc.conf
@@ -220,7 +220,7 @@
rndc
[-b
] [source-address
-c
] [config-file
-k
] [key-file
-s
] [server
-p
] [port
-q
] [-V
] [-y
] {command}key_id
DESCRIPTION
+DESCRIPTION
COMMANDS
+COMMANDS