mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 15:45:25 +00:00

[master] improved doc for "rndc signing -list"

3769.   [doc]           Improved documentation of "rndc signing -list".
                        [RT #30652]
This commit is contained in:
Evan Hunt
2014-02-28 21:29:19 -08:00
parent 72aa3b2a4e
commit 3ef4b7383a
3 changed files with 108 additions and 98 deletions

@@ -1,3 +1,6 @@
3769. [doc] Improved documentation of "rndc signing -list".
[RT #30652]
3768. [bug] "dnssec-checkds" was missing the SHA-384 digest 3768. [bug] "dnssec-checkds" was missing the SHA-384 digest
algorithm. [RT #34000] algorithm. [RT #34000]

@@ -672,8 +672,8 @@
<term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term> <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
<listitem> <listitem>
<para> <para>
List, edit, or remove the DNSSEC signing state for List, edit, or remove the DNSSEC signing state records
the specified zone. The status of ongoing DNSSEC for the specified zone. The status of ongoing DNSSEC
operations (such as signing or generating operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form NSEC3 chains) is stored in the zone in the form
of DNS resource records of type of DNS resource records of type

@@ -5704,34 +5704,34 @@ options {
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><command>max-zone-ttl</command></term> <term><command>max-zone-ttl</command></term>
<listitem> <listitem>
<para> <para>
Specifies a maximum permissible TTL value. Specifies a maximum permissible TTL value.
When loading a zone file using a When loading a zone file using a
<option>masterfile-format</option> of <option>masterfile-format</option> of
<constant>text</constant> or <constant>raw</constant>, <constant>text</constant> or <constant>raw</constant>,
any record encountered with a TTL higher than any record encountered with a TTL higher than
<option>max-zone-ttl</option> will cause the zone to <option>max-zone-ttl</option> will cause the zone to
be rejected. be rejected.
</para> </para>
<para> <para>
This is useful in DNSSEC-signed zones because when This is useful in DNSSEC-signed zones because when
rolling to a new DNSKEY, the old key needs to remain rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from available until RRSIG records have expired from
caches. The<option>max-zone-ttl</option> option guarantees caches. The<option>max-zone-ttl</option> option guarantees
that the largest TTL in the zone will be no higher that the largest TTL in the zone will be no higher
the set value. the set value.
</para> </para>
<para> <para>
(NOTE: Because <constant>map</constant>-format files (NOTE: Because <constant>map</constant>-format files
load directly into memory, this option cannot be load directly into memory, this option cannot be
used with them.) used with them.)
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><command>zone-statistics</command></term> <term><command>zone-statistics</command></term>
<listitem> <listitem>
<para> <para>
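Review bot: this hunk appears to change only indentation (the before and after columns read identically line for line), and the same holds for the hunks at -6273 and -9847; whitespace-only reflows of sections unrelated to RT #30652 make the real doc change harder to review and would be better in a separate commit. Since these lines are being touched anyway, two small fixes in the max-zone-ttl text belong here: "The<option>max-zone-ttl</option> option guarantees" is missing a space after "The", and "will be no higher the set value" is missing "than" before "the set value".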
@@ -6273,17 +6273,17 @@ options {
<para> <para>
If <userinput>yes</userinput>, then a SIT (Source Identity If <userinput>yes</userinput>, then a SIT (Source Identity
Token) EDNS option is sent along with the query. If the Token) EDNS option is sent along with the query. If the
resolver has previously talked to the server, the SIT resolver has previously talked to the server, the SIT
returned in the previous transaction is sent. This returned in the previous transaction is sent. This
is used by the server to determine whether the resolver is used by the server to determine whether the resolver
has talked to it before. A resolver sending the correct has talked to it before. A resolver sending the correct
SIT is assumed not to be an off-path attacker sending a SIT is assumed not to be an off-path attacker sending a
spoofed-source query; the query is therefore unlikely to spoofed-source query; the query is therefore unlikely to
be part of a reflection/amplification attack, so resolvers be part of a reflection/amplification attack, so resolvers
sending a correct SIT option are not subject to response sending a correct SIT option are not subject to response
rate limiting (RRL). Resolvers which do not send a correct rate limiting (RRL). Resolvers which do not send a correct
SIT option may be limited to receiving smaller responses SIT option may be limited to receiving smaller responses
via the <command>nosit-udp-size</command> option. via the <command>nosit-udp-size</command> option.
</para> </para>
</varlistentry> </varlistentry>
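Review bot: the hunk ends with </para> immediately followed by </varlistentry>, with no </listitem> between them, whereas the other varlistentry blocks in this file (max-zone-ttl, no-case-compress) close <listitem> before </varlistentry>. The hunk header counts 17 lines but only 16 are shown, so a line may have been dropped in this rendering; if it was not, the DocBook is unbalanced here and should be fixed while the block is being reindented.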
@@ -7271,53 +7271,53 @@ options {
<varlistentry> <varlistentry>
<term><command>no-case-compress</command></term> <listitem> <term><command>no-case-compress</command></term> <listitem>
<para> <para>
Specifies a list of addresses which require responses Specifies a list of addresses which require responses
to use case-insensitive compression. This ACL can be to use case-insensitive compression. This ACL can be
used when <command>named</command> needs to work with used when <command>named</command> needs to work with
clients that do not comply with the requirement in RFC clients that do not comply with the requirement in RFC
1034 to use case-insensitive name comparisons when 1034 to use case-insensitive name comparisons when
checking for matching domain names. checking for matching domain names.
</para> </para>
<para> <para>
If left undefined, the ACL defaults to If left undefined, the ACL defaults to
<command>none</command>: case-insensitive compression <command>none</command>: case-insensitive compression
will be used for all clients. If the ACL is defined and will be used for all clients. If the ACL is defined and
matches a client, then case will be ignored when matches a client, then case will be ignored when
compressing domain names in DNS responses sent to that compressing domain names in DNS responses sent to that
client. client.
</para> </para>
<para> <para>
This can result in slightly smaller responses: if This can result in slightly smaller responses: if
a response contains the names "example.com" and a response contains the names "example.com" and
"example.COM", case-insensitive compression would treat "example.COM", case-insensitive compression would treat
the second one as a duplicate. It also ensures the second one as a duplicate. It also ensures
that the case of the query name exactly matches the that the case of the query name exactly matches the
case of the owner names of returned records, rather case of the owner names of returned records, rather
than matching the case of the records entered in than matching the case of the records entered in
the zone file. This allows responses to exactly the zone file. This allows responses to exactly
match the query, which is required by some clients match the query, which is required by some clients
due to incorrect use of case-sensitive comparisions. due to incorrect use of case-sensitive comparisions.
</para> </para>
<para> <para>
Case-insensitive compression is <emphasis>always</emphasis> Case-insensitive compression is <emphasis>always</emphasis>
used in AXFR and IXFR responses, regardless of whether used in AXFR and IXFR responses, regardless of whether
the client matches this ACL. the client matches this ACL.
</para> </para>
<para> <para>
There are circusmstances in which <command>named</command> There are circusmstances in which <command>named</command>
will not preserve the case of owner names of records: will not preserve the case of owner names of records:
if a zone file defines records of different types with if a zone file defines records of different types with
the same name, but the capitalization of the name is the same name, but the capitalization of the name is
different (e.g., "www.example.com/A" and different (e.g., "www.example.com/A" and
"WWW.EXAMPLE.COM/AAAA"), then all resposnes for that "WWW.EXAMPLE.COM/AAAA"), then all resposnes for that
name will use the <emphasis>first</emphasis> version name will use the <emphasis>first</emphasis> version
of the name that was used in the zone file. This of the name that was used in the zone file. This
limitation may be addressed in a future release. However, limitation may be addressed in a future release. However,
domain names specified in the rdata of resource records domain names specified in the rdata of resource records
(i.e., records of type NS, MX, CNAME, etc) will always (i.e., records of type NS, MX, CNAME, etc) will always
have their case preserved unless the client matches this have their case preserved unless the client matches this
ACL. ACL.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
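Review bot: the second paragraph reads as self-contradictory. The entry opens by saying the ACL lists the addresses that require case-insensitive compression, but the next paragraph says that with the ACL undefined (defaulting to none) "case-insensitive compression will be used for all clients", and that a client matching the ACL also gets case ignored; one of those statements has the polarity wrong (presumably clients that do not match the ACL get case-preserving compression, and the default-none sentence should say so). Please confirm the intended behaviour and correct the sentence, since choosing between the two modes is the whole point of the option. Three typos in the same block can also go while it is being touched: "comparisions" should be "comparisons", "circusmstances" should be "circumstances", and "resposnes" should be "responses"; and the <term>...</term> <listitem> on one line at the top of the block differs from the one-element-per-line layout used elsewhere in the file.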
@@ -8675,7 +8675,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem> <listitem>
<para> <para>
Specify a private RDATA type to be used when generating Specify a private RDATA type to be used when generating
key signing records. The default is signing state records. The default is
<literal>65534</literal>. <literal>65534</literal>.
</para> </para>
<para> <para>
@@ -8683,13 +8683,20 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
in a future version once there is a standard type. in a future version once there is a standard type.
</para> </para>
<para> <para>
These records can be removed from the zone once named Signing state records are used to internally by
has completed signing the zone with the matching key <command>named</command> to track the current state of
using <command>nsupdate</command> or a zone-signing process, i.e., whether it is still active
<command>rndc signing -clear</command>. or has been completed. The records can be inspected
<command>rndc signing -clear</command> is the only supported using the command
way to remove these records from <command>rndc signing -list <replaceable>zone</replaceable></command>.
<command>inline-signing</command> zones. Once <command>named</command> has finished signing
a zone with a particular key, the signing state
record associated with that key can be removed from
the zone by running
<command>rndc signing -clear <replaceable>keyid/algorithm</replaceable> <replaceable>zone</replaceable></command>.
To clear all of the completed signing state
records for a zone, use
<command>rndc signing -clear all <replaceable>zone</replaceable></command>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
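Review bot: "Signing state records are used to internally by <command>named</command>" in the new text has a stray "to"; it should read "are used internally by". Otherwise the rewrite is an improvement: it drops the suggestion of removing these records with nsupdate and, with it, the old caveat that rndc signing -clear is the only supported method for inline-signing zones, which is consistent now that -clear is the only method documented. The new text says "Once named has finished signing a zone with a particular key, the signing state record associated with that key can be removed", which implies the ordering; stating explicitly what happens if a record is cleared while signing with that key is still in progress would make the operational risk clearer to the reader.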
@@ -9847,9 +9854,9 @@ deny-answer-aliases { "example.net"; };
DNSSEC requests (DO=1) unless <command>break-dnssec yes</command> DNSSEC requests (DO=1) unless <command>break-dnssec yes</command>
is in use, because the response would depend on whether or not is in use, because the response would depend on whether or not
RRSIG records were found during resolution. RRSIG records were found during resolution.
Using this option can cause error responses such as SERVFAIL to Using this option can cause error responses such as SERVFAIL to
appear to be rewritten, since no recursion is being done to appear to be rewritten, since no recursion is being done to
discover problems at the authoritative server. discover problems at the authoritative server.
</para> </para>
<para> <para>