mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 22:15:20 +00:00
regen master
@@ -91,7 +91,7 @@ command as input, as in:
|
||||
.PP
|
||||
\-A
|
||||
.RS 4
|
||||
Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
|
||||
Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
|
||||
.RE
|
||||
.PP
|
||||
\-l \fIdomain\fR
|
||||
|
@@ -88,7 +88,7 @@
|
||||
</dd>
|
||||
<dt><span class="term">-A</span></dt>
|
||||
<dd><p>
|
||||
Include ZSK's when generating DS records. Without this option,
|
||||
Include ZSKs when generating DS records. Without this option,
|
||||
only keys which have the KSK flag set will be converted to DS
|
||||
records and printed. Useful only in zone file mode.
|
||||
</p></dd>
|
||||
|
@@ -65,7 +65,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the
|
||||
.RS 4
|
||||
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
|
||||
.sp
|
||||
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
|
||||
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with
|
||||
\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
|
||||
\fB\-a\fR, then there is no default key size, and the
|
||||
\fB\-b\fR
|
||||
|
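Review bot: The context sentence "if an algorithm is explicitly specified with the \fB\-a\fR, then there is no default key size" is missing the noun after the flag. This is the same omission this commit fixes for nta-lifetime in the rndc page. Suggest "with the \fB\-a\fR option" in the DocBook source so that the man page and HTML pick it up on the next regen.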
@@ -91,7 +91,7 @@
|
||||
<p>
|
||||
The key size does not need to be specified if using a default
|
||||
algorithm. The default key size is 1024 bits for zone signing
|
||||
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
|
||||
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
|
||||
generated with <code class="option">-f KSK</code>). However, if an
|
||||
algorithm is explicitly specified with the <code class="option">-a</code>,
|
||||
then there is no default key size, and the <code class="option">-b</code>
|
||||
|
@@ -337,13 +337,14 @@ to be effective. It defaults to enabled.
|
||||
Sets a DNSSEC negative trust anchor (NTA) for
|
||||
\fBdomain\fR, with a lifetime of
|
||||
\fBlifetime\fR. The default lifetime is configured in
|
||||
<file>named.conf</file>
|
||||
\fInamed.conf\fR
|
||||
via the
|
||||
\fBnta\-lifetime\fR, and defaults to one hour. The lifetime cannot exceed one week.
|
||||
\fBnta\-lifetime\fR
|
||||
option, and defaults to one hour. The lifetime cannot exceed one week.
|
||||
.sp
|
||||
A negative trust anchor selectively disables DNSSEC validation for zones that known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors),
|
||||
A negative trust anchor selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors),
|
||||
\fBnamed\fR
|
||||
will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the NTA's lifetime is elapsed, or until the server is restarted (NTA's do not persist across restarts).
|
||||
will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the NTA's lifetime is elapsed, or until the server is restarted (NTAs do not persist across restarts).
|
||||
.sp
|
||||
An existing NTA can be removed by using the
|
||||
\fB\-remove\fR
|
||||
|
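Review bot: The rewritten sentence is still circular: "The default lifetime is configured in named.conf via the nta-lifetime option, and defaults to one hour" says that the default defaults. Suggest splitting the two facts, for example "The default lifetime is set by the nta-lifetime option in named.conf; if that option is not set, it is one hour." In the same paragraph, "until the NTA's lifetime is elapsed" would read better as "has elapsed".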
@@ -395,13 +395,13 @@
|
||||
Sets a DNSSEC negative trust anchor (NTA)
|
||||
for <code class="option">domain</code>, with a lifetime of
|
||||
<code class="option">lifetime</code>. The default lifetime is
|
||||
configured in <font color="red"><file>named.conf</file></font> via the
|
||||
<code class="option">nta-lifetime</code>, and defaults to
|
||||
configured in <code class="filename">named.conf</code> via the
|
||||
<code class="option">nta-lifetime</code> option, and defaults to
|
||||
one hour. The lifetime cannot exceed one week.
|
||||
</p>
|
||||
<p>
|
||||
A negative trust anchor selectively disables
|
||||
DNSSEC validation for zones that known to be
|
||||
DNSSEC validation for zones that are known to be
|
||||
failing because of misconfiguration rather than
|
||||
an attack. When data to be validated is
|
||||
at or below an active NTA (and above any other
|
||||
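Review bot: The removed line `<font color="red"><file>named.conf</file></font>` shows that an element the stylesheet did not recognise reached the committed HTML and stayed there until this regen. Since the same pair of lines is corrected in more than one generated file in this commit, consider adding a check to the regen step that fails when the output contains `<font color="red">`, so that an invalid source element is caught before the generated pages are committed.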
@@ -409,7 +409,7 @@
|
||||
abort the DNSSEC validation process and treat the data as
|
||||
insecure rather than bogus. This continues until the
|
||||
NTA's lifetime is elapsed, or until the server is
|
||||
restarted (NTA's do not persist across restarts).
|
||||
restarted (NTAs do not persist across restarts).
|
||||
</p>
|
||||
<p>
|
||||
An existing NTA can be removed by using the
|
||||
|
@@ -1360,7 +1360,7 @@ options {
|
||||
<p>To set up an authoritative zone for RFC 5011 trust anchor
|
||||
maintenance, generate two (or more) key signing keys (KSKs) for
|
||||
the zone. Sign the zone with one of them; this is the "active"
|
||||
KSK. All KSK's which do not sign the zone are "stand-by"
|
||||
KSK. All KSKs which do not sign the zone are "stand-by"
|
||||
keys.</p>
|
||||
<p>Any validating resolver which is configured to use the
|
||||
active KSK as an RFC 5011-managed trust anchor will take note
|
||||
@@ -1402,8 +1402,8 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
|
||||
increasing by 128, and wrapping around at 65535. So, for
|
||||
example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
|
||||
"<code class="filename">Kexample.com.+005+10128</code>".</p>
|
||||
<p>If two keys have ID's exactly 128 apart, and one is
|
||||
revoked, then the two key ID's will collide, causing several
|
||||
<p>If two keys have IDs exactly 128 apart, and one is
|
||||
revoked, then the two key IDs will collide, causing several
|
||||
problems. To prevent this,
|
||||
<span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
|
||||
another key is present which may collide. This checking will
|
||||
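Review bot: "then the two key IDs will collide, causing several problems" leaves the reader without the information needed to judge the risk. The paragraph already explains that revoking adds 128 to the ID, so one more clause naming what breaks when two keys share an ID would make the dnssec-keygen refusal described in the next sentence easier to understand.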
@@ -1415,7 +1415,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
|
||||
multiple directories or on multiple machines.</p>
|
||||
<p>It is expected that a future release of BIND 9 will
|
||||
address this problem in a different way, by storing revoked
|
||||
keys with their original unrevoked key ID's.</p>
|
||||
keys with their original unrevoked key IDs.</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect1" lang="en">
|
||||
@@ -1468,7 +1468,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
|
||||
need. The HSM's provider library must have a complete implementation
|
||||
of the PKCS#11 API, so that all these functions are accessible. As of
|
||||
this writing, only the Thales nShield HSM and the latest development
|
||||
version of SoftHSM can be used in this fashion. For other HSM's,
|
||||
version of SoftHSM can be used in this fashion. For other HSMs,
|
||||
including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM,
|
||||
use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of
|
||||
supporting native PKCS#11, it is expected that OpenSSL-based
|
||||
|
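Review bot: The context line "As of this writing, only the Thales nShield HSM and the latest development version of SoftHSM can be used in this fashion" carries no date or release, and this commit touches the sentence right after it. Suggest replacing "As of this writing" with the BIND 9 release the statement applies to, and naming the SoftHSM version instead of "latest development version", so a reader choosing between native and OpenSSL-based PKCS#11 can tell whether the list is current.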
@@ -3037,7 +3037,7 @@ options {
|
||||
</p>
|
||||
<p>
|
||||
A negative trust anchor selectively disables
|
||||
DNSSEC validation for zones that known to be
|
||||
DNSSEC validation for zones that are known to be
|
||||
failing because of misconfiguration rather than
|
||||
an attack. When data to be validated is
|
||||
at or below an active NTA (and above any other
|
||||
@@ -3045,7 +3045,7 @@ options {
|
||||
abort the DNSSEC validation process and treat the data as
|
||||
insecure rather than bogus. This continues until the
|
||||
NTA's lifetime is elapsed, or until the server is
|
||||
restarted (NTA's do not persist across restarts).
|
||||
restarted (NTAs do not persist across restarts).
|
||||
</p>
|
||||
<p>
|
||||
For convenience, TTL-style time unit suffixes can be
|
||||
@@ -3075,7 +3075,7 @@ options {
|
||||
<p>
|
||||
Validity checks can be disabled for an individual
|
||||
NTA by using <span><strong class="command">rndc nta -f</strong></span>, or
|
||||
for all NTA's by setting <code class="option">nta-recheck</code>
|
||||
for all NTAs by setting <code class="option">nta-recheck</code>
|
||||
to zero.
|
||||
</p>
|
||||
<p>
|
||||
|
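Review bot: The sentence ending "for all NTAs by setting nta-recheck to zero" says that validity checks can be turned off but not what that changes for the operator. Suggest adding one sentence stating the effect on an NTA once checks are disabled, or a cross-reference to the paragraph that describes the check and the lifetime limit, since neither is visible from this option description alone.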
@@ -50,20 +50,20 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2621243"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2621245"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
|
||||
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2621258"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2621260"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2621272"></a><h2>AUTHOR</h2>
|
||||
<a name="id2621274"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
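Review bot: Every changed line in this hunk is a generated anchor name, for example `<a name="id2621243">` becoming `<a name="id2621245">` on DESCRIPTION, with no change to the text. The same churn repeats across the remaining generated pages in this commit, which buries the real wording fixes and changes the fragment identifiers that external links may point at. Suggest giving each refsect1 an explicit id in the DocBook source so a regen leaves these lines untouched.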
@@ -51,7 +51,7 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ]</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2665137"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2665139"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span><strong class="command">tsig-keygen</strong></span> and <span><strong class="command">ddns-confgen</strong></span>
|
||||
are invocation methods for a utility that generates keys for use
|
||||
@@ -87,7 +87,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2665240"></a><h2>OPTIONS</h2>
|
||||
<a name="id2665242"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -159,7 +159,7 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2666003"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2666005"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
@@ -167,7 +167,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2666109"></a><h2>AUTHOR</h2>
|
||||
<a name="id2666112"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
@@ -107,7 +107,7 @@
|
||||
</dd>
|
||||
<dt><span class="term">-A</span></dt>
|
||||
<dd><p>
|
||||
Include ZSK's when generating DS records. Without this option,
|
||||
Include ZSKs when generating DS records. Without this option,
|
||||
only keys which have the KSK flag set will be converted to DS
|
||||
records and printed. Useful only in zone file mode.
|
||||
</p></dd>
|
||||
|
@@ -109,7 +109,7 @@
|
||||
<p>
|
||||
The key size does not need to be specified if using a default
|
||||
algorithm. The default key size is 1024 bits for zone signing
|
||||
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
|
||||
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
|
||||
generated with <code class="option">-f KSK</code>). However, if an
|
||||
algorithm is explicitly specified with the <code class="option">-a</code>,
|
||||
then there is no default key size, and the <code class="option">-b</code>
|
||||
|
@@ -50,7 +50,7 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2621369"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2666154"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span><strong class="command">genrandom</strong></span>
|
||||
generates a file or a set of files containing a specified quantity
|
||||
@@ -59,7 +59,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2666167"></a><h2>ARGUMENTS</h2>
|
||||
<a name="id2666169"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -77,14 +77,14 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2666228"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2666230"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2666254"></a><h2>AUTHOR</h2>
|
||||
<a name="id2666257"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
@@ -50,7 +50,7 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668769"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2621462"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
|
||||
HMAC-SHA* TSIG keys which were longer than the digest length of the
|
||||
@@ -76,7 +76,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668796"></a><h2>SECURITY CONSIDERATIONS</h2>
|
||||
<a name="id2621490"></a><h2>SECURITY CONSIDERATIONS</h2>
|
||||
<p>
|
||||
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
|
||||
are shortened, but as this is how the HMAC protocol works in
|
||||
@@ -87,14 +87,14 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668812"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2621506"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 2104</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668829"></a><h2>AUTHOR</h2>
|
||||
<a name="id2668695"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
@@ -48,7 +48,7 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2621838"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2621841"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
|
||||
a set of NSEC3 parameters. This can be used to check the validity
|
||||
@@ -56,7 +56,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668889"></a><h2>ARGUMENTS</h2>
|
||||
<a name="id2668755"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">salt</span></dt>
|
||||
<dd><p>
|
||||
@@ -80,14 +80,14 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668951"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2668817"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 5155</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668968"></a><h2>AUTHOR</h2>
|
||||
<a name="id2668834"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
@@ -50,7 +50,7 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2662932"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2662866"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">rndc-confgen</strong></span>
|
||||
generates configuration files
|
||||
for <span><strong class="command">rndc</strong></span>. It can be used as a
|
||||
@@ -66,7 +66,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2662998"></a><h2>OPTIONS</h2>
|
||||
<a name="id2662932"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-a</span></dt>
|
||||
<dd>
|
||||
@@ -180,7 +180,7 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668589"></a><h2>EXAMPLES</h2>
|
||||
<a name="id2668523"></a><h2>EXAMPLES</h2>
|
||||
<p>
|
||||
To allow <span><strong class="command">rndc</strong></span> to be used with
|
||||
no manual configuration, run
|
||||
@@ -197,7 +197,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668646"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2668580"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
@@ -205,7 +205,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2668684"></a><h2>AUTHOR</h2>
|
||||
<a name="id2668618"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
@@ -50,7 +50,7 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2620548"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2620550"></a><h2>DESCRIPTION</h2>
|
||||
<p><code class="filename">rndc.conf</code> is the configuration file
|
||||
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
|
||||
utility. This file has a similar structure and syntax to
|
||||
@@ -136,7 +136,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2659427"></a><h2>EXAMPLE</h2>
|
||||
<a name="id2659429"></a><h2>EXAMPLE</h2>
|
||||
<pre class="programlisting">
|
||||
options {
|
||||
default-server localhost;
|
||||
@@ -210,7 +210,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2661596"></a><h2>NAME SERVER CONFIGURATION</h2>
|
||||
<a name="id2661598"></a><h2>NAME SERVER CONFIGURATION</h2>
|
||||
<p>
|
||||
The name server must be configured to accept rndc connections and
|
||||
to recognize the key specified in the <code class="filename">rndc.conf</code>
|
||||
@@ -220,7 +220,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2661622"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2661624"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
|
||||
@@ -228,7 +228,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2661660"></a><h2>AUTHOR</h2>
|
||||
<a name="id2661662"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
@@ -50,7 +50,7 @@
|
||||
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2658477"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2658480"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">rndc</strong></span>
|
||||
controls the operation of a name
|
||||
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
|
||||
@@ -81,7 +81,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2660029"></a><h2>OPTIONS</h2>
|
||||
<a name="id2660032"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -152,7 +152,7 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2662094"></a><h2>COMMANDS</h2>
|
||||
<a name="id2662097"></a><h2>COMMANDS</h2>
|
||||
<p>
|
||||
A list of commands supported by <span><strong class="command">rndc</strong></span> can
|
||||
be seen by running <span><strong class="command">rndc</strong></span> without arguments.
|
||||
@@ -413,13 +413,13 @@
|
||||
Sets a DNSSEC negative trust anchor (NTA)
|
||||
for <code class="option">domain</code>, with a lifetime of
|
||||
<code class="option">lifetime</code>. The default lifetime is
|
||||
configured in <font color="red"><file>named.conf</file></font> via the
|
||||
<code class="option">nta-lifetime</code>, and defaults to
|
||||
configured in <code class="filename">named.conf</code> via the
|
||||
<code class="option">nta-lifetime</code> option, and defaults to
|
||||
one hour. The lifetime cannot exceed one week.
|
||||
</p>
|
||||
<p>
|
||||
A negative trust anchor selectively disables
|
||||
DNSSEC validation for zones that known to be
|
||||
DNSSEC validation for zones that are known to be
|
||||
failing because of misconfiguration rather than
|
||||
an attack. When data to be validated is
|
||||
at or below an active NTA (and above any other
|
||||
@@ -427,7 +427,7 @@
|
||||
abort the DNSSEC validation process and treat the data as
|
||||
insecure rather than bogus. This continues until the
|
||||
NTA's lifetime is elapsed, or until the server is
|
||||
restarted (NTA's do not persist across restarts).
|
||||
restarted (NTAs do not persist across restarts).
|
||||
</p>
|
||||
<p>
|
||||
An existing NTA can be removed by using the
|
||||
@@ -599,7 +599,7 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2687969"></a><h2>LIMITATIONS</h2>
|
||||
<a name="id2688041"></a><h2>LIMITATIONS</h2>
|
||||
<p>
|
||||
There is currently no way to provide the shared secret for a
|
||||
<code class="option">key_id</code> without using the configuration file.
|
||||
@@ -609,7 +609,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2687987"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2688059"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
@@ -619,7 +619,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2688110"></a><h2>AUTHOR</h2>
|
||||
<a name="id2688183"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|