mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 18:19:42 +00:00
regen master
parent
5399337474
commit
a7bc00e413
@ -1,4 +1,4 @@
|
||||
.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\"
|
||||
.\" This Source Code Form is subject to the terms of the Mozilla Public
|
||||
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
@ -44,7 +44,8 @@ dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
|
||||
.PP
|
||||
The
|
||||
\fBdnssec\-cds\fR
|
||||
command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&.
|
||||
command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. This enables a child zone to inform its parent of upcoming changes to its key\-signing keys; by polling periodically with
|
||||
\fBdnssec\-cds\fR, the parent can keep the DS records up to date and enable automatic rolling of KSKs\&.
|
||||
.PP
|
||||
Two input files are required\&. The
|
||||
\fB\-f \fR\fB\fIchild\-file\fR\fR
|
||||
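Review bot: In the sentence added to the description, "by polling periodically with \fBdnssec\-cds\fR" reads as though the command itself fetches the child's records, but the following paragraph says "Two input files are required" and the child data is supplied through the \-f child\-file option. Suggest rewording so that the parent periodically fetches the child's CDS/CDNSKEY records and runs dnssec\-cds on them, so operators do not expect the tool to query the child zone on its own.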
@ -57,6 +58,10 @@ file generated by
|
||||
\fBdnssec\-dsfromkey\fR, or the output of a previous run of
|
||||
\fBdnssec\-cds\fR\&.
|
||||
.PP
|
||||
The
|
||||
\fBdnssec\-cds\fR
|
||||
command uses special DNSSEC validation logic specified by RFC 7344\&. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records\&. This will typicially be the pre\-existing key\-signing key (KSK)\&.
|
||||
.PP
|
||||
For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
|
||||
\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
|
||||
dsset\-
|
||||
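Review bot: "typicially" in the added RFC 7344 paragraph ("This will typicially be the pre\-existing key\-signing key (KSK)") is a typo for "typically". The same word appears in the HTML hunks of this commit, and because the commit message is "regen master" the correction probably belongs in the source these files are generated from rather than in this output.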
@ -288,5 +293,5 @@ RFC 7344\&.
|
||||
.RE
|
||||
.SH "COPYRIGHT"
|
||||
.br
|
||||
Copyright \(co 2017 Internet Systems Consortium, Inc. ("ISC")
|
||||
Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
|
@ -1,6 +1,6 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<!--
|
||||
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
@ -55,7 +55,11 @@
|
||||
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
|
||||
a delegation point based on CDS or CDNSKEY records published in
|
||||
the child zone. If both CDS and CDNSKEY records are present in
|
||||
the child zone, the CDS is preferred.
|
||||
the child zone, the CDS is preferred. This enables a child zone
|
||||
to inform its parent of upcoming changes to its key-signing keys;
|
||||
by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
|
||||
parent can keep the DS records up to date and enable automatic
|
||||
rolling of KSKs.
|
||||
</p>
|
||||
<p>
|
||||
Two input files are required. The
|
||||
@ -70,6 +74,13 @@
|
||||
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
|
||||
run of <span class="command"><strong>dnssec-cds</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
|
||||
validation logic specified by RFC 7344. It requires that the CDS
|
||||
and/or CDNSKEY records are validly signed by a key represented in the
|
||||
existing DS records. This will typicially be the pre-existing
|
||||
key-signing key (KSK).
|
||||
</p>
|
||||
<p>
|
||||
For protection against replay attacks, the signatures on the
|
||||
child records must not be older than they were on a previous run
|
||||
|
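Review bot: The added paragraph says the CDS and/or CDNSKEY records must be "validly signed by a key represented in the existing DS records" but does not say what dnssec-cds does when that check fails. This is the check that prevents unauthenticated records from replacing the DS set at the delegation, so consider adding a sentence on the failure behaviour (whether the existing DS records are left unchanged and how the error is reported), unless a later section of the page already covers it.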
@ -73,7 +73,11 @@
|
||||
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
|
||||
a delegation point based on CDS or CDNSKEY records published in
|
||||
the child zone. If both CDS and CDNSKEY records are present in
|
||||
the child zone, the CDS is preferred.
|
||||
the child zone, the CDS is preferred. This enables a child zone
|
||||
to inform its parent of upcoming changes to its key-signing keys;
|
||||
by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
|
||||
parent can keep the DS records up to date and enable automatic
|
||||
rolling of KSKs.
|
||||
</p>
|
||||
<p>
|
||||
Two input files are required. The
|
||||
@ -88,6 +92,13 @@
|
||||
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
|
||||
run of <span class="command"><strong>dnssec-cds</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
|
||||
validation logic specified by RFC 7344. It requires that the CDS
|
||||
and/or CDNSKEY records are validly signed by a key represented in the
|
||||
existing DS records. This will typicially be the pre-existing
|
||||
key-signing key (KSK).
|
||||
</p>
|
||||
<p>
|
||||
For protection against replay attacks, the signatures on the
|
||||
child records must not be older than they were on a previous run
|
||||
|