diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index f619222877..8ab9872195 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -1406,11 +1406,11 @@ allow-update { key host1-host2. ;}; SIG(0) - BIND 9 partially supports DNSSEC SIG(0) transaction - signatures as specified in RFC 2535. SIG(0) uses public/private - keys to authenticate messages. Access control is performed in the - same manner as TSIG keys; privileges can be granted or denied - based on the key name. + BIND 9 partially supports DNSSEC SIG(0) + transaction signatures as specified in RFC 2535 and RFC2931. SIG(0) + uses public/private keys to authenticate messages. Access control + is performed in the same manner as TSIG keys; privileges can be + granted or denied based on the key name. When a SIG(0) signed message is received, it will only be verified if the key is known and trusted by the server; the server @@ -1419,8 +1419,8 @@ allow-update { key host1-host2. ;}; SIG(0) signing of multiple-message TCP streams is not supported. - BIND 9 does not ship with any tools that generate SIG(0) - signed messages. + The only tool shipped with BIND 9 that + generates SIG(0) signed messages is nsupdate. @@ -1435,9 +1435,10 @@ allow-update { key host1-host2. ;}; of steps which must be followed. BIND 9 ships with several tools that are used in this process, which are explained in more detail - below. In all cases, the "" option prints a + below. In all cases, the option prints a full list of parameters. Note that the DNSSEC tools require the - keyset and signedkey files to be in the working directory, and + keyset and signedkey files to be in the working directory or the + directory specified by the option, and that the tools shipped with BIND 9.0.x are not fully compatible with the current ones.
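Review bot: In the SIG(0) paragraph (hunk at -1406), the added reference is written "RFC2931" while the one next to it is "RFC 2535"; use the same spacing for both, i.e. "RFC 2535 and RFC 2931". The paragraph also still says BIND 9 "partially supports" SIG(0) without saying which part is missing. The only limitation visible nearby is that signing of multiple-message TCP streams is not supported, so consider stating that link explicitly now that a second RFC is cited.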
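Review bot: The new sentence in the hunk at -1419 names nsupdate as the only shipped tool that generates SIG(0) signed messages, but gives the reader no pointer to how it is used for that. The context just above says a signed message is only verified if the key is known and trusted by the server, so add a cross-reference to the nsupdate manual page or one sentence on how the key is supplied, so an administrator can get from this paragraph to a working signed update.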
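Review bot: In the hunk at -1435, the rewritten sentence says "the DNSSEC tools" read the keyset and signedkey files from the working directory or the directory specified by an option, which reads as applying to every tool described below; confirm that each of them accepts that option, or name the ones that do. The sentence also now joins the file-location rule and the BIND 9.0.x compatibility warning with "and that"; splitting it into two sentences would keep the compatibility warning from getting lost.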