diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 751598d3c0..867a78f142 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,17 +70,17 @@
Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1198,7 +1198,7 @@ options { configuration. If this has not been done, the configuration will fail. +Private-type recordsThe state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1239,12 +1239,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
+Dynamic DNS update method To perform key rollovers via dynamic update, you need to add
the K*
files for the new keys so that
named can find them. You can then add the new
@@ -1266,7 +1266,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to @@ -1281,27 +1281,27 @@ options { completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATEAdd the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.
+Converting from NSEC to NSEC3To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.
+Converting from NSEC3 to NSECTo do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.
+Converting from secure to insecureTo convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1452,7 +1452,7 @@ $ dnssec-signzone -S -K keys example.net
<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1461,7 +1461,7 @@ $
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
@@ -1495,7 +1495,7 @@ $
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1553,7 +1553,7 @@ $
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1628,7 +1628,7 @@ $
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1657,7 +1657,7 @@ $
SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
@@ -1730,7 +1730,7 @@ $
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1750,7 +1750,7 @@ $
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1772,7 +1772,7 @@ $
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1816,7 +1816,7 @@ $
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1937,7 +1937,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -1969,7 +1969,7 @@ $
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
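Review bot: The context line "and/or to to sign new records inserted via nsupdate" in this Bv9ARM.ch04.html hunk has a doubled "to". Suggest correcting it to "and/or to sign" while this section is being touched, so the typo does not survive into the next build of the manual.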
@@ -2056,7 +2056,7 @@ $
A DLZ database is configured with a dlz
statement in
For guidance in implementation of DLZ modules, the directory
dnssec-signzone -S -K keys example.net
<
./configure --enable-native-pkcs11 \
./configure --enable-native-pkcs11 \
$
@@ -1586,7 +1586,7 @@ $ wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
patch -p1 -d openssl-0.9.8y \
./Configure linux-generic32 -m32 -pthread \
./Configure solaris64-x86_64-cc \
./Configure linux-x86_64 -pthread \
./configure CC="gcc -m32" --enable-threads \
./configure CC="cc -xarch=amd64" --enable-thre
$
cd ../bind9
$ ./configure --enable-threads \
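Review bot: The OpenSSL download shown in this hunk's context, "wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz", uses plain HTTP, and the next visible step is "patch -p1 -d openssl-0.9.8y" with no integrity check shown in between. Suggest switching the URL to HTTPS and, if the surrounding text does not already have one, adding a step that verifies the tarball's published signature or checksum before it is patched and built, since the text describes this modified OpenSSL as the library used for OpenSSL-based PKCS#11 mode.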
@@ -1793,7 +1793,7 @@ $
./configure --enable-threads \
./configure --enable-threads \
dnssec-signzone -E '' -S example.net
dnssec-signzone -E '' -S example.net
named.conf
:
@@ -2105,7 +2105,7 @@ $ dnssec-signzone -E '' -S example.net
contrib/dlz/example
contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index d8b32aa2c3..34d3662a1b 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -78,28 +78,28 @@
BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -6696,7 +6698,7 @@ example.com CNAME rpz-tcp-only.
Excessive almost identical UDP responses can be controlled by configuring a @@ -7210,7 +7212,7 @@ example.com CNAME rpz-tcp-only.
The statistics-channels statement @@ -7326,7 +7328,7 @@ example.com CNAME rpz-tcp-only.
The trusted-keys statement defines @@ -7370,7 +7372,7 @@ example.com CNAME rpz-tcp-only.
managed-keys {name
initial-keyflags
protocol
algorithm
key-data
; [name
initial-keyflags
protocol
algorithm
key-data
; [...]] @@ -7508,7 +7510,7 @@ example.com CNAME rpz-tcp-only.The view statement is a powerful feature @@ -7830,10 +7832,10 @@ zone
zone_name
[
@@ -9905,7 +9907,7 @@ view external { RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -10108,7 +10110,7 @@ view external {
As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -10439,7 +10441,7 @@ view external {
When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -10450,7 +10452,7 @@ view external {
Syntax: $ORIGIN
domain-name
@@ -10479,7 +10481,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename
@@ -10515,7 +10517,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl
@@ -10534,7 +10536,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range
@@ -10977,7 +10979,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11573,7 +11575,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11727,7 +11729,7 @@ HOST-127.EXAMPLE. MX 0 .
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 00e2a62726..93d8787391 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,7 +46,7 @@ Table of Contents
@@ -412,6 +412,11 @@ A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE. +
- Access Control Lists
-- Chroot and Setuid
+- Chroot and Setuid
- The chroot Environment
- Using the setuid Function
@@ -245,7 +245,7 @@ allow-query { !{ !10/8; any; }; key example; };On UNIX servers, it is possible to run BIND diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 89c9e615d3..9b56b846a2 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -47,8 +47,8 @@
@@ -68,7 +68,7 @@Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@
The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 4d42ea0595..b5d91ce2a9 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -58,7 +58,7 @@
- Acknowledgments
- -
- General DNS Reference Information
+- General DNS Reference Information
- Bibliography (and Suggested Reading)
@@ -68,13 +68,13 @@
- BIND 9 DNS Library Support
+ Adjusted max-recursion-queries to accommodate the smaller + initial packet sizes used in BIND 9.10 and higher when + contacting authoritative servers for the first time. +
@@ -539,7 +544,7 @@GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -1024,7 +1029,7 @@
$./configure --enable-exportlib
$[other flags]
make
@@ -1039,7 +1044,7 @@ $make
$cd lib/export
$make install
@@ -1061,7 +1066,7 @@ $make install
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -1101,7 +1106,7 @@ $
make
The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -1119,14 +1124,14 @@ $
make
Some sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -1190,7 +1195,7 @@ $
make
Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -1231,7 +1236,7 @@ $
make
It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -1272,7 +1277,7 @@ $
make
This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -1289,7 +1294,7 @@ $
make
It accepts a single update command as a command-line argument, sends an update request message to the @@ -1384,7 +1389,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mm
It checks a set of domains to see the name servers of the domains behave @@ -1441,7 +1446,7 @@ $
+sample-update -a sample-update -k Kxxx.+nnn+mm
As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 65a0506020..a08bbd6957 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -114,17 +114,17 @@
DNSSEC, Dynamic Zones, and Automatic Signing @@ -135,18 +135,18 @@ -
- Converting from insecure to secure
+- Converting from insecure to secure
- Dynamic DNS update method
- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
- Periodic re-signing
- NSEC3 and OPTOUT
PKCS#11 (Cryptoki) support -
- Prerequisites
-- Native PKCS#11
-- OpenSSL-based PKCS#11
-- PKCS#11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Native PKCS#11
+- OpenSSL-based PKCS#11
+- PKCS#11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones) IPv6 Support in BIND 9 @@ -194,28 +194,28 @@
- server Statement Definition and Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and +
- statistics-channels Statement Definition and Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition +
- trusted-keys Statement Definition and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File BIND9 Statistics @@ -224,7 +224,7 @@7. BIND 9 Security Considerations
- Access Control Lists
-- Chroot and Setuid
+- Chroot and Setuid
- The chroot Environment
- Using the setuid Function
@@ -235,8 +235,8 @@- A. Appendices
@@ -253,7 +253,7 @@
- Acknowledgments
- -
- General DNS Reference Information
+- General DNS Reference Information
- Bibliography (and Suggested Reading)
@@ -263,13 +263,13 @@
- BIND 9 DNS Library Support
- I. Manual pages
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index f4c0858074..47da5830ac 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@
arpaname
{ipaddress
...}-diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 0a4cac9747..b2b2846444 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -51,7 +51,7 @@DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen
[-a
] [algorithm
-h
] [-k
] [keyname
-q
] [-r
] [ -srandomfile
name
| -zzone
]-diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 574ab93af0..cf3f79b787 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -53,7 +53,7 @@DESCRIPTION
+DESCRIPTION
tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@
delv
[queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -471,12 +471,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 359530f95f..f78d39346b 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@
dig
[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@
-OPTIONS
+OPTIONS
The
-b
option sets the source IP address of the query toaddress
. This must be a valid @@ -260,7 +260,7 @@-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -688,7 +688,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -734,7 +734,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -748,14 +748,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -763,7 +763,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index a5bc938045..c4afc97efa 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@
dnssec-dsfromkey
[-l
] [domain
-f
] [file
-d
] [dig path
-D
] {zone}dsfromkey path
-diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index bac5d2ba24..5a58aab02e 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@
dnssec-coverage
[-K
] [directory
-l
] [length
-f
] [file
-d
] [DNSKEY TTL
-m
] [max TTL
-r
] [interval
-c
] [compilezone path
-k
] [-z
] [zone]-diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index a1a04a0fec..f9e61c1193 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@DESCRIPTION
+DESCRIPTION
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@
dnssec-dsfromkey
[-h
] [-V
]-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii
or the full file name @@ -173,13 +173,13 @@-diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 68608e5274..2101a06758 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -51,7 +51,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -189,7 +189,7 @@
dnssec-importkey
{-f
} [filename
-K
] [directory
-L
] [ttl
-P
] [date/offset
-D
] [date/offset
-h
] [-v
] [level
-V
] [dnsname
]-DESCRIPTION
+DESCRIPTION
dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@
-FILES
+FILES
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiii
or the full file name @@ -151,7 +151,7 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 230cf3123e..8bb303c788 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@
dnssec-keyfromlabel
{-llabel
} [-3
] [-a
] [algorithm
-A
] [date/offset
-c
] [class
-D
] [date/offset
-E
] [engine
-f
] [flag
-G
] [-I
] [date/offset
-i
] [interval
-k
] [-K
] [directory
-L
] [ttl
-n
] [nametype
-P
] [date/offset
-p
] [protocol
-R
] [date/offset
-S
] [key
-t
] [type
-v
] [level
-V
] [-y
] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 5eb96de386..2fa0758443 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@
dnssec-keygen
[-a
] [algorithm
-b
] [keysize
-n
] [nametype
-3
] [-A
] [date/offset
-C
] [-c
] [class
-D
] [date/offset
-E
] [engine
-f
] [flag
-G
] [-g
] [generator
-h
] [-I
] [date/offset
-i
] [interval
-K
] [directory
-L
] [ttl
-k
] [-P
] [date/offset
-p
] [protocol
-q
] [-R
] [date/offset
-r
] [randomdev
-S
] [key
-s
] [strength
-t
] [type
-v
] [level
-V
] [-z
] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -359,7 +359,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com
, the following command would be @@ -426,7 +426,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 9000ab71c7..cdb4d58190 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -435,7 +435,7 @@
dnssec-revoke
[-hr
] [-v
] [level
-V
] [-K
] [directory
-E
] [engine
-f
] [-R
] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 0f2b4e0133..9510614164 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime
[-f
] [-K
] [directory
-L
] [ttl
-P
] [date/offset
-A
] [date/offset
-R
] [date/offset
-I
] [date/offset
-D
] [date/offset
-h
] [-V
] [-v
] [level
-E
] {keyfile}engine
-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P
,-A
, @@ -76,7 +76,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -210,7 +210,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -236,7 +236,7 @@
-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 701e8c45aa..8ad2772713 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -244,7 +244,7 @@
dnssec-signzone
[-a
] [-c
] [class
-d
] [directory
-D
] [-E
] [engine
-e
] [end-time
-f
] [output-file
-g
] [-h
] [-K
] [directory
-k
] [key
-L
] [serial
-l
] [domain
-M
] [domain
-i
] [interval
-I
] [input-format
-j
] [jitter
-N
] [soa-serial-format
-o
] [origin
-O
] [output-format
-P
] [-p
] [-Q
] [-R
] [-r
] [randomdev
-S
] [-s
] [start-time
-T
] [ttl
-t
] [-u
] [-v
] [level
-V
] [-X
] [extended end-time
-x
] [-z
] [-3
] [salt
-H
] [iterations
-A
] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 49ab2988f8..bb23a75f59 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.com
zone with the DSA key generated by dnssec-keygen @@ -542,14 +542,14 @@ db.example.com.signed %
dnssec-verify
[-c
] [class
-E
] [engine
-I
] [input-format
-o
] [origin
-v
] [level
-V
] [-x
] [-z
] {zonefile}-diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 347ce465b2..dc887f4b21 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@
genrandom
[-n
] {number
size
} {filename
}-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index e6126e93db..3c1a444054 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
host
[-aCdlnrsTwv
] [-c
] [class
-N
] [ndots
-R
] [number
-t
] [type
-W
] [wait
-m
] [flag
-4
] [-6
] [-v
] [-V
] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -214,7 +214,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -228,12 +228,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 297ce9f790..7f91f0eecb 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@
isc-hmac-fixup
{algorithm
} {secret
}-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
-diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 4f71a3346c..13670c957a 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf
[-h
] [-v
] [-j
] [-t
] {filename} [directory
-p
] [-x
] [-z
]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 828bb735b2..9727c4428f 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone
[-d
] [-j
] [-q
] [-v
] [-c
] [class
-C
] [mode
-f
] [format
-F
] [format
-J
] [filename
-i
] [mode
-k
] [mode
-m
] [mode
-n
] [mode
-l
] [ttl
-L
] [serial
-r
] [mode
-s
] [style
-t
] [directory
-T
] [mode
-w
] [directory
-D
] [-W
] {mode
-o
} {zonename} {filename}filename
-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index d78e971af5..6048ab9df1 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint
{journal
}-diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index e3664cdd7e..a958d7b2ea 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named-rrchecker
[-h
] [-o
] [origin
-p
] [-u
] [-C
] [-T
] [-P
]-DESCRIPTION
+DESCRIPTION
named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@
-SEE ALSO
+SEE ALSO
RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index f3e9e77968..51c0d8be37 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@
named
[-4
] [-6
] [-c
] [config-file
-d
] [debug-level
-D
] [string
-E
] [engine-name
-f
] [-g
] [-L
] [logfile
-m
] [flag
-n
] [#cpus
-p
] [port
-s
] [-S
] [#max-socks
-t
] [directory
-U
] [#listeners
-u
] [user
-v
] [-V
] [-x
]cache-file
-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -302,7 +302,7 @@
-diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 83347d137d..778b57aae9 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -319,7 +319,7 @@
nsec3hash
{salt
} {algorithm
} {iterations
} {domain
}-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index f9fd0189aa..d7598a9eec 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
nsupdate
[-d
] [-D
] [[-g
] | [-o
] | [-l
] | [-y
] | [[hmac:]keyname:secret
-k
]] [keyfile
-t
] [timeout
-u
] [udptimeout
-r
] [udpretries
-R
] [randomdev
-v
] [-T
] [-P
] [-V
] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -236,7 +236,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 1656b68bee..700d2b79da 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@
rndc-confgen
[-a
] [-A
] [algorithm
-b
] [keysize
-c
] [keyfile
-h
] [-k
] [keyname
-p
] [port
-r
] [randomfile
-s
] [address
-t
] [chrootdir
-u
]user
-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 18c3f3bceb..49b5485403 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf
-DESCRIPTION
+DESCRIPTION
rndc.conf
is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 8e4d5df6a2..556a135352 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf
@@ -220,7 +220,7 @@
rndc
[-b
] [source-address
-c
] [config-file
-k
] [key-file
-s
] [server
-p
] [port
-q
] [-V
] [-y
] {command}key_id
-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@
-diff --git a/doc/arm/notes.html b/doc/arm/notes.html index bb5416a2b0..976630aec9 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -393,6 +393,11 @@ A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE.COMMANDS
+COMMANDS
A list of commands supported by rndc can be seen by running rndc without arguments. @@ -609,7 +609,7 @@
+ Adjusted max-recursion-queries to accommodate the smaller + initial packet sizes used in BIND 9.10 and higher when + contacting authoritative servers for the first time. +
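Review bot: The added release note on max-recursion-queries says the limit was "adjusted" but gives neither the old nor the new value, so an operator reading notes.html cannot tell how an explicit max-recursion-queries setting in their own configuration now compares with the default. Suggest stating the new value in the note. The same sentence also appears as an added line earlier in this patch, so both copies should carry the same wording.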