dnssec-dsfromkey {-s} [-v ] [level-1] [-2] [-a ] [alg-c ] [class-d ] {dnsname}dir
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -115,13 +116,13 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -130,7 +131,7 @@
dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c ] [class-e] [-f ] [flag-g ] [generator-h] [-k] [-p ] [protocol-r ] [randomdev-s ] [strength-t ] [type-v ] {name}level
dnssec-keygen [-a ] [algorithm-b ] [keysize-n ] [nametype-c ] [class-e] [-f ] [flag-g ] [generator-h] [-k] [-p ] [protocol-r ] [randomdev-s ] [strength-t ] [type-v ] {name}level
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -40,7 +40,7 @@
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -221,7 +221,7 @@
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -230,7 +230,7 @@
yes
- and creating a ddns.key file (see
- ddns-confgen.)
+ ddns-autconf option to yes.
- If the zone's dynamic option is set to
- yes, and if a ddns.key
- file exists and contains a valid TSIG key, and if no other dynamic
- update policy has been set for the zone, then updates to the zone
- will be permitted for the key ddns.key.
+ If the zone's ddns-autoconf option is set to
+ yes, then updates to the zone
+ will be permitted for the key ddns.key,
+ which will be generated by named at startup.
The tkey-gssapi-credential and @@ -222,7 +219,7 @@
Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -252,7 +249,7 @@
Let's say a company named Example, Inc.
(example.com)
@@ -509,7 +506,7 @@ nameserver 172.16.72.4
A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must @@ -517,7 +514,7 @@ nameserver 172.16.72.4
The following command will generate a 128-bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys @@ -542,7 +539,7 @@ nameserver 172.16.72.4
The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming @@ -557,7 +554,7 @@ nameserver 172.16.72.4
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. @@ -565,7 +562,7 @@ nameserver 172.16.72.4
Imagine host1 and host 2 are @@ -594,7 +591,7 @@ key host1-host2. {
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the named.conf file
@@ -626,7 +623,7 @@ server 10.1.2.3 {
BIND allows IP addresses and ranges to be specified in ACL @@ -654,7 +651,7 @@ allow-update { key host1-host2. ;};
The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware @@ -680,7 +677,7 @@ allow-update { key host1-host2. ;};
TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of @@ -716,7 +713,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -777,7 +774,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to generate keys. @@ -833,7 +830,7 @@ allow-update { key host1-host2. ;};
The dnssec-signzone program is used to sign a zone. @@ -875,7 +872,7 @@ allow-update { key host1-host2. ;};
To enable named to respond appropriately to DNS requests from DNSSEC aware clients, @@ -1013,7 +1010,7 @@ options {
BIND 9 fully supports all currently defined forms of IPv6 name to address and address to name @@ -1051,7 +1048,7 @@ options {
The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire @@ -1070,7 +1067,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 1afba738be..26a0100ab3 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,13 +45,13 @@Table of Contents
Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index cc8f243d9a..569aafb1ff 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -48,55 +48,55 @@address_match_list= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element= [ ! ] (ip_address [/length] | @@ -483,7 +483,7 @@Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -567,7 +567,7 @@
The BIND 9 comment syntax allows for comments to appear @@ -577,7 +577,7 @@
/* This is a BIND comment as in C */@@ -593,7 +593,7 @@Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -834,7 +834,7 @@
acl acl-name { address_match_list }; @@ -916,7 +916,7 @@controls { [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} @@ -1040,12 +1040,12 @@includefilename;The include statement inserts the @@ -1060,7 +1060,7 @@
keykey_id{ algorithmstring; secretstring; @@ -1069,7 +1069,7 @@The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1116,7 +1116,7 @@
logging { [ channelchannel_name{ ( filepath_name@@ -1140,7 +1140,7 @@The logging statement configures a @@ -1174,7 +1174,7 @@
All log output goes to one or more channels; you can make as many of them as you want. @@ -1738,7 +1738,7 @@ category notify { null; };
The query-errors category is specifically intended for debugging purposes: To identify @@ -1966,7 +1966,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the lwres statement in the
named.conffile: @@ -1982,7 +1982,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]The lwres statement configures the name @@ -2033,7 +2033,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
mastersname[portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; @@ -2041,7 +2041,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]masters lists allow for a common set of masters to be easily used by @@ -2050,7 +2050,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options statement in the
named.conffile: @@ -3311,7 +3311,7 @@ options {The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3355,7 +3355,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -3552,7 +3552,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4004,7 +4004,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports, avoid-v4-udp-ports, @@ -4046,7 +4046,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4208,7 +4208,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -4988,7 +4988,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5318,7 +5318,7 @@ deny-answer-aliases { "example.net"; };
The statistics-channels statement @@ -5369,7 +5369,7 @@ deny-answer-aliases { "example.net"; };
trusted-keys {stringnumbernumbernumberstring; [stringnumbernumbernumberstring; [...]] @@ -5378,7 +5378,7 @@ deny-answer-aliases { "example.net"; };The trusted-keys statement defines @@ -5437,7 +5437,7 @@ deny-answer-aliases { "example.net"; };
The view statement is a powerful feature @@ -5714,10 +5714,10 @@ zone
zone_name[
@@ -5928,7 +5928,7 @@ zone zone_name[The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), @@ -5950,7 +5950,7 @@ zonezone_name[
- allow-notify
- -
@@ -6093,14 +6093,13 @@ zone
zone_name[root-delegation-only.- dynamic
+- ddns-autoconf
If this flag is set to
yesin - a master zone, named will - automatically generate a TSIG session key for use + a master zone, the zone will be set to allow dynamic + updates using a TSIG session key generated by + named and stored in a file for use by nsupdate -l on the local system, - and the zone will be marked to allow dynamic updates - using this key.- forward
@@ -6562,7 +6561,7 @@ zone
zone_name[@@ -6575,7 +6574,7 @@ zonezone_name[A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7312,7 +7311,7 @@ zone
zone_name[RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7515,7 +7514,7 @@ zone
zone_name[As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -7771,7 +7770,7 @@ zone
zone_name[Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -7832,7 +7831,7 @@ zone
zone_name[The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -7847,7 +7846,7 @@ zone
zone_name[When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -7858,7 +7857,7 @@ zone
zone_name[Syntax: $ORIGIN
domain-name@@ -7887,7 +7886,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename@@ -7923,7 +7922,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl@@ -7942,7 +7941,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range@@ -8366,7 +8365,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -8923,7 +8922,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9077,7 +9076,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9460,7 +9459,7 @@ HOST-127.EXAMPLE. MX 0 . Socket I/O statistics counters are defined per socket types, which are @@ -9615,7 +9614,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index bba83d055a..3aa6f18fab 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -46,10 +46,10 @@Table of Contents
@@ -122,7 +122,7 @@ zone "example.com" {On UNIX servers, it is possible to run BIND @@ -148,7 +148,7 @@ zone "example.com" {
In order for a chroot environment to @@ -176,7 +176,7 @@ zone "example.com" {
Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index c6577e3314..16ba346f08 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,18 +45,18 @@Table of Contents
The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@
The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index c90cd300ec..f62a0333fd 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,21 +45,21 @@Table of Contents
@@ -268,42 +268,42 @@Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-@@ -312,19 +312,19 @@[RFC3645] Generic Security Service Algorithm for Secret +
[RFC3645] Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-@@ -332,146 +332,146 @@[RFC4035] Protocol Modifications for the DNS +
[RFC4035] Protocol Modifications for the DNS Security Extensions. March 2005.
Other Important RFCs About DNS Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely +
[RFC1535] A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.
-[RFC1536] Common DNS Implementation +
[RFC1536] Common DNS Implementation Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS +
[RFC4074] Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using +
[RFC2168] Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the +
[RFC1876] A Means for Expressing Location Information in the Domain Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the +
[RFC2052] A DNS RR for Specifying the Location of Services.. October 1996.
-[RFC2163] Using the Internet DNS to +
[RFC2163] Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names +
[RFC1101] DNS Encoding of Network Names and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and +
[RFC1123] Requirements for Internet Hosts - Application and Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide.. November 1987.
-[RFC1912] Common DNS Operational and +
[RFC1912] Common DNS Operational and Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names, +
[RFC2825] A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.
-@@ -487,47 +487,47 @@[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
-[RFC1464] Using the Domain Name System To Store Arbitrary String +
[RFC1464] Using the Domain Name System To Store Arbitrary String Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via +
[RFC3258] Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
@@ -541,39 +541,39 @@Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical +
[RFC1712] DNS Encoding of Geographical Location. November 1994.
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC) +
[RFC3008] Domain Name System Security (DNSSEC) Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record +
[RFC3757] Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.
-@@ -594,14 +594,14 @@[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
-diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 2387f0cd33..e1b54ef630 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -92,34 +92,34 @@DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
Dynamic Update Incremental Zone Transfers (IXFR) -Split DNS -+ Split DNS +TSIG - -
- Generate Shared Keys for Each Pair of Hosts
-- Copying the Shared Secret to Both Machines
-- Informing the Servers of the Key's Existence
-- Instructing the Server to Use the Key
-- TSIG Key Based Access Control
-- Errors
+- Generate Shared Keys for Each Pair of Hosts
+- Copying the Shared Secret to Both Machines
+- Informing the Servers of the Key's Existence
+- Instructing the Server to Use the Key
+- TSIG Key Based Access Control
+- Errors
TKEY -SIG(0) +TKEY +SIG(0) DNSSEC - IPv6 Support in BIND 9 +IPv6 Support in BIND 9 5. The BIND 9 Lightweight Resolver 6. BIND 9 Configuration Reference @@ -127,55 +127,55 @@Configuration File Elements Configuration File Grammar - -
- acl Statement Grammar
+- acl Statement Grammar
- acl Statement Definition and Usage
-- controls Statement Grammar
+- controls Statement Grammar
- controls Statement Definition and Usage
-- include Statement Grammar
-- include Statement Definition and +
- include Statement Grammar
+- include Statement Definition and Usage
-- key Statement Grammar
-- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and +
- key Statement Grammar
+- key Statement Definition and Usage
+- logging Statement Grammar
+- logging Statement Definition and Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and +
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and Usage
- server Statement Grammar
- server Statement Definition and Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and +
- statistics-channels Statement Definition and Usage
-- trusted-keys Statement Grammar
-- trusted-keys Statement Definition +
- trusted-keys Statement Grammar
+- trusted-keys Statement Definition and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File +Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics @@ -184,31 +184,31 @@7. BIND 9 Security Considerations 8. Troubleshooting A. Appendices I. Manual pages diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 3b8b3ec25b..c689b3b68c 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@
ddns-confgen[-a] [algorithm-h] [-k] [keyname-r] [randomfile-s name | -z zone] [-q] [name]-diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 54c6691f62..961452c317 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@DESCRIPTION
+DESCRIPTION
ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -75,7 +75,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@
-OPTIONS
+OPTIONS
The
-boption sets the source IP address of the query toaddress. This must be a valid @@ -248,7 +248,7 @@-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index d442f3c4f0..26e78ec944 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@
dnssec-dsfromkey{-s} [-v] [level-1] [-2] [-a] [alg-c] [class-d] {dnsname}dir-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-OPTIONS
+OPTIONS
- -1
@@ -79,6 +79,12 @@
- +
Sets the debugging level.
- -l
+domain+ Generate a DLV set instead of a DS set. The specified +
domainis appended to the name for each + record in the set. +- -s
Keyset mode: in place of the keyfile name, the argument is @@ -99,7 +105,7 @@
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -128,13 +134,13 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 630a2798f4..3c653d2007 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -143,7 +149,7 @@
dnssec-keyfromlabel{-aalgorithm} {-llabel} [-c] [class-f] [flag-k] [-n] [nametype-p] [protocol-t] [type-v] {name}level-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -172,7 +172,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 260d0f4f22..bba170e055 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -47,10 +47,10 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -182,7 +182,7 @@
Synopsis
-+
dnssec-keygen{-aalgorithm} {-bkeysize} {-nnametype} [-c] [class-e] [-f] [flag-g] [generator-h] [-k] [-p] [protocol-r] [randomdev-s] [strength-t] [type-v] {name}level
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-c] [class-e] [-f] [flag-g] [generator-h] [-k] [-p] [protocol-r] [randomdev-s] [strength-t] [type-v] {name}level-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@
-OPTIONS
+OPTIONS
- -a
algorithm- @@ -66,7 +66,8 @@ Selects the cryptographic algorithm. The value of
algorithmmust be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5. - These values are case insensitive. + These values are case insensitive. The default is RSASHA1 for + DNSSEC key generation.Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement @@ -78,15 +79,20 @@
- -b
-keysize+
- +
+ + When generating a DNSSEC key with the default algorithm, this + value defaults to 1024, or 2048 if the KSK flag is set. +Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be - between - 512 and 2048 bits. Diffie Hellman keys must be between + between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be between 1 and 512 bits. -
+
+- -n
nametypeSpecifies the owner type of the key. The value of @@ -109,7 +115,7 @@
- -f
flagSet the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. + The only recognized flag is KSK (Key Signing Key) DNSKEY.
- -g
generator@@ -166,7 +172,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -233,7 +239,7 @@-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 4c6aa9685a..9852237e30 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -242,7 +248,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-e] [end-time-f] [output-file-g] [-h] [-k] [key-l] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-p] [-P] [-r] [randomdev-s] [start-time-t] [-v] [level-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index c9573bd9ba..b716e4a19d 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -318,14 +318,14 @@ db.example.com.signed %
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 93866c6077..2c05d0a0da 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file.
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 8348504f7a..832cc92bfb 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-i] [mode-k] [mode-m] [mode-n] [mode-o] [filename-s] [style-t] [directory-w] [directory-D] [-W] {zonename} {filename}mode-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 83dfc2e6b5..25417369d5 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named[-4] [-6] [-c] [config-file-d] [debug-level-f] [-g] [-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@
-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index d6cced99be..f17ac60c0e 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -276,7 +276,7 @@
nsupdate[-d] [-D] [[-g] | [-o] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -205,7 +205,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 521d8c62e2..1b98ab2794 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@
rndc-confgen[-a] [-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 6af58040c9..79c1dbd5e3 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 4bdbc997e6..6c9812b341 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -219,7 +219,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-V] [-y] {command}key_id