diff --git a/CHANGES b/CHANGES index 7a28800429..7c02d40f4c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,47 @@ +4257. [cleanup] Python scripts reported incorrect version. [RT #41080] + +4256. [bug] Allow rndc command arguments to be quoted so as + to allow spaces. [RT #36665] + +4255. [func] Add 'message-compression' option to disable DNS + compression in responses. [RT #40726] + +4254. [bug] Address missing lock when getting zone's serial. + [RT #41072] + +4253. [bug] Address fetch context reference count handling error + on socket error. [RT#40945] + +4252. [func] Add support for automating the generation CDS and + CDNSKEY rrsets to named and dnssec-signzone. + [RT #40424] + +4251. [bug] NTAs were deleted when the server was reconfigured + or reloaded. [RT #41058] + +4250. [func] Log the TSIG key in use during inbound zone + transfers. [RT #41075] + +4249. [func] Improve error reporting of TSIG / SIG(0) records in + the wrong location. [RT #41030] + +4248. [func] Add an isc_atomic_storeq() function, use it in + stats counters to improve performance. + [RT #39972] [RT #39979] + +4247. [port] Require both HAVE_JSON and JSON_C_VERSION to be + defined to report json library version. [RT #41045] + +4246. [test] Ensure the statschannel system test runs when BIND + is not built with libjson. [RT #40944] + +4245. [placeholder] + +4244. [bug] The parser was not reporting that use-ixfr is obsolete. + [RT #41010] + +4243. [func] Improved stats reporting from Timothe Litt. [RT #38941] + 4242. [bug] Replace the client if not already replaced when prefetching. [RT #41001] diff --git a/Makefile.in b/Makefile.in index e6d2699df0..b5a0b2ad62 100644 --- a/Makefile.in +++ b/Makefile.in @@ -19,7 +19,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_VERSION@ +VERSION=@BIND9_VERSION@ SUBDIRS = make unit lib bin doc TARGETS = diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in index b88be3cb85..5db667186d 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -19,7 +19,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_VERSION@ +VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in index 409dffd1c6..176ce54af7 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -18,7 +18,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_VERSION@ +VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in index 7569bd7fe4..5a59cf5392 100644 --- a/bin/delv/Makefile.in +++ b/bin/delv/Makefile.in @@ -16,7 +16,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_VERSION@ +VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in index 730f1b57ef..b5f2344931 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -19,7 +19,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_VERSION@ +VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index 4f1bf9095d..4409100fbe 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -19,7 +19,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_VERSION@ +VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook index 1237c362d0..85cec76882 100644 --- a/bin/dnssec/dnssec-dsfromkey.docbook +++ b/bin/dnssec/dnssec-dsfromkey.docbook @@ -96,85 +96,85 @@ - -1 - - - Use SHA-1 as the digest algorithm (the default is to use - both SHA-1 and SHA-256). - - + -1 + + + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). + + - -2 - - - Use SHA-256 as the digest algorithm. - - + -2 + + + Use SHA-256 as the digest algorithm. + + - -a algorithm - - - Select the digest algorithm. The value of - must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). - These values are case insensitive. - - + -a algorithm + + + Select the digest algorithm. The value of + must be one of SHA-1 (SHA1), + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. + + - -C - - - Generate CDS records rather than DS records. This is mutually + -C + + + Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records. - - + + - -T TTL - - - Specifies the TTL of the DS records. - + -T TTL + + + Specifies the TTL of the DS records. + - -K directory - - - Look for key files (or, in keyset mode, - keyset- files) in - . - - + -K directory + + + Look for key files (or, in keyset mode, + keyset- files) in + . + + - -f file - - - Zone file mode: in place of the keyfile name, the argument is - the DNS domain name of a zone master file, which can be read - from . If the zone name is the same as - , then it may be omitted. - - - If is set to "-", then - the zone data is read from the standard input. This makes it - possible to use the output of the dig - command as input, as in: - - - dig dnskey example.com | dnssec-dsfromkey -f - example.com - - + -f file + + + Zone file mode: in place of the keyfile name, the argument is + the DNS domain name of a zone master file, which can be read + from . If the zone name is the same as + , then it may be omitted. + + + If is set to "-", then + the zone data is read from the standard input. This makes it + possible to use the output of the dig + command as input, as in: + + + dig dnskey example.com | dnssec-dsfromkey -f - example.com + + @@ -189,64 +189,64 @@ - -l domain - - - Generate a DLV set instead of a DS set. The specified - is appended to the name for each - record in the set. - The DNSSEC Lookaside Validation (DLV) RR is described - in RFC 4431. This is mutually exclusive with generating + -l domain + + + Generate a DLV set instead of a DS set. The specified + is appended to the name for each + record in the set. + The DNSSEC Lookaside Validation (DLV) RR is described + in RFC 4431. This is mutually exclusive with generating CDS records. - - + + - -s - - - Keyset mode: in place of the keyfile name, the argument is - the DNS domain name of a keyset file. - - + -s + + + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. + + - -c class - - - Specifies the DNS class (default is IN). Useful only - in keyset or zone file mode. - + -c class + + + Specifies the DNS class (default is IN). Useful only + in keyset or zone file mode. + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + - -h - - - Prints usage information. - - + -h + + + Prints usage information. + + - -V - - - Prints version information. - - + -V + + + Prints version information. + + @@ -292,10 +292,10 @@ SEE ALSO - dnssec-keygen8 + dnssec-keygen8 , - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 3658, diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html index 269ab16cde..207527d043 100644 --- a/bin/dnssec/dnssec-dsfromkey.html +++ b/bin/dnssec/dnssec-dsfromkey.html @@ -43,52 +43,52 @@
-1

- Use SHA-1 as the digest algorithm (the default is to use - both SHA-1 and SHA-256). -

+ Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). +

-2

- Use SHA-256 as the digest algorithm. -

+ Use SHA-256 as the digest algorithm. +

-a algorithm

- Select the digest algorithm. The value of - algorithm must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). - These values are case insensitive. -

+ Select the digest algorithm. The value of + algorithm must be one of SHA-1 (SHA1), + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. +

-C

- Generate CDS records rather than DS records. This is mutually + Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records. -

+

-T TTL

- Specifies the TTL of the DS records. -

+ Specifies the TTL of the DS records. +

-K directory

- Look for key files (or, in keyset mode, - keyset- files) in - directory. -

+ Look for key files (or, in keyset mode, + keyset- files) in + directory. +

-f file

- Zone file mode: in place of the keyfile name, the argument is - the DNS domain name of a zone master file, which can be read - from file. If the zone name is the same as - file, then it may be omitted. -

+ Zone file mode: in place of the keyfile name, the argument is + the DNS domain name of a zone master file, which can be read + from file. If the zone name is the same as + file, then it may be omitted. +

- If file is set to "-", then - the zone data is read from the standard input. This makes it - possible to use the output of the dig - command as input, as in: -

+ If file is set to "-", then + the zone data is read from the standard input. This makes it + possible to use the output of the dig + command as input, as in: +

- dig dnskey example.com | dnssec-dsfromkey -f - example.com -

+ dig dnskey example.com | dnssec-dsfromkey -f - example.com +

-A

@@ -98,35 +98,35 @@

-l domain

- Generate a DLV set instead of a DS set. The specified - domain is appended to the name for each - record in the set. - The DNSSEC Lookaside Validation (DLV) RR is described - in RFC 4431. This is mutually exclusive with generating + Generate a DLV set instead of a DS set. The specified + domain is appended to the name for each + record in the set. + The DNSSEC Lookaside Validation (DLV) RR is described + in RFC 4431. This is mutually exclusive with generating CDS records. -

+

-s

- Keyset mode: in place of the keyfile name, the argument is - the DNS domain name of a keyset file. -

+ Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. +

-c class

- Specifies the DNS class (default is IN). Useful only - in keyset or zone file mode. -

+ Specifies the DNS class (default is IN). Useful only + in keyset or zone file mode. +

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-h

- Prints usage information. -

+ Prints usage information. +

-V

- Prints version information. -

+ Prints version information. +

diff --git a/bin/dnssec/dnssec-importkey.8 b/bin/dnssec/dnssec-importkey.8 index 2d1d0b7188..3940077200 100644 --- a/bin/dnssec/dnssec-importkey.8 +++ b/bin/dnssec/dnssec-importkey.8 @@ -18,12 +18,12 @@ .\" Title: dnssec-importkey .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-20 +.\" Date: August 21, 2015 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-IMPORTKEY" "8" "2014\-02\-20" "ISC" "BIND9" +.TH "DNSSEC\-IMPORTKEY" "8" "August 21, 2015" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,9 +47,9 @@ dnssec-importkey \- Import DNSKEY records from external systems so they can be managed\&. .SH "SYNOPSIS" .HP \w'\fBdnssec\-importkey\fR\ 'u -\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR} +\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR} .HP \w'\fBdnssec\-importkey\fR\ 'u -\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR] +\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR] .SH "DESCRIPTION" .PP \fBdnssec\-importkey\fR @@ -109,10 +109,20 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&. +.RE +.PP \-D \fIdate/offset\fR .RS 4 Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE +.PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&. +.RE .SH "FILES" .PP A keyfile can be designed by the key identification diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index 9012ef3f94..b2ea6e1907 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -68,6 +68,9 @@ static isc_boolean_t setpub = ISC_FALSE, setdel = ISC_FALSE; static isc_boolean_t setttl = ISC_FALSE; static isc_stdtime_t pub = 0, del = 0; static dns_ttl_t ttl = 0; +static isc_stdtime_t syncadd = 0, syncdel = 0; +static isc_boolean_t setsyncadd = ISC_FALSE; +static isc_boolean_t setsyncdel = ISC_FALSE; static isc_result_t initname(char *setname) { @@ -236,6 +239,11 @@ emit(const char *dir, dns_rdata_t *rdata) { dst_key_settime(key, DST_TIME_PUBLISH, pub); if (setdel) dst_key_settime(key, DST_TIME_DELETE, del); + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd); + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel); + if (setttl) dst_key_setttl(key, ttl); @@ -278,8 +286,12 @@ usage(void) { fprintf(stderr, "Timing options:\n"); fprintf(stderr, " -P date/[+-]offset/none: set/unset key " "publication date\n"); + fprintf(stderr, " -P sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY publication date\n"); fprintf(stderr, " -D date/[+-]offset/none: set/unset key " "deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY deletion date\n"); exit (-1); } @@ -318,6 +330,18 @@ main(int argc, char **argv) { while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncdel) + fatal("-D sync specified more than " + "once"); + + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + break; + } + /* -Ddnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setdel) fatal("-D specified more than once"); @@ -334,6 +358,18 @@ main(int argc, char **argv) { setttl = ISC_TRUE; break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncadd) + fatal("-P sync specified more than " + "once"); + + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + break; + } + /* -Pdnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setpub) fatal("-P specified more than once"); diff --git a/bin/dnssec/dnssec-importkey.docbook b/bin/dnssec/dnssec-importkey.docbook index 098b660c00..9dd57e59b1 100644 --- a/bin/dnssec/dnssec-importkey.docbook +++ b/bin/dnssec/dnssec-importkey.docbook @@ -20,6 +20,7 @@ 2014-02-20 + August 21, 2015 ISC Internet Systems Consortium, Inc. @@ -50,7 +51,9 @@ + + @@ -62,7 +65,9 @@ + + @@ -97,68 +102,68 @@ -f filename - - - Zone file mode: instead of a public keyfile name, the argument + + + Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read - from . If the domain name is the same as - , then it may be omitted. - - - If is set to "-", then - the zone data is read from the standard input. - - + from . If the domain name is the same as + , then it may be omitted. + + + If is set to "-", then + the zone data is read from the standard input. + + - -K directory - - - Sets the directory in which the key files are to reside. - - + -K directory + + + Sets the directory in which the key files are to reside. + + - -L ttl - - - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. - - + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. + + -h - + Emit usage message and exit. - + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + -V - + Prints version information. - + @@ -180,25 +185,45 @@ - -P date/offset - - - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. - - + -P date/offset + + + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. + + - -D date/offset - - - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) - - + -P sync date/offset + + + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. + + + + + + -D date/offset + + + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + + + + + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records that match + this key are to be deleted. + + @@ -217,10 +242,10 @@ SEE ALSO - dnssec-keygen8 + dnssec-keygen8 , - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 5011. diff --git a/bin/dnssec/dnssec-importkey.html b/bin/dnssec/dnssec-importkey.html index 5417a5415b..6f1d657ffc 100644 --- a/bin/dnssec/dnssec-importkey.html +++ b/bin/dnssec/dnssec-importkey.html @@ -28,8 +28,8 @@

Synopsis

-

dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] {keyfile}

-

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

+

dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] {keyfile}

+

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

DESCRIPTION

@@ -57,37 +57,37 @@
-f filename

- Zone file mode: instead of a public keyfile name, the argument + Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read - from file. If the domain name is the same as - file, then it may be omitted. -

+ from file. If the domain name is the same as + file, then it may be omitted. +

- If file is set to "-", then - the zone data is read from the standard input. -

+ If file is set to "-", then + the zone data is read from the standard input. +

-K directory

- Sets the directory in which the key files are to reside. -

+ Sets the directory in which the key files are to reside. +

-L ttl

- Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. -

+ Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. +

-h

Emit usage message and exit.

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-V

Prints version information. @@ -110,16 +110,26 @@

-P date/offset

- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. -

+ Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. +

+
-P sync date/offset
+

+ Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

-D date/offset

- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

+ Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records that match + this key are to be deleted. +

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index 8822519e11..90aaaf78e3 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -18,12 +18,12 @@ .\" Title: dnssec-keyfromlabel .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-27 +.\" Date: August 27, 2015 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-KEYFROMLABEL" "8" "2014\-02\-27" "ISC" "BIND9" +.TH "DNSSEC\-KEYFROMLABEL" "8" "August 27, 2015" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,7 +47,7 @@ dnssec-keyfromlabel \- DNSSEC key generation tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-keyfromlabel\fR\ 'u -\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name} +\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name} .SH "DESCRIPTION" .PP \fBdnssec\-keyfromlabel\fR @@ -201,6 +201,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone\&. +.RE +.PP \-A \fIdate/offset\fR .RS 4 Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. @@ -221,6 +226,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE .PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted\&. +.RE +.PP \-i \fIinterval\fR .RS 4 Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&. diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 47ff822a10..8bf85271e5 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -104,10 +104,14 @@ usage(void) { fprintf(stderr, " -V: print version information\n"); fprintf(stderr, "Date options:\n"); fprintf(stderr, " -P date/[+-]offset: set key publication date\n"); + fprintf(stderr, " -P sync date/[+-]offset: set CDS and CDNSKEY " + "publication date\n"); fprintf(stderr, " -A date/[+-]offset: set key activation date\n"); fprintf(stderr, " -R date/[+-]offset: set key revocation date\n"); fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n"); fprintf(stderr, " -D date/[+-]offset: set key deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset: set CDS and CDNSKEY " + "deletion date\n"); fprintf(stderr, " -G: generate key only; do not set -P or -A\n"); fprintf(stderr, " -C: generate a backward-compatible key, omitting" " all dates\n"); @@ -171,6 +175,9 @@ main(int argc, char **argv) { isc_boolean_t avoid_collisions = ISC_TRUE; isc_boolean_t exact; unsigned char c; + isc_stdtime_t syncadd = 0, syncdel = 0; + isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE; + isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE; if (argc == 1) usage(); @@ -255,6 +262,19 @@ main(int argc, char **argv) { genonly = ISC_TRUE; break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncadd || setsyncadd) + fatal("-P sync specified more than " + "once"); + + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + unsetsyncadd = !setsyncadd; + break; + } + /* -Pdnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setpub || unsetpub) fatal("-P specified more than once"); @@ -287,6 +307,19 @@ main(int argc, char **argv) { unsetinact = !setinact; break; case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncdel || setsyncdel) + fatal("-D sync specified more than " + "once"); + + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + unsetsyncdel = !setsyncdel; + break; + } + /* -Ddnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setdel || unsetdel) fatal("-D specified more than once"); @@ -621,10 +654,16 @@ main(int argc, char **argv) { if (setdel) dst_key_settime(key, DST_TIME_DELETE, delete); + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd); + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel); + } else { if (setpub || setact || setrev || setinact || setdel || unsetpub || unsetact || - unsetrev || unsetinact || unsetdel || genonly) + unsetrev || unsetinact || unsetdel || genonly || + setsyncadd || setsyncdel) fatal("cannot use -C together with " "-P, -A, -R, -I, -D, or -G options"); /* diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index b05b322330..353e1a894b 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -20,6 +20,7 @@ 2014-02-27 + August 27, 2015 ISC Internet Systems Consortium, Inc. @@ -57,6 +58,7 @@ + @@ -67,6 +69,7 @@ + @@ -100,113 +103,113 @@ - -a algorithm - + -a algorithm + Selects the cryptographic algorithm. The value of - must be one of RSAMD5, RSASHA1, + must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. - - If no algorithm is specified, then RSASHA1 will be used by - default, unless the option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) - - - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. - - - Note 2: DH automatically sets the -k flag. - - + + If no algorithm is specified, then RSASHA1 will be used by + default, unless the option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) + + + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. + + + Note 2: DH automatically sets the -k flag. + + - -3 - - + -3 + + Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. - - + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. + + - -E engine - - - Specifies the cryptographic hardware to use. - - - When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". - - + -E engine + + + Specifies the cryptographic hardware to use. + + + When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". + + - -l label - - - Specifies the label for a key pair in the crypto hardware. - - - When BIND 9 is built with OpenSSL-based - PKCS#11 support, the label is an arbitrary string that - identifies a particular key. It may be preceded by an - optional OpenSSL engine name, followed by a colon, as in - "pkcs11:keylabel". - - - When BIND 9 is built with native PKCS#11 - support, the label is a PKCS#11 URI string in the format - "pkcs11:=value;=value;..." - Keywords include "token", which identifies the HSM; "object", which - identifies the key; and "pin-source", which identifies a file from - which the HSM's PIN code can be obtained. The label will be - stored in the on-disk "private" file. - - - If the label contains a - field, tools using the generated - key files will be able to use the HSM for signing and other - operations without any need for an operator to manually enter - a PIN. Note: Making the HSM's PIN accessible in this manner - may reduce the security advantage of using an HSM; be sure - this is what you want to do before making use of this feature. - - + -l label + + + Specifies the label for a key pair in the crypto hardware. + + + When BIND 9 is built with OpenSSL-based + PKCS#11 support, the label is an arbitrary string that + identifies a particular key. It may be preceded by an + optional OpenSSL engine name, followed by a colon, as in + "pkcs11:keylabel". + + + When BIND 9 is built with native PKCS#11 + support, the label is a PKCS#11 URI string in the format + "pkcs11:=value;=value;..." + Keywords include "token", which identifies the HSM; "object", which + identifies the key; and "pin-source", which identifies a file from + which the HSM's PIN code can be obtained. The label will be + stored in the on-disk "private" file. + + + If the label contains a + field, tools using the generated + key files will be able to use the HSM for signing and other + operations without any need for an operator to manually enter + a PIN. Note: Making the HSM's PIN accessible in this manner + may reduce the security advantage of using an HSM; be sure + this is what you want to do before making use of this feature. + + - -n nametype - - - Specifies the owner type of the key. The value of - must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. - - + -n nametype + + + Specifies the owner type of the key. The value of + must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. + + - -C - - + -C + + Compatibility mode: generates an old-style key, without any metadata. By default, dnssec-keyfromlabel will include the key's creation date in the metadata stored @@ -214,150 +217,150 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the option suppresses them. - - + + - -c class - - - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - - + -c class + + + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + + - -f flag - - - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. - - + -f flag + + + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. + + - -G - - - Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. - - + -G + + + Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. + + - -h - - - Prints a short summary of the options and arguments to - dnssec-keyfromlabel. - - + -h + + + Prints a short summary of the options and arguments to + dnssec-keyfromlabel. + + - -K directory - - - Sets the directory in which the key files are to be written. - - + -K directory + + + Sets the directory in which the key files are to be written. + + - -k - - - Generate KEY records rather than DNSKEY records. - - + -k + + + Generate KEY records rather than DNSKEY records. + + - -L ttl - - - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. - - + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. + + - -p protocol - - - Sets the protocol value for the key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - - + -p protocol + + + Sets the protocol value for the key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + + - -S key - - - Generate a key as an explicit successor to an existing key. + -S key + + + Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. - - + + - -t type - - - Indicates the use of the key. must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - - + -t type + + + Indicates the use of the key. must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + -V - + Prints version information. - + - -y - - - Allows DNSSEC key files to be generated even if the key ID + -y + + + Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you - are sure you won't be using RFC 5011 trust anchor maintenance - with either of the keys involved.) - - + are sure you won't be using RFC 5011 trust anchor maintenance + with either of the keys involved.) + + @@ -380,60 +383,80 @@ - -P date/offset - - - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". - - + -P date/offset + + + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". + + - -A date/offset - - - Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". - - + -P sync date/offset + + + Sets the date on which the CDS and CDNSKEY records which match + this key are to be published to the zone. + + - -R date/offset - - - Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. - - + -A date/offset + + + Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". + + - -I date/offset - - - Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. - - + -R date/offset + + + Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. + + - -D date/offset - - - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) - - + -I date/offset + + + Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. + + + + + + -D date/offset + + + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + + + + + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records which match + this key are to be deleted. + + @@ -477,18 +500,18 @@ - nnnn is the key name. - + nnnn is the key name. + - aaa is the numeric representation - of the algorithm. - + aaa is the numeric representation + of the algorithm. + - iiiii is the key identifier (or - footprint). - + iiiii is the key identifier (or + footprint). + dnssec-keyfromlabel @@ -515,10 +538,10 @@ SEE ALSO - dnssec-keygen8 + dnssec-keygen8 , - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 4034, diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 93037d9bf1..df6acbf996 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -27,7 +27,7 @@

Synopsis

-

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

+

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

DESCRIPTION

@@ -52,87 +52,87 @@

Selects the cryptographic algorithm. The value of - algorithm must be one of RSAMD5, RSASHA1, + algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.

- If no algorithm is specified, then RSASHA1 will be used by - default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - -3 is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) -

+ If no algorithm is specified, then RSASHA1 will be used by + default, unless the -3 option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) +

- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. -

+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. +

- Note 2: DH automatically sets the -k flag. -

+ Note 2: DH automatically sets the -k flag. +

-3

Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. -

+ If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. +

-E engine

- Specifies the cryptographic hardware to use. -

+ Specifies the cryptographic hardware to use. +

- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

-l label

- Specifies the label for a key pair in the crypto hardware. -

+ Specifies the label for a key pair in the crypto hardware. +

- When BIND 9 is built with OpenSSL-based - PKCS#11 support, the label is an arbitrary string that - identifies a particular key. It may be preceded by an - optional OpenSSL engine name, followed by a colon, as in - "pkcs11:keylabel". -

+ When BIND 9 is built with OpenSSL-based + PKCS#11 support, the label is an arbitrary string that + identifies a particular key. It may be preceded by an + optional OpenSSL engine name, followed by a colon, as in + "pkcs11:keylabel". +

- When BIND 9 is built with native PKCS#11 - support, the label is a PKCS#11 URI string in the format - "pkcs11:keyword=value[;keyword=value;...]" - Keywords include "token", which identifies the HSM; "object", which - identifies the key; and "pin-source", which identifies a file from - which the HSM's PIN code can be obtained. The label will be - stored in the on-disk "private" file. -

+ When BIND 9 is built with native PKCS#11 + support, the label is a PKCS#11 URI string in the format + "pkcs11:keyword=value[;keyword=value;...]" + Keywords include "token", which identifies the HSM; "object", which + identifies the key; and "pin-source", which identifies a file from + which the HSM's PIN code can be obtained. The label will be + stored in the on-disk "private" file. +

- If the label contains a - pin-source field, tools using the generated - key files will be able to use the HSM for signing and other - operations without any need for an operator to manually enter - a PIN. Note: Making the HSM's PIN accessible in this manner - may reduce the security advantage of using an HSM; be sure - this is what you want to do before making use of this feature. -

+ If the label contains a + pin-source field, tools using the generated + key files will be able to use the HSM for signing and other + operations without any need for an operator to manually enter + a PIN. Note: Making the HSM's PIN accessible in this manner + may reduce the security advantage of using an HSM; be sure + this is what you want to do before making use of this feature. +

-n nametype

- Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. -

+ Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. +

-C

Compatibility mode: generates an old-style key, without @@ -142,84 +142,84 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

-c class

- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

+ Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. +

-f flag

- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+ Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. +

-G

- Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -

+ Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. +

-h

- Prints a short summary of the options and arguments to - dnssec-keyfromlabel. -

+ Prints a short summary of the options and arguments to + dnssec-keyfromlabel. +

-K directory

- Sets the directory in which the key files are to be written. -

+ Sets the directory in which the key files are to be written. +

-k

- Generate KEY records rather than DNSKEY records. -

+ Generate KEY records rather than DNSKEY records. +

-L ttl

- Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. -

+ Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. +

-p protocol

- Sets the protocol value for the key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

+ Sets the protocol value for the key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. +

-S key

- Generate a key as an explicit successor to an existing key. + Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

-t type

- Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

+ Indicates the use of the key. type must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. +

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-V

Prints version information.

-y

- Allows DNSSEC key files to be generated even if the key ID + Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you - are sure you won't be using RFC 5011 trust anchor maintenance - with either of the keys involved.) -

+ are sure you won't be using RFC 5011 trust anchor maintenance + with either of the keys involved.) +

@@ -238,36 +238,46 @@
-P date/offset

- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -

+ Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". +

+
-P sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records which match + this key are to be published to the zone. +

-A date/offset

- Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". -

+ Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". +

-R date/offset

- Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -

+ Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. +

-I date/offset

- Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -

+ Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. +

-D date/offset

- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

+ Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records which match + this key are to be deleted. +

-i interval

@@ -305,13 +315,13 @@

  • nnnn is the key name. -

    • +

  • aaa is the numeric representation - of the algorithm. -

    • + of the algorithm. +

  • iiiii is the key identifier (or - footprint). -

    • + footprint). +

dnssec-keyfromlabel creates two files, with names based diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 8a56cd5d25..55488e99c3 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -19,12 +19,12 @@ .\" Title: dnssec-keygen .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-06 +.\" Date: August 21, 2015 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-KEYGEN" "8" "2014\-02\-06" "ISC" "BIND9" +.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -48,7 +48,7 @@ dnssec-keygen \- DNSSEC key generation tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-keygen\fR\ 'u -\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-z\fR] {name} +\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name} .SH "DESCRIPTION" .PP \fBdnssec\-keygen\fR @@ -228,6 +228,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&. +.RE +.PP \-A \fIdate/offset\fR .RS 4 Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&. @@ -248,6 +253,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE .PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&. +.RE +.PP \-i \fIinterval\fR .RS 4 Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&. diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index ddf5ddebcc..997d606907 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -153,13 +153,18 @@ usage(void) { fprintf(stderr, "Timing options:\n"); fprintf(stderr, " -P date/[+-]offset/none: set key publication date " "(default: now)\n"); + fprintf(stderr, " -P sync date/[+-]offset/none: set CDS and CDNSKEY " + "publication date\n"); fprintf(stderr, " -A date/[+-]offset/none: set key activation date " "(default: now)\n"); fprintf(stderr, " -R date/[+-]offset/none: set key " - "revocation date\n"); + "revocation date\n"); fprintf(stderr, " -I date/[+-]offset/none: set key " - "inactivation date\n"); + "inactivation date\n"); fprintf(stderr, " -D date/[+-]offset/none: set key deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset/none: set CDS and CDNSKEY " + "deletion date\n"); + fprintf(stderr, " -G: generate key only; do not set -P or -A\n"); fprintf(stderr, " -C: generate a backward-compatible key, omitting " "all dates\n"); @@ -254,6 +259,9 @@ main(int argc, char **argv) { isc_boolean_t quiet = ISC_FALSE; isc_boolean_t show_progress = ISC_FALSE; unsigned char c; + isc_stdtime_t syncadd = 0, syncdel = 0; + isc_boolean_t setsyncadd = ISC_FALSE; + isc_boolean_t setsyncdel = ISC_FALSE; if (argc == 1) usage(); @@ -409,6 +417,17 @@ main(int argc, char **argv) { genonly = ISC_TRUE; break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncadd) + fatal("-P sync specified more than " + "once"); + + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + break; + } + (void)isoptarg("dnskey", argv, usage); if (setpub || unsetpub) fatal("-P specified more than once"); @@ -441,6 +460,17 @@ main(int argc, char **argv) { unsetinact = !setinact; break; case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncdel) + fatal("-D sync specified more than " + "once"); + + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + break; + } + (void)isoptarg("dnskey", argv, usage); if (setdel || unsetdel) fatal("-D specified more than once"); @@ -973,10 +1003,20 @@ main(int argc, char **argv) { program); dst_key_settime(key, DST_TIME_DELETE, delete); } + + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, + syncadd); + + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, + syncdel); + } else { if (setpub || setact || setrev || setinact || setdel || unsetpub || unsetact || - unsetrev || unsetinact || unsetdel || genonly) + unsetrev || unsetinact || unsetdel || genonly || + setsyncadd || setsyncdel) fatal("cannot use -C together with " "-P, -A, -R, -I, -D, or -G options"); /* diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index e5c3e540ac..09d1fa8b23 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -21,6 +21,7 @@ 2014-02-06 + August 21, 2015 ISC Internet Systems Consortium, Inc. @@ -70,6 +71,7 @@ + @@ -78,9 +80,10 @@ - + + @@ -88,8 +91,8 @@ - + name @@ -115,94 +118,94 @@ - -a algorithm - - - Selects the cryptographic algorithm. For DNSSEC keys, the value - of must be one of RSAMD5, RSASHA1, + -a algorithm + + + Selects the cryptographic algorithm. For DNSSEC keys, the value + of must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must - be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, - HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are - case insensitive. - - - If no algorithm is specified, then RSASHA1 will be used by - default, unless the option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) - - - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is + be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, + HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are + case insensitive. + + + If no algorithm is specified, then RSASHA1 will be used by + default, unless the option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) + + + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - - - Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 - automatically set the -T KEY option. - - + + + Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 + automatically set the -T KEY option. + + - -b keysize - - - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be - between 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. Elliptic curve algorithms don't need - this parameter. - - - The key size does not need to be specified if using a default - algorithm. The default key size is 1024 bits for zone signing - keys (ZSKs) and 2048 bits for key signing keys (KSKs, - generated with ). However, if an - algorithm is explicitly specified with the , - then there is no default key size, and the - must be used. - - + -b keysize + + + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be + between 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC keys must be + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. + + + The key size does not need to be specified if using a default + algorithm. The default key size is 1024 bits for zone signing + keys (ZSKs) and 2048 bits for key signing keys (KSKs, + generated with ). However, if an + algorithm is explicitly specified with the , + then there is no default key size, and the + must be used. + + - -n nametype - - - Specifies the owner type of the key. The value of - must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. Defaults to ZONE for DNSKEY + -n nametype + + + Specifies the owner type of the key. The value of + must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. Defaults to ZONE for DNSKEY generation. - - + + - -3 - - + -3 + + Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. - - + + - -C - - + -C + + Compatibility mode: generates an old-style key, without any metadata. By default, dnssec-keygen will include the key's creation date in the metadata stored @@ -210,231 +213,231 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the option suppresses them. - - + + - -c class - - - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - - + -c class + + + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + + - -E engine - - - Specifies the cryptographic hardware to use, when applicable. - - - When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". - - + -E engine + + + Specifies the cryptographic hardware to use, when applicable. + + + When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". + + - -f flag - - - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. - - + -f flag + + + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. + + - -G - - - Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. - - + -G + + + Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. + + - -g generator - - - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. - - + -g generator + + + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + + - -h - - - Prints a short summary of the options and arguments to - dnssec-keygen. - - + -h + + + Prints a short summary of the options and arguments to + dnssec-keygen. + + - -K directory - - - Sets the directory in which the key files are to be written. - - + -K directory + + + Sets the directory in which the key files are to be written. + + - -k - - - Deprecated in favor of -T KEY. - - + -k + + + Deprecated in favor of -T KEY. + + - -L ttl - - - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. If this value is not set and there - is no existing DNSKEY RRset, the TTL will default to the - SOA TTL. Setting the default TTL to 0 - or none is the same as leaving it unset. - - + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. If this value is not set and there + is no existing DNSKEY RRset, the TTL will default to the + SOA TTL. Setting the default TTL to 0 + or none is the same as leaving it unset. + + - -p protocol - - - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - - + -p protocol + + + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + + - -q - - - Quiet mode: Suppresses unnecessary output, including - progress indication. Without this option, when - dnssec-keygen is run interactively - to generate an RSA or DSA key pair, it will print a string - of symbols to stderr indicating the - progress of the key generation. A '.' indicates that a - random number has been found which passed an initial - sieve test; '+' means a number has passed a single - round of the Miller-Rabin primality test; a space - means that the number has passed all the tests and is - a satisfactory key. - - + -q + + + Quiet mode: Suppresses unnecessary output, including + progress indication. Without this option, when + dnssec-keygen is run interactively + to generate an RSA or DSA key pair, it will print a string + of symbols to stderr indicating the + progress of the key generation. A '.' indicates that a + random number has been found which passed an initial + sieve test; '+' means a number has passed a single + round of the Miller-Rabin primality test; a space + means that the number has passed all the tests and is + a satisfactory key. + + - -r randomdev - - - Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. - - + -r randomdev + + + Specifies the source of randomness. If the operating + system does not provide a /dev/random + or equivalent device, the default source of randomness + is keyboard input. randomdev + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + keyboard indicates that keyboard + input should be used. + + - -S key - - - Create a new key which is an explicit successor to an - existing key. The name, algorithm, size, and type of the - key will be set to match the existing key. The activation - date of the new key will be set to the inactivation date of - the existing one. The publication date will be set to the - activation date minus the prepublication interval, which - defaults to 30 days. - - + -S key + + + Create a new key which is an explicit successor to an + existing key. The name, algorithm, size, and type of the + key will be set to match the existing key. The activation + date of the new key will be set to the inactivation date of + the existing one. The publication date will be set to the + activation date minus the prepublication interval, which + defaults to 30 days. + + - -s strength - - - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. - - + -s strength + + + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + + - -T rrtype - - - Specifies the resource record type to use for the key. - must be either DNSKEY or KEY. The - default is DNSKEY when using a DNSSEC algorithm, but it can be - overridden to KEY for use with SIG(0). - - - Using any TSIG algorithm (HMAC-* or DH) forces this option - to KEY. - - + -T rrtype + + + Specifies the resource record type to use for the key. + must be either DNSKEY or KEY. The + default is DNSKEY when using a DNSSEC algorithm, but it can be + overridden to KEY for use with SIG(0). + + + Using any TSIG algorithm (HMAC-* or DH) forces this option + to KEY. + + - -t type - - - Indicates the use of the key. must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - - + -t type + + + Indicates the use of the key. must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + -V - + Prints version information. - + @@ -457,62 +460,82 @@ - -P date/offset - - - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". - - + -P date/offset + + + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". + + - -A date/offset - - - Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". If set, if and -P is not set, then - the publication date will be set to the activation date - minus the prepublication interval. - - + -P sync date/offset + + + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. + + - -R date/offset - - - Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. - - + -A date/offset + + + Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". If set, if and -P is not set, then + the publication date will be set to the activation date + minus the prepublication interval. + + - -I date/offset - - - Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. - - + -R date/offset + + + Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. + + - -D date/offset - - - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) - - + -I date/offset + + + Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. + + + + + + -D date/offset + + + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + + + + + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + + @@ -557,19 +580,19 @@ - nnnn is the key name. - + nnnn is the key name. + - aaa is the numeric representation - of the - algorithm. - + aaa is the numeric representation + of the + algorithm. + - iiiii is the key identifier (or - footprint). - + iiiii is the key identifier (or + footprint). + dnssec-keygen @@ -624,7 +647,7 @@ SEE ALSO - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 2539, diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 2aeda3c217..c39b274697 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -28,7 +28,7 @@

Synopsis

-

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

+

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-k] [-L ttl] [-P date/offset] [-P sync date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-V] [-v level] [-z] {name}

DESCRIPTION

@@ -50,72 +50,72 @@
-a algorithm

- Selects the cryptographic algorithm. For DNSSEC keys, the value - of algorithm must be one of RSAMD5, RSASHA1, + Selects the cryptographic algorithm. For DNSSEC keys, the value + of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must - be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, - HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are - case insensitive. -

+ be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, + HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are + case insensitive. +

- If no algorithm is specified, then RSASHA1 will be used by - default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - -3 is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) -

+ If no algorithm is specified, then RSASHA1 will be used by + default, unless the -3 option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) +

- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. -

+

- Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 - automatically set the -T KEY option. -

+ Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 + automatically set the -T KEY option. +

-b keysize

- Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be - between 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. Elliptic curve algorithms don't need - this parameter. -

+ Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be + between 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC keys must be + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. +

- The key size does not need to be specified if using a default - algorithm. The default key size is 1024 bits for zone signing - keys (ZSKs) and 2048 bits for key signing keys (KSKs, - generated with -f KSK). However, if an - algorithm is explicitly specified with the -a, - then there is no default key size, and the -b - must be used. -

+ The key size does not need to be specified if using a default + algorithm. The default key size is 1024 bits for zone signing + keys (ZSKs) and 2048 bits for key signing keys (KSKs, + generated with -f KSK). However, if an + algorithm is explicitly specified with the -a, + then there is no default key size, and the -b + must be used. +

-n nametype

- Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. Defaults to ZONE for DNSKEY + Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. Defaults to ZONE for DNSKEY generation. -

+

-3

Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. -

+

-C

Compatibility mode: generates an old-style key, without @@ -125,142 +125,142 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

-c class

- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

+ Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. +

-E engine

- Specifies the cryptographic hardware to use, when applicable. -

+ Specifies the cryptographic hardware to use, when applicable. +

- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

-f flag

- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+ Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. +

-G

- Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -

+ Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. +

-g generator

- If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. -

+ If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. +

-h

- Prints a short summary of the options and arguments to - dnssec-keygen. -

+ Prints a short summary of the options and arguments to + dnssec-keygen. +

-K directory

- Sets the directory in which the key files are to be written. -

+ Sets the directory in which the key files are to be written. +

-k

- Deprecated in favor of -T KEY. -

+ Deprecated in favor of -T KEY. +

-L ttl

- Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. If this value is not set and there - is no existing DNSKEY RRset, the TTL will default to the - SOA TTL. Setting the default TTL to 0 - or none is the same as leaving it unset. -

+ Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. If this value is not set and there + is no existing DNSKEY RRset, the TTL will default to the + SOA TTL. Setting the default TTL to 0 + or none is the same as leaving it unset. +

-p protocol

- Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

+ Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. +

-q

- Quiet mode: Suppresses unnecessary output, including - progress indication. Without this option, when - dnssec-keygen is run interactively - to generate an RSA or DSA key pair, it will print a string - of symbols to stderr indicating the - progress of the key generation. A '.' indicates that a - random number has been found which passed an initial - sieve test; '+' means a number has passed a single - round of the Miller-Rabin primality test; a space - means that the number has passed all the tests and is - a satisfactory key. -

+ Quiet mode: Suppresses unnecessary output, including + progress indication. Without this option, when + dnssec-keygen is run interactively + to generate an RSA or DSA key pair, it will print a string + of symbols to stderr indicating the + progress of the key generation. A '.' indicates that a + random number has been found which passed an initial + sieve test; '+' means a number has passed a single + round of the Miller-Rabin primality test; a space + means that the number has passed all the tests and is + a satisfactory key. +

-r randomdev

- Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

+ Specifies the source of randomness. If the operating + system does not provide a /dev/random + or equivalent device, the default source of randomness + is keyboard input. randomdev + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + keyboard indicates that keyboard + input should be used. +

-S key

- Create a new key which is an explicit successor to an - existing key. The name, algorithm, size, and type of the - key will be set to match the existing key. The activation - date of the new key will be set to the inactivation date of - the existing one. The publication date will be set to the - activation date minus the prepublication interval, which - defaults to 30 days. -

+ Create a new key which is an explicit successor to an + existing key. The name, algorithm, size, and type of the + key will be set to match the existing key. The activation + date of the new key will be set to the inactivation date of + the existing one. The publication date will be set to the + activation date minus the prepublication interval, which + defaults to 30 days. +

-s strength

- Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. -

+ Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. +

-T rrtype

- Specifies the resource record type to use for the key. - rrtype must be either DNSKEY or KEY. The - default is DNSKEY when using a DNSSEC algorithm, but it can be - overridden to KEY for use with SIG(0). -

+ Specifies the resource record type to use for the key. + rrtype must be either DNSKEY or KEY. The + default is DNSKEY when using a DNSSEC algorithm, but it can be + overridden to KEY for use with SIG(0). +

-

+

- Using any TSIG algorithm (HMAC-* or DH) forces this option - to KEY. -

+ Using any TSIG algorithm (HMAC-* or DH) forces this option + to KEY. +

-t type

- Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

+ Indicates the use of the key. type must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. +

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-V

Prints version information. @@ -283,38 +283,48 @@

-P date/offset

- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -

+ Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". +

+
-P sync date/offset
+

+ Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

-A date/offset

- Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". If set, if and -P is not set, then - the publication date will be set to the activation date - minus the prepublication interval. -

+ Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". If set, if and -P is not set, then + the publication date will be set to the activation date + minus the prepublication interval. +

-R date/offset

- Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -

+ Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. +

-I date/offset

- Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -

+ Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. +

-D date/offset

- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

+ Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. +

-i interval

@@ -352,14 +362,14 @@

  • nnnn is the key name. -

    • +

  • aaa is the numeric representation - of the - algorithm. -

    • + of the + algorithm. +

  • iiiii is the key identifier (or - footprint). -

    • + footprint). +

dnssec-keygen creates two files, with names based diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8 index af1cfd9d76..599eca4776 100644 --- a/bin/dnssec/dnssec-settime.8 +++ b/bin/dnssec/dnssec-settime.8 @@ -18,12 +18,12 @@ .\" Title: dnssec-settime .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-06 +.\" Date: 2015-08-21 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-SETTIME" "8" "2014\-02\-06" "ISC" "BIND9" +.TH "DNSSEC\-SETTIME" "8" "2015\-08\-21" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,7 +47,7 @@ dnssec-settime \- Set the key timing metadata for a DNSSEC key .SH "SYNOPSIS" .HP \w'\fBdnssec\-settime\fR\ 'u -\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile} +\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile} .SH "DESCRIPTION" .PP \fBdnssec\-settime\fR @@ -121,6 +121,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&. +.RE +.PP \-A \fIdate/offset\fR .RS 4 Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. @@ -141,6 +146,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE .PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&. +.RE +.PP \-S \fIpredecessor key\fR .RS 4 Select a key for which the key being modified will be an explicit successor\&. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified\&. The activation date of the successor key will be set to the inactivation date of the predecessor\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&. @@ -164,23 +174,27 @@ can also be used to print the timing metadata associated with a key\&. Print times in UNIX epoch format\&. .RE .PP -\-p \fIC/P/A/R/I/D/all\fR +\-p \fIC/P/Psync/A/R/I/D/Dsync/all\fR .RS 4 Print a specific metadata value or set of metadata values\&. The \fB\-p\fR -option may be followed by one or more of the following letters to indicate which value or values to print: +option may be followed by one or more of the following letters or strings to indicate which value or values to print: \fBC\fR for the creation date, \fBP\fR for the publication date, +\fBPsync\fR +for the CDS and CDNSKEY publication date, \fBA\fR for the activation date, \fBR\fR for the revocation date, \fBI\fR -for the inactivation date, or +for the inactivation date, \fBD\fR -for the deletion date\&. To print all of the metadata, use +for the deletion date, and +\fBDsync\fR +for the CDS and CDNSKEY deletion date To print all of the metadata, use \fB\-p all\fR\&. .RE .SH "SEE ALSO" diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 8d784a624b..c5bd3ae6a7 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -78,6 +78,8 @@ usage(void) { fprintf(stderr, "Timing options:\n"); fprintf(stderr, " -P date/[+-]offset/none: set/unset key " "publication date\n"); + fprintf(stderr, " -P sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY publication date\n"); fprintf(stderr, " -A date/[+-]offset/none: set/unset key " "activation date\n"); fprintf(stderr, " -R date/[+-]offset/none: set/unset key " @@ -86,9 +88,11 @@ usage(void) { "inactivation date\n"); fprintf(stderr, " -D date/[+-]offset/none: set/unset key " "deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY deletion date\n"); fprintf(stderr, "Printing options:\n"); - fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time " - "value or values\n"); + fprintf(stderr, " -p C/P/Psync/A/R/I/D/Dsync/all: print a " + "particular time value or values\n"); fprintf(stderr, " -u: print times in unix epoch " "format\n"); fprintf(stderr, "Output:\n"); @@ -161,6 +165,10 @@ main(int argc, char **argv) { isc_boolean_t epoch = ISC_FALSE; isc_boolean_t changed = ISC_FALSE; isc_log_t *log = NULL; + isc_stdtime_t syncadd = 0, syncdel = 0; + isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE; + isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE; + isc_boolean_t printsyncadd = ISC_FALSE, printsyncdel = ISC_FALSE; if (argc == 1) usage(); @@ -198,6 +206,8 @@ main(int argc, char **argv) { printrev = ISC_TRUE; printinact = ISC_TRUE; printdel = ISC_TRUE; + printsyncadd = ISC_TRUE; + printsyncdel = ISC_TRUE; break; } @@ -207,6 +217,11 @@ main(int argc, char **argv) { printcreate = ISC_TRUE; break; case 'P': + if (!strncmp(p, "sync", 3)) { + p += 3; + printsyncadd = ISC_TRUE; + break; + } printpub = ISC_TRUE; break; case 'A': @@ -219,6 +234,11 @@ main(int argc, char **argv) { printinact = ISC_TRUE; break; case 'D': + if (!strncmp(p, "sync", 3)) { + p += 3; + printsyncdel = ISC_TRUE; + break; + } printdel = ISC_TRUE; break; case ' ': @@ -254,6 +274,19 @@ main(int argc, char **argv) { fatal("-v must be followed by a number"); break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncadd || setsyncadd) + fatal("-P sync specified more than " + "once"); + + changed = ISC_TRUE; + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + unsetsyncadd = !setsyncadd; + break; + } + (void)isoptarg("dnskey", argv, usage); if (setpub || unsetpub) fatal("-P specified more than once"); @@ -290,6 +323,20 @@ main(int argc, char **argv) { unsetinact = !setinact; break; case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncdel || setsyncdel) + fatal("-D sync specified more than " + "once"); + + changed = ISC_TRUE; + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + unsetsyncdel = !setsyncdel; + break; + } + /* -Ddnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setdel || unsetdel) fatal("-D specified more than once"); @@ -533,6 +580,16 @@ main(int argc, char **argv) { else if (unsetdel) dst_key_unsettime(key, DST_TIME_DELETE); + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd); + else if (unsetsyncadd) + dst_key_unsettime(key, DST_TIME_SYNCPUBLISH); + + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel); + else if (unsetsyncdel) + dst_key_unsettime(key, DST_TIME_SYNCDELETE); + if (setttl) dst_key_setttl(key, ttl); @@ -570,6 +627,14 @@ main(int argc, char **argv) { if (printdel) printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout); + if (printsyncadd) + printtime(key, DST_TIME_SYNCPUBLISH, "SYNC Publish", + epoch, stdout); + + if (printsyncdel) + printtime(key, DST_TIME_SYNCDELETE, "SYNC Delete", + epoch, stdout); + if (changed) { isc_buffer_init(&buf, newname, sizeof(newname)); result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook index 4c5aebb146..a77d801eea 100644 --- a/bin/dnssec/dnssec-settime.docbook +++ b/bin/dnssec/dnssec-settime.docbook @@ -17,7 +17,7 @@ - 2014-02-06 + 2015-08-21 ISC @@ -53,10 +53,13 @@ + - + + + @@ -97,10 +100,10 @@ - -f + -f - - Force an update of an old-format key with no metadata fields. + + Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the @@ -108,7 +111,7 @@ set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time. - + @@ -138,20 +141,20 @@ - -h + -h - - Emit usage message and exit. - + + Emit usage message and exit. + - -V + -V - - Prints version information. - + + Prints version information. + @@ -208,6 +211,16 @@ + + -P sync date/offset + + + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. + + + + -A date/offset @@ -252,6 +265,16 @@ + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + + + + -S predecessor key @@ -305,29 +328,32 @@ - -u + -u - - Print times in UNIX epoch format. - + + Print times in UNIX epoch format. + - -p C/P/A/R/I/D/all + -p C/P/Psync/A/R/I/D/Dsync/all - - Print a specific metadata value or set of metadata values. + + Print a specific metadata value or set of metadata values. The option may be followed by one or more - of the following letters to indicate which value or values to print: + of the following letters or strings to indicate which value + or values to print: for the creation date, for the publication date, + for the CDS and CDNSKEY publication date, for the activation date, for the revocation date, - for the inactivation date, or - for the deletion date. + for the inactivation date, + for the deletion date, and + for the CDS and CDNSKEY deletion date To print all of the metadata, use . - + diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html index e366fb215c..509cf1190c 100644 --- a/bin/dnssec/dnssec-settime.html +++ b/bin/dnssec/dnssec-settime.html @@ -27,7 +27,7 @@

Synopsis

-

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

+

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D sync date/offset] [-D sync date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

DESCRIPTION

@@ -60,7 +60,7 @@
-f

- Force an update of an old-format key with no metadata fields. + Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the @@ -68,7 +68,7 @@ set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time. -

+

-K directory

Sets the directory in which the key files are to reside. @@ -86,12 +86,12 @@

-h

- Emit usage message and exit. -

+ Emit usage message and exit. +

-V

- Prints version information. -

+ Prints version information. +

-v level

Sets the debugging level. @@ -131,6 +131,11 @@ After that date, the key will be included in the zone but will not be used to sign it.

+
-P sync date/offset
+

+ Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

-A date/offset

Sets the date on which the key is to be activated. After that @@ -155,6 +160,11 @@ date, the key will no longer be included in the zone. (It may remain in the key repository, however.)

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. +

-S predecessor key

Select a key for which the key being modified will be an @@ -200,21 +210,24 @@

-u

- Print times in UNIX epoch format. -

-
-p C/P/A/R/I/D/all
+ Print times in UNIX epoch format. +

+
-p C/P/Psync/A/R/I/D/Dsync/all

- Print a specific metadata value or set of metadata values. + Print a specific metadata value or set of metadata values. The -p option may be followed by one or more - of the following letters to indicate which value or values to print: + of the following letters or strings to indicate which value + or values to print: C for the creation date, P for the publication date, + Psync for the CDS and CDNSKEY publication date, A for the activation date, R for the revocation date, - I for the inactivation date, or - D for the deletion date. + I for the inactivation date, + D for the deletion date, and + Dsync for the CDS and CDNSKEY deletion date To print all of the metadata, use -p all. -

+

diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 42936414ab..0e25e6733b 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -27,15 +27,16 @@ #include #include +#include #include #include #include #include #include +#include #include #include #include -#include #include #include @@ -1834,3 +1835,20 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver, } } } + +isc_boolean_t +isoptarg(const char *arg, char **argv, void(*usage)(void)) { + if (!strcasecmp(isc_commandline_argument, arg)) { + if (argv[isc_commandline_index] == NULL) { + fprintf(stderr, "%s: missing argument -%c %s\n", + program, isc_commandline_option, + isc_commandline_argument); + usage(); + } + isc_commandline_argument = argv[isc_commandline_index]; + /* skip to next arguement */ + isc_commandline_index++; + return (ISC_TRUE); + } + return (ISC_FALSE); +} diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index 2ad83d3d86..48c4725927 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -98,4 +98,8 @@ void verifyzone(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin, isc_mem_t *mctx, isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly); + +isc_boolean_t +isoptarg(const char *arg, char **argv, void (*usage)(void)); + #endif /* DNSSEC_DNSSECTOOL_H */ diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index 899756a1de..05810bcac8 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -17,7 +17,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_VERSION@ +VERSION=@BIND9_VERSION@ @BIND9_PRODUCT@ diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl index 5b1ffe8655..8ef66f9357 100644 --- a/bin/named/bind9.xsl +++ b/bin/named/bind9.xsl @@ -25,58 +25,58 @@ + + // Server Incoming Requests by opcode + graphs.push({ + 'title' : "Server Incoming Requests by DNS Opcode", + 'target': 'chart_incoming_opcodes', + 'style': 'barchart', + 'data': [['Opcode','Counter'],['',],]}); + +