Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1100,7 +1100,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1136,7 +1136,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1233,12 +1233,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1260,7 +1260,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1275,27 +1275,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1310,14 +1310,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1339,7 +1339,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1350,7 +1350,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1424,7 +1424,7 @@ $ dnssec-signzone -S -K keys example.net<
Debian Linux, Solaris x86 and Windows Server 2003.
See the HSM vendor documentation for information about
installing, initializing, testing and troubleshooting the
HSM.
@@ -1557,7 +1557,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
interface to a virtual HSM, implemented in the form of encrypted
@@ -1617,12 +1617,12 @@ $ ./Configure linux-x86_64 -pthread \
When building BIND 9, the location of the custom-built
OpenSSL library must be specified via configure.
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
The PKCS #11 library for the AEP Keyper is currently
@@ -1638,7 +1638,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.
@@ -1656,7 +1656,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1673,7 +1673,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
pkcs11-keygen to generate a new key pair
@@ -1691,7 +1691,7 @@ $ ./configure --enable-threads \
First, we must set up the runtime environment so the
OpenSSL and PKCS #11 libraries can be loaded:
@@ -1779,7 +1779,7 @@ example.net.signed
The OpenSSL engine can be specified in
named and all of the BIND
dnssec-* tools by using the "-E
@@ -1800,7 +1800,7 @@ $ dnssec-signzone -E '' -S example.net
If you want
named to dynamically re-sign zones using HSM
keys, and/or to to sign new records inserted via nsupdate, then
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index ea7607946c..48a038466c 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -92,12 +92,12 @@
Statement Grammar
- zone Statement Definition and Usage
zone_name [
The zone's name may optionally be followed by a class. If
a class is not specified, class
@@ -8491,7 +8493,7 @@ example.com. NS ns2.example.net.
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -9241,7 +9243,7 @@ example.com. NS ns2.example.net.
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -9444,7 +9446,7 @@ example.com. NS ns2.example.net.
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -9699,7 +9701,7 @@ example.com. NS ns2.example.net.
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -10295,7 +10297,7 @@ HOST-127.EXAMPLE. MX 0 .
Table of Contents
On UNIX servers, it is possible to run BIND
@@ -140,7 +140,7 @@ zone "example.com" {
In order for a chroot environment
to
@@ -168,7 +168,7 @@ zone "example.com" {
Prior to running the named daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 326c62228f..c680ec5493 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
The Internet Systems Consortium
(ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index a096451405..62f0410b7e 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -45,7 +45,7 @@
Table of Contents
+ Adjusted max-recursion-queries to better accommodate empty
+ caches.
+ GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
@@ -863,7 +867,7 @@
Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
@@ -940,7 +944,7 @@ $ The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
@@ -958,14 +962,14 @@ $ Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
@@ -1029,7 +1033,7 @@ $
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
@@ -1070,7 +1074,7 @@ $
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
@@ -1111,7 +1115,7 @@ $
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -1128,7 +1132,7 @@ $
It accepts a single update command as a
command-line argument, sends an update request message to the
@@ -1223,7 +1227,7 @@ $
It checks a set
of domains to see the name servers of the domains behave
@@ -1280,7 +1284,7 @@ $ As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 5c1185ed76..e377c82d2d 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -114,33 +114,33 @@
arpaname translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen
generates a key for use by nsupdate
and named. It simplifies configuration
@@ -77,7 +77,7 @@
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -99,7 +99,7 @@
The dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -618,7 +618,7 @@
The BIND 9 implementation of dig
supports
@@ -664,7 +664,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -678,14 +678,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
host(1),
named(8),
dnssec-keygen(8),
@@ -693,7 +693,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
There are probably too many query options.
dnssec-checkds
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
dnssec-coverage
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
The keyfile can be designed by the key identification
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
dnssec-keyfromlabel
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
@@ -66,7 +66,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -281,7 +281,7 @@
When dnssec-keyfromlabel completes
successfully,
@@ -320,7 +320,7 @@
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -328,7 +328,7 @@
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -352,7 +352,7 @@
To generate a 768-bit DSA key for the domain
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
@@ -428,7 +428,7 @@
dnssec-revoke
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -201,7 +201,7 @@
dnssec-settime can also be used to print the
timing metadata associated with a key.
@@ -227,7 +227,7 @@
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -235,7 +235,7 @@
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
The following command signs the dnssec-verify
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
genrandom
generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -206,7 +206,7 @@
If host has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -220,12 +220,12 @@
dig(1),
named(8).
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
Secrets that have been converted by isc-hmac-fixup
are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
named-checkconf
checks the syntax, but not the semantics, of a
named configuration file. The file is parsed
@@ -70,7 +70,7 @@
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
named-journalprint
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -279,7 +279,7 @@
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -296,7 +296,7 @@
nsec3hash generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -220,7 +220,7 @@
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index ae519fe2e2..2b3a28e835 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
rndc-confgen
generates configuration files
for rndc. It can be used as a
@@ -66,7 +66,7 @@
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc
controls the operation of a name
server. It supersedes the ndc utility
@@ -79,7 +79,7 @@
A list of commands supported by rndc can
be seen by running rndc without arguments.
@@ -498,7 +498,7 @@
+ Adjusted max-recursion-queries to better accommodate empty
+ caches.
+ IN (for Internet),
@@ -7574,7 +7576,7 @@ zone zone_name [
$
./configure --enable-exportlib
$ [other flags]make
@@ -878,7 +882,7 @@ $ make
$
cd lib/export
$ make install
@@ -900,7 +904,7 @@ $ make install
make
make
make
make
make
make
sample-update -a sample-update -k Kxxx.+nnn+mm
sample-update -a sample-update -k Kxxx.+nnn+mm
-
-
@@ -202,12 +202,12 @@
Statement Grammar
arpaname {ipaddress ...}DESCRIPTION
+DESCRIPTION
ddns-confgen [-a ] [algorithm-h] [-k ] [keyname-r ] [ -s randomfilename | -z zone ] [-q] [name]DESCRIPTION
+DESCRIPTION
dig [global-queryopt...] [query...]DESCRIPTION
+DESCRIPTION
OPTIONS
+OPTIONS
-b option sets the source IP address of the query
to address. This must be a valid
@@ -260,7 +260,7 @@
QUERY OPTIONS
+QUERY OPTIONS
MULTIPLE QUERIES
+MULTIPLE QUERIES
IDN SUPPORT
+IDN SUPPORT
SEE ALSO
+SEE ALSO
BUGS
+BUGS
dnssec-dsfromkey [-l ] [domain-f ] [file-d ] [dig path-D ] {zone}dsfromkey pathDESCRIPTION
+DESCRIPTION
dnssec-coverage [-K ] [directory-f ] [file-d ] [DNSKEY TTL-m ] [max TTL-r ] [interval-c ] [zone]compilezone pathDESCRIPTION
+DESCRIPTION
dnssec-dsfromkey [-h] [-V]DESCRIPTION
+DESCRIPTION
FILES
+FILES
Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
SEE ALSO
+SEE ALSO
dnssec-keyfromlabel {-l label} [-3] [-a ] [algorithm-A ] [date/offset-c ] [class-D ] [date/offset-E ] [engine-f ] [flag-G] [-I ] [date/offset-i ] [interval-k] [-K ] [directory-L ] [ttl-n ] [nametype-P ] [date/offset-p ] [protocol-R ] [date/offset-S ] [key-t ] [type-v ] [level-V] [-y] {name}DESCRIPTION
+DESCRIPTION
TIMING OPTIONS
+TIMING OPTIONS
GENERATED KEY FILES
+GENERATED KEY FILES
SEE ALSO
+SEE ALSO
dnssec-keygen [-a ] [algorithm-b ] [keysize-n ] [nametype-3] [-A ] [date/offset-C] [-c ] [class-D ] [date/offset-E ] [engine-f ] [flag-G] [-g ] [generator-h] [-I ] [date/offset-i ] [interval-K ] [directory-L ] [ttl-k] [-P ] [date/offset-p ] [protocol-q] [-R ] [date/offset-r ] [randomdev-S ] [key-s ] [strength-t ] [type-v ] [level-V] [-z] {name}DESCRIPTION
+DESCRIPTION
TIMING OPTIONS
+TIMING OPTIONS
EXAMPLE
+EXAMPLE
example.com, the following command would be
@@ -419,7 +419,7 @@
SEE ALSO
+SEE ALSO
dnssec-revoke [-hr] [-v ] [level-V] [-K ] [directory-E ] [engine-f] [-R] {keyfile}DESCRIPTION
+DESCRIPTION
dnssec-settime [-f] [-K ] [directory-L ] [ttl-P ] [date/offset-A ] [date/offset-R ] [date/offset-I ] [date/offset-D ] [date/offset-h] [-V] [-v ] [level-E ] {keyfile}engineDESCRIPTION
+DESCRIPTION
-P, -A,
@@ -76,7 +76,7 @@
TIMING OPTIONS
+TIMING OPTIONS
PRINTING OPTIONS
+PRINTING OPTIONS
SEE ALSO
+SEE ALSO
dnssec-signzone [-a] [-c ] [class-d ] [directory-D] [-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-L ] [serial-l ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-P] [-p] [-R] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-V] [-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]DESCRIPTION
+DESCRIPTION
EXAMPLE
+EXAMPLE
example.com
zone with the DSA key generated by dnssec-keygen
@@ -513,14 +513,14 @@ db.example.com.signed
%
dnssec-verify [-c ] [class-E ] [engine-I ] [input-format-o ] [origin-v ] [level-V] [-x] [-z] {zonefile}DESCRIPTION
+DESCRIPTION
genrandom [-n ] {numbersize} {filename}DESCRIPTION
+DESCRIPTION
host [-aCdlnrsTwv] [-c ] [class-N ] [ndots-R ] [number-t ] [type-W ] [wait-m ] [flag-4] [-6] [-v] [-V] {name} [server]DESCRIPTION
+DESCRIPTION
IDN SUPPORT
+IDN SUPPORT
SEE ALSO
+SEE ALSO
isc-hmac-fixup {algorithm} {secret}DESCRIPTION
+DESCRIPTION
SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
named-checkconf [-h] [-v] [-j] [-t ] {filename} [directory-p] [-x] [-z]DESCRIPTION
+DESCRIPTION
RETURN VALUES
+RETURN VALUES
named-compilezone [-d] [-j] [-q] [-v] [-c ] [class-C ] [mode-f ] [format-F ] [format-i ] [mode-k ] [mode-m ] [mode-n ] [mode-L ] [serial-r ] [mode-s ] [style-t ] [directory-T ] [mode-w ] [directory-D] [-W ] {mode-o } {zonename} {filename}filenameDESCRIPTION
+DESCRIPTION
RETURN VALUES
+RETURN VALUES
named-journalprint {journal}DESCRIPTION
+DESCRIPTION
named [-4] [-6] [-c ] [config-file-d ] [debug-level-E ] [engine-name-f] [-g] [-m ] [flag-n ] [#cpus-p ] [port-s] [-S ] [#max-socks-t ] [directory-U ] [#listeners-u ] [user-v] [-V] [-x ]cache-fileDESCRIPTION
+DESCRIPTION
SIGNALS
+SIGNALS
CONFIGURATION
+CONFIGURATION
nsec3hash {salt} {algorithm} {iterations} {domain}DESCRIPTION
+DESCRIPTION
nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y ] | [[hmac:]keyname:secret-k ]] [keyfile-t ] [timeout-u ] [udptimeout-r ] [udpretries-R ] [randomdev-v] [-V] [filename]DESCRIPTION
+DESCRIPTION
BUGS
+BUGS
rndc-confgen [-a] [-b ] [keysize-c ] [keyfile-h] [-k ] [keyname-p ] [port-r ] [randomfile-s ] [address-t ] [chrootdir-u ]userDESCRIPTION
+DESCRIPTION
rndc.conf DESCRIPTION
+DESCRIPTION
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
rndc.conf
@@ -219,7 +219,7 @@
rndc [-b ] [source-address-c ] [config-file-k ] [key-file-s ] [server-p ] [port-V] [-y ] {command}key_idDESCRIPTION
+DESCRIPTION
COMMANDS
+COMMANDS