Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1111,7 +1111,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1147,7 +1147,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1210,7 +1210,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1251,12 +1251,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1278,7 +1278,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1293,27 +1293,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1328,14 +1328,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1357,7 +1357,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1368,7 +1368,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1465,7 +1465,7 @@ $ dnssec-signzone -S -K keys example.net<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1474,7 +1474,7 @@ $ dnssec-signzone -S -K keys example.net<
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
@@ -1507,7 +1507,7 @@ $ ./configure --enable-native-pkcs11 \
SoftHSMv2, the latest development version of SoftHSM, is available
from
@@ -1545,7 +1545,7 @@ $ /opt/pkcs11/usr/bin/softhsm-util --init-token
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1603,7 +1603,7 @@ $ /opt/pkcs11/usr/bin/softhsm-util --init-token
$ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
@@ -1636,7 +1636,7 @@ $ patch -p1 -d openssl-0.9.8zc \
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1678,7 +1678,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1707,7 +1707,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM (version 1) is a software library developed by the
OpenDNSSEC project
@@ -1782,7 +1782,7 @@ $ ./Configure linux-x86_64 -pthread \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1802,7 +1802,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1824,7 +1824,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1845,7 +1845,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1868,7 +1868,7 @@ $ ./configure --enable-threads \
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1989,7 +1989,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -2021,7 +2021,7 @@ $ dnssec-signzone -E '' -S example.net
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2108,7 +2108,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -2157,7 +2157,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
@@ -2232,7 +2232,7 @@ $ dnssec-signzone -E '' -S example.net
A DynDB database is configured with a dyndb
statement in named.conf:
@@ -2260,7 +2260,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DynDB modules, the directory
bin/tests/system/dyndb/driver.
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 9c09bbe2e3..c3b1badef9 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -78,28 +78,28 @@
- server Statement Definition and
Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and
+
- statistics-channels Statement Definition and
Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition
+
- trusted-keys Statement Definition
and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition
and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone
Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
hostname_string; ]
[ server-id server_id_string; ]
[ directory path_name; ]
+ [ dnstap { message_type; ... }; ]
+ [ dnstap-output ( file | unix ) path_name; ]
+ [ dnstap-identity ( string | hostname | none ); ]
+ [ dnstap-version ( string | none ); ]
[ geoip-directory path_name; ]
[ key-directory path_name; ]
[ managed-keys-directory path_name; ]
@@ -2645,6 +2649,109 @@ badresp:1,adberr:0,findfail:0,valfail:0]
was started. The directory specified should be an absolute
path.
++ dnstap is a fast, flexible method + for capturing and logging DNS traffic. Developed by + Robert Edmonds at Farsight Security, Inc., and supported + by multiple DNS implementations, dnstap + uses + libfstrm (a lightweight high-speed + framing library, see + https://github.com/farsightsec/fstrm) to send + event payloads which are encoded using Protocol Buffers + (libprotobuf-c, a mechanism for + serializing structured data developed + by Google, Inc.; see + https://developers.google.com/protocol-buffers). +
+
+ To enable dnstap at compile time,
+ the fstrm and protobuf-c
+ libraries must be available, and BIND must be configured with
+ --enable-dnstap.
+
+ The dnstap option is a bracketed list
+ of message types to be logged. These may be set differently
+ for each view. Supported types are client,
+ auth, resolver, and
+ forwarder. Specifying type
+ all will cause all dnstap
+ messages to be logged, regardless of type.
+
+ Each type may take an additional argument to indicate whether
+ to log query messages or
+ response messages; if not specified,
+ both queries and responses are logged.
+
+ Example: To log all authoritative queries and responses, + recursive client responses, and upstream queries sent by + the resolver, use: +
+dnstap {
+ auth;
+ client response;
+ resolver query;
+};
+
++
++ Logged dnstap messages can be parsed + using the dnstap-read utility (see + dnstap-read(1) for details). +
++ For more information on dnstap, see + http://dnstap.info. +
++ Configures the path to which the dnstap + frame stream will be sent if dnstap + is enabled at compile time and active. +
+
+ The first argument is either file or
+ unix, indicating whether the destination
+ is a file or a UNIX domain socket. The second argument
+ is the path of the file or socket. (Note: when using a
+ socket, dnstap messages will
+ only be sent if another process such as
+ fstrm_capture
+ (provided with libfstrm) is listening on
+ the socket.)
+
+ dnstap-output can only be set globally + in options. Currently, it can only be + set once while named is running; + once set, it cannot be changed by + rndc reload or + rndc reconfig. +
+
+ Specifies an identity string to send in
+ dnstap messages. If set to
+ hostname, which is the default, the
+ server's hostname will be sent. If set to
+ none, no identity string will be sent.
+
+ Specifies a version string to send in
+ dnstap messages. The default is the
+ version number of the BIND release. If set to
+ none, no version string will be sent.
+
Specifies the directory containing GeoIP @@ -4360,7 +4467,7 @@ options {
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -4404,7 +4511,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -4682,7 +4789,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -5159,7 +5266,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports, avoid-v4-udp-ports, @@ -5201,7 +5308,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -5549,7 +5656,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
@@ -6597,7 +6704,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6720,7 +6827,7 @@ deny-answer-aliases { "example.net"; };
BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -7098,7 +7205,7 @@ example.com CNAME rpz-tcp-only.
Excessive almost identical UDP responses can be controlled by configuring a @@ -7649,7 +7756,7 @@ example.com CNAME rpz-tcp-only.
The statistics-channels statement @@ -7769,7 +7876,7 @@ example.com CNAME rpz-tcp-only.
The trusted-keys statement defines @@ -7813,7 +7920,7 @@ example.com CNAME rpz-tcp-only.
managed-keys {nameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] @@ -7951,7 +8058,7 @@ example.com CNAME rpz-tcp-only.The view statement is a powerful feature @@ -8273,10 +8380,10 @@ zone
zone_name[The type keyword is required for the zone configuration unless @@ -8604,7 +8711,7 @@ zone
zone_name[The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), @@ -8626,7 +8733,7 @@ zonezone_name[
- allow-notify
@@ -9509,7 +9616,7 @@ example.com. NS ns2.example.net.
When multiple views are in use, a zone may be referenced by more than one of them. Often, the views @@ -9571,7 +9678,7 @@ view external {
@@ -9584,7 +9691,7 @@ view external {A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -10757,7 +10864,7 @@ view external {
RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -10960,7 +11067,7 @@ view external {
As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -11215,7 +11322,7 @@ view external {
Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -11276,7 +11383,7 @@ view external {
The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -11291,7 +11398,7 @@ view external {
When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -11302,7 +11409,7 @@ view external {
Syntax: $ORIGIN
domain-name@@ -11331,7 +11438,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename@@ -11367,7 +11474,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl@@ -11386,7 +11493,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range@@ -11835,7 +11942,7 @@ HOST-127.EXAMPLE. MX 0 .-
@@ -12458,7 +12565,7 @@ HOST-127.EXAMPLE. MX 0 . diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index ada68a35c2..4634693068 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -51,7 +51,7 @@
@@ -12612,7 +12719,7 @@ HOST-127.EXAMPLE. MX 0 . @@ -50,20 +50,20 @@
@@ -12995,7 +13102,7 @@ HOST-127.EXAMPLE. MX 0 . Socket I/O statistics counters are defined per socket types, which are @@ -13150,7 +13257,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index dab373638b..2651fc48db 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,10 +46,10 @@
Table of Contents
@@ -245,7 +245,7 @@ allow-query { !{ !10/8; any; }; key example; };On UNIX servers, it is possible to run BIND @@ -271,7 +271,7 @@ allow-query { !{ !10/8; any; }; key example; };
In order for a chroot environment to @@ -299,7 +299,7 @@ allow-query { !{ !10/8; any; }; key example; };
Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index b57ef2cace..0d5067c0f5 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@
The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 8f3000a4a2..183a24f84e 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -50,7 +50,7 @@
@@ -140,17 +140,17 @@ @@ -158,42 +158,42 @@Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-@@ -202,19 +202,19 @@[RFC3645] Generic Security Service Algorithm for Secret +
[RFC3645] Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-@@ -222,146 +222,146 @@[RFC4035] Protocol Modifications for the DNS +
[RFC4035] Protocol Modifications for the DNS Security Extensions. March 2005.
Other Important RFCs About DNS Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely +
[RFC1535] A Security Problem and Proposed Correction With Widely Deployed DNS Software. October 1993.
-[RFC1536] Common DNS Implementation +
[RFC1536] Common DNS Implementation Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS +
[RFC4074] Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using +
[RFC2168] Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the +
[RFC1876] A Means for Expressing Location Information in the Domain Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the +
[RFC2052] A DNS RR for Specifying the Location of Services. October 1996.
-[RFC2163] Using the Internet DNS to +
[RFC2163] Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names +
[RFC1101] DNS Encoding of Network Names and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and +
[RFC1123] Requirements for Internet Hosts - Application and Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide. November 1987.
+[RFC1033] Domain administrators operations guide. November 1987.
-[RFC1912] Common DNS Operational and +
[RFC1912] Common DNS Operational and Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names, +
[RFC2825] A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.
-@@ -377,47 +377,47 @@[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
-[RFC1464] Using the Domain Name System To Store Arbitrary String +
[RFC1464] Using the Domain Name System To Store Arbitrary String Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via +
[RFC3258] Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
@@ -431,39 +431,39 @@Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical +
[RFC1712] DNS Encoding of Geographical Location. November 1994.
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC) +
[RFC3008] Domain Name System Security (DNSSEC) Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record +
[RFC3757] Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.
-@@ -484,14 +484,14 @@[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
-diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index b7b08a7b22..17ea046360 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -47,13 +47,13 @@ @@ -89,7 +89,7 @@DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@
$./configure --enable-exportlib$[other flags]make@@ -113,7 +113,7 @@ $make$cd lib/export$make install@@ -135,7 +135,7 @@ $make install
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $
makeThe IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $
makeSome sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $
makeSimilar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $
makeIt sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $
makeThis is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $
makeIt accepts a single update command as a command-line argument, sends an update request message to the @@ -458,7 +458,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmIt checks a set of domains to see the name servers of the domains behave @@ -515,7 +515,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmAs of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index 987240e035..bba891993f 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -127,12 +127,21 @@ arpaname — translate IP addresses to the corresponding ARPA names
+dnstap-read — print dnstap data in human-readable form + +genrandom — generate a file containing random data isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND +named-journalprint — print zone journal in human-readable form + ++named-rrchecker — A syntax checker for individual DNS resource records + +nsec3hash — generate NSEC3 hash diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 9968bc5288..8f3ba783c9 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -114,44 +114,44 @@DNSSEC, Dynamic Zones, and Automatic Signing -
- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Converting from insecure to secure
+- Dynamic DNS update method
+- Fully automatic zone signing
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
+- Periodic re-signing
+- NSEC3 and OPTOUT
Dynamic Trust Anchor Management PKCS#11 (Cryptoki) support -
- Prerequisites
-- Native PKCS#11
-- OpenSSL-based PKCS#11
-- PKCS#11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Native PKCS#11
+- OpenSSL-based PKCS#11
+- PKCS#11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones) DynDB (Dynamic Database) IPv6 Support in BIND 9 - @@ -199,28 +199,28 @@
- server Statement Definition and Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and +
- statistics-channels Statement Definition and Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition +
- trusted-keys Statement Definition and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File +Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics @@ -229,19 +229,19 @@7. BIND 9 Security Considerations 8. Troubleshooting A. Release Notes B. A Brief History of the DNS and BIND @@ -252,20 +252,20 @@D. BIND 9 DNS Library Support I. Manual pages @@ -349,12 +349,21 @@ arpaname — translate IP addresses to the corresponding ARPA names+dnstap-read — print dnstap data in human-readable form + +genrandom — generate a file containing random data isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND +named-journalprint — print zone journal in human-readable form + ++named-rrchecker — A syntax checker for individual DNS resource records + +nsec3hash — generate NSEC3 hash diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 4952e09bdb..4227241328 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -23,7 +23,7 @@ - +
arpaname{ipaddress...}-@@ -75,14 +75,14 @@DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
Prev Up -Next + Next ddns-confgen Home -genrandom + dnstap-read
ddns-confgen[-a] [algorithm-h] [-k] [keyname-q] [-r] [ -srandomfilename| -zzone]-diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 9988791bf6..71c3e22307 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -53,7 +53,7 @@DESCRIPTION
+DESCRIPTION
tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@
delv[queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the same internal @@ -96,7 +96,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -471,12 +471,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 1092956fc1..e799299f50 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -735,7 +735,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -781,7 +781,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -795,14 +795,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -810,7 +810,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 09dc10510f..0dc4371629 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@
dnssec-dsfromkey[-l] [domain-f] [file-d] [dig path-D] {zone}dsfromkey path-diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index ef2ca69747..a80ef77c13 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@
dnssec-coverage[-K] [directory-l] [length-f] [file-d] [DNSKEY TTL-m] [max TTL-r] [interval-c] [compilezone path-k] [-z] [zone]-diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index ce8efe90f2..8a5c84e083 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@DESCRIPTION
+DESCRIPTION
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@
dnssec-dsfromkey[-h] [-V]-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -179,13 +179,13 @@-diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index d4065c6cab..5399c47bf7 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -51,7 +51,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -195,7 +195,7 @@
dnssec-importkey{-f} [filename-K] [directory-L] [ttl-P] [date/offset-D] [date/offset-h] [-v] [level-V] [dnsname]-DESCRIPTION
+DESCRIPTION
dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@
-FILES
+FILES
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -151,7 +151,7 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index dd98d6b4ad..ee3d939204 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@
dnssec-keyfromlabel{-llabel} [-3] [-a] [algorithm-A] [date/offset-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-I] [date/offset-i] [interval-k] [-K] [directory-L] [ttl-n] [nametype-P] [date/offset-p] [protocol-R] [date/offset-S] [key-t] [type-v] [level-V] [-y] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index acdb5427aa..3bd69d424c 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-3] [-A] [date/offset-C] [-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-g] [generator-h] [-I] [date/offset-i] [interval-K] [directory-L] [ttl-k] [-P] [date/offset-p] [protocol-q] [-R] [date/offset-r] [randomdev-S] [key-s] [strength-t] [type-v] [level-V] [-z] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -361,7 +361,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -428,7 +428,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 401e2060b4..e361c64958 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -437,7 +437,7 @@
dnssec-revoke[-hr] [-v] [level-V] [-K] [directory-E] [engine-f] [-R] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 82e9fbc872..d13cd06a8c 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime[-f] [-K] [directory-L] [ttl-P] [date/offset-A] [date/offset-R] [date/offset-I] [date/offset-D] [date/offset-h] [-V] [-v] [level-E] {keyfile}engine-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P,-A, @@ -76,7 +76,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -212,7 +212,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -238,7 +238,7 @@
-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index cbaee21789..8e6f56ca25 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -246,7 +246,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-D] [-E] [engine-e] [end-time-f] [output-file-g] [-h] [-K] [directory-k] [key-L] [serial-l] [domain-M] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-P] [-p] [-Q] [-R] [-r] [randomdev-S] [-s] [start-time-T] [ttl-t] [-u] [-v] [level-V] [-X] [extended end-time-x] [-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index c78a2ff5d6..ac7b1b580e 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -542,14 +542,14 @@ db.example.com.signed %
dnssec-verify[-c] [class-E] [engine-I] [input-format-o] [origin-v] [level-V] [-x] [-z] {zonefile}-diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 2e917979dc..04a3e8351f 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -19,8 +19,8 @@DESCRIPTION
+DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@
dnstap-read - - + + @@ -39,7 +39,7 @@
+-Name
@@ -49,47 +49,47 @@Synopsis
dnstap-read[-m] [-p] [-y] {file}-DESCRIPTION
++-DESCRIPTION
- dnstap-read - reads dnstap data from a specified file + dnstap-read + reads dnstap data from a specified file and prints it in a human-readable format. By default, - dnstap data is printed in a short summary + dnstap data is printed in a short summary format, but if the
-yoption is specified, then a longer and more detailed YAML format is used instead.-OPTIONS
-+
+-OPTIONS
+
- -m
Trace memory allocations; used for debugging memory leaks.
- -p
- After printing the dnstap data, print + After printing the dnstap data, print the text form of the DNS message that was encapsulated in the - dnstap frame. + dnstap frame.
- -y
- Print dnstap data in a detailed YAML + Print dnstap data in a detailed YAML format. Implies
-p.-SEE ALSO
+ --AUTHOR
+ diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 73f2085e57..ede82daae8 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -22,7 +22,7 @@ - + @@ -31,7 +31,7 @@genrandom -Prev +PrevManual pages Next @@ -50,7 +50,7 @@
genrandom[-n] {numbersize} {filename}-@@ -94,14 +94,14 @@DESCRIPTION
+DESCRIPTION
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
@@ -50,7 +50,7 @@
-Prev +PrevUp Next -arpaname +dnstap-readHome isc-hmac-fixup diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index b173fde470..4682986f5c 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] [-v] [-V] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -214,7 +214,7 @@
isc-hmac-fixup{algorithm} {secret}-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
-@@ -106,14 +106,14 @@SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
Prev Up -Next + Next diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index 586f9d016c..d571d96041 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -50,7 +50,7 @@ genrandom Home -nsec3hash + named-journalprint
lwresd[-c] [config-file-C] [config-file-d] [debug-level-f] [-g] [-i] [pid-file-m] [flag-n] [#cpus-P] [port-p] [port-s] [-t] [directory-u] [user-v] [-4] [-6]-diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 8947b5e821..8fc9ff9453 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
lwresd is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver @@ -85,7 +85,7 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-p] [-x] [-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index d5310e9d75..8c9615ffc1 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-J] [filename-i] [mode-k] [mode-m] [mode-n] [mode-l] [ttl-L] [serial-r] [mode-s] [style-t] [directory-T] [mode-w] [directory-D] [-W] {mode-o} {zonename} {filename}filename-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 13edcced3b..9c100918f5 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -22,7 +22,7 @@ - + @@ -31,7 +31,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint -Prev +PrevManual pages Next @@ -50,7 +50,7 @@
named-journalprint{journal}-@@ -94,14 +94,14 @@DESCRIPTION
+DESCRIPTION
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
@@ -50,7 +50,7 @@
-Prev +PrevUp Next -lwresd +isc-hmac-fixupHome named-rrchecker diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 35dba46086..6c9a2eb980 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -23,7 +23,7 @@ - +
named-rrchecker[-h] [-o] [origin-p] [-u] [-C] [-T] [-P]diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index f6f19e65a6..11f78aac13 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -50,7 +50,7 @@ named-journalprint Home -nsupdate + nsec3hash
named.conf-DESCRIPTION
+DESCRIPTION
named.confis the configuration file for named. Statements are enclosed @@ -69,14 +69,14 @@-MASTERS
+MASTERS
mastersstring[ portinteger] {
(masters|ipv4_address[portinteger] |
@@ -94,7 +94,7 @@ masters-SERVER
+SERVER
server (ipv4_address[/prefixlen]|ipv6_address[/prefixlen]) {
bogusboolean;
@@ -117,7 +117,7 @@ server-TRUSTED-KEYS
+TRUSTED-KEYS
trusted-keys {
domain_nameflagsprotocolalgorithmkey; ...
@@ -125,7 +125,7 @@ trusted-keys-MANAGED-KEYS
+MANAGED-KEYS
managed-keys {
domain_nameinitial-keyflagsprotocolalgorithmkey; ...
@@ -133,7 +133,7 @@ managed-keys-CONTROLS
+CONTROLS
controls {
inet (ipv4_address|ipv6_address| * )
@@ -145,7 +145,7 @@ controls-VIEW
+VIEW
viewstringoptional_class{
match-clients {address_match_element; ... };
@@ -561,7 +561,7 @@ view-ZONE
+ZONE
zonestringoptional_class{
type ( master | slave | stub | hint | redirect |
@@ -658,12 +658,12 @@ zone-SEE ALSO
+SEE ALSO
named(8), named-checkconf(8), rndc(8), diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 877abc43c5..010b11f07f 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@
named[-4] [-6] [-c] [config-file-d] [debug-level-D] [string-E] [engine-name-f] [-g] [-L] [logfile-M] [option-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-U] [#listeners-u] [user-v] [-V] [-X] [lock-file-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -320,7 +320,7 @@
-diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index c679aca66e..f69cd9a56a 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -22,7 +22,7 @@ - +CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -337,7 +337,7 @@
-@@ -97,13 +97,13 @@DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
-Prev +PrevUp diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 0f14adaf10..19044c10fb 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@ -isc-hmac-fixup +named-rrcheckerHome
nsupdate[-d] [-D] [-L] [[level-g] | [-o] | [-l] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [-T] [-P] [-V] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -108,7 +108,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index e3d943bf65..6f44761730 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@
rndc-confgen[-a] [-A] [algorithm-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index f504b84fc8..e682b035ec 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 22f1aff653..321597def1 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -220,7 +220,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-q] [-r] [-V] [-y] {command}key_id-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@
-COMMANDS
+COMMANDS
A list of commands supported by rndc can be seen by running rndc without arguments. @@ -744,7 +744,7 @@
-diff --git a/doc/misc/options b/doc/misc/options index 753bf12d1d..6e6ac785c2 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -134,6 +134,12 @@ options { dnssec-secure-to-insecureLIMITATIONS
+LIMITATIONS
There is currently no way to provide the shared secret for a
key_idwithout using the configuration file. @@ -754,7 +754,7 @@; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); + dnstap { ( client | resolver | auth | forwarder | + all ) [ ( query | response ) ]; ... }; // not configured + dnstap-identity ( | none | + hostname ); // not configured + dnstap-output ( file | unix ) ; // not configured + dnstap-version ( | none ); // not configured dscp ; dual-stack-servers [ port ] { ( [ port ] [ dscp ] | [ port @@ -429,6 +435,8 @@ view [ ] { dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); + dnstap { ( client | resolver | auth | forwarder | + all ) [ ( query | response ) ]; ... }; // not configured dual-stack-servers [ port ] { ( [ port ] [ dscp ] | [ port ] [ dscp ] | [ port