[master] upgrade doc toolchain

4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
			and dblatex. [RT #40766]
Evan Hunt 2015-10-05 21:59:35 -07:00
parent 09e42eb9e9
commit 14a656f94b
149 changed files with 24121 additions and 12394 deletions


@ -1,3 +1,6 @@
4237. [doc] Upgraded documentation toolchain to use DocBook 5
and dblatex. [RT #40766]
4236. [func] On machines with 2 or more processors (CPU), the
default value for the number of UDP listeners
has been changed to the number of detected

FAQ.xml

@ -1,5 +1,3 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- Copyright (C) 2004-2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
@ -16,12 +14,10 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: FAQ.xml,v 1.54 2010/01/19 23:48:55 tbox Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
<articleinfo>
<!-- Converted by db4-upgrade version 1.0 -->
<article xmlns="http://docbook.org/ns/docbook" version="5.0" class="faq">
<info>
<copyright>
<year>2004</year>
<year>2005</year>
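Review bot: the `<title>Frequently Asked Questions about BIND 9</title>` line from the old `<article>` header has no counterpart among the new lines in this hunk; the new `<info>` opens straight into `<copyright>`. Unless the title was placed further down inside `<info>`, the converted FAQ loses its document title, so add `<title>` as the first child of `<info>`.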
@ -41,10 +37,10 @@
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</articleinfo>
<qandaset defaultlabel='qanda'>
</info>
<qandaset defaultlabel="qanda">
<qandadiv><title>Compilation and Installation Questions</title>
<qandadiv>
<qandaentry>
<question>
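Review bot: the line that replaces `<qandadiv><title>Compilation and Installation Questions</title>` is a bare `<qandadiv>`, and the same substitution repeats for every division in the later FAQ.xml hunks. If the titles were not carried over, the FAQ sections will render unlabelled while the trailing comments (`<!-- Compilation and Installation Questions -->`) are the only place the names survive. DocBook 5 still accepts a `<title>` child on `<qandadiv>`, so the original lines could stay as they were.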
@ -96,7 +92,7 @@
</qandadiv> <!-- Compilation and Installation Questions -->
<qandadiv><title>Configuration and Setup Questions</title>
<qandadiv>
<qandaentry>
<!-- configuration, log -->
@ -501,7 +497,7 @@ Master 10.0.1.1:
You are running chrooted (-t) and have not supplied local timezone
information in the chroot area.
</para>
<simplelist>
<simplelist type="vert">
<member>FreeBSD: /etc/localtime</member>
<member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
<member>OSF: /etc/zoneinfo/localtime</member>
@ -697,7 +693,7 @@ server ::/0 { bogus yes; };
</qandadiv> <!-- Configuration and Setup Questions -->
<qandadiv><title>Operations Questions</title>
<qandadiv>
<qandaentry>
<question>
@ -767,7 +763,7 @@ server ::/0 { bogus yes; };
</qandadiv> <!-- Operations Questions -->
<qandadiv><title>General Questions</title>
<qandadiv>
<qandaentry>
<question>
@ -807,9 +803,8 @@ server ::/0 { bogus yes; };
of sending dynamic update requests to DNS servers without
being specifically configured to do so. If the update
requests are coming from a Windows 2000 machine, see
<ulink
url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
&lt;http://support.microsoft.com/support/kb/articles/q246/8/04.asp&gt;</ulink>
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
&lt;http://support.microsoft.com/support/kb/articles/q246/8/04.asp&gt;</link>
for information about how to turn them off.
</para>
</answer>
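Review bot: the replacement `<link>` declares `xmlns:xlink="http://www.w3.org/1999/xlink"` on the element itself, and every converted link in this file does the same. Declare the prefix once on the root `<article>` next to the DocBook namespace so each link can be written as `<link xlink:href="...">`; that keeps the long URLs readable and makes future hand edits less error-prone.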
@ -959,7 +954,7 @@ serial-query-rate 5; // default 20</programlisting>
usage rules and are leaking queries to the Internet. You
should establish your own zones for these addresses to prevent
you querying the Internet's name servers for these addresses.
Please see <ulink url="http://as112.net/">&lt;http://as112.net/&gt;</ulink>
Please see <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://as112.net/">&lt;http://as112.net/&gt;</link>
for details of the problems you are causing and the counter
measures that have had to be deployed.
</para>
@ -1084,9 +1079,9 @@ empty:
</qandadiv> <!-- General Questions -->
<qandadiv><title>Operating-System Specific Questions</title>
<qandadiv>
<qandadiv><title>HPUX</title>
<qandadiv>
<qandaentry>
<question>
@ -1112,7 +1107,7 @@ configure: error: need either working unistd.h or sys/select.h</programlisting>
</qandadiv> <!-- HPUX -->
<qandadiv><title>Linux</title>
<qandadiv>
<qandaentry>
<question>
@ -1129,7 +1124,7 @@ client: UDP client handler shutting down due to fatal receive error: unexpected
</para>
<para>
See:
<ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">&lt;http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2&gt;</ulink>
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">&lt;http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2&gt;</link>
</para>
</answer>
</qandaentry>
@ -1146,9 +1141,9 @@ client: UDP client handler shutting down due to fatal receive error: unexpected
non-blocking is ignored. It is reported that setting
xfrm_larval_drop to 1 helps but this may have negative side effects.
See:
<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629">&lt;https://bugzilla.redhat.com/show_bug.cgi?id=427629&gt;</ulink>
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://bugzilla.redhat.com/show_bug.cgi?id=427629">&lt;https://bugzilla.redhat.com/show_bug.cgi?id=427629&gt;</link>
and
<ulink url="http://lkml.org/lkml/2007/12/4/260">&lt;http://lkml.org/lkml/2007/12/4/260&gt;</ulink>.
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://lkml.org/lkml/2007/12/4/260">&lt;http://lkml.org/lkml/2007/12/4/260&gt;</link>.
</para>
<para>
xfrm_larval_drop can be set to 1 by the following procedure:
@ -1244,8 +1239,7 @@ modprobe capability</programlisting>
<para>
Red Hat have adopted the National Security Agency's
SELinux security policy (see <ulink
url="http://www.nsa.gov/selinux">&lt;http://www.nsa.gov/selinux&gt;</ulink>)
SELinux security policy (see <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.nsa.gov/selinux">&lt;http://www.nsa.gov/selinux&gt;</link>)
and recommendations for BIND security , which are more
secure than running named in a chroot and make use of
the bind-chroot environment unnecessary .
@ -1403,8 +1397,8 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
</question>
<answer>
<para>
Ubuntu uses AppArmor <ulink url="http://en.wikipedia.org/wiki/AppArmor">
&lt;http://en.wikipedia.org/wiki/AppArmor&gt;</ulink> in
Ubuntu uses AppArmor <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://en.wikipedia.org/wiki/AppArmor">
&lt;http://en.wikipedia.org/wiki/AppArmor&gt;</link> in
addition to normal file system permissions to protect the system.
</para>
<para>
@ -1441,7 +1435,7 @@ proc /var/named/proc proc defaults 0 0</programlisting>
</qandadiv> <!-- Linux -->
<qandadiv><title>Windows</title>
<qandadiv>
<qandaentry>
<question>
@ -1492,7 +1486,7 @@ options {
</qandadiv> <!-- Windows -->
<qandadiv><title>FreeBSD</title>
<qandadiv>
<qandaentry>
<question>
@ -1513,15 +1507,15 @@ rand_irqs="3 14 15"</programlisting>
</informalexample>
<para>
See also
<ulink url="http://people.freebsd.org/~dougb/randomness.html">
&lt;http://people.freebsd.org/~dougb/randomness.html&gt;</ulink>.
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://people.freebsd.org/~dougb/randomness.html">
&lt;http://people.freebsd.org/~dougb/randomness.html&gt;</link>.
</para>
</answer>
</qandaentry>
</qandadiv> <!-- FreeBSD -->
<qandadiv><title>Solaris</title>
<qandadiv>
<qandaentry>
<question>
@ -1534,17 +1528,16 @@ rand_irqs="3 14 15"</programlisting>
Sun has a blog entry describing how to do this.
</para>
<para>
<ulink
url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
&lt;http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris&gt;
</ulink>
</link>
</para>
</answer>
</qandaentry>
</qandadiv>
<qandadiv><title>Apple Mac OS X</title>
<qandadiv>
<qandaentry>
<question>
@ -1558,7 +1551,7 @@ rand_irqs="3 14 15"</programlisting>
</para>
<informalexample>
<programlisting>
% sudo rndc-confgen > /etc/rndc.conf</programlisting>
% sudo rndc-confgen &gt; /etc/rndc.conf</programlisting>
</informalexample>
<para>
Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:


@ -1,6 +1,5 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
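Review bot: the new `<!DOCTYPE book [` line keeps `book` as the document type name, but the root element of this file is `<refentry>` (see the next hunk). With the public identifier and DTD URL gone, the declaration exists only to define `mdash`, and the build no longer depends on resolving the external DTD, which is a good change. Name the declaration after the real root, `<!DOCTYPE refentry [`, so a validating parser does not reject the file on a root mismatch.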
@ -17,10 +16,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.named-checkconf">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
<info>
<date>2014-01-10</date>
</info>
<refentryinfo>
<date>January 10, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
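Review bot: `<refentryinfo>` with `<corpname>` and `<corpauthor>` is still present directly after the new `<info>` block, in a file now declared as DocBook `version="5.0"`. Those are DocBook 4 elements; in 5.0 the metadata belongs in `<info>`, with the organisation expressed as `<author><orgname>`. Fold them into the `<info>` added above so the document validates against the version it claims. The same leftover appears in the other converted man pages in this commit.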
@ -53,21 +56,21 @@
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-checkconf</command>
<arg><option>-h</option></arg>
<arg><option>-v</option></arg>
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req">filename</arg>
<arg><option>-p</option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">filename</arg>
<arg choice="opt" rep="norepeat"><option>-p</option></arg>
<arg choice="opt" rep="norepeat"><option>-x</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkconf</command>
checks the syntax, but not the semantics, of a
<command>named</command> configuration file. The file is parsed
@ -85,10 +88,10 @@
successful. <command>named-checkconf</command> can be run
on these files explicitly, however.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -177,18 +180,18 @@
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>RETURN VALUES</title>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkconf</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -197,16 +200,5 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refsection>
</refentry>
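Review bot: the AUTHOR `<refsect1>` at the end of the page is deleted rather than converted to a `<refsection>` like the sections before it, so the generated man page loses its AUTHOR heading unless the stylesheet builds one from the metadata. If that is intended, say so in the commit message or CHANGES entry; otherwise keep it as `<refsection><info><title>AUTHOR</title></info>`. Dropping the trailing `Local variables` editor comment is fine.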


@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
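Review bot: this file drops the whole DOCTYPE, including `<!ENTITY mdash "&#8212;">`, whereas the previous file keeps an internal subset for the same entity. Any `&mdash;` left in the body would now be an undeclared entity and a well-formedness error at build time, so confirm there are no remaining references, or keep the internal subset here as well for consistency.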
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.named-checkzone">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
<info>
<date>2014-02-19</date>
</info>
<refentryinfo>
<date>February 19, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -59,68 +60,68 @@
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-checkzone</command>
<arg><option>-d</option></arg>
<arg><option>-h</option></arg>
<arg><option>-j</option></arg>
<arg><option>-q</option></arg>
<arg><option>-v</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req">zonename</arg>
<arg choice="req">filename</arg>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-compilezone</command>
<arg><option>-d</option></arg>
<arg><option>-j</option></arg>
<arg><option>-q</option></arg>
<arg><option>-v</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="req">zonename</arg>
<arg choice="req">filename</arg>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkzone</command>
checks the syntax and integrity of a zone file. It performs the
same checks as <command>named</command> does when loading a
@ -138,10 +139,10 @@
least be as strict as those specified in the
<command>named</command> configuration file.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -506,18 +507,18 @@
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>RETURN VALUES</title>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkzone</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -527,16 +528,6 @@
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>


@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.ddns-confgen">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
<info>
<date>2014-03-06</date>
</info>
<refentryinfo>
<date>March 6, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,29 +43,29 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>tsig-keygen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg choice="opt">name</arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat">name</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>ddns-confgen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg><option>-q</option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group>
<arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
</group>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>tsig-keygen</command> and <command>ddns-confgen</command>
are invocation methods for a utility that generates keys for use
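Review bot: inside the `<group>` of the `ddns-confgen` synopsis, `-s` and `-z` are plain text in `<arg choice="plain" rep="norepeat">`, while every other flag in both synopses is wrapped in `<option>`. Since these lines are being touched anyway, wrap them as `<option>-s <replaceable class="parameter">name</replaceable></option>` (and likewise for `-z`) so the flags are typeset consistently in the man page and PDF output.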
@ -101,10 +102,10 @@
if <command>nsupdate</command> is to be used from a remote
system.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -209,10 +210,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
@ -224,16 +225,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>


@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2009, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.rndc-confgen">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
<info>
<date>2013-03-14</date>
</info>
<refentryinfo>
<date>March 14, 2013</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -52,24 +53,24 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>rndc-confgen</command>
<arg><option>-a</option></arg>
<arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">address</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-a</option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>rndc-confgen</command>
generates configuration files
for <command>rndc</command>. It can be used as a
@ -84,10 +85,10 @@
and a <command>controls</command> statement altogether.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -253,10 +254,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>EXAMPLES</title>
<refsection><info><title>EXAMPLES</title></info>
<para>
To allow <command>rndc</command> to be used with
no manual configuration, run
@ -271,10 +272,10 @@
</para>
<para><userinput>rndc-confgen</userinput>
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -286,16 +287,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>


@ -1,6 +1,5 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,11 +15,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.delv">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
<info>
<date>2014-04-23</date>
</info>
<refentryinfo>
<date>April 23, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -43,46 +45,46 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt">@server</arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-i</option></arg>
<arg><option>-m</option></arg>
<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt">name</arg>
<arg choice="opt">type</arg>
<arg choice="opt">class</arg>
<arg choice="opt" rep="norepeat">@server</arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option></arg>
<arg choice="opt" rep="norepeat"><option>-m</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">type</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="repeat">queryopt</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="repeat">queryopt</arg>
<arg choice="opt" rep="repeat">query</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>delv</command>
(Domain Entity Lookup &amp; Validation) is a tool for sending
DNS queries and validating the results, using the same internal
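Review bot: the converter has spelled out attribute defaults on every synopsis line (`sepchar=" "` on `cmdsynopsis`, `choice="opt" rep="norepeat"` on each `arg`), which roughly doubles the line length without changing the rendered synopsis. Across 149 files this makes later diffs to the option lists harder to read. Consider a post-conversion pass that strips attributes equal to their defaults, keeping only the meaningful ones such as `choice="req"` and `rep="repeat"`. The same pass could emit `<title>` directly instead of `<info><title>...</title></info>` for section headings.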
@ -123,10 +125,10 @@
<command>delv</command> will perform an NS query for "."
(the root zone).
</para>
</refsect1>
</refsection>
<refsect1>
<title>SIMPLE USAGE</title>
<refsection><info><title>SIMPLE USAGE</title></info>
<para>
A typical invocation of <command>delv</command> looks like:
@ -190,10 +192,10 @@
</variablelist>
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -392,10 +394,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>QUERY OPTIONS</title>
<refsection><info><title>QUERY OPTIONS</title></info>
<para><command>delv</command>
provides a number of query options which affect the way results are
@ -662,16 +664,16 @@
</variablelist>
</para>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/bind.keys</filename></para>
<para><filename>/etc/resolv.conf</filename></para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
@ -684,9 +686,6 @@
<citetitle>RFC5074</citetitle>,
<citetitle>RFC5155</citetitle>.
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refsection>
</refentry>

@ -1,6 +1,5 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
@ -17,11 +16,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dig">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
<info>
<date>2014-02-19</date>
</info>
<refentryinfo>
<date>February 19, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -60,42 +62,42 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dig</command>
<arg choice="opt">@server</arg>
<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-m</option></arg>
<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v</option></arg>
<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg choice="opt">name</arg>
<arg choice="opt">type</arg>
<arg choice="opt">class</arg>
<arg choice="opt" rep="norepeat">@server</arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<arg choice="opt" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">type</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="repeat">queryopt</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dig</command>
<arg><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dig</command>
<arg choice="opt" rep="repeat">global-queryopt</arg>
<arg choice="opt" rep="repeat">query</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dig</command>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@ -146,10 +148,10 @@
use "IN." and "CH." when looking up these top level domains.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SIMPLE USAGE</title>
<refsection><info><title>SIMPLE USAGE</title></info>
<para>
A typical invocation of <command>dig</command> looks like:
@ -212,10 +214,10 @@
</variablelist>
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -415,10 +417,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>QUERY OPTIONS</title>
<refsection><info><title>QUERY OPTIONS</title></info>
<para><command>dig</command>
provides a number of query options which affect
@ -1154,10 +1156,10 @@
</variablelist>
</para>
</refsect1>
</refsection>
<refsect1>
<title>MULTIPLE QUERIES</title>
<refsection><info><title>MULTIPLE QUERIES</title></info>
<para>
The BIND 9 implementation of <command>dig </command>
@ -1203,10 +1205,10 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
<literal>isc.org</literal>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>IDN SUPPORT</title>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>dig</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -1218,18 +1220,18 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
The IDN support is disabled if the variable is set when
<command>dig</command> runs.
</para>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
<para><filename>${HOME}/.digrc</filename>
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
@ -1241,16 +1243,13 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</citerefentry>,
<citetitle>RFC1035</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>BUGS</title>
<refsection><info><title>BUGS</title></info>
<para>
There are probably too many query options.
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refsection>
</refentry>

@ -1,6 +1,5 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007-2009, 2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
@ -17,11 +16,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.host">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
<info>
<date>2009-01-20</date>
</info>
<refentryinfo>
<date>January 20, 2009</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -54,26 +56,26 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>host</command>
<arg><option>-aCdlnrsTwv</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg><option>-v</option></arg>
<arg><option>-V</option></arg>
<arg choice="req">name</arg>
<arg choice="opt">server</arg>
<arg choice="opt" rep="norepeat"><option>-aCdlnrsTwv</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>host</command>
is a simple utility for performing DNS lookups.
@ -253,10 +255,10 @@
The <option>-V</option> option causes <command>host</command>
to print the version number and exit.
</para>
</refsect1>
</refsection>
<refsect1>
<title>IDN SUPPORT</title>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>host</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -268,16 +270,16 @@
The IDN support is disabled if the variable is set when
<command>host</command> runs.
</para>
</refsect1>
</refsection>
<refsection><info><title>FILES</title></info>
<refsect1>
<title>FILES</title>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsect1>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
@ -285,10 +287,6 @@
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2007, 2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -45,10 +42,14 @@
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-->
<refentry>
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
<info>
<date>2014-01-24</date>
</info>
<refentryinfo>
<date>January 24, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
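Review bot: the converted `<refentry>` here gets `xmlns` and `version="5.0"` but no `xml:id`, unlike the other pages in this commit (`man.delv`, `man.dig`, `man.host`). The old element had no `id` either, so the converter had nothing to carry over, but this is a good moment to add one following the same `man.<name>` pattern so the page can be cross-referenced like the rest.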
@ -76,16 +77,16 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>nslookup</command>
<arg><option>-option</option></arg>
<arg choice="opt">name | -</arg>
<arg choice="opt">server</arg>
<arg choice="opt" rep="norepeat"><option>-option</option></arg>
<arg choice="opt" rep="norepeat">name | -</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>Nslookup</command>
is a program to query Internet domain name servers. <command>Nslookup</command>
has two modes: interactive and non-interactive. Interactive mode allows
@ -95,13 +96,13 @@
used to print just the name and requested information for a host or
domain.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ARGUMENTS</title>
<refsection><info><title>ARGUMENTS</title></info>
<para>
Interactive mode is entered in the following cases:
<orderedlist numeration="loweralpha">
<orderedlist numeration="loweralpha" inheritnum="ignore" continuation="restarts">
<listitem>
<para>
when no arguments are given (the default name server will be used)
@ -139,10 +140,10 @@ nslookup -query=hinfo -timeout=10
number and immediately exits.
</para>
</refsect1>
</refsection>
<refsect1>
<title>INTERACTIVE COMMANDS</title>
<refsection><info><title>INTERACTIVE COMMANDS</title></info>
<variablelist>
<varlistentry>
<term><constant>host</constant> <optional>server</optional></term>
@ -475,16 +476,16 @@ nslookup -query=hinfo -timeout=10
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
@ -495,16 +496,5 @@ nslookup -query=hinfo -timeout=10
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
<refsect1>
<title>Author</title>
<para>
Andrew Cherenson
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refsection>
</refentry>
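Review bot: the credit to Andrew Cherenson is lost at the end of this file. The `Author` section is removed together with the Emacs local-variables comment, and the only attribution left is the `<corpauthor>Internet Systems Consortium, Inc.</corpauthor>` in the header. That is a content change rather than a toolchain change, and the commit message does not mention it. If the credit is meant to move into metadata, add it there as an author entry. Otherwise keep the section as a `<refsection>`.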

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-dsfromkey">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
<info>
<date>2012-05-02</date>
</info>
<refentryinfo>
<date>May 02, 2012</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -47,50 +48,50 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-C</option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req">keyfile</arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-1</option></arg>
<arg choice="opt" rep="norepeat"><option>-2</option></arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C</option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<arg choice="req">-s</arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">dnsname</arg>
<arg choice="req" rep="norepeat">-s</arg>
<arg choice="opt" rep="norepeat"><option>-1</option></arg>
<arg choice="opt" rep="norepeat"><option>-2</option></arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req" rep="norepeat">dnsname</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<arg><option>-h</option></arg>
<arg><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-dsfromkey</command>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
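Review bot: the second `dnssec-dsfromkey` synopsis lists `-s` twice, once as `<arg choice="req" rep="norepeat">-s</arg>` and again further down as an optional `<option>-s</option>`. The duplicate predates this change, but both lines are rewritten here, so it is a cheap time to drop the optional one. The required `-s` is also bare text; wrapping it in `<option>` would match every other flag in the block.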
@ -247,10 +248,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>EXAMPLE</title>
<refsection><info><title>EXAMPLE</title></info>
<para>
To build the SHA-256 DS RR from the
<userinput>Kexample.com.+003+26160</userinput>
@ -263,10 +264,10 @@
</para>
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
</para>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<para>
The keyfile can be designed by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
@ -278,17 +279,17 @@
the string <filename>keyset-</filename> and the
<option>dnsname</option>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>CAVEAT</title>
<refsection><info><title>CAVEAT</title></info>
<para>
A keyfile error can give a "file not found" even if the file exists.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -300,16 +301,6 @@
<citetitle>RFC 4431</citetitle>.
<citetitle>RFC 4509</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-importkey">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
<info>
<date>2014-02-20</date>
</info>
<refentryinfo>
<date>February 20, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,33 +43,33 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-importkey</command>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg choice="req"><option>keyfile</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat"><option>keyfile</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-importkey</command>
<arg choice="req"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg><option>dnsname</option></arg>
<arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>dnsname</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-importkey</command>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
@ -86,10 +87,10 @@
public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -159,10 +160,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>TIMING OPTIONS</title>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -199,20 +200,20 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<para>
A keyfile can be designed by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
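Review bot: in the FILES paragraph, `<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>` sits directly inside `<para>` with no `<citerefentry>` around it, unlike the reference to the same page in SEE ALSO just below. The old DTD build may have let this through, but it is worth wrapping now so the page validates under the new toolchain and renders as `dnssec-keygen(8)`. In the same sentence, "can be designed by" should read "can be designated by".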
@ -222,16 +223,6 @@
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-keyfromlabel">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
<info>
<date>2014-02-27</date>
</info>
<refentryinfo>
<date>February 27, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -46,37 +47,37 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-keyfromlabel</command>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-3</option></arg>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg><option>-y</option></arg>
<arg choice="req">name</arg>
<arg choice="req" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-y</option></arg>
<arg choice="req" rep="norepeat">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-keyfromlabel</command>
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
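Review bot: In the converted synopsis, the required `-l label` argument is the only flag whose letter is not wrapped in `<option>` (`<arg choice="req" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>`), so it will be styled differently from every other flag in the rendered page. Wrap it as `<option>-l <replaceable class="parameter">label</replaceable></option>`. The DESCRIPTION context line "generates a key pair of files that referencing a key object" should read "that reference", and this file is already being touched.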
@ -90,10 +91,10 @@
line. This must match the name of the zone for which the key is
being generated.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -358,10 +359,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>TIMING OPTIONS</title>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
@ -461,10 +462,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>GENERATED KEY FILES</title>
<refsection><info><title>GENERATED KEY FILES</title></info>
<para>
When <command>dnssec-keyfromlabel</command> completes
successfully,
@ -507,10 +508,10 @@
fields. For obvious security reasons, this file does not have
general read permission.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
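Review bot: The GENERATED KEY FILES context sentence "For obvious security reasons, this file does not have general read permission" never says what the permissions actually are. The dnssec-settime page converted in this same commit states it explicitly ("inaccessible to anyone other than the owner (mode 0600)"). State the mode here in the same way, so an operator can audit the key directory against a documented value.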
@ -521,16 +522,6 @@
<citetitle>RFC 4034</citetitle>,
<citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>
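Review bot: The closing hunk drops the explicit AUTHOR section together with the Emacs local-variables comment, so the rendered page keeps an author attribution only if the new stylesheets generate one from the entry's metadata. Build the dnssec-keyfromlabel man page with the new toolchain and confirm the ISC attribution still appears. If it does not, keep the section and convert it to `<refsection>` like the others.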

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
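Review bot: Removing the DOCTYPE at the top of the file also removes the internal subset that declared `mdash` (`[<!ENTITY mdash "&#8212;">]`), so any `&mdash;` still present in the body becomes an undefined entity and the file is no longer well-formed. Search the converted file for `&mdash;` and replace remaining uses with `&#8212;` or the literal character before merging. The same check applies to each man page source where this header hunk repeats.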
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-keygen">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
<info>
<date>2014-02-06</date>
</info>
<refentryinfo>
<date>February 06, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
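Review bot: The new `<refentry>` declares `version="5.0"` in the DocBook namespace, but the `<refentryinfo>` block with `<corpname>` and `<corpauthor>` that follows the new `<info>` is DocBook 4 vocabulary, which the 5.0 schema does not define. The +/- markers are lost in this rendering, so check which of these lines are on the new side. If the block survives the conversion, fold it into `<info>` as `<author><orgname>Internet Systems Consortium, Inc.</orgname></author>` so the file validates against the version it claims.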
@ -58,43 +59,43 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-keygen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-3</option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-C</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-q</option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg><option>-z</option></arg>
<arg choice="req">name</arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="req" rep="norepeat">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@ -106,10 +107,10 @@
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -436,10 +437,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>TIMING OPTIONS</title>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
@ -541,11 +542,11 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>GENERATED KEYS</title>
<refsection><info><title>GENERATED KEYS</title></info>
<para>
When <command>dnssec-keygen</command> completes
successfully,
@ -595,10 +596,10 @@
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</para>
</refsect1>
</refsection>
<refsect1>
<title>EXAMPLE</title>
<refsection><info><title>EXAMPLE</title></info>
<para>
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
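Review bot: The EXAMPLE context still walks the reader through generating a 768-bit DSA key ("To generate a 768-bit DSA key for the domain example.com"), a key size too small to present as the model invocation for signing a zone. Every section of this page is being rewrapped anyway, so open a follow-up to replace the example with a key type and size the project currently recommends. The `Kexample.com.+003+26160` file names in the next hunk will need updating to match.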
@ -617,10 +618,10 @@
and
<filename>Kexample.com.+003+26160.private</filename>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -629,16 +630,6 @@
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4034</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2011, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-revoke">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<date>January 15, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -43,30 +44,30 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-revoke</command>
<arg><option>-hr</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-R</option></arg>
<arg choice="req">keyfile</arg>
<arg choice="opt" rep="norepeat"><option>-hr</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-R</option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-revoke</command>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
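Review bot: The synopsis carries `<option>-hr</option>` over as a single optional argument, which reads as one flag named `-hr`. The dnssec-keygen and dnssec-settime synopses in this commit list `-h` as its own `<arg>`. If these are two independent flags, split them into separate `<arg choice="opt" rep="norepeat">` entries so the rendered synopsis matches the OPTIONS list.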
@ -153,26 +154,16 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-settime">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
<info>
<date>2014-02-06</date>
</info>
<refentryinfo>
<date>February 06, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -45,26 +46,26 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-settime</command>
<arg><option>-f</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-V</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="req">keyfile</arg>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
@ -88,10 +89,10 @@
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -179,10 +180,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>TIMING OPTIONS</title>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -292,10 +293,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>PRINTING OPTIONS</title>
<refsection><info><title>PRINTING OPTIONS</title></info>
<para>
<command>dnssec-settime</command> can also be used to print the
timing metadata associated with a key.
@ -330,10 +331,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -343,16 +344,6 @@
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-signzone">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
<info>
<date>2014-02-18</date>
</info>
<refentryinfo>
<date>February 18, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -58,53 +59,53 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-signzone</command>
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-g</option></arg>
<arg><option>-h</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-M <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
<arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
<arg><option>-P</option></arg>
<arg><option>-p</option></arg>
<arg><option>-Q</option></arg>
<arg><option>-R</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-S</option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-t</option></arg>
<arg><option>-u</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg choice="req">zonefile</arg>
<arg rep="repeat">key</arg>
<arg choice="opt" rep="norepeat"><option>-a</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-g</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-p</option></arg>
<arg choice="opt" rep="norepeat"><option>-Q</option></arg>
<arg choice="opt" rep="norepeat"><option>-R</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S</option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t</option></arg>
<arg choice="opt" rep="norepeat"><option>-u</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="opt" rep="norepeat"><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A</option></arg>
<arg choice="req" rep="norepeat">zonefile</arg>
<arg rep="repeat" choice="opt">key</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-signzone</command>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
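Review bot: In the converted synopsis, the placeholder for `-X` is `<replaceable class="parameter">extended end-time</replaceable>`; the embedded space makes it render as two arguments. The neighbouring placeholders are hyphenated (`end-time`, `start-time`, `output-file`), so rename it to `extended-end-time`. The last line also has its attributes in the opposite order from every other converted `<arg>` (`rep="repeat" choice="opt"`). That is harmless, but it suggests the line was edited by hand after db4-upgrade ran, so confirm `key` is meant to be optional and repeatable.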
@ -113,10 +114,10 @@
determined by the presence or absence of a
<filename>keyset</filename> file for each child zone.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -794,10 +795,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>EXAMPLE</title>
<refsection><info><title>EXAMPLE</title></info>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated by <command>dnssec-keygen</command>
@ -825,26 +826,16 @@ db.example.com.signed
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</programlisting>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>, <citetitle>RFC 4641</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2012, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-verify">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<date>January 15, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,31 +43,31 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-verify</command>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg choice="req">zonefile</arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-x</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="req" rep="norepeat">zonefile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-verify</command>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -186,10 +187,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
@ -197,16 +198,6 @@
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007-2009, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.lwresd">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.lwresd">
<info>
<date>2009-01-20</date>
</info>
<refentryinfo>
<date>January 20, 2009</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -53,29 +54,29 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>lwresd</command>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-C <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
<arg><option>-i <replaceable class="parameter">pid-file</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg><option>-v</option></arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">config-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-g</option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">pid-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>lwresd</command>
is the daemon providing name lookup
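Review bot: Every `<arg>` in this synopsis gains `choice="opt" rep="norepeat"` and `<cmdsynopsis>` gains `sepchar=" "`, which are the values DocBook 4 already applied by default, so they look like DTD defaults materialised by the conversion tool rather than intended changes. They triple the length of each line and bury the real edits (`refsect1` to `refsection`); consider stripping defaulted attributes in a post-processing pass so only deliberate markup remains in the source.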
@ -110,10 +111,10 @@
queries autonomously starting at the root name servers, using
a built-in list of root server hints.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
@ -319,10 +320,10 @@
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<variablelist>
@ -346,10 +347,10 @@
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -360,16 +361,6 @@
<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.named.conf">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2014-01-08</date>
</info>
<refentryinfo>
<date>January 08, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -52,13 +53,13 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named.conf</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><filename>named.conf</filename> is the configuration file
for
<command>named</command>. Statements are enclosed
@ -75,39 +76,39 @@
<para>
Unix style: # to end of line
</para>
</refsect1>
</refsection>
<refsect1>
<title>ACL</title>
<literallayout>
<refsection><info><title>ACL</title></info>
<literallayout class="normal">
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>KEY</title>
<literallayout>
<refsection><info><title>KEY</title></info>
<literallayout class="normal">
key <replaceable>domain_name</replaceable> {
algorithm <replaceable>string</replaceable>;
secret <replaceable>string</replaceable>;
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>MASTERS</title>
<literallayout>
<refsection><info><title>MASTERS</title></info>
<literallayout class="normal">
masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>SERVER</title>
<literallayout>
<refsection><info><title>SERVER</title></info>
<literallayout class="normal">
server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
bogus <replaceable>boolean</replaceable>;
edns <replaceable>boolean</replaceable>;
@ -127,29 +128,29 @@ server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable>
support-ixfr <replaceable>boolean</replaceable>; // obsolete
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>TRUSTED-KEYS</title>
<literallayout>
<refsection><info><title>TRUSTED-KEYS</title></info>
<literallayout class="normal">
trusted-keys {
<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>MANAGED-KEYS</title>
<literallayout>
<refsection><info><title>MANAGED-KEYS</title></info>
<literallayout class="normal">
managed-keys {
<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>CONTROLS</title>
<literallayout>
<refsection><info><title>CONTROLS</title></info>
<literallayout class="normal">
controls {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
<optional> port ( <replaceable>integer</replaceable> | * ) </optional>
@ -158,11 +159,11 @@ controls {
unix <replaceable>unsupported</replaceable>; // not implemented
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>LOGGING</title>
<literallayout>
<refsection><info><title>LOGGING</title></info>
<literallayout class="normal">
logging {
channel <replaceable>string</replaceable> {
file <replaceable>log_file</replaceable>;
@ -177,11 +178,11 @@ logging {
category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>LWRES</title>
<literallayout>
<refsection><info><title>LWRES</title></info>
<literallayout class="normal">
lwres {
listen-on <optional> port <replaceable>integer</replaceable> </optional> {
( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
@ -193,11 +194,11 @@ lwres {
lwres-clients <replaceable>integer</replaceable>;
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<literallayout>
<refsection><info><title>OPTIONS</title></info>
<literallayout class="normal">
options {
avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
avoid-v6-udp-ports { <replaceable>port</replaceable>; ... };
@ -408,11 +409,11 @@ options {
use-id-pool <replaceable>boolean</replaceable>; // obsolete
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>VIEW</title>
<literallayout>
<refsection><info><title>VIEW</title></info>
<literallayout class="normal">
view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
match-clients { <replaceable>address_match_element</replaceable>; ... };
match-destinations { <replaceable>address_match_element</replaceable>; ... };
@ -578,11 +579,11 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>ZONE</title>
<literallayout>
<refsection><info><title>ZONE</title></info>
<literallayout class="normal">
zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
type ( master | slave | stub | hint | redirect |
forward | delegation-only );
@ -676,16 +677,16 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
};
</literallayout>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/named.conf</filename>
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -697,10 +698,6 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.named">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named">
<info>
<date>2014-02-19</date>
</info>
<refentryinfo>
<date>February 19, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -57,35 +58,35 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named</command>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">string</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
<arg><option>-L <replaceable class="parameter">logfile</replaceable></option></arg>
<arg><option>-M <replaceable class="parameter">option</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-S <replaceable class="parameter">#max-socks</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-U <replaceable class="parameter">#listeners</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg><option>-v</option></arg>
<arg><option>-V</option></arg>
<arg><option>-X <replaceable class="parameter">lock-file</replaceable></option></arg>
<arg><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">string</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-g</option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">logfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">option</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">#max-socks</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-U <replaceable class="parameter">#listeners</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-X <replaceable class="parameter">lock-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named</command>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@ -98,10 +99,10 @@
<filename>/etc/named.conf</filename>, read any initial
data, and listen for queries.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -158,10 +159,10 @@
<term>-D <replaceable class="parameter">string</replaceable></term>
<listitem>
<para>
Specifies a string that is used to identify a instance of
<command>named</command> in a process listing. The contents
of <replaceable class="parameter">string</replaceable> are
not examined.
Specifies a string that is used to identify a instance of
<command>named</command> in a process listing. The contents
of <replaceable class="parameter">string</replaceable> are
not examined.
</para>
</listitem>
</varlistentry>
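Review bot: The four lines of the `-D` description are re-emitted with no visible text change, and the typo on the first of them is carried over: "used to identify a instance of" should read "an instance of". Since the line is being rewritten anyway, fix it here.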
@ -218,11 +219,11 @@
<term>-M <replaceable class="parameter">option</replaceable></term>
<listitem>
<para>
Sets the default memory context options. Currently
the only supported option is
<replaceable class="parameter">external</replaceable>,
which causes the internal memory manager to be bypassed
in favor of system-provided memory allocation functions.
Sets the default memory context options. Currently
the only supported option is
<replaceable class="parameter">external</replaceable>,
which causes the internal memory manager to be bypassed
in favor of system-provided memory allocation functions.
</para>
</listitem>
</varlistentry>
@ -231,14 +232,14 @@
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Turn on memory usage debugging flags. Possible flags are
<replaceable class="parameter">usage</replaceable>,
<replaceable class="parameter">trace</replaceable>,
<replaceable class="parameter">record</replaceable>,
<replaceable class="parameter">size</replaceable>, and
<replaceable class="parameter">mctx</replaceable>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<filename>&lt;isc/mem.h&gt;</filename>.
Turn on memory usage debugging flags. Possible flags are
<replaceable class="parameter">usage</replaceable>,
<replaceable class="parameter">trace</replaceable>,
<replaceable class="parameter">record</replaceable>,
<replaceable class="parameter">size</replaceable>, and
<replaceable class="parameter">mctx</replaceable>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<filename>&lt;isc/mem.h&gt;</filename>.
</para>
</listitem>
</varlistentry>
@ -285,38 +286,38 @@
<varlistentry>
<term>-S <replaceable class="parameter">#max-socks</replaceable></term>
<listitem>
<para>
Allow <command>named</command> to use up to
<replaceable class="parameter">#max-socks</replaceable> sockets.
<para>
Allow <command>named</command> to use up to
<replaceable class="parameter">#max-socks</replaceable> sockets.
The default value is 4096 on systems built with default
configuration options, and 21000 on systems built with
"configure --with-tuning=large".
</para>
</para>
<warning>
<para>
This option should be unnecessary for the vast majority
of users.
The use of this option could even be harmful because the
The use of this option could even be harmful because the
specified value may exceed the limitation of the
underlying system API.
It is therefore set only when the default configuration
It is therefore set only when the default configuration
causes exhaustion of file descriptors and the
operational environment is known to support the
specified number of sockets.
Note also that the actual maximum number is normally a little
Note also that the actual maximum number is normally a little
fewer than the specified value because
<command>named</command> reserves some file descriptors
for its internal use.
<command>named</command> reserves some file descriptors
for its internal use.
</para>
</warning>
</listitem>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>Chroot
to <replaceable class="parameter">directory</replaceable> after
to <replaceable class="parameter">directory</replaceable> after
processing the command line arguments, but before
reading the configuration file.
</para>
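Review bot: Most paired lines in this hunk (`<para>`, `Allow <command>named</command> to use up to`, `</listitem>`, several sentences inside `<warning>`) are textually identical before and after, so the change is whitespace only and unrelated to the DocBook 5 conversion. In a commit that already touches 149 files, please move the re-indentation to its own commit, or drop it, so the conversion can be reviewed with whitespace ignored and `git blame` on the `-S` warning stays meaningful.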
@ -357,14 +358,14 @@
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para>Setuid
to <replaceable class="parameter">user</replaceable> after completing
to <replaceable class="parameter">user</replaceable> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
</para>
<note>
<para>
On Linux, <command>named</command> uses the kernel's
capability mechanism to drop all root privileges
capability mechanism to drop all root privileges
except the ability to <function>bind(2)</function> to
a
privileged port and set process resource limits.
@ -431,10 +432,10 @@
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SIGNALS</title>
<refsection><info><title>SIGNALS</title></info>
<para>
In routine operation, signals should not be used to control
the nameserver; <command>rndc</command> should be used
@ -467,10 +468,10 @@
The result of sending any other signals to the server is undefined.
</para>
</refsect1>
</refsection>
<refsect1>
<title>CONFIGURATION</title>
<refsection><info><title>CONFIGURATION</title></info>
<para>
The <command>named</command> configuration file is too complex
to describe in detail here. A complete description is provided
@ -487,10 +488,10 @@
<command>named</command> process.
</para>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<variablelist>
@ -514,45 +515,35 @@
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citetitle>RFC 1033</citetitle>,
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 1035</citetitle>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle>
<manvolnum>8</manvolnum>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle>
<manvolnum>8</manvolnum>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc</refentrytitle>
<manvolnum>8</manvolnum>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>lwresd</refentrytitle>
<manvolnum>8</manvolnum>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refentrytitle>named.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
@ -17,11 +14,16 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.nsupdate">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsupdate">
<info>
<date>2014-04-18</date>
</info>
<refentryinfo>
<date>April 18, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>nsupdate</application></refentrytitle>
<manvolnum>1</manvolnum>
@ -57,32 +59,32 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>nsupdate</command>
<arg><option>-d</option></arg>
<arg><option>-D</option></arg>
<arg><option>-L <replaceable class="parameter">level</replaceable></option></arg>
<group>
<arg><option>-g</option></arg>
<arg><option>-o</option></arg>
<arg><option>-l</option></arg>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">level</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-g</option></arg>
<arg choice="opt" rep="norepeat"><option>-o</option></arg>
<arg choice="opt" rep="norepeat"><option>-l</option></arg>
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
</group>
<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-v</option></arg>
<arg><option>-T</option></arg>
<arg><option>-P</option></arg>
<arg><option>-V</option></arg>
<arg>filename</arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-T</option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>nsupdate</command>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@ -138,10 +140,10 @@
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <option>-o</option> flag.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -347,10 +349,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>INPUT FORMAT</title>
<refsection><info><title>INPUT FORMAT</title></info>
<para><command>nsupdate</command>
reads input from
<parameter>filename</parameter>
@ -382,8 +384,8 @@
<varlistentry>
<term>
<command>server</command>
<arg choice="req">servername</arg>
<arg choice="opt">port</arg>
<arg choice="req" rep="norepeat">servername</arg>
<arg choice="opt" rep="norepeat">port</arg>
</term>
<listitem>
<para>
@ -409,8 +411,8 @@
<varlistentry>
<term>
<command>local</command>
<arg choice="req">address</arg>
<arg choice="opt">port</arg>
<arg choice="req" rep="norepeat">address</arg>
<arg choice="opt" rep="norepeat">port</arg>
</term>
<listitem>
<para>
@ -432,7 +434,7 @@
<varlistentry>
<term>
<command>zone</command>
<arg choice="req">zonename</arg>
<arg choice="req" rep="norepeat">zonename</arg>
</term>
<listitem>
<para>
@ -451,7 +453,7 @@
<varlistentry>
<term>
<command>class</command>
<arg choice="req">classname</arg>
<arg choice="req" rep="norepeat">classname</arg>
</term>
<listitem>
<para>
@ -466,7 +468,7 @@
<varlistentry>
<term>
<command>ttl</command>
<arg choice="req">seconds</arg>
<arg choice="req" rep="norepeat">seconds</arg>
</term>
<listitem>
<para>
@ -480,8 +482,8 @@
<varlistentry>
<term>
<command>key</command>
<arg choice="opt">hmac:</arg><arg choice="req">keyname</arg>
<arg choice="req">secret</arg>
<arg choice="opt" rep="norepeat">hmac:</arg><arg choice="req" rep="norepeat">keyname</arg>
<arg choice="req" rep="norepeat">secret</arg>
</term>
<listitem>
<para>
@ -524,7 +526,7 @@
<varlistentry>
<term>
<command>realm</command>
<arg choice="req"><optional>realm_name</optional></arg>
<arg choice="req" rep="norepeat"><optional>realm_name</optional></arg>
</term>
<listitem>
<para>
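Review bot: On the `realm` command the argument is marked `choice="req"` while its entire content is wrapped in `<optional>`, so the synopsis declares it required and optional at once. The conversion only appended `rep="norepeat"` and kept the contradiction; `choice="opt"` with a plain `realm_name` would express an optional argument without the nested markup. The same pattern appears on `check-names` in the next hunk.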
@ -538,7 +540,7 @@
<varlistentry>
<term>
<command>check-names</command>
<arg choice="req"><optional>yes_or_no</optional></arg>
<arg choice="req" rep="norepeat"><optional>yes_or_no</optional></arg>
</term>
<listitem>
<para>
@ -554,7 +556,7 @@
<varlistentry>
<term>
<command><optional>prereq</optional> nxdomain</command>
<arg choice="req">domain-name</arg>
<arg choice="req" rep="norepeat">domain-name</arg>
</term>
<listitem>
<para>
@ -568,7 +570,7 @@
<varlistentry>
<term>
<command><optional>prereq</optional> yxdomain</command>
<arg choice="req">domain-name</arg>
<arg choice="req" rep="norepeat">domain-name</arg>
</term>
<listitem>
<para>
@ -582,9 +584,9 @@
<varlistentry>
<term>
<command><optional>prereq</optional> nxrrset</command>
<arg choice="req">domain-name</arg>
<arg choice="opt">class</arg>
<arg choice="req">type</arg>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
</term>
<listitem>
<para>
@ -604,9 +606,9 @@
<varlistentry>
<term>
<command><optional>prereq</optional> yxrrset</command>
<arg choice="req">domain-name</arg>
<arg choice="opt">class</arg>
<arg choice="req">type</arg>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
</term>
<listitem>
<para>
@ -626,9 +628,9 @@
<varlistentry>
<term>
<command><optional>prereq</optional> yxrrset</command>
<arg choice="req">domain-name</arg>
<arg choice="opt">class</arg>
<arg choice="req">type</arg>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
<arg choice="req" rep="repeat">data</arg>
</term>
<listitem>
@ -660,10 +662,10 @@
<varlistentry>
<term>
<command><optional>update</optional> del<optional>ete</optional></command>
<arg choice="req">domain-name</arg>
<arg choice="opt">ttl</arg>
<arg choice="opt">class</arg>
<arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">ttl</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="norepeat">type <arg choice="opt" rep="repeat">data</arg></arg>
</term>
<listitem>
<para>
@ -686,10 +688,10 @@
<varlistentry>
<term>
<command><optional>update</optional> add</command>
<arg choice="req">domain-name</arg>
<arg choice="req">ttl</arg>
<arg choice="opt">class</arg>
<arg choice="req">type</arg>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="req" rep="norepeat">ttl</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
<arg choice="req" rep="repeat">data</arg>
</term>
<listitem>
@ -779,10 +781,10 @@
Lines beginning with a semicolon are comments and are ignored.
</para>
</refsect1>
</refsection>
<refsect1>
<title>EXAMPLES</title>
<refsection><info><title>EXAMPLES</title></info>
<para>
The examples below show how
<command>nsupdate</command>
@ -830,10 +832,10 @@
(The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</para>
</refsect1>
</refsection>
<refsect1>
<title>FILES</title>
<refsection><info><title>FILES</title></info>
<variablelist>
<varlistentry>
@ -879,10 +881,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citetitle>RFC 2136</citetitle>,
<citetitle>RFC 3007</citetitle>,
@ -901,19 +903,16 @@
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>BUGS</title>
<refsection><info><title>BUGS</title></info>
<para>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
for its cryptographic operations, and may change in future
releases.
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refsection>
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.pkcs11-destroy">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-destroy">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<date>January 15, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
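Review bot: The `<refentryinfo>` block sitting directly under the new `<info>` in this hunk is a DocBook 4 element, as is `<corpauthor>`; with `version="5.0"` and the DocBook namespace on `<refentry>`, the page metadata belongs in `<info>`. Suggest moving the organisation into `<info>` (for example as `<author><orgname>`) and dropping `<refentryinfo>`, then validating the result against the DocBook 5 schema. The same header hunk repeats in the other man pages in this commit.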
@ -42,21 +43,21 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>pkcs11-destroy</command>
<arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<group choice="req">
<arg choice="plain">-i <replaceable class="parameter">ID</replaceable></arg>
<arg choice="plain">-l <replaceable class="parameter">label</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<group choice="req" rep="norepeat">
<arg choice="plain" rep="norepeat">-i <replaceable class="parameter">ID</replaceable></arg>
<arg choice="plain" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
</group>
<arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">seconds</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">seconds</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-destroy</command> destroys keys stored in a
PKCS#11 device, identified by their <option>ID</option> or
@ -67,10 +68,10 @@
there is a five second delay to allow the user to interrupt the
process before the destruction takes place.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ARGUMENTS</title>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
@ -132,10 +133,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-keygen</refentrytitle><manvolnum>8</manvolnum>
@ -147,16 +148,6 @@
<refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.pkcs11-keygen">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<date>January 15, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,33 +43,33 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>pkcs11-keygen</command>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg><option>-P</option></arg>
<arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
<arg><option>-q</option></arg>
<arg><option>-S</option></arg>
<arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<arg choice="req">label</arg>
<arg choice="req" rep="norepeat">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-e</option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">id</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-S</option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<arg choice="req" rep="norepeat">label</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-keygen</command> causes a PKCS#11 device to generate
a new key pair with the given <option>label</option> (which must be
unique) and with <option>keysize</option> bits of prime.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ARGUMENTS</title>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
@ -179,10 +180,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
@ -197,16 +198,6 @@
<refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.pkcs11-list">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-list">
<info>
<date>2009-10-05</date>
</info>
<refentryinfo>
<date>October 05, 2009</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,28 +43,28 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>pkcs11-list</command>
<arg><option>-P</option></arg>
<arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<arg choice="opt">-i <replaceable class="parameter">ID</replaceable></arg>
<arg choice="opt">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<arg choice="opt" rep="norepeat">-i <replaceable class="parameter">ID</replaceable></arg>
<arg choice="opt" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-list</command>
lists the PKCS#11 objects with <option>ID</option> or
<option>label</option> or by default all objects.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ARGUMENTS</title>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-P</term>
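Review bot: In the converted synopsis, `-i ID` and `-l label` are the only flags not wrapped in `<option>`; every other `<arg choice="opt" rep="norepeat">` in this hunk nests `<option>` around the flag. Wrap these two the same way so the flags render consistently in the generated man page and HTML.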
@ -124,10 +125,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
@ -139,16 +140,6 @@
<refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.pkcs11-tokens">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-tokens">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<date>January 15, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -41,23 +42,23 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>pkcs11-tokens</command>
<arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-tokens</command>
lists the PKCS#11 available tokens with defaults from the slot/token
scan performed at application initialization.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ARGUMENTS</title>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
@ -70,10 +71,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
@ -85,16 +86,6 @@
<refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2012-2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-checkds">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-checkds">
<info>
<date>2013-01-01</date>
</info>
<refentryinfo>
<date>January 01, 2013</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -43,35 +44,35 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-checkds</command>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
<arg choice="req">zone</arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
<arg choice="req" rep="norepeat">zone</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
<arg choice="req">zone</arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
<arg choice="req" rep="norepeat">zone</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-checkds</command>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
zone.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
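Review bot: The second `<cmdsynopsis>` in this hunk names `<command>dnssec-dsfromkey</command>` but repeats the dnssec-checkds option list (`-l`, `-f`, `-d`, `-D dsfromkey path`, zone) on the dnssec-checkds page. The conversion carries this through unchanged; it reads as a copy of the first synopsis with the wrong command name, so either correct the command or drop the duplicate block.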
@ -118,10 +119,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-dsfromkey</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -132,16 +133,6 @@
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>
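Review bot: The SEE ALSO paragraph in this hunk ends with `</citerefentry>,` immediately before `</para>`, so the rendered list finishes on a dangling comma. Drop the comma or close the list with a period, as the rndc and dnstap-read pages do after their last entry.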

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnssec-coverage">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-coverage">
<info>
<date>2014-01-11</date>
</info>
<refentryinfo>
<date>January 11, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,23 +43,23 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-coverage</command>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">length</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">DNSKEY TTL</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">max TTL</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">compilezone path</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-z</option></arg>
<arg choice="opt">zone</arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">length</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">DNSKEY TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">max TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">compilezone path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="opt" rep="norepeat">zone</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-coverage</command>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
@ -84,10 +85,10 @@
accurate if all the zones that have keys in a given repository
share the same TTL parameters.)
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -237,10 +238,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
@ -255,16 +256,6 @@
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.rndc.conf">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
<info>
<date>2013-03-14</date>
</info>
<refentryinfo>
<date>March 14, 2013</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -51,13 +52,13 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>rndc.conf</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><filename>rndc.conf</filename> is the configuration file
for <command>rndc</command>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@ -141,10 +142,10 @@
ship with BIND 9 but is available on many systems. See the
EXAMPLE section for sample command lines for each.
</para>
</refsect1>
</refsection>
<refsect1>
<title>EXAMPLE</title>
<refsection><info><title>EXAMPLE</title></info>
<para><programlisting>
options {
@ -213,10 +214,10 @@
</para>
<para><userinput>echo "known plaintext for a secret" | mmencode</userinput>
</para>
</refsect1>
</refsection>
<refsect1>
<title>NAME SERVER CONFIGURATION</title>
<refsection><info><title>NAME SERVER CONFIGURATION</title></info>
<para>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <filename>rndc.conf</filename>
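Review bot: The `<userinput>echo "known plaintext for a secret" | mmencode</userinput>` example kept at the top of this hunk only base64-encodes a fixed phrase, and a reader who copies it verbatim ends up with a guessable rndc shared secret. While the EXAMPLE section is being touched, mark the phrase as a placeholder and state that the secret should be random data, pointing to rndc-confgen for generating it.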
@ -224,10 +225,10 @@
See the sections on the <option>controls</option> statement in the
BIND 9 Administrator Reference Manual for details.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
@ -239,16 +240,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
@ -17,10 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.rndc">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
<info>
<date>2014-08-15</date>
</info>
<refentryinfo>
<date>August 15, 2014</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -52,23 +53,23 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>rndc</command>
<arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-q</option></arg>
<arg><option>-r</option></arg>
<arg><option>-V</option></arg>
<arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
<arg choice="req">command</arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">server</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-r</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
<arg choice="req" rep="norepeat">command</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>rndc</command>
controls the operation of a name
server. It supersedes the <command>ndc</command> utility
@ -97,10 +98,10 @@
determine how to contact the name server and decide what
algorithm and key it should use.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -221,10 +222,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>COMMANDS</title>
<refsection><info><title>COMMANDS</title></info>
<para>
A list of commands supported by <command>rndc</command> can
be seen by running <command>rndc</command> without arguments.
@ -959,10 +960,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>LIMITATIONS</title>
<refsection><info><title>LIMITATIONS</title></info>
<para>
There is currently no way to provide the shared secret for a
<option>key_id</option> without using the configuration file.
@ -970,10 +971,10 @@
<para>
Several error messages could be clearer.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
@ -991,16 +992,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,12 +13,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.arpaname">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.arpaname">
<info>
<date>2009-03-03</date>
</info>
<refentryinfo>
<date>March 03, 2009</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>arpaname</application></refentrytitle>
<manvolnum>1</manvolnum>
@ -42,35 +42,25 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>arpaname</command>
<arg choice="req" rep="repeat"><replaceable class="parameter">ipaddress </replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>arpaname</command> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.dnstap-read">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnstap-read">
<info>
<date>2015-09-13</date>
</info>
<refentryinfo>
<date>September 13, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -41,17 +42,17 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnstap-read</command>
<arg><option>-m</option></arg>
<arg><option>-p</option></arg>
<arg><option>-y</option></arg>
<arg choice="req"><replaceable class="parameter">file</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-m</option></arg>
<arg choice="opt" rep="norepeat"><option>-p</option></arg>
<arg choice="opt" rep="norepeat"><option>-y</option></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">file</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>dnstap-read</command>
reads <command>dnstap</command> data from a specified file
@ -60,10 +61,10 @@
format, but if the <option>-y</option> option is specified,
then a longer and more detailed YAML format is used instead.
</para>
</refsect1>
</refsection>
<refsect1>
<title>OPTIONS</title>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
@ -97,10 +98,10 @@
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
@ -110,16 +111,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.genrandom">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.genrandom">
<info>
<date>2011-08-08</date>
</info>
<refentryinfo>
<date>August 08, 2011</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -44,26 +45,26 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>genrandom</command>
<arg><option>-n <replaceable class="parameter">number</replaceable></option></arg>
<arg choice="req"><replaceable class="parameter">size</replaceable></arg>
<arg choice="req"><replaceable class="parameter">filename</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">number</replaceable></option></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">size</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">filename</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>genrandom</command>
generates a file or a set of files containing a specified quantity
of pseudo-random data, which can be used as a source of entropy for
other commands on systems with no random device.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ARGUMENTS</title>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-n <replaceable class="parameter">number</replaceable></term>
@ -93,10 +94,10 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>rand</refentrytitle><manvolnum>3</manvolnum>
@ -105,16 +106,6 @@
<refentrytitle>arc4random</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,8 +1,6 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!-- Converted by db4-upgrade version 1.0 -->
<!--
- Copyright (C) 2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2010, 2012-2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -16,10 +14,13 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.isc-hmac-fixup">
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
<info>
<date>2013-04-28</date>
</info>
<refentryinfo>
<date>April 28, 2013</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
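Review bot: The root element here declares DocBook version="5.0", but as rendered this header still has a <refentryinfo> wrapper next to the new <info> block, and it gains <corpname> and <corpauthor> children. None of those three elements is part of the DocBook 5.0 schema: 5.0 folds the *info wrappers into <info> and expresses an organization with <orgname>, for example inside <author>. The stylesheets may still process the file, but it will not validate against the 5.0 RELAX NG grammar. Suggest moving the organization data into the <info> element and dropping <refentryinfo>, or saying in the commit message that the converted sources are intentionally not schema-valid.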
@ -43,15 +44,15 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>isc-hmac-fixup</command>
<arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req"><replaceable class="parameter">secret</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@ -75,10 +76,10 @@
secret. (If the secret did not require conversion, then it will be
printed without modification.)
</para>
</refsect1>
</refsection>
<refsect1>
<title>SECURITY CONSIDERATIONS</title>
<refsection><info><title>SECURITY CONSIDERATIONS</title></info>
<para>
Secrets that have been converted by <command>isc-hmac-fixup</command>
are shortened, but as this is how the HMAC protocol works in
@ -87,24 +88,14 @@
extra length would not significantly increase the function
strength."
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2104</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>
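Review bot: The AUTHOR section at the end of this file disappears, which changes the rendered man page rather than just its source format, and the commit message only mentions the toolchain upgrade. If attribution is now meant to come from the <corpauthor> entry in the header, please confirm that the man page stylesheet still emits an AUTHOR section from it; otherwise keep the section as a <refsection>. The same removal shows up in the genrandom, named-journalprint and nsec3hash sources in this patch, so one line in the commit message covering all of them would be enough.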

View file

@ -1,8 +1,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2010, 2012-2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
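Review bot: The copyright line in this header appears both as "2015" and as "2010, 2012-2015", and the second form is identical to the one shown for isc-hmac-fixup, while the next hunk dates this page 2015-01-05. That looks like a year range carried over from another file during conversion rather than a deliberate change; please check it and, if it is unintended, restore the single year. Separately, the replacement DOCTYPE still names book although the root element in the next hunk is refentry; since the declaration is now only there for the mdash entity, naming it refentry would keep a validating parser quiet.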
@ -16,10 +15,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.mdig">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.mdig">
<info>
<date>2015-01-05</date>
</info>
<refentryinfo>
<date>January 5, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>mdig</application></refentrytitle>
@ -39,41 +42,41 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>mdig</command>
<arg choice="req">@server</arg>
<arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v</option></arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-i</option></arg>
<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="req" rep="norepeat">@server</arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="repeat">plusopt</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>mdig</command>
<arg choice="req">-h</arg>
<arg choice="req" rep="norepeat">-h</arg>
</cmdsynopsis>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>mdig</command>
<arg>@server</arg>
<arg choice="opt" rep="norepeat">@server</arg>
<arg choice="req" rep="repeat">global-opt</arg>
<arg choice="req" rep="repeat">
<arg choice="req" rep="repeat">local-opt</arg>
<arg choice="req">query</arg>
<arg choice="req" rep="norepeat">query</arg>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>mdig</command>
is a multiple/pipelined query version of <command>dig</command>:
instead of waiting for a response after sending each query,
@ -92,7 +95,7 @@
</para>
<para>
The <arg choice="req">@server</arg> option is a mandatory global
The <arg choice="req" rep="norepeat">@server</arg> option is a mandatory global
option. It is the name or IP address of the name server to query.
(Unlike <command>dig</command>, this value is not retrieved from
<filename>/etc/resolv.conf</filename>.) It can be an IPv4 address
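Review bot: The converted line keeps <arg choice="req" rep="norepeat">@server</arg> inline in a <para>, but <arg> is only allowed inside <cmdsynopsis>, <group> or another <arg>, so this paragraph is invalid under the 5.0 schema the root element now declares. The conversion tool only added the rep attribute and did not address that. Suggest marking the token up as <option>@server</option> or <literal>@server</literal> here, which also avoids the synopsis-style brace rendering in running text.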
@ -119,10 +122,10 @@
values to options like the timeout interval. They have the
form <option>+keyword=value</option>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ANYWHERE OPTIONS</title>
<refsection><info><title>ANYWHERE OPTIONS</title></info>
<para>
The <option>-f</option> option makes <command>mdig</command>
@ -142,10 +145,10 @@
The <option>-v</option> causes <command>mdig</command> to
print the version number and exit.
</para>
</refsect1>
</refsection>
<refsect1>
<title>GLOBAL OPTIONS</title>
<refsection><info><title>GLOBAL OPTIONS</title></info>
<para>
The <option>-4</option> option forces <command>mdig</command> to
@ -383,10 +386,10 @@
</variablelist>
</para>
</refsect1>
</refsection>
<refsect1>
<title>LOCAL OPTIONS</title>
<refsection><info><title>LOCAL OPTIONS</title></info>
<para>
The <option>-c</option> option sets the query class to
@ -646,18 +649,14 @@
</variablelist>
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citetitle>RFC1035</citetitle>.
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refsection>
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.named-journalprint">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-journalprint">
<info>
<date>2009-12-04</date>
</info>
<refentryinfo>
<date>December 04, 2009</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,14 +43,14 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-journalprint</command>
<arg choice="req"><replaceable class="parameter">journal</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">journal</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>named-journalprint</command>
prints the contents of a zone journal file in a human-readable
@ -73,10 +74,10 @@
deleted, and continues with the resource record in master-file
format.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
@ -86,16 +87,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.named-rrchecker">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-rrchecker">
<info>
<date>2013-11-12</date>
</info>
<refentryinfo>
<date>November 12, 2013</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-rrchecker</application></refentrytitle>
@ -40,20 +41,20 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-rrchecker</command>
<arg><option>-h</option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-p</option></arg>
<arg><option>-u</option></arg>
<arg><option>-C</option></arg>
<arg><option>-T</option></arg>
<arg><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p</option></arg>
<arg choice="opt" rep="norepeat"><option>-u</option></arg>
<arg choice="opt" rep="norepeat"><option>-C</option></arg>
<arg choice="opt" rep="norepeat"><option>-T</option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-rrchecker</command>
read a individual DNS resource record from standard input and checks if it
is syntactically correct.
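Review bot: The first sentence of DESCRIPTION, visible as context at the end of this hunk, reads "read a individual DNS resource record from standard input and checks"; since this section's markup is being touched anyway, it is a good moment to fix it to "reads an individual DNS resource record from standard input and checks". No change is needed to the synopsis conversion itself.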
@ -79,10 +80,10 @@
print out the known class, standard type and private type mnemonics
respectively.
</para>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 1035</citetitle>,
@ -90,10 +91,6 @@
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
</refsection>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

View file

@ -1,6 +1,3 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -16,10 +13,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.nsec3hash">
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsec3hash">
<info>
<date>2009-03-02</date>
</info>
<refentryinfo>
<date>March 02, 2009</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
@ -42,26 +43,26 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>nsec3hash</command>
<arg choice="req"><replaceable class="parameter">salt</replaceable></arg>
<arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req"><replaceable class="parameter">iterations</replaceable></arg>
<arg choice="req"><replaceable class="parameter">domain</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">salt</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">iterations</replaceable></arg>
<arg choice="req" rep="norepeat"><replaceable class="parameter">domain</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>nsec3hash</command> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
of NSEC3 records in a signed zone.
</para>
</refsect1>
</refsection>
<refsect1>
<title>ARGUMENTS</title>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>salt</term>
@ -102,24 +103,14 @@
</listitem>
</varlistentry>
</variablelist>
</refsect1>
</refsection>
<refsect1>
<title>SEE ALSO</title>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5155</citetitle>.
</para>
</refsect1>
</refsection>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
</refentry>

118
configure vendored
View file

@ -667,6 +667,7 @@ SO_CFLAGS
SO
BIND9_CONFIGARGS
BIND9_SRCID
BIND9_VERSIONSHORT
BIND9_VERSIONSTRING
BIND9_MAJOR
BIND9_VERSION
@ -685,8 +686,8 @@ ATFLIBS
ATFBIN
ATFBUILD
IDNLIBS
XSLT_DB2LATEX_ADMONITIONS
XSLT_DB2LATEX_STYLE
XSLT_DBLATEX_FASTBOOK
XSLT_DBLATEX_STYLE
XSLT_DOCBOOK_MAKETOC_XHTML
XSLT_DOCBOOK_MAKETOC_HTML
XSLT_DOCBOOK_CHUNKTOC_XHTML
@ -701,6 +702,7 @@ DOXYGEN
XMLLINT
XSLTPROC
W3M
DBLATEX
PDFLATEX
LATEX
DNSTAPHTML
@ -20331,6 +20333,54 @@ test -n "$PDFLATEX" || PDFLATEX="pdflatex"
for ac_prog in dblatex
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_path_DBLATEX+:} false; then :
$as_echo_n "(cached) " >&6
else
case $DBLATEX in
[\\/]* | ?:[\\/]*)
ac_cv_path_DBLATEX="$DBLATEX" # Let the user override the test with a path.
;;
*)
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_path_DBLATEX="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
;;
esac
fi
DBLATEX=$ac_cv_path_DBLATEX
if test -n "$DBLATEX"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $DBLATEX" >&5
$as_echo "$DBLATEX" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
test -n "$DBLATEX" && break
done
test -n "$DBLATEX" || DBLATEX="dblatex"
#
# Look for w3m
#
@ -20828,64 +20878,56 @@ fi
#
# Same dance for db2latex
# Same dance for dblatex
#
dblatex_xsl_trees="/usr/local/share/xml/docbook/stylesheet/dblatex /usr/pkg/share/xml/docbook/stylesheet/dblatex /usr/share/xml/docbook/stylesheet/dblatex"
db2latex_xsl_trees="/usr/local/share/db2latex/xsl /usr/pkg/share/xsl/db2latex"
#
# Look for stylesheets we need.
#
XSLT_DB2LATEX_STYLE=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for docbook.xsl" >&5
$as_echo_n "checking for docbook.xsl... " >&6; }
for d in $db2latex_xsl_trees
XSLT_DBLATEX_STYLE=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for xsl/docbook.xsl" >&5
$as_echo_n "checking for xsl/docbook.xsl... " >&6; }
for d in $dblatex_xsl_trees
do
f=$d/docbook.xsl
f=$d/xsl/docbook.xsl
if test -f $f
then
XSLT_DB2LATEX_STYLE=$f
XSLT_DBLATEX_STYLE=$f
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $f" >&5
$as_echo "$f" >&6; }
break
fi
done
if test "X$XSLT_DB2LATEX_STYLE" = "X"
if test "X$XSLT_DBLATEX_STYLE" = "X"
then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"not found\"" >&5
$as_echo "\"not found\"" >&6; };
XSLT_DB2LATEX_STYLE=docbook.xsl
XSLT_DBLATEX_STYLE=xsl/docbook.xsl
fi
#
# Look for "admonition" image directory. Can't use NOM_PATH_FILE()
# because it's a directory, so just do the same things, inline.
#
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db2latex xsl figures" >&5
$as_echo_n "checking for db2latex xsl figures... " >&6; }
for d in $db2latex_xsl_trees
XSLT_DBLATEX_FASTBOOK=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for xsl/latex_book_fast.xsl" >&5
$as_echo_n "checking for xsl/latex_book_fast.xsl... " >&6; }
for d in $dblatex_xsl_trees
do
if test -d $d/figures
f=$d/xsl/latex_book_fast.xsl
if test -f $f
then
XSLT_DB2LATEX_ADMONITIONS=$d/figures
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $d/figures" >&5
$as_echo "$d/figures" >&6; }
XSLT_DBLATEX_FASTBOOK=$f
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $f" >&5
$as_echo "$f" >&6; }
break
fi
done
if test "X$XSLT_DB2LATEX_ADMONITIONS" = "X"
if test "X$XSLT_DBLATEX_FASTBOOK" = "X"
then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
$as_echo "not found" >&6; }
XSLT_DB2LATEX_ADMONITIONS=db2latex/xsl/figures
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"not found\"" >&5
$as_echo "\"not found\"" >&6; };
XSLT_DBLATEX_FASTBOOK=xsl/latex_book_fast.xsl
fi
#
# IDN support
#
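Review bot: When none of the directories in $dblatex_xsl_trees contains the stylesheet, both loops print "not found" and then assign the relative paths xsl/docbook.xsl and xsl/latex_book_fast.xsl to XSLT_DBLATEX_STYLE and XSLT_DBLATEX_FASTBOOK, so configure succeeds and the bad path only surfaces later when the documentation is built. A relative fallback also resolves against whatever the working directory is at that point. Suggest having the not-found branch emit a warning that PDF documentation cannot be built, or leave the variable empty so the doc Makefile can test for it. The unquoted "test -f $f" would also misbehave on a tree path containing spaces; as this file is generated, both fixes belong in the NOM_PATH_FILE macro.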
@ -21191,6 +21233,8 @@ BIND9_MAJOR="MAJOR=${MAJORVER}.${MINORVER}"
BIND9_VERSIONSTRING="${PRODUCT} ${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}${DESCRIPTION:+ }${DESCRIPTION}"
BIND9_VERSIONSHORT="${PRODUCT} ${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
BIND9_SRCID="SRCID=unset"
if test -f "${srcdir}/srcid"; then
@ -22411,7 +22455,7 @@ ac_config_commands="$ac_config_commands chmod"
# elsewhere if there's a good reason for doing so.
#
ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/builtin/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/pipelined/Makefile bin/tests/system/resolver/Makefile bin/tests/system/rndc/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/statistics/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile 
bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl doc/xsl/isc-notes-latex.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/builtin/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/pipelined/Makefile bin/tests/system/resolver/Makefile bin/tests/system/rndc/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/statistics/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile 
bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/tex/Makefile doc/tex/armstyle.sty doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
#
@ -23486,13 +23530,13 @@ do
"doc/doxygen/Makefile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Makefile" ;;
"doc/doxygen/doxygen-input-filter") CONFIG_FILES="$CONFIG_FILES doc/doxygen/doxygen-input-filter" ;;
"doc/misc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/misc/Makefile" ;;
"doc/tex/Makefile") CONFIG_FILES="$CONFIG_FILES doc/tex/Makefile" ;;
"doc/tex/armstyle.sty") CONFIG_FILES="$CONFIG_FILES doc/tex/armstyle.sty" ;;
"doc/xsl/Makefile") CONFIG_FILES="$CONFIG_FILES doc/xsl/Makefile" ;;
"doc/xsl/isc-docbook-chunk.xsl") CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-chunk.xsl" ;;
"doc/xsl/isc-docbook-html.xsl") CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-html.xsl" ;;
"doc/xsl/isc-docbook-latex.xsl") CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-latex.xsl" ;;
"doc/xsl/isc-manpage.xsl") CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-manpage.xsl" ;;
"doc/xsl/isc-notes-html.xsl") CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-notes-html.xsl" ;;
"doc/xsl/isc-notes-latex.xsl") CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-notes-latex.xsl" ;;
"isc-config.sh") CONFIG_FILES="$CONFIG_FILES isc-config.sh" ;;
"lib/Makefile") CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
"lib/bind9/Makefile") CONFIG_FILES="$CONFIG_FILES lib/bind9/Makefile" ;;

View file

@ -4045,6 +4045,9 @@ AC_SUBST(LATEX)
AC_PATH_PROGS(PDFLATEX, pdflatex, pdflatex)
AC_SUBST(PDFLATEX)
AC_PATH_PROGS(DBLATEX, dblatex, dblatex)
AC_SUBST(DBLATEX)
#
# Look for w3m
#
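Review bot: AC_PATH_PROGS(DBLATEX, dblatex, dblatex) passes the bare program name as the value-if-not-found, so DBLATEX is never empty and a missing dblatex cannot be told apart from a found one once configure has run. This mirrors the PDFLATEX line above, but the changelog entry makes dblatex a required part of the documentation toolchain, so the gap matters more here. Suggest omitting the third argument and issuing an AC_MSG_WARN when the result is empty, or at least documenting the new dependency in the build instructions.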
@ -4150,38 +4153,11 @@ NOM_PATH_FILE(XSLT_DOCBOOK_MAKETOC_HTML, html/maketoc.xsl, $docbook_xsl_trees)
NOM_PATH_FILE(XSLT_DOCBOOK_MAKETOC_XHTML, xhtml/maketoc.xsl, $docbook_xsl_trees)
#
# Same dance for db2latex
# Same dance for dblatex
#
db2latex_xsl_trees="/usr/local/share/db2latex/xsl /usr/pkg/share/xsl/db2latex"
#
# Look for stylesheets we need.
#
NOM_PATH_FILE(XSLT_DB2LATEX_STYLE, docbook.xsl, $db2latex_xsl_trees)
#
# Look for "admonition" image directory. Can't use NOM_PATH_FILE()
# because it's a directory, so just do the same things, inline.
#
AC_MSG_CHECKING(for db2latex xsl figures)
for d in $db2latex_xsl_trees
do
if test -d $d/figures
then
XSLT_DB2LATEX_ADMONITIONS=$d/figures
AC_MSG_RESULT($d/figures)
break
fi
done
if test "X$XSLT_DB2LATEX_ADMONITIONS" = "X"
then
AC_MSG_RESULT(not found)
XSLT_DB2LATEX_ADMONITIONS=db2latex/xsl/figures
fi
AC_SUBST(XSLT_DB2LATEX_ADMONITIONS)
dblatex_xsl_trees="/usr/local/share/xml/docbook/stylesheet/dblatex /usr/pkg/share/xml/docbook/stylesheet/dblatex /usr/share/xml/docbook/stylesheet/dblatex"
NOM_PATH_FILE(XSLT_DBLATEX_STYLE, xsl/docbook.xsl, $dblatex_xsl_trees)
NOM_PATH_FILE(XSLT_DBLATEX_FASTBOOK, xsl/latex_book_fast.xsl, $dblatex_xsl_trees)
#
# IDN support
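Review bot: dblatex_xsl_trees is a fixed list of three prefixes (/usr/local, /usr/pkg and /usr under share/xml/docbook/stylesheet/dblatex) with no way for the builder to point at another location, so an installation under any other prefix is reported as not found even when dblatex itself is on PATH. Suggest accepting an override, for example a --with-dblatex-xsl=DIR option or an environment variable that is prepended to the list. It is also worth confirming that nothing left in the doc Makefiles or stylesheets still references XSLT_DB2LATEX_STYLE or XSLT_DB2LATEX_ADMONITIONS, since both substitutions are removed here.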
@ -4390,6 +4366,8 @@ BIND9_MAJOR="MAJOR=${MAJORVER}.${MINORVER}"
AC_SUBST(BIND9_MAJOR)
BIND9_VERSIONSTRING="${PRODUCT} ${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}${DESCRIPTION:+ }${DESCRIPTION}"
AC_SUBST(BIND9_VERSIONSTRING)
BIND9_VERSIONSHORT="${PRODUCT} ${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
AC_SUBST(BIND9_VERSIONSHORT)
BIND9_SRCID="SRCID=unset"
if test -f "${srcdir}/srcid"; then
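Review bot: BIND9_VERSIONSHORT repeats the whole BIND9_VERSIONSTRING expression and differs only by omitting the trailing ${DESCRIPTION:+ }${DESCRIPTION}, so the two will drift apart the next time a component is added to one of them. Suggest defining the short form first and deriving the long one from it, along the lines of BIND9_VERSIONSTRING="${BIND9_VERSIONSHORT}${DESCRIPTION:+ }${DESCRIPTION}". A one-line comment saying which outputs are meant to use the short form would also help.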
@ -4823,13 +4801,13 @@ AC_CONFIG_FILES([
doc/doxygen/Makefile
doc/doxygen/doxygen-input-filter
doc/misc/Makefile
doc/tex/Makefile
doc/tex/armstyle.sty
doc/xsl/Makefile
doc/xsl/isc-docbook-chunk.xsl
doc/xsl/isc-docbook-html.xsl
doc/xsl/isc-docbook-latex.xsl
doc/xsl/isc-manpage.xsl
doc/xsl/isc-notes-html.xsl
doc/xsl/isc-notes-latex.xsl
isc-config.sh
lib/Makefile
lib/bind9/Makefile

View file

@ -13,8 +13,6 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.11 2007/06/19 23:47:13 tbox Exp $
# This Makefile is a placeholder. It exists merely to make
# sure that its directory gets created in the object directory
# tree when doing a build using separate object directories.
@ -23,7 +21,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = arm misc xsl doxygen
SUBDIRS = arm misc xsl doxygen tex
TARGETS =
@BIND9_MAKE_RULES@

3
doc/arm/.gitignore vendored Normal file
View file

@ -0,0 +1,3 @@
noteversion.xml
pkgversion.xml
releaseinfo.xml

File diff suppressed because it is too large Load diff

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 1. Introduction</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="next" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
@ -39,27 +38,28 @@
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h2></div></div></div>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563509">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563533">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564629">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564810">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.4">Scope of Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.5">Organization of This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6">Conventions Used in This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564832">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564934">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567271">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567348">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567589">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567651">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.4">DNS Fundamentals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.5">Domains and Domain Names</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.6">Zones</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.7">Authoritative Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.8">Caching Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.9">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
<p>
<p>
The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
consists of the syntax
to specify the names of entities in the Internet in a hierarchical
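Review bot: The anchor names in this table of contents change from generated values such as id2563509 to positional ones such as id-1.2.4, so existing deep links into the chapter break, and the new values will shift again whenever a section is inserted ahead of them. Give the sections explicit xml:id values in the DocBook source so the fragment identifiers stay stable, as the chapter anchor Bv9ARM.ch01 already is.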
@ -69,10 +69,13 @@
group of distributed
hierarchical databases.
</p>
<div class="sect1" lang="en">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2563509"></a>Scope of Document</h2></div></div></div>
<p>
<a name="id-1.2.4"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
domain name server for a number of operating systems. This
@ -81,12 +84,14 @@
<acronym class="acronym">BIND</acronym> version 9 software package for
system administrators.
</p>
<p>This version of the manual corresponds to BIND version 9.11.</p>
</div>
<div class="sect1" lang="en">
<p>This version of the manual corresponds to BIND version 9.11.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2563533"></a>Organization of This Document</h2></div></div></div>
<p>
<a name="id-1.2.5"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
@ -111,18 +116,22 @@
and the Domain Name
System.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564629"></a>Conventions Used in This Document</h2></div></div></div>
<p>
<a name="id-1.2.6"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
</p>
<div class="informaltable"><table border="1">
<div class="informaltable">
<table border="1">
<colgroup>
<col>
<col>
<col width="3.000in" class="1">
<col width="2.625in" class="2">
</colgroup>
<tbody>
<tr>
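Review bot: The new col elements use width="3.000in" and width="2.625in", but the HTML width attribute takes pixels or percentages, so these values will not be honoured as inches by browsers. Emit the widths as percentages or as a CSS style instead; the class="1" and class="2" values on the same lines also start with a digit, which makes them awkward to target from a stylesheet without escaping.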
@ -176,14 +185,17 @@
</td>
</tr>
</tbody>
</table></div>
<p>
</table>
</div>
<p>
The following conventions are used in descriptions of the
<acronym class="acronym">BIND</acronym> configuration file:</p>
<div class="informaltable"><table border="1">
<div class="informaltable">
<table border="1">
<colgroup>
<col>
<col>
<col width="3.000in" class="1">
<col width="2.625in" class="2">
</colgroup>
<tbody>
<tr>
@ -235,46 +247,55 @@
</td>
</tr>
</tbody>
</table></div>
</table>
</div>
<p>
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564810"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
<a name="id-1.2.7"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
Name Domain) software package, and we
begin by reviewing the fundamentals of the Domain Name System
(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
</p>
<div class="sect2" lang="en">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564832"></a>DNS Fundamentals</h3></div></div></div>
<p>
<a name="id-1.2.7.4"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
IP
addresses and vice versa, mail routing information, and other data
used by Internet applications.
</p>
<p>
<p>
Clients look up information in the DNS by calling a
<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
The <acronym class="acronym">BIND</acronym> 9 software distribution
contains a
name server, <span><strong class="command">named</strong></span>, and a resolver
library, <span><strong class="command">liblwres</strong></span>. The older
<span><strong class="command">libbind</strong></span> resolver library is also available
name server, <span class="command"><strong>named</strong></span>, and a resolver
library, <span class="command"><strong>liblwres</strong></span>. The older
<span class="command"><strong>libbind</strong></span> resolver library is also available
from ISC as a separate download.
</p>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564934"></a>Domains and Domain Names</h3></div></div></div>
<p>
<a name="id-1.2.7.5"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
@ -285,7 +306,8 @@
separated by dots. A label need only be unique within its parent
domain.
</p>
<p>
<p>
For example, a domain name for a host at the
company <span class="emphasis"><em>Example, Inc.</em></span> could be
<code class="literal">ourhost.example.com</code>,
@ -297,7 +319,8 @@
<code class="literal">ourhost</code> is the
name of the host.
</p>
<p>
<p>
For administrative purposes, the name space is partitioned into
areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
extending down to the leaf nodes or to nodes where other zones
@ -305,27 +328,32 @@
The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
<span class="emphasis"><em>DNS protocol</em></span>.
</p>
<p>
<p>
The data associated with each domain name is stored in the
form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
Some of the supported resource record types are described in
<a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
<a class="xref" href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
</p>
<p>
<p>
For more detailed information about the design of the DNS and
the DNS protocol, please refer to the standards documents listed in
<a href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
<a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
</p>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567271"></a>Zones</h3></div></div></div>
<p>
<a name="id-1.2.7.6"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
and a <span class="emphasis"><em>domain</em></span>.
</p>
<p>
<p>
As stated previously, a zone is a point of delegation in
the <acronym class="acronym">DNS</acronym> tree. A zone consists of
those contiguous parts of the domain
@ -337,7 +365,8 @@
parent zone, which should be matched by equivalent NS records at
the root of the delegated zone.
</p>
<p>
<p>
For instance, consider the <code class="literal">example.com</code>
domain which includes names
such as <code class="literal">host.aaa.example.com</code> and
@ -359,7 +388,8 @@
gain a complete understanding of this difficult and subtle
topic.
</p>
<p>
<p>
Though <acronym class="acronym">BIND</acronym> is called a "domain name
server",
it deals primarily in terms of zones. The master and slave
@ -369,11 +399,14 @@
be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
actually asking for slave service for some collection of zones.
</p>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567348"></a>Authoritative Name Servers</h3></div></div></div>
<p>
<a name="id-1.2.7.7"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
which contains the complete data for the zone.
@ -381,16 +414,20 @@
most zones have two or more authoritative servers, on
different networks.
</p>
<p>
<p>
Responses from authoritative servers have the "authoritative
answer" (AA) bit set in the response packets. This makes them
easy to identify when debugging DNS configurations using tools like
<span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
<span class="command"><strong>dig</strong></span> (<a class="xref" href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
</p>
<div class="sect3" lang="en">
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567371"></a>The Primary Master</h4></div></div></div>
<p>
<a name="id-1.2.7.7.5"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
<span class="emphasis"><em>primary master</em></span> server, or simply the
@ -401,16 +438,19 @@
<span class="emphasis"><em>zone file</em></span> or
<span class="emphasis"><em>master file</em></span>.
</p>
<p>
<p>
In some cases, however, the master file may not be edited
by humans at all, but may instead be the result of
<span class="emphasis"><em>dynamic update</em></span> operations.
</p>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567401"></a>Slave Servers</h4></div></div></div>
<p>
<a name="id-1.2.7.7.6"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
load
@ -422,11 +462,14 @@
to transfer it from another slave. In other words, a slave server
may itself act as a master to a subordinate slave server.
</p>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567422"></a>Stealth Servers</h4></div></div></div>
<p>
<a name="id-1.2.7.7.7"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
@ -437,7 +480,8 @@
list servers in the parent's delegation that are not present at
the zone's top level.
</p>
<p>
<p>
A <span class="emphasis"><em>stealth server</em></span> is a server that is
authoritative for a zone but is not listed in that zone's NS
records. Stealth servers can be used for keeping a local copy of
@ -448,7 +492,8 @@
are
inaccessible.
</p>
<p>
<p>
A configuration where the primary master server itself is a
stealth server is often referred to as a "hidden primary"
configuration. One use for this configuration is when the primary
@ -456,12 +501,19 @@
is behind a firewall and therefore unable to communicate directly
with the outside world.
</p>
</div>
</div>
<div class="sect2" lang="en">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567589"></a>Caching Name Servers</h3></div></div></div>
<p>
<a name="id-1.2.7.8"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
capable of
@ -473,22 +525,27 @@
is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
<span class="emphasis"><em>recursive lookups</em></span> for local clients.
</p>
<p>
<p>
To improve performance, recursive servers cache the results of
the lookups they perform. Since the processes of recursion and
caching are intimately connected, the terms
<span class="emphasis"><em>recursive server</em></span> and
<span class="emphasis"><em>caching server</em></span> are often used synonymously.
</p>
<p>
<p>
The length of time for which a record may be retained in
the cache of a caching name server is controlled by the
Time To Live (TTL) field associated with each resource record.
</p>
<div class="sect3" lang="en">
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567624"></a>Forwarding</h4></div></div></div>
<p>
<a name="id-1.2.7.8.6"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
<span class="emphasis"><em>forward</em></span> some or all of the queries
@ -496,7 +553,8 @@
server,
commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
</p>
<p>
<p>
There may be one or more forwarders,
and they are queried in turn until the list is exhausted or an
answer
@ -510,18 +568,23 @@
that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
on the internal server's behalf.
</p>
</div>
</div>
<div class="sect2" lang="en">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567651"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
<a name="id-1.2.7.9"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
a master for some zones, a slave for other zones, and as a caching
(recursive) server for a set of local clients.
</p>
<p>
<p>
However, since the functions of authoritative name service
and caching/recursive name service are logically separate, it is
often advantageous to run them on separate server machines.
@ -536,9 +599,11 @@
does not need to be reachable from the Internet at large and can
be placed inside a firewall.
</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -556,6 +621,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
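Review bot: The footer paragraph now carries xmlns:db="http://docbook.org/ns/docbook", a namespace declaration leaking from the stylesheet into the HTML output. Add exclude-result-prefixes="db" to the xsl:stylesheet element of the customization layer that emits this footer so the generated pages stay free of it; the same line appears in the other regenerated chapters.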


@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 2. BIND Resource Requirements</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
<link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
@ -39,29 +38,33 @@
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h2></div></div></div>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567685">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567712">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567793">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567819">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567830">Supported Operating Systems</a></span></dt>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.3">Hardware requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.4">CPU Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.5">Memory Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.6">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.7">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567685"></a>Hardware requirements</h2></div></div></div>
<p>
<a name="id-1.3.3"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
For many installations, servers that have been pensioned off from
active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
</p>
<p>
<p>
The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
may prove to be quite
CPU intensive however, so organizations that make heavy use of these
@ -70,30 +73,33 @@
full utilization of
multiprocessor systems for installations that need it.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567712"></a>CPU Requirements</h2></div></div></div>
<p>
<a name="id-1.3.4"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
for serving of static zones without caching, to enterprise-class
machines if you intend to process many dynamic updates and DNSSEC
signed zones, serving many thousands of queries per second.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567793"></a>Memory Requirements</h2></div></div></div>
<p>
<a name="id-1.3.5"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
cache and zones loaded off disk. The <span class="command"><strong>max-cache-size</strong></span>
option can be used to limit the amount of memory used by the cache,
at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
traffic.
Additionally, if additional section caching
(<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
the <span><strong class="command">max-acache-size</strong></span> option can be used to
(<a class="xref" href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
the <span class="command"><strong>max-acache-size</strong></span> option can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
@ -104,11 +110,14 @@
a relatively stable size where entries are expiring from the cache as
fast as they are being inserted.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567819"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
<a name="id-1.3.6"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
any second-level internal name servers query a main name server, which
@ -121,11 +130,13 @@
this has the disadvantage of making many more external queries,
as none of the name servers share their cached data.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567830"></a>Supported Operating Systems</h2></div></div></div>
<p>
<a name="id-1.3.7"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number
of Unix-like operating systems and on
@ -135,8 +146,8 @@
directory
of the BIND 9 source distribution.
</p>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -154,6 +165,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>


@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 3. Name Server Configuration</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
@ -39,45 +38,50 @@
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567998">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568014">An Authoritative-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.4.3">A Caching-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.4.4">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568037">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568391">Name Server Operations</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.5">Load Balancing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568396">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569465">Signals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.3">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.4">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
<p>
<p>
In this chapter we provide some suggested configurations along
with guidelines for their use. We suggest reasonable values for
certain option settings.
</p>
<div class="sect1" lang="en">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567998"></a>A Caching-only Name Server</h3></div></div></div>
<p>
<a name="id-1.4.4.3"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
queries
from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>
option. Alternatively, the same effect could be achieved using
suitable
firewall rules.
</p>
<pre class="programlisting">
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
@ -95,15 +99,19 @@ zone "0.0.127.in-addr.arpa" {
notify no;
};
</pre>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568014"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
<a name="id-1.4.4.4"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
and a slave for the subdomain "<code class="filename">eng.example.com</code>".
</p>
<pre class="programlisting">
options {
// Working directory
@ -142,29 +150,37 @@ zone "eng.example.com" {
masters { 192.168.4.12; };
};
</pre>
</div>
</div>
<div class="sect1" lang="en">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568037"></a>Load Balancing</h2></div></div></div>
<p>
<a name="id-1.4.5"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
(such as multiple A records) for one name.
</p>
<p>
<p>
For example, if you have three WWW servers with network addresses
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
following means that clients will connect to each machine one third
of the time:
</p>
<div class="informaltable"><table border="1">
<div class="informaltable">
<table border="1">
<colgroup>
<col>
<col>
<col>
<col>
<col>
<col width="0.875in" class="1">
<col width="0.500in" class="2">
<col width="0.750in" class="3">
<col width="0.750in" class="4">
<col width="2.028in" class="5">
</colgroup>
<tbody>
<tr>
@ -272,48 +288,56 @@ zone "eng.example.com" {
</td>
</tr>
</tbody>
</table></div>
<p>
</table>
</div>
<p>
When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
them and respond to the query with the records in a different
order. In the example above, clients will randomly receive
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
will use the first record returned and discard the rest.
</p>
<p>
<p>
For more detail on ordering responses, check the
<span><strong class="command">rrset-order</strong></span> sub-statement in the
<span><strong class="command">options</strong></span> statement, see
<a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
<span class="command"><strong>rrset-order</strong></span> sub-statement in the
<span class="command"><strong>options</strong></span> statement, see
<a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568391"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<a name="id-1.4.6"></a>Name Server Operations</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568396"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
<a name="id-1.4.6.3"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
administrator for controlling and debugging the name server
daemon.
</p>
<div class="sect3" lang="en">
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
<p>
The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
<span><strong class="command">nslookup</strong></span> programs are all command
<p>
The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
<span class="command"><strong>nslookup</strong></span> programs are all command
line tools
for manually querying name servers. They differ in style and
output format.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>
<dd>
<p>
The domain information groper (<span><strong class="command">dig</strong></span>)
<p>
The domain information groper (<span class="command"><strong>dig</strong></span>)
is the most versatile and complete of these lookup tools.
It has two modes: simple interactive
mode for a single query, and batch mode which executes a
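Review bot: the `class="command"` attribute moves from the inner `<strong>` to the outer `<span>` throughout this hunk (for example `<span class="command"><strong>dig</strong></span>`), and the `sect1`/`sect2`/`sect3` div classes collapse into a single `section`, so any stylesheet rule written against `strong.command` or `div.sect1` stops matching. Please confirm that the CSS used with the HTML docs targets `span.command` and nested `div.section` after this change. The `lang="en"` attribute is also dropped from the section divs; if that is intentional, a `lang` on the root element would keep the page language declared.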
@ -322,39 +346,61 @@ zone "eng.example.com" {
accessible
from the command line.
</p>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
<p>
The usual simple use of <span><strong class="command">dig</strong></span> will take the form
<div class="cmdsynopsis"><p>
<code class="command">dig</code>
[@<em class="replaceable"><code>server</code></em>]
<em class="replaceable"><code>domain</code></em>
[<em class="replaceable"><code>query-type</code></em>]
[<em class="replaceable"><code>query-class</code></em>]
[+<em class="replaceable"><code>query-option</code></em>]
[-<em class="replaceable"><code>dig-option</code></em>]
[%<em class="replaceable"><code>comment</code></em>]
</p></div>
<p>
The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
</p>
<p>
<span><strong class="command">dig @server domain query-type query-class</strong></span>
<p class="simpara">
<span class="command"><strong>dig @server domain query-type query-class</strong></span>
</p>
<p>
<p>
For more information and a list of available commands and
options, see the <span><strong class="command">dig</strong></span> man
options, see the <span class="command"><strong>dig</strong></span> man
page.
</p>
</dd>
<dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
</dd>
<dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>
<dd>
<p>
The <span><strong class="command">host</strong></span> utility emphasizes
<p>
The <span class="command"><strong>host</strong></span> utility emphasizes
simplicity
and ease of use. By default, it converts
between host names and Internet addresses, but its
functionality
can be extended with the use of options.
</p>
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
<p>
<div class="cmdsynopsis"><p>
<code class="command">host</code>
[-aCdlnrsTwv]
[-c <em class="replaceable"><code>class</code></em>]
[-N <em class="replaceable"><code>ndots</code></em>]
[-t <em class="replaceable"><code>type</code></em>]
[-W <em class="replaceable"><code>timeout</code></em>]
[-R <em class="replaceable"><code>retries</code></em>]
[-m <em class="replaceable"><code>flag</code></em>]
[-4]
[-6]
<em class="replaceable"><code>hostname</code></em>
[<em class="replaceable"><code>server</code></em>]
</p></div>
<p>
For more information and a list of available commands and
options, see the <span><strong class="command">host</strong></span> man
options, see the <span class="command"><strong>host</strong></span> man
page.
</p>
</dd>
<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
</dd>
<dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt>
<dd>
<p><span><strong class="command">nslookup</strong></span>
<p><span class="command"><strong>nslookup</strong></span>
has two modes: interactive and
non-interactive. Interactive mode allows the user to
query name servers for information about various
@ -363,8 +409,15 @@ zone "eng.example.com" {
the name and requested information for a host or
domain.
</p>
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
<p>
<div class="cmdsynopsis"><p>
<code class="command">nslookup</code>
[-option...]
[
[<em class="replaceable"><code>host-to-find</code></em>]
| [- [server]]
]
</p></div>
<p>
Interactive mode is entered when no arguments are given (the
default name server will be used) or when the first argument
is a
@ -372,7 +425,7 @@ zone "eng.example.com" {
Internet address
of a name server.
</p>
<p>
<p>
Non-interactive mode is used when the name or Internet
address
of the host to be looked up is given as the first argument.
@ -380,146 +433,179 @@ zone "eng.example.com" {
optional second argument specifies the host name or address
of a name server.
</p>
<p>
<p>
Due to its arcane user interface and frequently inconsistent
behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
Use <span><strong class="command">dig</strong></span> instead.
behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>.
Use <span class="command"><strong>dig</strong></span> instead.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
<p>
<p>
Administrative tools play an integral part in the management
of a server.
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt>
<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
<a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span>
</dt>
<dd>
<p>
The <span><strong class="command">named-checkconf</strong></span> program
<p>
The <span class="command"><strong>named-checkconf</strong></span> program
checks the syntax of a <code class="filename">named.conf</code> file.
</p>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<div class="cmdsynopsis"><p>
<code class="command">named-checkconf</code>
[-jvz]
[-t <em class="replaceable"><code>directory</code></em>]
[<em class="replaceable"><code>filename</code></em>]
</p></div>
</dd>
<dt>
<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
<a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span>
</dt>
<dd>
<p>
The <span><strong class="command">named-checkzone</strong></span> program
<p>
The <span class="command"><strong>named-checkzone</strong></span> program
checks a master file for
syntax and consistency.
</p>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<div class="cmdsynopsis"><p>
<code class="command">named-checkzone</code>
[-djqvD]
[-c <em class="replaceable"><code>class</code></em>]
[-o <em class="replaceable"><code>output</code></em>]
[-t <em class="replaceable"><code>directory</code></em>]
[-w <em class="replaceable"><code>directory</code></em>]
[-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
[-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
[-W <em class="replaceable"><code>(ignore|warn)</code></em>]
<em class="replaceable"><code>zone</code></em>
[<em class="replaceable"><code>filename</code></em>]
</p></div>
</dd>
<dt>
<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
</dt>
<dd><p>
Similar to <span><strong class="command">named-checkzone,</strong></span> but
it always dumps the zone content to a specified file
(typically in a different format).
</p></dd>
<dt>
<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
<a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span>
</dt>
<dd>
<p>
<p>
Similar to <span class="command"><strong>named-checkzone,</strong></span> but
it always dumps the zone content to a specified file
(typically in a different format).
</p>
</dd>
<dt>
<a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span>
</dt>
<dd>
<p>
The remote name daemon control
(<span><strong class="command">rndc</strong></span>) program allows the
(<span class="command"><strong>rndc</strong></span>) program allows the
system
administrator to control the operation of a name server.
Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
utility except <span><strong class="command">ndc start</strong></span> and
<span><strong class="command">ndc restart</strong></span>, which were also
not supported in <span><strong class="command">ndc</strong></span>'s
Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>
supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span>
utility except <span class="command"><strong>ndc start</strong></span> and
<span class="command"><strong>ndc restart</strong></span>, which were also
not supported in <span class="command"><strong>ndc</strong></span>'s
channel mode.
If you run <span><strong class="command">rndc</strong></span> without any
If you run <span class="command"><strong>rndc</strong></span> without any
options
it will display a usage message as follows:
</p>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
<p>See <a href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
the available <span><strong class="command">rndc</strong></span> commands.
<div class="cmdsynopsis"><p>
<code class="command">rndc</code>
[-c <em class="replaceable"><code>config</code></em>]
[-s <em class="replaceable"><code>server</code></em>]
[-p <em class="replaceable"><code>port</code></em>]
[-y <em class="replaceable"><code>key</code></em>]
<em class="replaceable"><code>command</code></em>
[<em class="replaceable"><code>command</code></em>...]
</p></div>
<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
the available <span class="command"><strong>rndc</strong></span> commands.
</p>
<p>
<span><strong class="command">rndc</strong></span> requires a configuration file,
<p>
<span class="command"><strong>rndc</strong></span> requires a configuration file,
since all
communication with the server is authenticated with
digital signatures that rely on a shared secret, and
there is no way to provide that secret other than with a
configuration file. The default location for the
<span><strong class="command">rndc</strong></span> configuration file is
<span class="command"><strong>rndc</strong></span> configuration file is
<code class="filename">/etc/rndc.conf</code>, but an
alternate
location can be specified with the <code class="option">-c</code>
option. If the configuration file is not found,
<span><strong class="command">rndc</strong></span> will also look in
<span class="command"><strong>rndc</strong></span> will also look in
<code class="filename">/etc/rndc.key</code> (or whatever
<code class="varname">sysconfdir</code> was defined when
the <acronym class="acronym">BIND</acronym> build was
configured).
The <code class="filename">rndc.key</code> file is
generated by
running <span><strong class="command">rndc-confgen -a</strong></span> as
running <span class="command"><strong>rndc-confgen -a</strong></span> as
described in
<a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
<a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
Usage&#8221;</a>.
</p>
<p>
<p>
The format of the configuration file is similar to
that of <code class="filename">named.conf</code>, but
limited to
only four statements, the <span><strong class="command">options</strong></span>,
<span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
<span><strong class="command">include</strong></span>
only four statements, the <span class="command"><strong>options</strong></span>,
<span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and
<span class="command"><strong>include</strong></span>
statements. These statements are what associate the
secret keys to the servers with which they are meant to
be shared. The order of statements is not
significant.
</p>
<p>
The <span><strong class="command">options</strong></span> statement has
<p>
The <span class="command"><strong>options</strong></span> statement has
three clauses:
<span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
and <span><strong class="command">default-port</strong></span>.
<span><strong class="command">default-server</strong></span> takes a
<span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
and <span class="command"><strong>default-port</strong></span>.
<span class="command"><strong>default-server</strong></span> takes a
host name or address argument and represents the server
that will
be contacted if no <code class="option">-s</code>
option is provided on the command line.
<span><strong class="command">default-key</strong></span> takes
the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
<span><strong class="command">default-port</strong></span> specifies the
<span class="command"><strong>default-key</strong></span> takes
the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.
<span class="command"><strong>default-port</strong></span> specifies the
port to which
<span><strong class="command">rndc</strong></span> should connect if no
<span class="command"><strong>rndc</strong></span> should connect if no
port is given on the command line or in a
<span><strong class="command">server</strong></span> statement.
<span class="command"><strong>server</strong></span> statement.
</p>
<p>
The <span><strong class="command">key</strong></span> statement defines a
<p>
The <span class="command"><strong>key</strong></span> statement defines a
key to be used
by <span><strong class="command">rndc</strong></span> when authenticating
by <span class="command"><strong>rndc</strong></span> when authenticating
with
<span><strong class="command">named</strong></span>. Its syntax is
<span class="command"><strong>named</strong></span>. Its syntax is
identical to the
<span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
<span class="command"><strong>key</strong></span> statement in <code class="filename">named.conf</code>.
The keyword <strong class="userinput"><code>key</code></strong> is
followed by a key name, which must be a valid
domain name, though it need not actually be hierarchical;
thus,
a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
name.
The <span><strong class="command">key</strong></span> statement has two
The <span class="command"><strong>key</strong></span> statement has two
clauses:
<span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
<span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.
While the configuration parser will accept any string as the
argument
to algorithm, currently only the strings
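Review bot: in the named-compilezone entry the comma is still inside the command markup, `<strong>named-checkzone,</strong>`, so it renders as part of the command name. Since every page is being regenerated anyway, move the comma outside the `<command>` element in the DocBook source. The rndc cross-reference in this hunk previously had a `title` attribute value broken across two lines and now has it on one line, which is the right outcome.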
@ -532,25 +618,28 @@ zone "eng.example.com" {
have any meaning. The secret is a base-64 encoded string
as specified in RFC 3548.
</p>
<p>
The <span><strong class="command">server</strong></span> statement
<p>
The <span class="command"><strong>server</strong></span> statement
associates a key
defined using the <span><strong class="command">key</strong></span>
defined using the <span class="command"><strong>key</strong></span>
statement with a server.
The keyword <strong class="userinput"><code>server</code></strong> is followed by a
host name or address. The <span><strong class="command">server</strong></span> statement
has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
The <span><strong class="command">key</strong></span> clause specifies the
host name or address. The <span class="command"><strong>server</strong></span> statement
has two clauses: <span class="command"><strong>key</strong></span> and <span class="command"><strong>port</strong></span>.
The <span class="command"><strong>key</strong></span> clause specifies the
name of the key
to be used when communicating with this server, and the
<span><strong class="command">port</strong></span> clause can be used to
specify the port <span><strong class="command">rndc</strong></span> should
<span class="command"><strong>port</strong></span> clause can be used to
specify the port <span class="command"><strong>rndc</strong></span> should
connect
to on the server.
</p>
<p>
<p>
A sample minimal configuration file is as follows:
</p>
<pre class="programlisting">
key rndc_key {
algorithm "hmac-sha256";
@ -562,65 +651,76 @@ options {
default-key rndc_key;
};
</pre>
<p>
<p>
This file, if installed as <code class="filename">/etc/rndc.conf</code>,
would allow the command:
</p>
<p>
<p>
<code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
</p>
<p>
<p>
to connect to 127.0.0.1 port 953 and cause the name server
to reload, if a name server on the local machine were
running with
following controls statements:
</p>
<pre class="programlisting">
controls {
inet 127.0.0.1
allow { localhost; } keys { rndc_key; };
};
</pre>
<p>
<p>
and it had an identical key statement for
<code class="literal">rndc_key</code>.
</p>
<p>
Running the <span><strong class="command">rndc-confgen</strong></span>
<p>
Running the <span class="command"><strong>rndc-confgen</strong></span>
program will
conveniently create a <code class="filename">rndc.conf</code>
file for you, and also display the
corresponding <span><strong class="command">controls</strong></span>
corresponding <span class="command"><strong>controls</strong></span>
statement that you need to
add to <code class="filename">named.conf</code>.
Alternatively,
you can run <span><strong class="command">rndc-confgen -a</strong></span>
you can run <span class="command"><strong>rndc-confgen -a</strong></span>
to set up
a <code class="filename">rndc.key</code> file and not
modify
<code class="filename">named.conf</code> at all.
</p>
</dd>
</dd>
</dl></div>
</div>
</div>
<div class="sect2" lang="en">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2569465"></a>Signals</h3></div></div></div>
<p>
<a name="id-1.4.6.4"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
be sent using the <span><strong class="command">kill</strong></span> command.
be sent using the <span class="command"><strong>kill</strong></span> command.
</p>
<div class="informaltable"><table border="1">
<div class="informaltable">
<table border="1">
<colgroup>
<col>
<col>
<col width="1.125in" class="1">
<col width="4.000in" class="2">
</colgroup>
<tbody>
<tr>
<td>
<p><span><strong class="command">SIGHUP</strong></span></p>
<p><span class="command"><strong>SIGHUP</strong></span></p>
</td>
<td>
<p>
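Review bot: the new `<col width="1.125in" class="1">` and `<col width="4.000in" class="2">` lines in the Signals table carry print units into the HTML output. The HTML `width` attribute on `<col>` takes pixels or a percentage, so browsers will not honor the inch values, and the digit-only class names cannot be used in a CSS class selector without escaping. Suggest having the HTML build drop the `colwidth` values or convert them to percentages, and leave the inch widths to the dblatex path.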
@ -631,7 +731,7 @@ controls {
</tr>
<tr>
<td>
<p><span><strong class="command">SIGTERM</strong></span></p>
<p><span class="command"><strong>SIGTERM</strong></span></p>
</td>
<td>
<p>
@ -641,7 +741,7 @@ controls {
</tr>
<tr>
<td>
<p><span><strong class="command">SIGINT</strong></span></p>
<p><span class="command"><strong>SIGINT</strong></span></p>
</td>
<td>
<p>
@ -650,10 +750,11 @@ controls {
</td>
</tr>
</tbody>
</table></div>
</div>
</div>
</div>
</table>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -671,6 +772,6 @@ controls {
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
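Review bot: the footer paragraph now carries a stray namespace declaration, `<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">`, which means a `db` prefix declared in the stylesheet that emits this footer is leaking into the HTML. Adding `exclude-result-prefixes="db"` to that stylesheet's `xsl:stylesheet` element removes the attribute from every generated page.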

File diff suppressed because it is too large

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 5. The BIND 9 Lightweight Resolver</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
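Review bot: the `generator` meta changes from `DocBook XSL Stylesheets V1.71.1` to `V1.78.1`, so the committed HTML now depends on whichever stylesheet release is installed on the machine that regenerates it. Record the required stylesheet version in the build documentation or check for it at configure time; otherwise the next regeneration on a different version produces another tree-wide diff like this one. The `<!-- $Id$ -->` removal and the `rel="start"` to `rel="home"` change look fine.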
@ -39,32 +38,34 @@
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h2></div></div></div>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2571848">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch05.html#id-1.6.3">The Lightweight Resolver Library</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571848"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
<a name="id-1.6.3"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
server.
</p>
<p>
<p>
IPv6 once introduced new complexity into the resolution process,
such as following A6 chains and DNAME records, and simultaneous
lookup of IPv4 and IPv6 addresses. Though most of the complexity was
then removed, these are hard or impossible
to implement in a traditional stub resolver.
</p>
<p>
<p>
<acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
services to local clients
using a combination of a lightweight resolver library and a resolver
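Review bot: the section anchors change from generated ids such as `id2571848` to structural ones such as `id-1.6.3`, which breaks existing deep links into this chapter, and a position-derived id can shift again when a section is added ahead of it. Giving these sections an explicit `xml:id` in the DocBook source, as the `lwresd` section already has, would keep the anchors stable. The chapter title also moves from `<h2 class="title">` to `<h1 class="title">`, so heading styles should be checked against the new level.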
@ -72,62 +73,67 @@
a simple UDP-based protocol, the "lightweight resolver protocol"
that is distinct from and simpler than the full DNS protocol.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
<p>
<p>
To use the lightweight resolver interface, the system must
run the resolver daemon <span><strong class="command">lwresd</strong></span> or a
run the resolver daemon <span class="command"><strong>lwresd</strong></span> or a
local
name server configured with a <span><strong class="command">lwres</strong></span>
name server configured with a <span class="command"><strong>lwres</strong></span>
statement.
</p>
<p>
<p>
By default, applications using the lightweight resolver library will
make
UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
The
address can be overridden by <span><strong class="command">lwserver</strong></span>
address can be overridden by <span class="command"><strong>lwserver</strong></span>
lines in
<code class="filename">/etc/resolv.conf</code>.
</p>
<p>
<p>
The daemon currently only looks in the DNS, but in the future
it may use other sources such as <code class="filename">/etc/hosts</code>,
NIS, etc.
</p>
<p>
The <span><strong class="command">lwresd</strong></span> daemon is essentially a
<p>
The <span class="command"><strong>lwresd</strong></span> daemon is essentially a
caching-only name server that responds to requests using the
lightweight
resolver protocol rather than the DNS protocol. Because it needs
to run on each host, it is designed to require no or minimal
configuration.
Unless configured otherwise, it uses the name servers listed on
<span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
<span class="command"><strong>nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
as forwarders, but is also capable of doing the resolution
autonomously if
none are specified.
</p>
<p>
The <span><strong class="command">lwresd</strong></span> daemon may also be
<p>
The <span class="command"><strong>lwresd</strong></span> daemon may also be
configured with a
<code class="filename">named.conf</code> style configuration file,
in
<code class="filename">/etc/lwresd.conf</code> by default. A name
server may also
be configured to act as a lightweight resolver daemon using the
<span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.
<span class="command"><strong>lwres</strong></span> statement in <code class="filename">named.conf</code>.
</p>
<p>
The number of client queries that the <span><strong class="command">lwresd</strong></span>
<p>
The number of client queries that the <span class="command"><strong>lwresd</strong></span>
daemon is able to serve can be set using the
<code class="option">lwres-tasks</code> and <code class="option">lwres-clients</code>
statements in the configuration.
</p>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -145,6 +151,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

File diff suppressed because it is too large

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 7. BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
@ -39,52 +38,55 @@
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2608685"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.4"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2608835">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2608894">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.4.7">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.4.8">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
<p>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in
<span><strong class="command">allow-notify</strong></span>, <span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">match-clients</strong></span>, etc.
<span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
<span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
<span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
<span class="command"><strong>match-clients</strong></span>, etc.
</p>
<p>
<p>
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
</p>
<p>
<p>
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial of service
(DoS) attacks against your server.
</p>
<p>
<p>
ACLs match clients on the basis of up to three characteristics:
1) The client's IP address; 2) the TSIG or SIG(0) key that was
used to sign the request, if any; and 3) an address prefix
encoded in an EDNS Client Subnet option, if any.
</p>
<p>
<p>
Here is an example of ACLs based on client addresses:
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
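Review bot: the regenerated table of contents in this hunk replaces the generated anchors id2608685, id2608835 and id2608894 with id-1.8.4, id-1.8.4.7 and id-1.8.4.8, so existing deep links into the Chroot and Setuid sections stop resolving. The new ids appear to be positional and would shift again if a section were inserted ahead of them. Access_Control_Lists and dynamic_update_security are unaffected because they carry explicit ids; giving the chroot and setuid sections explicit ids in the DocBook source would make their anchors stable as well.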
@ -113,13 +115,14 @@ zone "example.com" {
allow-query { any; };
};
</pre>
<p>
<p>
This allows authoritative queries for "example.com" from any
address, but recursive queries only from the networks specified
in "our-nets", and no queries at all from the networks
specified in "bogusnets".
</p>
<p>
<p>
In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs
may include <code class="option">key</code> elements, which specify the
@ -128,34 +131,34 @@ zone "example.com" {
if that prefix matches an EDNS client subnet option included
in the request.
</p>
<p>
<p>
The EDNS Client Subnet (ECS) option is used by a recursive
resolver to inform an authoritative name server of the network
address block from which the original query was received, enabling
authoritative servers to give different answers to the same
resolver for different resolver clients. An ACL containing
an element of the form
<span><strong class="command">ecs <em class="replaceable"><code>prefix</code></em></strong></span>
<span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
will match if a request arrives in containing an ECS option
encoding an address within that prefix. If the request has no
ECS option, then "ecs" elements are simply ignored. Addresses
in ACLs that are not prefixed with "ecs" are matched only
against the source address.
</p>
<p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
This is done by specifying an ACL element of the form:
<span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
</p>
<p>
<p>
The <em class="replaceable"><code>field</code></em> indicates which field
to search for a match. Available fields are "country",
"region", "city", "continent", "postal" (postal code),
"metro" (metro code), "area" (area code), "tz" (timezone),
"isp", "org", "asnum", "domain" and "netspeed".
</p>
<p>
<p>
<em class="replaceable"><code>value</code></em> is the value to search
for within the database. A string may be quoted if it
contains spaces or other special characters. If this is
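Review bot: the ECS paragraph in this hunk reads "will match if a request arrives in containing an ECS option", where "arrives in containing" is garbled. The sentence is context and passes through the regeneration unchanged, so the defect is in the DocBook source; correct it there (for example "if a request arrives containing an ECS option") and regenerate.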
@ -171,7 +174,7 @@ zone "example.com" {
standard two-letter state or province abbreviation;
otherwise it is the full name of the state or province.
</p>
<p>
<p>
The <em class="replaceable"><code>database</code></em> field indicates which
GeoIP database to search for a match. In most cases this is
unnecessary, because most search fields can only be found in
@ -186,18 +189,18 @@ zone "example.com" {
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
</p>
<p>
<p>
By default, if a DNS query includes an EDNS Client Subnet (ECS)
option which encodes a non-zero address prefix, then GeoIP ACLs
will be matched against that address prefix. Otherwise, they
are matched against the source address of the query. To
prevent GeoIP ACLs from matching against ECS options, set
the <span><strong class="command">geoip-use-ecs</strong></span> to <code class="literal">no</code>.
the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
</p>
<p>
<p>
Some example GeoIP ACLs:
</p>
<pre class="programlisting">geoip country US;
<pre class="programlisting">geoip country US;
geoip country JAP;
geoip db country country Canada;
geoip db region region WA;
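Review bot: the sentence ending "set the geoip-use-ecs to no" is missing its noun (it should read "the geoip-use-ecs option") in both the removed and the added line. Because this paragraph states that GeoIP ACLs are matched against the ECS prefix carried in the query by default, and the chapter presents GeoIP ACLs as a way to apply geographic access restrictions, it would also help to say here that the matched address then comes from the query content rather than from the source address, and that ACLs used as access restrictions should set geoip-use-ecs to no.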
@ -207,17 +210,18 @@ geoip postal 95062;
geoip tz "America/Los_Angeles";
geoip org "Internet Systems Consortium";
</pre>
<p>
<p>
ACLs use a "first-match" logic rather than "best-match":
if an address prefix matches an ACL element, then that ACL
is considered to have matched even if a later element would
have matched more specifically. For example, the ACL
<span><strong class="command"> { 10/8; !10.0.0.1; }</strong></span> would actually
<span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
match a query from 10.0.0.1, because the first element
indicated that the query should be accepted, and the second
element is ignored.
</p>
<p>
<p>
When using "nested" ACLs (that is, ACLs included or referenced
within other ACLs), a negative match of a nested ACL will
the containing ACL to continue looking for matches. This
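Review bot: the last context sentence of this hunk, "a negative match of a nested ACL will the containing ACL to continue looking for matches", is missing its verb. This paragraph is the only explanation of how negated nested ACLs are evaluated, so the wording matters; fix it in the DocBook source (for example "will tell the containing ACL to continue") so the regenerated HTML picks it up.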
@ -227,10 +231,10 @@ geoip org "Internet Systems Consortium";
it originates from a particular network <span class="emphasis"><em>and</em></span>
only when it is signed with a particular key, use:
</p>
<pre class="programlisting">
<pre class="programlisting">
allow-query { !{ !10/8; any; }; key example; };
</pre>
<p>
<p>
Within the nested ACL, any address that is
<span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
be rejected, and this will terminate processing of the
@ -242,38 +246,43 @@ allow-query { !{ !10/8; any; }; key example; };
will only matches when <span class="emphasis"><em>both</em></span> conditions
are true.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2608685"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
<a name="id-1.8.4"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
</h2></div></div></div>
<p>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
in a <span class="emphasis"><em>chrooted</em></span> environment (using
the <span><strong class="command">chroot()</strong></span> function) by specifying
the <code class="option">-t</code> option for <span><strong class="command">named</strong></span>.
the <span class="command"><strong>chroot()</strong></span> function) by specifying
the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
This can help improve system security by placing
<acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
the damage done if a server is compromised.
</p>
<p>
<p>
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
</p>
<p>
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
<p>
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
<span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
user 202:
</p>
<p>
<p>
<strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
</p>
<div class="sect2" lang="en">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608835"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
<a name="id-1.8.4.7"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span class="command"><strong>chroot</strong></span> environment
to
work properly in a particular directory
(for example, <code class="filename">/var/named</code>),
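Review bot: in the example command line paragraph the sandbox path is marked up as a command, <span class="command"><strong>/var/named</strong></span>, while the chroot Environment section directly below marks the same path as <code class="filename">/var/named</code>. The source should use the filename element in both places. The first context line of the hunk also still reads "will only matches", which should be "will only match".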
@ -282,12 +291,12 @@ allow-query { !{ !10/8; any; }; key example; };
From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
the root of the filesystem. You will need to adjust the values of
options like
like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
like <span class="command"><strong>directory</strong></span> and <span class="command"><strong>pid-file</strong></span> to account
for this.
</p>
<p>
<p>
Unlike with earlier versions of BIND, you typically will
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
<span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up things like
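Review bot: the sentence "You will need to adjust the values of options like like directory and pid-file" has a doubled "like" split across two lines, and both the removed and the added line carry it, so the defect is in the DocBook source rather than in the stylesheet. Drop the second "like" in the source and regenerate.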
@ -296,45 +305,51 @@ allow-query { !{ !10/8; any; }; key example; };
<code class="filename">/dev/log</code>, and
<code class="filename">/etc/localtime</code>.
</p>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608894"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
<a name="id-1.8.4.8"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span class="command"><strong>named</strong></span> daemon,
use
the <span><strong class="command">touch</strong></span> utility (to change file
the <span class="command"><strong>touch</strong></span> utility (to change file
access and
modification times) or the <span><strong class="command">chown</strong></span>
modification times) or the <span class="command"><strong>chown</strong></span>
utility (to
set the user id and/or group id) on files
to which you want <acronym class="acronym">BIND</acronym>
to write.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
Note that if the <span class="command"><strong>named</strong></span> daemon is running as an
unprivileged user, it will not be able to bind to new restricted
ports if the server is reloaded.
</div>
</div>
</div>
<div class="sect1" lang="en">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
<p>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym class="acronym">BIND</acronym>, the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address
or
network prefix in the <span><strong class="command">allow-update</strong></span>
network prefix in the <span class="command"><strong>allow-update</strong></span>
zone option.
This method is insecure since the source address of the update UDP
packet
is easily forged. Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the
<span class="command"><strong>allow-update</strong></span> option include the
address of a slave
server which performs forwarding of dynamic updates, the master can
be
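Review bot: the "Using the setuid Function" paragraph in this hunk offers touch or chown for files BIND must write to, but as its own parenthetical says, touch only changes access and modification times, which does not give the unprivileged -u user write access. The paragraph should state that those files must be owned by, or writable by, the user named runs as, which is the chown step. Separately, the note block places its text directly inside the div after the h3 rather than in a paragraph, unlike the other blocks in this hunk.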
@ -342,16 +357,18 @@ allow-query { !{ !10/8; any; }; key example; };
forward it to the master with its own source IP address causing the
master to approve it without question.
</p>
<p>
<p>
For these reasons, we strongly recommend that updates be
cryptographically authenticated by means of transaction signatures
(TSIG). That is, the <span><strong class="command">allow-update</strong></span>
(TSIG). That is, the <span class="command"><strong>allow-update</strong></span>
option should
list only TSIG key names, not IP addresses or network
prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
option can be used.
</p>
<p>
<p>
Some sites choose to keep all dynamically-updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP
@ -359,8 +376,9 @@ allow-query { !{ !10/8; any; }; key example; };
of public web and mail servers need not allow dynamic update at
all.
</p>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -378,6 +396,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
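Review bot: the footer paragraph in this hunk gains a stray namespace declaration, <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">, which has no meaning in the HTML output and suggests the customization stylesheet declares the db prefix without excluding it from the result tree. Adding exclude-result-prefixes="db" to the xsl:stylesheet element of the customization layer should remove it from the generated pages.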

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 8. Troubleshooting</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
<link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
@ -39,37 +38,44 @@
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h2></div></div></div>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2608974">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2608980">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2608992">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2609009">Where Can I Get Help?</a></span></dt>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Common Problems</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3.3">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.4">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.5">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2608974"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<a name="id-1.9.3"></a>Common Problems</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608980"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
<a name="id-1.9.3.3"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
up logging files beforehand. The log files provide a
source of hints and information that can be used to figure out
what went wrong and how to fix the problem.
</p>
</div>
</div>
<div class="sect1" lang="en">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2608992"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
<a name="id-1.9.4"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers &#8212; they aren't
date related. A lot of people set them to a number that
represents a date, usually of the form YYYYMMDDRR.
@ -81,22 +87,27 @@
lower than the serial number on the master, the slave
server will attempt to update its copy of the zone.
</p>
<p>
<p>
Setting the serial number to a lower number on the master
server than the slave server means that the slave will not perform
updates to its copy of the zone.
</p>
<p>
<p>
The solution to this is to add 2147483647 (2^31-1) to the
number, reload the zone and make sure all slaves have updated to
the new zone serial number, then reset the number to what you want
it to be, and reload the zone again.
</p>
</div>
<div class="sect1" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2609009"></a>Where Can I Get Help?</h2></div></div></div>
<p>
<a name="id-1.9.5"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range
of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
@ -109,15 +120,16 @@
fix announcements to remote support. It also includes training in
<acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
</p>
<p>
<p>
To discuss arrangements for support, contact
<a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
<a class="ulink" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
<acronym class="acronym">ISC</acronym> web page at
<a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
<a class="ulink" href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
to read more.
</p>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -135,6 +147,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix A. Release Notes</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
@ -39,11 +38,912 @@
</table>
<hr>
</div>
<div class="appendix" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch09"></a>Appendix A. Release Notes</h2></div></div></div>
<font color="red">&lt;xi:include&gt;&lt;/xi:include&gt;</font>
<div class="appendix">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Appendix A. Release Notes</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.3">Release Notes for BIND Version 9.11.0pre-alpha</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.3"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
<a class="ulink" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]
</p>
</li>
<li class="listitem">
<p>
A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.
</p>
<p>
This flaw was discovered by Hanno Böck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p>
</li>
<li class="listitem">
<p>
A specially crafted query could trigger an assertion failure
in message.c.
</p>
<p>
This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]
</p>
</li>
<li class="listitem">
<p>
On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.
</p>
<p>
This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]
</p>
</li>
<li class="listitem">
<p>
On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span class="command"><strong>managed-keys</strong></span>, or implicitly
via <span class="command"><strong>dnssec-validation auto;</strong></span> or
<span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span class="command"><strong>named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
</p>
<p>
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]
</p>
</li>
<li class="listitem">
<p>
A flaw in delegation handling could be exploited to put
<span class="command"><strong>named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span class="command"><strong>named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
</p>
<p>
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
</p>
<p>
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
</p>
</li>
<li class="listitem">
<p>
Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing
a GeoIP database in <code class="filename">named.conf</code> which was
not installed. Both are covered by CVE-2014-8680. [RT #37672]
[RT #37679]
</p>
<p>
A less serious security flaw was also found in GeoIP: changes
to the <span class="command"><strong>geoip-directory</strong></span> option in
<code class="filename">named.conf</code> were ignored when running
<span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
<span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
</p>
<p>
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND &#8212;
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data &#8212; DynDB is able to fully implement
and extend the database API used natively by BIND.
</p>
<p>
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.
</p>
</li>
<li class="listitem">
<p>
<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
</p>
</li>
</ul></div>
<p>
Statistics counters have also been added to track the number
of queries affected by these quotas.
</p>
</li>
<li class="listitem">
<p>
Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
</p>
<p>
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
<code class="option">--enable-dnstap</code>.
</p>
<p>
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
</p>
<p>
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="ulink" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
<li class="listitem">
<p>
New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="ulink" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
or
<a class="ulink" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p>
</li>
<li class="listitem">
<p>
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
transfer.
</p>
</li>
<li class="listitem">
<p>
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive serviers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 10 seconds
and has an upper limit of 30.
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p>
</li>
<li class="listitem">
<p>
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
</p>
</li>
<li class="listitem">
<p>
The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
server.
</p>
</li>
<li class="listitem">
<p>
A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: When set to
<code class="literal">full</code>, the zone file will dumped in
single-line-per-record format.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
disable EDNS version negotiation.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +header-only</strong></span> can now be used to send
queries without a question section.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit in normally zero.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query
packets.
</p>
</li>
<li class="listitem">
<p>
<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
default instead of to the system log.
</p>
</li>
<li class="listitem">
<p>
The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">notify-rate</code> and
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).
</p>
</li>
<li class="listitem">
<p>
The default number of tasks and client objects available
for serving lightweight resolver queries have been increased,
and are now configurable via the new <code class="option">lwres-tasks</code>
and <code class="option">lwres-clients</code> options in
<code class="filename">named.conf</code>. [RT #35857]
</p>
</li>
<li class="listitem">
<p>
Log output to files can now be buffered by specifying
<span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
sending queries.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now check to see whether
other name server processes are running before starting up.
This is implemented in two ways: 1) by refusing to start
if the configured network interfaces all return "address
in use", and 2) by attempting to acquire a lock on a file
specified by the <code class="option">lock-file</code> option or
the <span class="command"><strong>-X</strong></span> command line option. The
default lock file is
<code class="filename">/var/run/named/named.lock</code>.
Specifying <code class="literal">none</code> will disable the lock
file check.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
which were configured in <code class="filename">named.conf</code>;
it is no longer restricted to zones which were added by
<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
this does not edit <code class="filename">named.conf</code>; the zone
must be removed from the configuration or it will return
when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc showzone</strong></span> displays the current
configuration for a specified zone.
</p>
</li>
<li class="listitem">
<p>
Added server-side support for pipelined TCP queries. Clients
may continue sending queries via TCP while previous queries are
processed in parallel. Responses are sent when they are
ready, not necessarily in the order in which the queries were
received.
</p>
<p>
To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>mdig</strong></span> command is a version of
<span class="command"><strong>dig</strong></span> that sends multiple pipelined
queries and then waits for responses, instead of sending one
query and waiting the response before sending the next. [RT #38261]
</p>
</li>
<li class="listitem">
<p>
To enable better monitoring and troubleshooting of RFC 5011
trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
can be used to check status of trust anchors or to force keys
to be refreshed. Also, the managed-keys data file now has
easier-to-read comments. [RT #38458]
</p>
</li>
<li class="listitem">
<p>
An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query tracelogging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]
</p>
</li>
<li class="listitem">
<p>
A new <span class="command"><strong>tcp-only</strong></span> option can be specified
in <span class="command"><strong>server</strong></span> statements to force
<span class="command"><strong>named</strong></span> to connect to the specified
server via TCP. [RT #37800]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
a DNS namespace to use for NXDOMAIN redirection. When a
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
by multiple zones configured on the server or by recursive
queries to other servers. (The older method, using
a single <span class="command"><strong>type redirect</strong></span> zone, has
better average performance but is less flexible.) [RT #37989]
</p>
</li>
<li class="listitem">
<p>
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
not correctly matched unless the full organization name was
specified in the ACL (as in
<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
They can now match against the AS number alone (as in
<span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p>
</li>
<li class="listitem">
<p>
When using native PKCS#11 cryptography (i.e.,
<span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
of up to 256 characters can now be used.
</p>
</li>
<li class="listitem">
<p>
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
</p>
</li>
<li class="listitem">
<p>
Update forwarding performance has been improved by allowing
a single TCP connection to be shared between multiple updates.
</p>
</li>
<li class="listitem">
<p>
By default, <span class="command"><strong>nsupdate</strong></span> will now check
the correctness of hostnames when adding records of type
A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
disabled with <span class="command"><strong>check-names no</strong></span>.
</p>
</li>
<li class="listitem">
<p>
Added support for OPENPGPKEY type.
</p>
</li>
<li class="listitem">
<p>
The names of the files used to store managed keys and added
zones for each view are no longer based on the SHA256 hash
of the view name, except when this is necessary because the
view name contains characters that would be incompatible with use
as a file name. For views whose names do not contain forward
slashes ('/'), backslashes ('\'), or capital letters - which
could potentially cause namespace collision problems on
case-insensitive filesystems - files will now be named
after the view (for example, <code class="filename">internal.mkeys</code>
or <code class="filename">external.nzf</code>). However, to ensure
consistent behavior when upgrading, if a file using the old
name format is found to exist, it will continue to be used.
</p>
</li>
<li class="listitem">
<p>
"rndc" can now return text output of arbitrary size to
the caller. (Prior to this, certain commands such as
"rndc tsig-list" and "rndc zonestatus" could return
truncated output.)
</p>
</li>
<li class="listitem">
<p>
Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
</p>
</li>
<li class="listitem">
<p>
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.
</p>
</li>
<li class="listitem">
<p>
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
allow fallback to plain DNS on timeout even when we know
the server supports EDNS. This will allow the server to
potentially resolve signed queries when TCP is being
blocked.
</p>
</li>
<li class="listitem">
<p>
Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
[RT #37927]
</p>
</li>
<li class="listitem">
<p>
The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dig</strong></span>.
</p>
<p>
The SIT-related named.conf options have been marked as
obsolete, and are otherwise ignored.
</p>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
[RT #39047]
</p>
</li>
<li class="listitem">
<p>
A alternative NXDOMAIN redirect method (nxdomain-redirect)
which allows the redirect information to be looked up from
a namespace on the Internet rather than requiring a zone
to be configured on the server is now available.
</p>
</li>
<li class="listitem">
<p>
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p>
</li>
<li class="listitem">
<p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
using the <code class="option">log</code> clause.
</p>
</li>
<li class="listitem">
<p>
The default preferred glue is now the address type of the
transport the query was received over.
</p>
</li>
<li class="listitem">
<p>
On machines with 2 or more processors (CPU), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The Microsoft Windows install tool
<span class="command"><strong>BINDInstall.exe</strong></span> which requires a
non-free version of Visual Studio to be built, now uses two
files (lists of flags and files) created by the Configure
perl script with all the needed information which were
previously compiled in the binary. Read
<code class="filename">win32utils/build.txt</code> for more details.
[RT #38915]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
<span class="command"><strong>nslookup</strong></span> aborted when encountering
a name which, after appending search list elements,
exceeded 255 bytes. Such names are now skipped, but
processing of other names will continue. [RT #36892]
</p>
</li>
<li class="listitem">
<p>
The error message generated when
<span class="command"><strong>named-checkzone</strong></span> or
<span class="command"><strong>named-checkconf -z</strong></span> encounters a
<code class="option">$TTL</code> directive without a value has
been clarified. [RT #37138]
</p>
</li>
<li class="listitem">
<p>
Semicolon characters (;) included in TXT records were
incorrectly escaped with a backslash when the record was
displayed as text. This is actually only necessary when there
are no quotation marks. [RT #37159]
</p>
</li>
<li class="listitem">
<p>
When files opened for writing by <span class="command"><strong>named</strong></span>,
such as zone journal files, were referenced more than once
in <code class="filename">named.conf</code>, it could lead to file
corruption as multiple threads wrote to the same file. This
is now detected when loading <code class="filename">named.conf</code>
and reported as an error. [RT #37172]
</p>
</li>
<li class="listitem">
<p>
When checking for updates to trust anchors listed in
<code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
now revalidates keys based on the current set of
active trust anchors, without relying on any cached
record of previous validation. [RT #37506]
</p>
</li>
<li class="listitem">
<p>
Large-system tuning
(<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
problems on some platforms by setting a socket receive
buffer size that was too large. This is now detected and
corrected at run time. [RT #37187]
</p>
</li>
<li class="listitem">
<p>
When NXDOMAIN redirection is in use, queries for a name
that is present in the redirection zone but a type that
is not present will now return NOERROR instead of NXDOMAIN.
</p>
</li>
<li class="listitem">
<p>
Due to an inadvertent removal of code in the previous
release, when <span class="command"><strong>named</strong></span> encountered an
authoritative name server which dropped all EDNS queries,
it did not always try plain DNS. This has been corrected.
[RT #37965]
</p>
</li>
<li class="listitem">
<p>
A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
</p>
</li>
<li class="listitem">
<p>
Adjusted max-recursion-queries to accommodate the smaller
initial packet sizes used in BIND 9.10 and higher when
contacting authoritative servers for the first time.
</p>
</li>
<li class="listitem">
<p>
Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
</p>
</li>
<li class="listitem">
<p>
Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
processes to grow to very large sizes. [RT #38454]
</p>
</li>
<li class="listitem">
<p>
Fixed some bugs in RFC 5011 trust anchor management,
including a memory leak and a possible loss of state
information. [RT #38458]
</p>
</li>
<li class="listitem">
<p>
Asynchronous zone loads were not handled correctly when the
zone load was already in progress; this could trigger a crash
in zt.c. [RT #37573]
</p>
</li>
<li class="listitem">
<p>
A race during shutdown or reconfiguration could
cause an assertion failure in mem.c. [RT #38979]
</p>
</li>
<li class="listitem">
<p>
Some answer formatting options didn't work correctly with
<span class="command"><strong>dig +short</strong></span>. [RT #39291]
</p>
</li>
<li class="listitem">
<p>
Several bugs have been fixed in the RPZ implementation:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
Policy zones that did not specifically require recursion
could be treated as if they did; consequently, setting
<span class="command"><strong>qname-wait-recurse no;</strong></span> was
sometimes ineffective. This has been corrected.
In most configurations, behavioral changes due to this
fix will not be noticeable. [RT #39229]
</p>
</li>
<li class="listitem">
<p>
The server could crash if policy zones were updated (e.g.
via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
transfer) while RPZ processing was still ongoing for an
active query. [RT #39415]
</p>
</li>
<li class="listitem">
<p>
On servers with one or more policy zones configured as
slaves, if a policy zone updated during regular operation
(rather than at startup) using a full zone reload, such as
via AXFR, a bug could allow the RPZ summary data to fall out
of sync, potentially leading to an assertion failure in
rpz.c when further incremental updates were made to the
zone, such as via IXFR. [RT #39567]
</p>
</li>
<li class="listitem">
<p>
The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an
unexpected action could be taken. This has been
corrected. [RT #39481]
</p>
</li>
<li class="listitem">
<p>
The server could crash if a reload of an RPZ zone was
initiated while another reload of the same zone was
already in progress. [RT #39649]
</p>
</li>
</ul></div>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<a class="ulink" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="ulink" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
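Review bot: The added release-note text carries several typos that will ship in the rendered manual: "recursive serviers" (SERVFAIL cache item), "match against the the address" (ECS item), "the zone file will dumped" (masterfile-style item), "can now be used enable / disable" (dig +[no]ednsnegotiation item), "This bit in normally zero" (dig +zflag item), "waiting the response" (mdig item) and "A alternative NXDOMAIN redirect method" (Feature Changes). The nxdomain-redirect option is also described twice, once in the list above Feature Changes (the entry tagged [RT #37989]) and again under Feature Changes; keep the fuller entry and drop the other. Since this file looks like rendered output, the corrections belong in the DocBook source so that the next regeneration does not bring them back.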
@ -62,6 +962,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
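Review bot: The replacement footer line puts xmlns:db="http://docbook.org/ns/docbook" on a plain HTML <p>, which is a namespace declaration leaking from the stylesheet into the output; it means nothing in HTML and shows up in the footer of each regenerated page in this commit. If the footer comes from a local customization template, adding exclude-result-prefixes="db" to its xsl:stylesheet element would keep the declaration out of the generated files.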

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix B. A Brief History of the DNS and BIND</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
<link rel="next" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
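Review bot: The <meta> line still declares charset=ISO-8859-1 while the generator moves to DocBook XSL Stylesheets V1.78.1; confirm that the new toolchain really writes this file in that encoding, because the appendix contains non-ASCII text ("Øivind Kure") that browsers will mangle if the bytes on disk are UTF-8 and the declaration says otherwise.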
@ -40,11 +39,22 @@
</table>
<hr>
</div>
<div class="appendix" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<div class="appendix">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch10"></a>Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
</h2></div></div></div>
<p><a name="historical_dns_information"></a>
</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch10.html#dns_history">DNS</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch10.html#bind_history">BIND</a></span></dt>
</dl>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dns_history"></a>DNS</h2></div></div></div>
<p>
Although the "official" beginning of the Domain Name
System occurred in 1984 with the publication of RFC 920, the
core of the new system was described in 1983 in RFCs 882 and
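Review bot: The named anchor historical_dns_information on the first paragraph is dropped and replaced by the section anchors dns_history and bind_history, so any existing link or cross-reference to Bv9ARM.ch10.html#historical_dns_information will now land at the top of the page without warning. Check the rest of the manual for references to the old id, or keep it as an additional anchor in the DNS section. The lang="en" attribute on the appendix div is gone as well; if that was not intended, set the language on the source's root element so the output still declares it.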
@ -59,7 +69,8 @@
became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
built.
</p>
<p>
<p>
The first working domain name server, called "Jeeves", was
written in 1983-84 by Paul Mockapetris for operation on DEC
Tops-20
@ -77,7 +88,12 @@
Administration
(DARPA).
</p>
<p>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="bind_history"></a>BIND</h2></div></div></div>
<p>
Versions of <acronym class="acronym">BIND</acronym> through
4.8.3 were maintained by the Computer
Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
@ -92,7 +108,7 @@
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
handled by Mike Karels and Øivind Kure.
</p>
<p>
<p>
<acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
released by Digital Equipment
Corporation (now Compaq Computer Corporation). Paul Vixie, then
@ -104,41 +120,42 @@
Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
Wolfhugel, and others.
</p>
<p>
<p>
In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
Vixie Enterprises. Paul
Vixie became <acronym class="acronym">BIND</acronym>'s principal
architect/programmer.
</p>
<p>
<p>
<acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
have been developed and maintained
by the Internet Systems Consortium and its predecessor,
the Internet Software Consortium, with support being provided
by ISC's sponsors.
</p>
<p>
<p>
As co-architects/programmers, Bob Halley and
Paul Vixie released the first production-ready version of
<acronym class="acronym">BIND</acronym> version 8 in May 1997.
</p>
<p>
<p>
BIND version 9 was released in September 2000 and is a
major rewrite of nearly all aspects of the underlying
BIND architecture.
</p>
<p>
<p>
BIND versions 4 and 8 are officially deprecated.
No additional development is done
on BIND version 4 or BIND version 8.
</p>
<p>
<p>
<acronym class="acronym">BIND</acronym> development work is made
possible today by the sponsorship
of several corporations, and by the tireless work efforts of
numerous individuals.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -156,6 +173,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

File diff suppressed because it is too large

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix D. BIND 9 DNS Library Support</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
<link rel="next" href="Bv9ARM.ch13.html" title="Manual pages">
@ -39,111 +38,128 @@
</table>
<hr>
</div>
<div class="appendix" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch12"></a>Appendix D. BIND 9 DNS Library Support</h2></div></div></div>
<div class="appendix">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch12"></a>Appendix D. BIND 9 DNS Library Support</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2616519">Prerequisite</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615300">Compilation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615324">Installation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615355">Known Defects/Restrictions</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615432">The dns.conf File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615459">Sample Applications</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2616705">Library References</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.5">Prerequisite</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.6">Compilation</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.7">Installation</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.8">Known Defects/Restrictions</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.9">The dns.conf File</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.10">Sample Applications</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.11">Library References</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
<p>This version of BIND 9 "exports" its internal libraries so
<p>This version of BIND 9 "exports" its internal libraries so
that they can be used by third-party applications more easily (we
call them "export" libraries in this document). In addition to
all major DNS-related APIs BIND 9 is currently using, the export
libraries provide the following features:</p>
<div class="itemizedlist"><ul type="disc">
<li><p>The newly created "DNS client" module. This is a higher
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>The newly created "DNS client" module. This is a higher
level API that provides an interface to name resolution,
single DNS transaction with a particular server, and dynamic
update. Regarding name resolution, it supports advanced
features such as DNSSEC validation and caching. This module
supports both synchronous and asynchronous mode.</p></li>
<li><p>The new "IRS" (Information Retrieval System) library.
supports both synchronous and asynchronous mode.</p>
</li>
<li class="listitem">
<p>The new "IRS" (Information Retrieval System) library.
It provides an interface to parse the traditional resolv.conf
file and more advanced, DNS-specific configuration file for
the rest of this package (see the description for the
dns.conf file below).</p></li>
<li><p>As part of the IRS library, newly implemented standard
dns.conf file below).</p>
</li>
<li class="listitem">
<p>As part of the IRS library, newly implemented standard
address-name mapping functions, getaddrinfo() and
getnameinfo(), are provided. They use the DNSSEC-aware
validating resolver backend, and could use other advanced
features of the BIND 9 libraries such as caching. The
getaddrinfo() function resolves both A and AAAA RRs
concurrently (when the address family is unspecified).</p></li>
<li><p>An experimental framework to support other event
libraries than BIND 9's internal event task system.</p></li>
concurrently (when the address family is unspecified).</p>
</li>
<li class="listitem">
<p>An experimental framework to support other event
libraries than BIND 9's internal event task system.</p>
</li>
</ul></div>
<div class="sect2" lang="en">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2616519"></a>Prerequisite</h3></div></div></div>
<p>GNU make is required to build the export libraries (other
<a name="id-1.13.3.5"></a>Prerequisite</h3></div></div></div>
<p>GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
in some platforms you may need to invoke a different command name
than "make" (e.g. "gmake") to indicate it's GNU make.</p>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2615300"></a>Compilation</h3></div></div></div>
<pre class="screen">
<a name="id-1.13.3.6"></a>Compilation</h3></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
$ <strong class="userinput"><code>make</code></strong>
</pre>
<p>
<p>
This will create (in addition to usual BIND 9 programs) and a
separate set of libraries under the lib/export directory. For
example, <code class="filename">lib/export/dns/libdns.a</code> is the archive file of the
export version of the BIND 9 DNS library. Sample application
programs using the libraries will also be built under the
lib/export/samples directory (see below).</p>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2615324"></a>Installation</h3></div></div></div>
<pre class="screen">
<a name="id-1.13.3.7"></a>Installation</h3></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>cd lib/export</code></strong>
$ <strong class="userinput"><code>make install</code></strong>
</pre>
<p>
<p>
This will install library object files under the directory
specified by the --with-export-libdir configure option (default:
EPREFIX/lib/bind9), and header files under the directory
specified by the --with-export-includedir configure option
(default: PREFIX/include/bind9).
Root privilege is normally required.
"<span><strong class="command">make install</strong></span>" at the top directory will do the
"<span class="command"><strong>make install</strong></span>" at the top directory will do the
same.
</p>
<p>
<p>
To see how to build your own
application after the installation, see
<code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2615355"></a>Known Defects/Restrictions</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li><p>Currently, win32 is not supported for the export
<a name="id-1.13.3.8"></a>Known Defects/Restrictions</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
before).</p></li>
<li>
<p>The "fixed" RRset order is not (currently) supported in
before).</p>
</li>
<li class="listitem">
<p>The "fixed" RRset order is not (currently) supported in
the export library. If you want to use "fixed" RRset order
for, e.g. <span><strong class="command">named</strong></span> while still building the
for, e.g. <span class="command"><strong>named</strong></span> while still building the
export library even without the fixed order support, build
them separately:
</p>
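Review bot: the section anchors in this hunk change from generated values such as `id2616519` to values such as `id-1.13.3.5`, which appear to encode the section's position in the book, so existing deep links to the old anchors break and the new ones will shift whenever a section is inserted ahead of them. Giving these sections explicit ids in the DocBook source, as `bind9.library` already has, would keep the anchors stable across regenerations. The regenerated text also still reads "In the reminder of this document" and "This will create (in addition to usual BIND 9 programs) and a separate set of libraries"; both are worth correcting in the XML source while the output is being rebuilt.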
@ -156,27 +172,34 @@ $ <strong class="userinput"><code>make</code></strong>
</pre>
<p>
</p>
</li>
<li><p>The client module and the IRS library currently do not
</li>
<li class="listitem">
<p>The client module and the IRS library currently do not
support DNSSEC validation using DLV (the underlying modules
can handle it, but there is no tunable interface to enable
the feature).</p></li>
<li><p>RFC 5011 is not supported in the validating stub
the feature).</p>
</li>
<li class="listitem">
<p>RFC 5011 is not supported in the validating stub
resolver of the export library. In fact, it is not clear
whether it should: trust anchors would be a system-wide
configuration which would be managed by an administrator,
while the stub resolver will be used by ordinary applications
run by a normal user.</p></li>
<li><p>Not all common <code class="filename">/etc/resolv.conf</code>
run by a normal user.</p>
</li>
<li class="listitem">
<p>Not all common <code class="filename">/etc/resolv.conf</code>
options are supported
in the IRS library. The only available options in this
version are "debug" and "ndots".</p></li>
version are "debug" and "ndots".</p>
</li>
</ul></div>
</div>
<div class="sect2" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2615432"></a>The dns.conf File</h3></div></div></div>
<p>The IRS library supports an "advanced" configuration file
<a name="id-1.13.3.9"></a>The dns.conf File</h3></div></div></div>
<p>The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
<code class="filename">resolv.conf</code> file.
@ -186,95 +209,98 @@ $ <strong class="userinput"><code>make</code></strong>
This module is very
experimental and the configuration syntax or library interfaces
may change in future versions. Currently, only the
<span><strong class="command">trusted-keys</strong></span>
<span class="command"><strong>trusted-keys</strong></span>
statement is supported, whose syntax is the same as the same name
of statement for <code class="filename">named.conf</code>. (See
<a href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span><strong class="command">trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)</p>
</div>
<div class="sect2" lang="en">
<a class="xref" href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span class="command"><strong>trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2615459"></a>Sample Applications</h3></div></div></div>
<p>Some sample application programs using this API are
<a name="id-1.13.3.10"></a>Sample Applications</h3></div></div></div>
<p>Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
</p>
<div class="sect3" lang="en">
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2615467"></a>sample: a simple stub resolver utility</h4></div></div></div>
<p>
<a name="id-1.13.3.10.4"></a>sample: a simple stub resolver utility</h4></div></div></div>
<p>
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
RRs. It can also act as a validating stub resolver if a trust
anchor is given via a set of command line options.</p>
<p>
<p>
Usage: sample [options] server_address hostname
</p>
<p>
<p>
Options and Arguments:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">
-t RRtype
</span></dt>
<dd><p>
specify the RR type of the query. The default is the A RR.
specify the RR type of the query. The default is the A RR.
</p></dd>
<dt><span class="term">
[-a algorithm] [-e] -k keyname -K keystring
</span></dt>
<dd>
<p>
specify a command-line DNS key to validate the answer. For
example, to specify the following DNSKEY of example.com:
specify a command-line DNS key to validate the answer. For
example, to specify the following DNSKEY of example.com:
</p>
<div class="literallayout"><p><br>
                example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
</p></div>
<p>
specify the options as follows:
specify the options as follows:
</p>
<pre class="screen">
<strong class="userinput"><code>
-e -k example.com -K "xxx"
-e -k example.com -K "xxx"
</code></strong>
</pre>
<p>
-e means that this key is a zone's "key signing key" (as known
as "secure Entry point").
When -a is omitted rsasha1 will be used by default.
-e means that this key is a zone's "key signing key" (as known
as "secure Entry point").
When -a is omitted rsasha1 will be used by default.
</p>
</dd>
<dt><span class="term">
-s domain:alt_server_address
</span></dt>
<dd><p>
specify a separate recursive server address for the specific
"domain". Example: -s example.com:2001:db8::1234
specify a separate recursive server address for the specific
"domain". Example: -s example.com:2001:db8::1234
</p></dd>
<dt><span class="term">server_address</span></dt>
<dd><p>
an IP(v4/v6) address of the recursive server to which queries
are sent.
an IP(v4/v6) address of the recursive server to which queries
are sent.
</p></dd>
<dt><span class="term">hostname</span></dt>
<dd><p>
the domain name for the query
the domain name for the query
</p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2615558"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
<p>
<a name="id-1.13.3.10.5"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
<p>
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
asynchronously.</p>
<p>
<p>
Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
<p>
<p>
Options and Arguments:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">
-s server_address
</span></dt>
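Review bot: in the `[-a algorithm] [-e] -k keyname -K keystring` entry, the re-indented text still says "(as known as "secure Entry point")", which should read "also known as". The same entry states that rsasha1 is used when `-a` is omitted but never says that `-a` has to match the algorithm of the DNSKEY being supplied; the example key uses algorithm 5, which is RSASHA1, so the default only happens to fit. One sentence in the source XML telling readers to pass `-a` for any other trust anchor algorithm would close that gap.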
@ -300,54 +326,62 @@ $ <strong class="userinput"><code>make</code></strong>
  mx.example.net<br>
  ns.xxx.example<br>
</p></div>
</dd>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2616021"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
<p>
<a name="id-1.13.3.10.6"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
<p>
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
"stub resolver": it stops the processing once it gets any
response from the server, whether it's a referral or an alias
(CNAME or DNAME) that would require further queries to get the
ultimate answer. In other words, this utility acts as a very
simplified <span><strong class="command">dig</strong></span>.
simplified <span class="command"><strong>dig</strong></span>.
</p>
<p>
<p>
Usage: sample-request [-t RRtype] server_address hostname
</p>
<p>
<p>
Options and Arguments:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">
-t RRtype
</span></dt>
<dd><p>
<dd>
<p>
specify the RR type of
the queries. The default is the A RR.
</p></dd>
</p>
</dd>
<dt><span class="term">
server_address
</span></dt>
<dd><p>
<dd>
<p>
an IP(v4/v6)
address of the recursive server to which the query is sent.
</p></dd>
</p>
</dd>
<dt><span class="term">
hostname
</span></dt>
<dd><p>
<dd>
<p>
the domain name for the query
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2616085"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
<p>
<a name="id-1.13.3.10.7"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
<p>
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
host name as an argument, calls getaddrinfo() with the given host
@ -357,172 +391,178 @@ $ <strong class="userinput"><code>make</code></strong>
validating resolver, and getaddrinfo()/getnameinfo() will fail
with an EAI_INSECUREDATA error when DNSSEC validation fails.
</p>
<p>
<p>
Usage: sample-gai hostname
</p>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2616100"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
<p>
<a name="id-1.13.3.10.8"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
<p>
It accepts a single update command as a
command-line argument, sends an update request message to the
authoritative server, and shows the response from the server. In
other words, this is a simplified <span><strong class="command">nsupdate</strong></span>.
other words, this is a simplified <span class="command"><strong>nsupdate</strong></span>.
</p>
<p>
<p>
Usage: sample-update [options] (add|delete) "update data"
</p>
<p>
<p>
Options and Arguments:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">
-a auth_server
</span></dt>
<dd><p>
An IP address of the authoritative server that has authority
for the zone containing the update name. This should normally
be the primary authoritative server that accepts dynamic
updates. It can also be a secondary server that is configured
to forward update requests to the primary server.
An IP address of the authoritative server that has authority
for the zone containing the update name. This should normally
be the primary authoritative server that accepts dynamic
updates. It can also be a secondary server that is configured
to forward update requests to the primary server.
</p></dd>
<dt><span class="term">
-k keyfile
</span></dt>
<dd><p>
A TSIG key file to secure the update transaction. The keyfile
format is the same as that for the nsupdate utility.
A TSIG key file to secure the update transaction. The keyfile
format is the same as that for the nsupdate utility.
</p></dd>
<dt><span class="term">
-p prerequisite
</span></dt>
<dd><p>
A prerequisite for the update (only one prerequisite can be
specified). The prerequisite format is the same as that is
accepted by the nsupdate utility.
A prerequisite for the update (only one prerequisite can be
specified). The prerequisite format is the same as that is
accepted by the nsupdate utility.
</p></dd>
<dt><span class="term">
-r recursive_server
</span></dt>
<dd><p>
An IP address of a recursive server that this utility will
use. A recursive server may be necessary to identify the
authoritative server address to which the update request is
sent.
An IP address of a recursive server that this utility will
use. A recursive server may be necessary to identify the
authoritative server address to which the update request is
sent.
</p></dd>
<dt><span class="term">
-z zonename
</span></dt>
<dd><p>
The domain name of the zone that contains
The domain name of the zone that contains
</p></dd>
<dt><span class="term">
(add|delete)
</span></dt>
<dd><p>
Specify the type of update operation. Either "add" or "delete"
must be specified.
Specify the type of update operation. Either "add" or "delete"
must be specified.
</p></dd>
<dt><span class="term">
"update data"
</span></dt>
<dd><p>
Specify the data to be updated. A typical example of the data
would look like "name TTL RRtype RDATA".
Specify the data to be updated. A typical example of the data
would look like "name TTL RRtype RDATA".
</p></dd>
</dl></div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>In practice, either -a or -r must be specified. Others can
be optional; the underlying library routine tries to identify the
appropriate server and the zone name for the update.</div>
<p>
<p>
Examples: assuming the primary authoritative server of the
dynamic.example.com zone has an IPv6 address 2001:db8::1234,
</p>
<pre class="screen">
<pre class="screen">
$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
<p>
<p>
adds an A RR for foo.dynamic.example.com using the given key.
</p>
<pre class="screen">
<pre class="screen">
$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
<p>
<p>
removes all A RRs for foo.dynamic.example.com using the given key.
</p>
<pre class="screen">
<pre class="screen">
$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
<p>
<p>
removes all RRs for foo.dynamic.example.com using the given key.
</p>
</div>
<div class="sect3" lang="en">
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2616641"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
<p>
<a name="id-1.13.3.10.9"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
<p>
It checks a set
of domains to see the name servers of the domains behave
correctly in terms of RFC 4074. This is included in the set of
sample programs to show how the export library can be used in a
DNS-related application.
</p>
<p>
<p>
Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
</p>
<p>
<p>
Options
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">
-d
</span></dt>
<dd><p>
run in the "debug" mode. with this option nsprobe will dump
every RRs it receives.
run in the "debug" mode. with this option nsprobe will dump
every RRs it receives.
</p></dd>
<dt><span class="term">
-v
</span></dt>
<dd><p>
increase verbosity of other normal log messages. This can be
specified multiple times
increase verbosity of other normal log messages. This can be
specified multiple times
</p></dd>
<dt><span class="term">
-c cache_address
</span></dt>
<dd><p>
specify an IP address of a recursive (caching) name server.
nsprobe uses this server to get the NS RRset of each domain and
the A and/or AAAA RRsets for the name servers. The default
value is 127.0.0.1.
specify an IP address of a recursive (caching) name server.
nsprobe uses this server to get the NS RRset of each domain and
the A and/or AAAA RRsets for the name servers. The default
value is 127.0.0.1.
</p></dd>
<dt><span class="term">
input_file
</span></dt>
<dd><p>
a file name containing a list of domain (zone) names to be
probed. when omitted the standard input will be used. Each
line of the input file specifies a single domain name such as
"example.com". In general this domain name must be the apex
name of some DNS zone (unlike normal "host names" such as
"www.example.com"). nsprobe first identifies the NS RRsets for
the given domain name, and sends A and AAAA queries to these
servers for some "widely used" names under the zone;
specifically, adding "www" and "ftp" to the zone name.
a file name containing a list of domain (zone) names to be
probed. when omitted the standard input will be used. Each
line of the input file specifies a single domain name such as
"example.com". In general this domain name must be the apex
name of some DNS zone (unlike normal "host names" such as
"www.example.com"). nsprobe first identifies the NS RRsets for
the given domain name, and sends A and AAAA queries to these
servers for some "widely used" names under the zone;
specifically, adding "www" and "ftp" to the zone name.
</p></dd>
</dl></div>
</div>
</div>
<div class="sect2" lang="en">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2616705"></a>Library References</h3></div></div></div>
<p>As of this writing, there is no formal "manual" of the
<a name="id-1.13.3.11"></a>Library References</h3></div></div></div>
<p>As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
programs.</p>
</div>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
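Review bot: the three `sample-update` examples in this hunk pass `-a sample-update`, although the lead-in gives the primary server's address as 2001:db8::1234 and `-a` is documented as an IP address of the authoritative server; the command name looks like it was pasted where the address belongs. The `-z zonename` entry also ends mid-sentence ("The domain name of the zone that contains"), and the `-p` entry reads "the same as that is accepted". The regeneration carries all three through unchanged, so they need fixing in the DocBook source rather than in this generated HTML.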
@ -540,6 +580,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
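Review bot: the footer paragraph now carries `xmlns:db="http://docbook.org/ns/docbook"`, a namespace declaration that has most likely leaked from the customization stylesheet into the HTML output. Adding `exclude-result-prefixes="db"` to the `xsl:stylesheet` element that emits this footer would keep it out of every generated page.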


@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Manual pages</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
<link rel="next" href="man.dig.html" title="dig">
@ -39,7 +38,7 @@
</table>
<hr>
</div>
<div class="reference" lang="en">
<div class="reference">
<div class="titlepage">
<div><div><h1 class="title">
<a name="Bv9ARM.ch13"></a>Manual pages</h1></div></div>
@ -47,7 +46,7 @@
</div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dl class="toc">
<dt>
<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
</dt>
@ -88,19 +87,19 @@
<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span><strong class="command">named</strong></span></span>
<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
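Review bot: the entries for lwresd, named-checkconf and named-checkzone each appear twice in this hunk at different positions, so the order of the manual pages in the table of contents changes, which goes beyond a toolchain upgrade. If the new order follows from the order of includes in the converted source, say so in the commit message; otherwise restore the previous order so the diff stays limited to markup.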
@ -136,17 +135,42 @@
<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> &#8212; A syntax checker for individual DNS resource records</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
</dt>
</dl>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -164,6 +188,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

3
doc/arm/Bv9ARM.conf Normal file

@ -0,0 +1,3 @@
TexInputs: ../tex//
TexStyle: armstyle
XslParam: ../xsl/arm-param.xsl
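Review bot: this new file has no copyright or license header, unlike the generated HTML files in this commit, which keep the ISC notice, and both `TexInputs: ../tex//` and `XslParam: ../xsl/arm-param.xsl` are relative paths whose meaning depends on the directory they are resolved against. Add the header if the format permits comments, and record next to the build rule which directory these paths are relative to.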


@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>BIND 9 Administrator Reference Manual</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@ -36,11 +35,11 @@
</table>
<hr>
</div>
<div class="book" lang="en">
<div class="book">
<div class="titlepage">
<div>
<div><h1 class="title">
<a name="id2563180"></a>BIND 9 Administrator Reference Manual</h1></div>
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.11.0pre-alpha</p></div>
<div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
@ -49,223 +48,244 @@
</div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dl class="toc">
<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563509">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563533">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564629">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564810">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.4">Scope of Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.5">Organization of This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.6">Conventions Used in This Document</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564832">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564934">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567271">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567348">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567589">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567651">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.4">DNS Fundamentals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.5">Domains and Domain Names</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.6">Zones</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.7">Authoritative Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.8">Caching Name Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch01.html#id-1.2.7.9">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567685">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567712">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567793">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567819">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567830">Supported Operating Systems</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.3">Hardware requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.4">CPU Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.5">Memory Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.6">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#id-1.3.7">Supported Operating Systems</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567998">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568014">An Authoritative-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.4.3">A Caching-only Name Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.4.4">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568037">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568391">Name Server Operations</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.5">Load Balancing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568396">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569465">Signals</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.3">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.4">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2569988">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570006">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6">Split DNS</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570439">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570581">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570592">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570628">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570685">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570734">Errors</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7.6">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7.7">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7.8">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7.9">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7.10">TSIG Key Based Access Control</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.7.11">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570748">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570866">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.8">TKEY</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.9">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571002">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571218">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571299">Configuring Servers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.9">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613607">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613644">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563573">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563820">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573415">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573428">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573461">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573488">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573497">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573507">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573520">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573557">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573571">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Converting from insecure to secure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.9">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.17">Fully automatic zone signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.26">Private-type records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.33">DNSKEY rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.35">Dynamic DNS update method</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.40">Automatic key rollovers</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.42">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.44">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.46">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.48">Converting from secure to insecure</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.52">Periodic re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.54">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573594">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573617">Authoritative Server</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.4">Validating Resolver</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.5">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613795">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613804">Native PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613950">OpenSSL-based PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2641062">PKCS#11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2641098">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2641452">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2641500">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Prerequisites</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.8">Native PKCS#11</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.9">OpenSSL-based PKCS#11</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.10">PKCS#11 Tools</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.11">Using the HSM</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.12">Specifying the engine on the command line</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.13">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613331">Configuring DLZ</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2613473">Sample DLZ Driver</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.7">Configuring DLZ</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.8">Sample DLZ Driver</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2668419">Configuring DynDB</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2614349">Sample DynDB Module</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Configuring DynDB</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.7">Sample DynDB Module</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571527">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571794">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571815">Address to Name Lookups Using Nibble Format</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.8">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2571848">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#id-1.6.3">The Lightweight Resolver Library</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2564126">Comment Syntax</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.5.6">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574276"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.7"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574466"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.9"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574893"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574910"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.11"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.12"><span class="command"><strong>include</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574934"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574957"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575051"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575187"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.13"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.14"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.15"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.16"><span class="command"><strong>logging</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576512"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576677"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576773"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576822"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.17"><span class="command"><strong>lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.18"><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.19"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.20"><span class="command"><strong>masters</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576843"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.21"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592781"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.26"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593147"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.28"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593269"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.29"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593704"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.32"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595733"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.6.34"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2599438">Zone File</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.7">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602566">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2603113">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2603308">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2603581"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.7.4">Discussion of MX Records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.7.6">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.7.7">Other Zone File Directives</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#id-1.7.7.8"><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2608685"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.4"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2608835">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2608894">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.4.7">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.4.8">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2608974">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2608980">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2608992">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2609009">Where Can I Get Help?</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Common Problems</a></span></dt>
<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3.3">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.4">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.5">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.3">Release Notes for BIND Version 9.11.0pre-alpha</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch10.html">B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch10.html#dns_history">DNS</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch10.html#bind_history">BIND</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch11.html">C. General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch11.html#id2612661">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.4.5">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch12.html">D. BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2616519">Prerequisite</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615300">Compilation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615324">Installation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615355">Known Defects/Restrictions</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615432">The dns.conf File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2615459">Sample Applications</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2616705">Library References</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.5">Prerequisite</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.6">Compilation</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.7">Installation</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.8">Known Defects/Restrictions</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.9">The dns.conf File</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.10">Sample Applications</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.3.11">Library References</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
@ -310,19 +330,19 @@
<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span><strong class="command">named</strong></span></span>
<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
@ -358,18 +378,39 @@
<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> &#8212; A syntax checker for individual DNS resource records</span>
</dt>
<dt>
<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
</dt>
</dl></dd>
</dl>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@ -386,6 +427,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
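Review bot: The regenerated footer now carries an unused namespace declaration, `<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">`, which most likely means the `db` prefix declared in the HTML customization stylesheet is leaking onto literal result elements. Adding `exclude-result-prefixes="db"` to the `xsl:stylesheet` element of the layer that emits this footer should keep it out of every generated page.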

Binary file not shown.

View file

@ -13,8 +13,6 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.22 2009/02/12 23:47:56 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@ -33,9 +31,9 @@ doc man:: ${MANOBJS} ${PDFOBJS}
clean::
rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx Bv9ARM.toc
rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp
rm -f Bv9ARM.log Bv9ARM.out
rm -f notes.aux notes.brf notes.glo notes.idx notes.toc
rm -f notes.log notes.out notes.tex notes.tex.tmp
rm -f notes.log notes.out
docclean manclean maintainer-clean:: clean
rm -f *.html ${PDFOBJS}
@ -47,19 +45,11 @@ docclean manclean maintainer-clean distclean::
notes.html: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml
expand notes-wrapper.xml | \
${XSLTPROC} --stringparam generate.toc "" ../xsl/isc-notes-html.xsl - |\
@PERL@ html-fixup.pl > notes.html
${XSLTPROC} --stringparam generate.toc "" ../xsl/isc-notes-html.xsl - > notes.html
notes.tex: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml
expand notes-wrapper.xml | \
${XSLTPROC} --stringparam generate.toc "book toc" ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
${XSLTPROC} ${top_srcdir}/doc/xsl/isc-notes-latex.xsl - | \
@PERL@ latex-fixup.pl >$@.tmp
if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
notes.pdf: notes.tex releaseinfo.xml pkgversion.xml noteversion.xml
rm -f notes-wrapper.aux notes.pdf notes.log
${PDFLATEX} '\batchmode\input notes.tex' || (rm -f $@ ; exit 1)
notes.pdf: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml
${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl notes-wrapper.xml | \
${DBLATEX} -c notes.conf -Pdoc.layout="mainmatter" -o notes.pdf -
Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | \
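Review bot: The new `notes.html` and `notes.pdf` recipes lose the failure handling that the removed `notes.tex` rule had (`test -s $@.tmp` before the `mv`, and `rm -f $@` on error). In `notes.html`, the redirect `> notes.html` creates the target even when xsltproc fails, so the next make run sees an empty file that looks up to date. In `notes.pdf`, the recipe's exit status is that of `${DBLATEX}`, the last command in the pipe, so an xsltproc error upstream is not what make tests. Suggest writing to `$@.tmp` and renaming on success, as the old rule did.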
@ -70,24 +60,10 @@ Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | \
${XSLTPROC} -o Bv9ARM-all.html ../xsl/isc-docbook-html.xsl -
Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
Bv9ARM.pdf: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | \
${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \
@PERL@ latex-fixup.pl >$@.tmp
if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml pkgversion.xml noteversion.xml
rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml pkgversion.xml noteversion.xml
rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
${DBLATEX} -c Bv9ARM.conf -o Bv9ARM.pdf -
FORCE:
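Review bot: `${DBLATEX}` is new in the `Bv9ARM.pdf` recipe and its definition is not part of this hunk. If configure leaves it empty when dblatex is not installed, the last recipe line starts with `-c Bv9ARM.conf` and fails with a confusing shell error, so it is worth checking that the variable is substituted and that the doc targets report the missing tool clearly. The `Bv9ARM.dvi` target is dropped here as well, so anything that still asks for it needs updating.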

View file

@ -1,4 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
- Copyright (C) 2012-2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -14,11 +13,9 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<sect1 id="dlz-info">
<title>DLZ (Dynamically Loadable Zones)</title>
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dlz-info"><info><title>DLZ (Dynamically Loadable Zones)</title></info>
<para>
DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
zone data to be retrieved directly from an external database. There is
@ -56,16 +53,16 @@
zones in the database.)
</para>
<sect2>
<title>Configuring DLZ</title>
<section><info><title>Configuring DLZ</title></info>
<para>
A DLZ database is configured with a <command>dlz</command>
statement in <filename>named.conf</filename>:
</para>
<screen>
dlz example {
database "dlopen driver.so <option>args</option>";
search yes;
database "dlopen driver.so <option>args</option>";
search yes;
};
</screen>
<para>
@ -94,18 +91,18 @@
</para>
<screen>
dlz other {
database "dlopen driver.so <option>args</option>";
search no;
database "dlopen driver.so <option>args</option>";
search no;
};
zone "." {
type redirect;
dlz other;
type redirect;
dlz other;
};
</screen>
</sect2>
<sect2>
<title>Sample DLZ Driver</title>
</section>
<section><info><title>Sample DLZ Driver</title></info>
<para>
For guidance in implementation of DLZ modules, the directory
<filename>contrib/dlz/example</filename> contains a basic
@ -117,7 +114,7 @@
</para>
<screen>
dlz other {
database "dlopen driver.so example.nil";
database "dlopen driver.so example.nil";
};
</screen>
<para>
@ -128,8 +125,8 @@
</para>
<screen>
example.nil. 3600 IN SOA example.nil. hostmaster.example.nil. (
123 900 600 86400 3600
)
123 900 600 86400 3600
)
example.nil. 3600 IN NS example.nil.
example.nil. 1800 IN A 10.53.0.1
</screen>
@ -137,7 +134,7 @@
The sample driver is capable of retrieving information about the
querying client, and altering its response on the basis of this
information. To demonstrate this feature, the example driver
responds to queries for "source-addr.<option>zonename</option>>/TXT"
responds to queries for "source-addr.<option>zonename</option>&gt;/TXT"
with the source address of the query. Note, however, that this
record will *not* be included in AXFR or ANY responses. Normally,
this feature would be used to alter responses in some other fashion,
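Review bot: The stray `>` after `</option>` in `"source-addr.<option>zonename</option>>/TXT"` has been escaped to `&gt;` rather than removed, so the rendered text still reads `source-addr.zonename>/TXT`. It looks like a leftover typo in the source; dropping the character gives `source-addr.<option>zonename</option>/TXT`, which matches the query name the paragraph describes.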
@ -151,5 +148,5 @@
defines the API and should be included by any dynamically-linkable
DLZ module.
</para>
</sect2>
</sect1>
</section>
</section>

View file

@ -1,4 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
- Copyright (C) 2010, 2011, 2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -14,15 +13,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<sect1 id="dnssec.dynamic.zones">
<title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info>
<para>As of BIND 9.7.0 it is possible to change a dynamic zone
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</para>
<sect2>
<title>Converting from insecure to secure</title>
</sect2>
<section><info><title>Converting from insecure to secure</title></info>
</section>
<para>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<command>auto-dnssec</command> zone option.</para>
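Review bot: The converted heading is closed immediately, `<section><info><title>Converting from insecure to secure</title></info>` followed directly by `</section>`, and the paragraphs it introduces follow as siblings of the empty section. That mirrors the old empty `<sect2>`, but a DocBook 5 section needs content and block elements may not follow a subsection, so this will not validate against the schema and the text renders outside the section it belongs to. Move each `</section>` down to the end of the text it heads; the same pattern repeats in the later hunks of this file.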
@ -35,28 +34,28 @@
in the key-directory, as specified in
<filename>named.conf</filename>:</para>
<programlisting>
zone example.net {
type master;
update-policy local;
file "dynamic/example.net/example.net";
key-directory "dynamic/example.net";
};
zone example.net {
type master;
update-policy local;
file "dynamic/example.net/example.net";
key-directory "dynamic/example.net";
};
</programlisting>
<para>If one KSK and one ZSK DNSKEY key have been generated, this
configuration will cause all records in the zone to be signed
with the ZSK, and the DNSKEY RRset to be signed with the KSK as
well. An NSEC chain will be generated as part of the initial
signing process.</para>
<sect2>
<title>Dynamic DNS update method</title>
</sect2>
<section><info><title>Dynamic DNS update method</title></info>
</section>
<para>To insert the keys via dynamic update:</para>
<screen>
% nsupdate
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; send
% nsupdate
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; send
</screen>
<para>While the update request will complete almost immediately,
the zone will not be completely signed until
@ -69,12 +68,12 @@
wish the NSEC3 chain to have the OPTOUT bit set, set it in the
flags field of the NSEC3PARAM record.</para>
<screen>
% nsupdate
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; update add example.net NSEC3PARAM 1 1 100 1234567890
&gt; send
% nsupdate
&gt; ttl 3600
&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
&gt; update add example.net NSEC3PARAM 1 1 100 1234567890
&gt; send
</screen>
<para>Again, this update request will complete almost
immediately; however, the record won't show up until
@ -84,9 +83,9 @@
be removed once the operation completes.</para>
<para>While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.</para>
<sect2>
<title>Fully automatic zone signing</title>
</sect2>
<section><info><title>Fully automatic zone signing</title></info>
</section>
<para>To enable automatic signing, add the
<command>auto-dnssec</command> option to the zone statement in
<filename>named.conf</filename>.
@ -148,9 +147,9 @@
<command>update-policy</command> statement to the zone
configuration. If this has not been done, the configuration will
fail.</para>
<sect2>
<title>Private-type records</title>
</sect2>
<section><info><title>Private-type records</title></info>
</section>
<para>The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@ -186,15 +185,15 @@
0x20 NONSEC
</literallayout>
</para>
<sect2>
<title>DNSKEY rollovers</title>
</sect2>
<section><info><title>DNSKEY rollovers</title></info>
</section>
<para>As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
<command>auto-dnssec</command> zone option.</para>
<sect2>
<title>Dynamic DNS update method</title>
</sect2>
<section><info><title>Dynamic DNS update method</title></info>
</section>
<para> To perform key rollovers via dynamic update, you need to add
the <filename>K*</filename> files for the new keys so that
<command>named</command> can find them. You can then add the new
@ -215,9 +214,9 @@
specify the correct key.
<command>named</command> will clean out any signatures generated
by the old key after the update completes.</para>
<sect2>
<title>Automatic key rollovers</title>
</sect2>
<section><info><title>Automatic key rollovers</title></info>
</section>
<para>When a new key reaches its activation date (as set by
<command>dnssec-keygen</command> or <command>dnssec-settime</command>),
if the <command>auto-dnssec</command> zone option is set to
@ -231,32 +230,32 @@
signature validity periods expire. By default, this rollover
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.</para>
<sect2>
<title>NSEC3PARAM rollovers via UPDATE</title>
</sect2>
<section><info><title>NSEC3PARAM rollovers via UPDATE</title></info>
</section>
<para>Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.</para>
<sect2>
<title>Converting from NSEC to NSEC3</title>
</sect2>
<section><info><title>Converting from NSEC to NSEC3</title></info>
</section>
<para>To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.</para>
<sect2>
<title>Converting from NSEC3 to NSEC</title>
</sect2>
<section><info><title>Converting from NSEC3 to NSEC</title></info>
</section>
<para>To do this, use <command>nsupdate</command> to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.</para>
<sect2>
<title>Converting from secure to insecure</title>
</sect2>
<section><info><title>Converting from secure to insecure</title></info>
</section>
<para>To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
<command>nsupdate</command>. All signatures, NSEC or NSEC3 chains,
@ -270,17 +269,17 @@
zone statement is used, it should be removed or changed to
<command>allow</command> instead (or it will re-sign).
</para>
<sect2>
<title>Periodic re-signing</title>
</sect2>
<section><info><title>Periodic re-signing</title></info>
</section>
<para>In any secure zone which supports dynamic updates, <command>named</command>
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.</para>
<sect2>
<title>NSEC3 and OPTOUT</title>
</sect2>
<section><info><title>NSEC3 and OPTOUT</title></info>
</section>
<para>
<command>named</command> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@ -291,4 +290,4 @@
state of an individual NSEC3 record, the entire chain needs to be
changed if the OPTOUT state of an individual NSEC3 needs to be
changed.</para>
</sect1>
</section>

View file

@ -1,4 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
- Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
-
@ -14,9 +13,9 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<sect1 id="dyndb-info">
<title>DynDB (Dynamic Database)</title>
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dyndb-info"><info><title>DynDB (Dynamic Database)</title></info>
<para>
DynDB is an extension to BIND 9 which, like DLZ
(see <xref linkend="dlz-info"/>), allows zone data to be
@ -32,8 +31,7 @@
<para>
A DynDB module supporting LDAP has been created by Red Hat
and is available from
<ulink url="https://fedorahosted.org/bind-dyndb-ldap/"
>https://fedorahosted.org/bind-dyndb-ldap/</ulink>.
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://fedorahosted.org/bind-dyndb-ldap/">https://fedorahosted.org/bind-dyndb-ldap/</link>.
</para>
<para>
A sample DynDB module for testing and developer guidance
@ -41,8 +39,8 @@
<filename>bin/tests/system/dyndb/driver</filename>.
</para>
<sect2>
<title>Configuring DynDB</title>
<section><info><title>Configuring DynDB</title></info>
<para>
A DynDB database is configured with a <command>dyndb</command>
statement in <filename>named.conf</filename>:
@ -67,9 +65,9 @@
string to the DynDB module's initialization routine. Configuration
syntax will differ depending on the driver.
</para>
</sect2>
<sect2>
<title>Sample DynDB Module</title>
</section>
<section><info><title>Sample DynDB Module</title></info>
<para>
For guidance in implementation of DynDB modules, the directory
<filename>bin/tests/system/dyndb/driver</filename>.
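Review bot: The paragraph under the converted "Sample DynDB Module" title has no verb as shown here: "For guidance in implementation of DynDB modules, the directory `bin/tests/system/dyndb/driver`." Since the section is being touched anyway, complete the sentence in the style of the DLZ page ("the directory ... contains a basic ...").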
@ -101,5 +99,5 @@
reverse zone. (Updates are not stored permanently; all updates are
lost when the server is restarted.)
</para>
</sect2>
</sect1>
</section>
</section>

View file

@ -1,51 +0,0 @@
#!/usr/bin/perl -w
#
# Copyright (C) 2005, 2007, 2012, 2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: latex-fixup.pl,v 1.5 2007/06/19 23:47:13 tbox Exp $
# Sadly, the final stages of generating a presentable PDF file always
# seem to require some manual tweaking. Doesn't seem to matter what
# typesetting tool one uses, sane forms of automation only go so far,
# at least with present technology.
#
# This script is intended to be a collection of tweaks. The theory is
# that, while we can't avoid the need for tweaking, we can at least
# write the silly things down in a form that a program might be able
# to execute. Undoubtedly everythig in here will break, eventually,
# at which point it will need to be updated, but since the alternative
# is to do the final editing by hand every time, this approach seems
# the lesser of two evils.
while (<>) {
# Fix a db2latex oops. LaTeX2e does not like having tables with
# duplicate names. Perhaps the dblatex project will fix this
# someday, but we can get by with just deleting the offending
# LaTeX commands for now.
s/\\addtocounter\{table\}\{-1\}//g;
# Line break in the middle of quoting one period looks weird.
s/{\\texttt{{\.\\dbz{}}}}/\\mbox{{\\texttt{{\.\\dbz{}}}}}/;
# Add any further tweaking here.
# https://en.wikibooks.org/wiki/LaTeX/Special_Characters
s/&#50102;/{\\"o}/; # umlaut o &#xc3b6; or &#50102;
# Write out whatever we have now.
print;
}
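Review bot: Nothing in the commit shows where the `&#50102;` to `{\"o}` substitution near the end of this script is handled now that the script is gone. The other two workarounds (`\addtocounter{table}{-1}` and the `\mbox` around a quoted period) were specific to the old LaTeX output, but the umlaut case concerns document content, so it is worth confirming that text containing "ö" still renders correctly in the dblatex PDF.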

View file

@ -1,4 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
- Copyright (C) 2010, 2014 Internet Systems Consortium, Inc. ("ISC")
-
@ -14,9 +13,9 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<sect1 id="bind9.library">
<title>BIND 9 DNS Library Support</title>
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="bind9.library"><info><title>BIND 9 DNS Library Support</title></info>
<para>This version of BIND 9 "exports" its internal libraries so
that they can be used by third-party applications more easily (we
call them "export" libraries in this document). In addition to
@ -52,16 +51,16 @@
libraries than BIND 9's internal event task system.</para>
</listitem>
</itemizedlist>
<sect2>
<title>Prerequisite</title>
<section><info><title>Prerequisite</title></info>
<para>GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
in some platforms you may need to invoke a different command name
than "make" (e.g. "gmake") to indicate it's GNU make.</para>
</sect2>
<sect2>
<title>Compilation</title>
</section>
<section><info><title>Compilation</title></info>
<screen>
$ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput>
$ <userinput>make</userinput>
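Review bot: The converted `<section><info><title>Prerequisite</title></info>` and `<section><info><title>Compilation</title></info>` have no `xml:id`, so the generated HTML falls back to anchors that look positional (the regenerated table of contents links `Bv9ARM.ch12.html#id-1.13.3.5` and `#id-1.13.3.6`). Those change whenever a section is inserted ahead of them; giving each subsection an explicit `xml:id`, as the parent `bind9.library` section has, would keep deep links stable.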
@ -73,9 +72,9 @@ $ <userinput>make</userinput>
export version of the BIND 9 DNS library. Sample application
programs using the libraries will also be built under the
lib/export/samples directory (see below).</para>
</sect2>
<sect2>
<title>Installation</title>
</section>
<section><info><title>Installation</title></info>
<screen>
$ <userinput>cd lib/export</userinput>
$ <userinput>make install</userinput>
@ -94,9 +93,9 @@ $ <userinput>make install</userinput>
To see how to build your own
application after the installation, see
<filename>lib/export/samples/Makefile-postinstall.in</filename>.</para>
</sect2>
<sect2>
<title>Known Defects/Restrictions</title>
</section>
<section><info><title>Known Defects/Restrictions</title></info>
<itemizedlist>
<listitem>
<!-- TODO: what about AIX? -->
@ -140,9 +139,9 @@ $ <userinput>make</userinput>
version are "debug" and "ndots".</para>
</listitem>
</itemizedlist>
</sect2>
<sect2>
<title>The dns.conf File</title>
</section>
<section><info><title>The dns.conf File</title></info>
<para>The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
@ -156,16 +155,16 @@ $ <userinput>make</userinput>
<command>trusted-keys</command>
statement is supported, whose syntax is the same as the same name
of statement for <filename>named.conf</filename>. (See
<xref linkend="trusted-keys" /> for details.)</para>
</sect2>
<sect2>
<title>Sample Applications</title>
<xref linkend="trusted-keys"/> for details.)</para>
</section>
<section><info><title>Sample Applications</title></info>
<para>Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
</para>
<sect3>
<title>sample: a simple stub resolver utility</title>
<section><info><title>sample: a simple stub resolver utility</title></info>
<para>
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
@ -183,7 +182,7 @@ $ <userinput>make</userinput>
-t RRtype
</term>
<listitem><para>
specify the RR type of the query. The default is the A RR.
specify the RR type of the query. The default is the A RR.
</para></listitem>
</varlistentry>
<varlistentry>
@ -191,20 +190,20 @@ $ <userinput>make</userinput>
[-a algorithm] [-e] -k keyname -K keystring
</term>
<listitem><para>
specify a command-line DNS key to validate the answer. For
example, to specify the following DNSKEY of example.com:
specify a command-line DNS key to validate the answer. For
example, to specify the following DNSKEY of example.com:
<literallayout>
example.com. 3600 IN DNSKEY 257 3 5 xxx
example.com. 3600 IN DNSKEY 257 3 5 xxx
</literallayout>
specify the options as follows:
specify the options as follows:
<screen>
<userinput>
-e -k example.com -K "xxx"
-e -k example.com -K "xxx"
</userinput>
</screen>
-e means that this key is a zone's "key signing key" (as known
as "secure Entry point").
When -a is omitted rsasha1 will be used by default.
-e means that this key is a zone's "key signing key" (as known
as "secure Entry point").
When -a is omitted rsasha1 will be used by default.
</para></listitem>
</varlistentry>
<varlistentry>
@ -212,27 +211,27 @@ $ <userinput>make</userinput>
-s domain:alt_server_address
</term>
<listitem><para>
specify a separate recursive server address for the specific
"domain". Example: -s example.com:2001:db8::1234
specify a separate recursive server address for the specific
"domain". Example: -s example.com:2001:db8::1234
</para></listitem>
</varlistentry>
<varlistentry>
<term>server_address</term>
<listitem><para>
an IP(v4/v6) address of the recursive server to which queries
are sent.
an IP(v4/v6) address of the recursive server to which queries
are sent.
</para></listitem>
</varlistentry>
<varlistentry>
<term>hostname</term>
<listitem><para>
the domain name for the query
the domain name for the query
</para></listitem>
</varlistentry>
</variablelist>
</sect3>
<sect3>
<title>sample-async: a simple stub resolver, working asynchronously</title>
</section>
<section><info><title>sample-async: a simple stub resolver, working asynchronously</title></info>
<para>
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
@ -276,9 +275,9 @@ $ <userinput>make</userinput>
</listitem>
</varlistentry>
</variablelist>
</sect3>
<sect3>
<title>sample-request: a simple DNS transaction client</title>
</section>
<section><info><title>sample-request: a simple DNS transaction client</title></info>
<para>
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
@ -328,9 +327,9 @@ $ <userinput>make</userinput>
</listitem>
</varlistentry>
</variablelist>
</sect3>
<sect3>
<title>sample-gai: getaddrinfo() and getnameinfo() test code</title>
</section>
<section><info><title>sample-gai: getaddrinfo() and getnameinfo() test code</title></info>
<para>
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
@ -344,9 +343,9 @@ $ <userinput>make</userinput>
<para>
Usage: sample-gai hostname
</para>
</sect3>
<sect3>
<title>sample-update: a simple dynamic update client program</title>
</section>
<section><info><title>sample-update: a simple dynamic update client program</title></info>
<para>
It accepts a single update command as a
command-line argument, sends an update request message to the
@ -365,11 +364,11 @@ $ <userinput>make</userinput>
-a auth_server
</term>
<listitem><para>
An IP address of the authoritative server that has authority
for the zone containing the update name. This should normally
be the primary authoritative server that accepts dynamic
updates. It can also be a secondary server that is configured
to forward update requests to the primary server.
An IP address of the authoritative server that has authority
for the zone containing the update name. This should normally
be the primary authoritative server that accepts dynamic
updates. It can also be a secondary server that is configured
to forward update requests to the primary server.
</para></listitem>
</varlistentry>
<varlistentry>
@ -377,8 +376,8 @@ $ <userinput>make</userinput>
-k keyfile
</term>
<listitem><para>
A TSIG key file to secure the update transaction. The keyfile
format is the same as that for the nsupdate utility.
A TSIG key file to secure the update transaction. The keyfile
format is the same as that for the nsupdate utility.
</para></listitem>
</varlistentry>
<varlistentry>
@ -386,9 +385,9 @@ $ <userinput>make</userinput>
-p prerequisite
</term>
<listitem><para>
A prerequisite for the update (only one prerequisite can be
specified). The prerequisite format is the same as that is
accepted by the nsupdate utility.
A prerequisite for the update (only one prerequisite can be
specified). The prerequisite format is the same as that is
accepted by the nsupdate utility.
</para></listitem>
</varlistentry>
<varlistentry>
@ -396,10 +395,10 @@ $ <userinput>make</userinput>
-r recursive_server
</term>
<listitem><para>
An IP address of a recursive server that this utility will
use. A recursive server may be necessary to identify the
authoritative server address to which the update request is
sent.
An IP address of a recursive server that this utility will
use. A recursive server may be necessary to identify the
authoritative server address to which the update request is
sent.
</para></listitem>
</varlistentry>
<varlistentry>
@ -407,7 +406,7 @@ $ <userinput>make</userinput>
-z zonename
</term>
<listitem><para>
The domain name of the zone that contains
The domain name of the zone that contains
</para></listitem>
</varlistentry>
<varlistentry>
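Review bot: The re-indented description for `-z zonename` still stops mid-sentence: "The domain name of the zone that contains". The line is being rewritten in this hunk, so this is a good place to complete it, presumably along the lines of the `-a auth_server` entry ("the zone containing the update name").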
@ -415,8 +414,8 @@ $ <userinput>make</userinput>
(add|delete)
</term>
<listitem><para>
Specify the type of update operation. Either "add" or "delete"
must be specified.
Specify the type of update operation. Either "add" or "delete"
must be specified.
</para></listitem>
</varlistentry>
<varlistentry>
@ -424,8 +423,8 @@ $ <userinput>make</userinput>
"update data"
</term>
<listitem><para>
Specify the data to be updated. A typical example of the data
would look like "name TTL RRtype RDATA".
Specify the data to be updated. A typical example of the data
would look like "name TTL RRtype RDATA".
</para></listitem>
</varlistentry>
</variablelist>
@ -453,9 +452,9 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
<para>
removes all RRs for foo.dynamic.example.com using the given key.
</para>
</sect3>
<sect3>
<title>nsprobe: domain/name server checker in terms of RFC 4074</title>
</section>
<section><info><title>nsprobe: domain/name server checker in terms of RFC 4074</title></info>
<para>
It checks a set
of domains to see the name servers of the domains behave
@ -476,8 +475,8 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
-d
</term>
<listitem><para>
run in the "debug" mode. with this option nsprobe will dump
every RRs it receives.
run in the "debug" mode. with this option nsprobe will dump
every RRs it receives.
</para></listitem>
</varlistentry>
<varlistentry>
@ -485,8 +484,8 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
-v
</term>
<listitem><para>
increase verbosity of other normal log messages. This can be
specified multiple times
increase verbosity of other normal log messages. This can be
specified multiple times
</para></listitem>
</varlistentry>
<varlistentry>
@ -494,10 +493,10 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
-c cache_address
</term>
<listitem><para>
specify an IP address of a recursive (caching) name server.
nsprobe uses this server to get the NS RRset of each domain and
the A and/or AAAA RRsets for the name servers. The default
value is 127.0.0.1.
specify an IP address of a recursive (caching) name server.
nsprobe uses this server to get the NS RRset of each domain and
the A and/or AAAA RRsets for the name servers. The default
value is 127.0.0.1.
</para></listitem>
</varlistentry>
<varlistentry>
@ -505,26 +504,25 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
input_file
</term>
<listitem><para>
a file name containing a list of domain (zone) names to be
probed. when omitted the standard input will be used. Each
line of the input file specifies a single domain name such as
"example.com". In general this domain name must be the apex
name of some DNS zone (unlike normal "host names" such as
"www.example.com"). nsprobe first identifies the NS RRsets for
the given domain name, and sends A and AAAA queries to these
servers for some "widely used" names under the zone;
specifically, adding "www" and "ftp" to the zone name.
a file name containing a list of domain (zone) names to be
probed. when omitted the standard input will be used. Each
line of the input file specifies a single domain name such as
"example.com". In general this domain name must be the apex
name of some DNS zone (unlike normal "host names" such as
"www.example.com"). nsprobe first identifies the NS RRsets for
the given domain name, and sends A and AAAA queries to these
servers for some "widely used" names under the zone;
specifically, adding "www" and "ftp" to the zone name.
</para></listitem>
</varlistentry>
</variablelist>
</sect3>
</sect2>
<sect2>
<title>Library References</title>
</section>
</section>
<section><info><title>Library References</title></info>
<para>As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
programs.</para>
</sect2>
</sect1>
<!-- $Id: libdns.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->
</section>
</section>

View file

@ -13,8 +13,8 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<informaltable colsep="0" rowsep="0">
<!-- Converted by db4-upgrade version 1.0 -->
<informaltable xmlns="http://docbook.org/ns/docbook" version="5.0" colsep="0" rowsep="0">
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>arpaname</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
<link rel="next" href="man.dnstap-read.html" title="dnstap-read">
@ -39,34 +38,47 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.arpaname"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2719185"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
<span class="application">arpaname</span>
&#8212; translate IP addresses to the corresponding ARPA names
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">arpaname</code>
{<em class="replaceable"><code>ipaddress </code></em>...}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>arpaname</strong></span> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2745619"></a><h2>SEE ALSO</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.27.8"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2745633"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
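Review bot: the AUTHOR section appears to drop out of the rendered arpaname page. The only AUTHOR heading in this hunk sits in the old refsect1 markup (anchor id2745633, with the corpauthor span), and no refsection counterpart follows SEE ALSO in the new markup. If dropping it is intended, say so in the commit message; otherwise check where the converted source keeps the author and whether the new stylesheet renders it. The lang="en" attribute on the refentry div is also gone, which is worth confirming for the same reason.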
@ -87,6 +99,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
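Review bot: the footer paragraph now carries xmlns:db="http://docbook.org/ns/docbook", a namespace declaration that means nothing in the HTML output and looks like it leaked from the stylesheet customization that emits the version footer. Adding exclude-result-prefixes="db" to that stylesheet's xsl:stylesheet element should keep it out of every generated page.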

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
<link rel="next" href="man.arpaname.html" title="arpaname">
@ -39,70 +38,111 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">tsig-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [name]</p></div>
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2719524"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">tsig-keygen</strong></span> and <span><strong class="command">ddns-confgen</strong></span>
<span class="application">ddns-confgen</span>
&#8212; ddns key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">tsig-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[name]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">ddns-confgen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[
-s <em class="replaceable"><code>name</code></em>
| -z <em class="replaceable"><code>zone</code></em>
]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.26.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<span><strong class="command">rndc</strong></span> command channel.
<span class="command"><strong>rndc</strong></span> command channel.
</p>
<p>
When run as <span><strong class="command">tsig-keygen</strong></span>, a domain name
<p>
When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <code class="constant">tsig-key</code>.
</p>
<p>
When run as <span><strong class="command">ddns-confgen</strong></span>, the generated
<p>
When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
key is accompanied by configuration text and instructions
that can be used with <span><strong class="command">nsupdate</strong></span> and
<span><strong class="command">named</strong></span> when setting up dynamic DNS,
including an example <span><strong class="command">update-policy</strong></span>
that can be used with <span class="command"><strong>nsupdate</strong></span> and
<span class="command"><strong>named</strong></span> when setting up dynamic DNS,
including an example <span class="command"><strong>update-policy</strong></span>
statement. (This usage similar to the
<span><strong class="command">rndc-confgen</strong></span> command for setting
<span class="command"><strong>rndc-confgen</strong></span> command for setting
up command channel security.)
</p>
<p>
Note that <span><strong class="command">named</strong></span> itself can configure a
local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>:
<p>
Note that <span class="command"><strong>named</strong></span> itself can configure a
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with
<span><strong class="command">update-policy local;</strong></span>.
<span><strong class="command">ddns-confgen</strong></span> is only needed when a
<span class="command"><strong>update-policy local;</strong></span>.
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance,
if <span><strong class="command">nsupdate</strong></span> is to be used from a remote
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2719696"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.26.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of options and arguments.
</p></dd>
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code> when neither
the <code class="option">-s</code> nor <code class="option">-z</code> option is
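Review bot: the ddns-confgen DESCRIPTION paragraph still reads "(This usage similar to the rndc-confgen command for setting up command channel security.)", which is missing its verb. The surrounding lines are all being regenerated here, so fix it in the source to "This usage is similar to" and let the regenerated HTML pick it up.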
@ -112,15 +152,19 @@
<code class="constant">ddns-key.example.com.</code>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p></dd>
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd><p>
(<span><strong class="command">ddns-confgen</strong></span> only.) Quiet mode: Print
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <span><strong class="command">tsig-keygen</strong></span>.
</p></dd>
This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<code class="filename">/dev/random</code> or equivalent device, the
@ -130,12 +174,14 @@
instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard input
should be used.
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
(<span><strong class="command">ddns-confgen</strong></span> only.)
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <span><strong class="command">named.conf</strong></span>
of a single hostname. The example <span class="command"><strong>named.conf</strong></span>
text shows how to set an update policy for the specified
<em class="replaceable"><code>name</code></em>
using the "name" nametype. The default key name is
@ -143,34 +189,41 @@
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <code class="option">-z</code> option.
</p></dd>
</p>
</dd>
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
<dd><p>
(<span><strong class="command">ddns-confgen</strong></span> only.)
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <span><strong class="command">named.conf</strong></span> text
of a zone: The example <span class="command"><strong>named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>zone</code></em>
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<em class="replaceable"><code>zone</code></em>.
This option cannot be used with the <code class="option">-s</code> option.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2745512"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.26.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2745550"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@ -191,6 +244,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
@ -39,28 +38,73 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.delv"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p>delv &#8212; DNS lookup and validation utility</p>
<p>
delv
&#8212; DNS lookup and validation utility
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">delv</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-v</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2619310"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">delv</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[@server]
[<code class="option">-4</code>]
[<code class="option">-6</code>]
[<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-i</code>]
[<code class="option">-m</code>]
[<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
[<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
[name]
[type]
[class]
[queryopt...]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-h</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-v</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[queryopt...]
[query...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.4.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>delv</strong></span>
(Domain Entity Lookup &amp; Validation) is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <span><strong class="command">named</strong></span>.
resolver and validator logic as <span class="command"><strong>named</strong></span>.
</p>
<p>
<span><strong class="command">delv</strong></span> will send to a specified name server all
<p>
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
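Review bot: the section anchors change from generated values such as id2619310 to positional ones such as id-1.14.4.7, and the same pattern shows in the other pages in this commit (id-1.14.27.7 for arpaname, id-1.14.26.7 for ddns-confgen). Positional ids shift whenever a manual page or section is added or reordered, so links into these pages will still break over time. Giving each refsection an explicit xml:id in the source would make the anchors stable.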
@ -69,182 +113,208 @@
behavior of a name server configured for DNSSEC validating and
forwarding.
</p>
<p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
<span><strong class="command">delv</strong></span> are either fully validated or
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span><strong class="command">delv</strong></span> does
can be traced in detail. Because <span class="command"><strong>delv</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</p>
<p>
<p>
Unless it is told to query a specific name server,
<span><strong class="command">delv</strong></span> will try each of the servers listed in
<span class="command"><strong>delv</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span><strong class="command">delv</strong></span> will send
addresses are found, <span class="command"><strong>delv</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</p>
<p>
<p>
When no command line arguments or options are given,
<span><strong class="command">delv</strong></span> will perform an NS query for "."
<span class="command"><strong>delv</strong></span> will perform an NS query for "."
(the root zone).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2619451"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">delv</strong></span> looks like:
</div>
<div class="refsection">
<a name="id-1.14.4.8"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
</p>
<pre class="programlisting"> delv @server name type </pre>
<p>
where:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span><strong class="command">delv</strong></span> resolves that name before
<span class="command"><strong>delv</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
</p>
<p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span><strong class="command">delv</strong></span> consults
provided, <span class="command"><strong>delv</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span><strong class="command">delv</strong></span> will send queries to
<span class="command"><strong>delv</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</p>
</dd>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
<dd>
<p>
is the domain name to be looked up.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
<dd>
<p>
indicates what type of query is required &#8212;
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span><strong class="command">delv</strong></span> will perform a lookup for an
<span class="command"><strong>delv</strong></span> will perform a lookup for an
A record.
</p></dd>
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2620129"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.4.9"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
<p>
<p>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
</p>
<p>
<p>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <code class="option">+dlv=NAME</code> or
<code class="option">+root=NAME</code> options.
</p>
<p>
<p>
Note: When reading the trust anchor file,
<span><strong class="command">delv</strong></span> treats <code class="option">managed-keys</code>
<span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span><strong class="command">delv</strong></span>
key management is not supported. <span class="command"><strong>delv</strong></span>
will not consult the managed-keys database maintained by
<span><strong class="command">named</strong></span>. This means that if either of the
<span class="command"><strong>named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span><strong class="command">delv</strong></span>.
validation in <span class="command"><strong>delv</strong></span>.
</p>
</dd>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span><strong class="command">delv</strong></span>
only class "IN" is supported in <span class="command"><strong>delv</strong></span>
and any other value is ignored.
</p></dd>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the systemwide debug level to <code class="option">level</code>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <span><strong class="command">delv</strong></span> become
Debugging traces from <span class="command"><strong>delv</strong></span> become
more verbose as the debug level increases.
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
and <code class="option">+vtrace</code> options below for additional
debugging details.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Display the <span><strong class="command">delv</strong></span> help usage output and exit.
</p></dd>
<dd>
<p>
Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd><p>
<dd>
<p>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <span><strong class="command">delv</strong></span> to time out. When it
can cause <span class="command"><strong>delv</strong></span> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <span><strong class="command">dig +cd</strong></span>.)
</p></dd>
problem, use <span class="command"><strong>dig +cd</strong></span>.)
</p>
</dd>
<dt><span class="term">-m</span></dt>
<dd><p>
<dd>
<p>
Enables memory usage debugging.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</p></dd>
</p>
</dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the query name to <em class="parameter"><code>name</code></em>.
While the query name can be specified without using the
<code class="option">-q</code>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
<p>
Sets the query type to <em class="parameter"><code>type</code></em>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
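Review bot: the SIMPLE USAGE section in this hunk ends with an empty paragraph, an opening p tag followed directly by its closing tag right after the variablelist closes. That usually means the source has a para element left open around or after the list. It is worth tidying in the XML so the generated HTML does not carry empty paragraphs.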
@ -252,45 +322,57 @@
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</p>
<p>
<p>
The default query type is "A", unless the <code class="option">-x</code>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</p>
</dd>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
Print the <span><strong class="command">delv</strong></span> version and exit.
</p></dd>
<dd>
<p>
Print the <span class="command"><strong>delv</strong></span> version and exit.
</p>
</dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd><p>
<dd>
<p>
Performs a reverse lookup, mapping an addresses to
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <code class="option">-x</code> is used, there is no need to provide
the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
arguments. <span><strong class="command">delv</strong></span> automatically performs a
arguments. <span class="command"><strong>delv</strong></span> automatically performs a
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</p></dd>
</p>
</dd>
<dt><span class="term">-4</span></dt>
<dd><p>
Forces <span><strong class="command">delv</strong></span> to only use IPv4.
</p></dd>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd><p>
Forces <span><strong class="command">delv</strong></span> to only use IPv6.
</p></dd>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2675155"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">delv</strong></span>
</div>
<div class="refsection">
<a name="id-1.14.4.10"></a><h2>QUERY OPTIONS</h2>
<p><span class="command"><strong>delv</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
<p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded by the string
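Review bot: the -t description in the context at the top of this hunk still ends with a stray lowercase fragment, "it is sometimes necessary to disambiguate names from types.", directly after the complete sentence ending "query name type or class when they are ambiguous." The -x text further down also reads "mapping an addresses to a name". Each appears only once here, so both come from the DocBook source rather than from the new stylesheets. Suggest dropping the fragment and changing the -x wording to "mapping an address to a name" in the source and regenerating, instead of editing this HTML.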
@ -300,94 +382,107 @@
The query options are:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to set the CD (checking disabled) bit in
queries sent by <span><strong class="command">delv</strong></span>. This may be useful
queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <span><strong class="command">delv</strong></span> can then
invalid responses, which <span class="command"><strong>delv</strong></span> can then
validate internally and report the errors in detail.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
<p>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <span><strong class="command">delv</strong></span>
name and type of each query sent by <span class="command"><strong>delv</strong></span>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</p>
<p>
<p>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <code class="option">-d</code> option will
product the same output (but will affect other logging
categories as well).
</p>
</dd>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
<p>
Toggle message logging. This produces a detailed dump of
the responses received by <span><strong class="command">delv</strong></span> in the
the responses received by <span class="command"><strong>delv</strong></span> in the
process of carrying out the resolution and validation process.
</p>
<p>
<p>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
<p>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</p>
<p>
<p>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
<dd>
<p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
<dd>
<p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd><p>
<dd>
<p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd><p>
<dd>
<p>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
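Review bot: three wording errors are carried through the regenerated text in this hunk and should be fixed in the source before the output is committed again: "this includes including the original query" and "will product the same output" under +[no]rtrace, and "The contents of these field are" under +[no]crypto. Suggested wording: "this includes the original query", "will produce the same output", "The contents of these fields are".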
@ -395,14 +490,18 @@
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd><p>
<dd>
<p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
@ -411,36 +510,44 @@
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
<dd>
<p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
<dd>
<p>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <span><strong class="command">delv</strong></span>
facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
output.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
<dd>
<p>
Indicates whether to display RRSIG records in the
<span><strong class="command">delv</strong></span> output. The default is to
do so. Note that (unlike in <span><strong class="command">dig</strong></span>)
<span class="command"><strong>delv</strong></span> output. The default is to
do so. Note that (unlike in <span class="command"><strong>dig</strong></span>)
this does <span class="emphasis"><em>not</em></span> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code> and
<code class="option">+nodlv</code>.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd><p>
<dd>
<p>
Indicates whether to perform conventional (non-lookaside)
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
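Review bot: in the +[no]dnssec entry, "unless suppressed by the use of -i or +noroot and +nodlv" does not say how the three options group. A reader cannot tell whether +noroot alone suppresses validation or whether it has to be combined with +nodlv. Since this sentence is what tells an operator when delv output is not validated, the source should state the grouping explicitly, for example "by the use of -i, or of both +noroot and +nodlv".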
@ -448,9 +555,11 @@
a built-in key. If specifying a different trust anchor,
then <code class="option">-a</code> must be used to specify a file
containing the key.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd><p>
<dd>
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
@ -458,34 +567,46 @@
built-in key. If specifying a different name, then
<code class="option">-a</code> must be used to specify a file
containing the DLV key.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</p></dd>
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2675685"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsect1" lang="en">
<a name="id2675704"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.4.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsection">
<a name="id-1.14.4.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">RFC4034</em>,
<em class="citetitle">RFC4035</em>,
<em class="citetitle">RFC4431</em>,
<em class="citetitle">RFC5074</em>,
<em class="citetitle">RFC5155</em>.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@ -505,6 +626,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
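Review bot: the regenerated footer paragraph now carries xmlns:db="http://docbook.org/ns/docbook" on an HTML p element, which is a namespace declaration leaking from the stylesheet into the output. The same attribute shows up in the footers of the dnssec-checkds and dnssec-coverage pages below. Adding exclude-result-prefixes="db" to the xsl:stylesheet element of the customization layer that emits this footer should remove it from every generated page.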

File diff suppressed because it is too large

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-checkds</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.delv.html" title="delv">
<link rel="next" href="man.dnssec-coverage.html" title="dnssec-coverage">
@ -39,66 +38,108 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-checkds"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-checkds</span> &#8212; A DNSSEC delegation consistency checking tool.</p>
<p>
<span class="application">dnssec-checkds</span>
&#8212; A DNSSEC delegation consistency checking tool.
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2620605"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-checkds</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-checkds</code>
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
{zone}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
{zone}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.5.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-checkds</strong></span>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
zone.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2620619"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.5.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
<dd>
<p>
If a <code class="option">file</code> is specified, then the zone is
read from that file to find the DNSKEY records. If not,
then the DNSKEY records for the zone are looked up in the DNS.
</p></dd>
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
<dd>
<p>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com"
in ISC's DLV zone, use:
<span><strong class="command">dnssec-checkds -l dlv.isc.org example.com</strong></span>
</p></dd>
<span class="command"><strong>dnssec-checkds -l dlv.isc.org example.com</strong></span>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
<dd><p>
Specifies a path to a <span><strong class="command">dig</strong></span> binary. Used
<dd>
<p>
Specifies a path to a <span class="command"><strong>dig</strong></span> binary. Used
for testing.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
<dd><p>
Specifies a path to a <span><strong class="command">dnssec-dsfromkey</strong></span> binary.
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-dsfromkey</strong></span> binary.
Used for testing.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2620722"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.5.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-dsfromkey</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2620756"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
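Review bot: the Synopsis of the dnssec-checkds page still has a second cmdsynopsis whose command is dnssec-dsfromkey, with exactly the same -l, -f, -d, -D and {zone} arguments as the dnssec-checkds line above it. That looks like a copy-and-paste leftover in the source, and the reformatted output makes it more prominent. Suggest removing the duplicate synopsis from the source. Separately, the regenerated SEE ALSO list ends with a trailing comma after dnssec-signzone(8).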
@ -118,6 +159,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-coverage</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
@ -39,24 +38,49 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-coverage</span> &#8212; checks future DNSKEY coverage for a zone</p>
<p>
<span class="application">dnssec-coverage</span>
&#8212; checks future DNSKEY coverage for a zone
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2620899"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-coverage</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-coverage</code>
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-z</code>]
[zone]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.6.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-coverage</strong></span>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
coverage.
</p>
<p>
<p>
If <code class="option">zone</code> is specified, then keys found in
the key repository matching that zone are scanned, and an ordered
list is generated of the events scheduled for that key (i.e.,
@ -69,47 +93,54 @@
key is rolled, and cached data signed by the prior key has not had
time to expire from resolver caches.
</p>
<p>
<p>
If <code class="option">zone</code> is not specified, then all keys in the
key repository will be scanned, and all zones for which there are
keys will be analyzed. (Note: This method of reporting is only
accurate if all the zones that have keys in a given repository
share the same TTL parameters.)
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2620925"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.6.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</p></dd>
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
<dd>
<p>
If a <code class="option">file</code> is specified, then the zone is
read from that file; the largest TTL and the DNSKEY TTL are
determined directly from the zone data, and the
<code class="option">-m</code> and <code class="option">-d</code> options do
not need to be specified on the command line.
</p></dd>
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
<dd>
<p>
<p>
The length of time to check for DNSSEC coverage. Key events
scheduled further into the future than <code class="option">duration</code>
will be ignored, and assumed to be correct.
</p>
<p>
<p>
The value of <code class="option">duration</code> can be set in seconds,
or in larger units of time by adding a suffix: 'mi' for minutes,
'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
'y' for years.
</p>
</dd>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
<dd>
<p>
<p>
Sets the value to be used as the maximum TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a zone-signing key is
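Review bot: the option terms in this hunk do not match the placeholders in the Synopsis of the same page. The list has "-l duration" and "-m maximum TTL", while the synopsis shows "-l length" and "-m max TTL". The text under -l consistently refers to "duration", so the synopsis is the odd one out. Suggest using the same replaceable names in both places in the source.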
@ -118,21 +149,21 @@
before that key can be purged from the DNSKEY RRset. If that
condition does not apply, a warning will be generated.
</p>
<p>
<p>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
<p>
This option is mandatory unless the <code class="option">-f</code> has
been used to specify a zone file. (If <code class="option">-f</code> has
been specified, this option may still be used; it will override
the value found in the file.)
</p>
</dd>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
<dd>
<p>
<p>
Sets the value to be used as the DNSKEY TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a key is rolled (that
@ -142,69 +173,81 @@
signatures. If that condition does not apply, a warning
will be generated.
</p>
<p>
<p>
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
<p>
This option is mandatory unless the <code class="option">-f</code> has
been used to specify a zone file, or a default key TTL was
set with the <code class="option">-L</code> to
<span><strong class="command">dnssec-keygen</strong></span>. (If either of those is true,
<span class="command"><strong>dnssec-keygen</strong></span>. (If either of those is true,
this option may still be used; it will override the value found
in the zone or key file.)
</p>
</dd>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
<dd>
<p>
<p>
Sets the value to be used as the resign interval for the zone
or zones being analyzed when determining whether there is a
possibility of validation failure. This value defaults to
22.5 days, which is also the default in
<span><strong class="command">named</strong></span>. However, if it has been changed
<span class="command"><strong>named</strong></span>. However, if it has been changed
by the <code class="option">sig-validity-interval</code> option in
<code class="filename">named.conf</code>, then it should also be
changed here.
</p>
<p>
<p>
The length of the interval can be set in seconds, or in larger
units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
</dd>
</dd>
<dt><span class="term">-k</span></dt>
<dd><p>
<dd>
<p>
Only check KSK coverage; ignore ZSK events. Cannot be
used with <code class="option">-z</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd><p>
<dd>
<p>
Only check ZSK coverage; ignore KSK events. Cannot be
used with <code class="option">-k</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
<dd><p>
Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.
<dd>
<p>
Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
Used for testing.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2621508"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
</div>
<div class="refsection">
<a name="id-1.14.6.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">dnssec-checkds</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-dsfromkey</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2621552"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
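Review bot: the AUTHOR block at the end of this hunk (refsect1, anchor id2621552, "Internet Systems Consortium") appears only in the old markup, with no refsection counterpart after SEE ALSO, so the regenerated page seems to lose its attribution. The same pattern is visible at the end of the dnssec-checkds page. The commit message mentions only the toolchain upgrade. If dropping the section is intended, say so in the log. If not, restore it in the source or the stylesheet customization.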
@ -225,6 +268,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
<link rel="next" href="man.dnssec-importkey.html" title="dnssec-importkey">
@ -39,166 +38,245 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
<p>
<span class="application">dnssec-dsfromkey</span>
&#8212; DNSSEC DS RR generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2622525"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-1</code>]
[<code class="option">-2</code>]
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
{-s}
[<code class="option">-1</code>]
[<code class="option">-2</code>]
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-A</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
{dnsname}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[<code class="option">-h</code>]
[<code class="option">-V</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.7.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2622539"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.7.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
<dd>
<p>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd><p>
<dd>
<p>
Use SHA-256 as the digest algorithm.
</p></dd>
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
<dd>
<p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</p></dd>
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the TTL of the DS records.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
<p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span><strong class="command">dig</strong></span>
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
<dd>
<p>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</p></dd>
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
<dd>
<p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</p></dd>
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd><p>
<dd>
<p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints usage information.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2622814"></a><h2>EXAMPLE</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.7.9"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, the following command would be issued:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
<p>
The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2622851"></a><h2>FILES</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.7.10"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
<p>
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<code class="option">dnsname</code>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2623916"></a><h2>CAVEAT</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.7.11"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2623926"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.7.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
<em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2624238"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
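Review bot: In the EXAMPLE section the keyfile name and the sample output disagree. The input is Kexample.com.+003+26160, and in the Knnnn.+aaa+iiiii naming these pages use, aaa is the algorithm number, yet the printed record is "example.com. IN DS 26160 5 2 ...", which carries algorithm 5. Since the HTML is regenerated from the DocBook source in this change, fix the source so that the DS algorithm field matches the keyfile name (or rename the keyfile in the example). Two smaller carry-overs in the same hunk: FILES says "can be designed by" where "designated" is meant, and the SEE ALSO list has "RFC 4431." with a period before the final "RFC 4509.".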
@ -219,6 +297,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
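Review bot: The regenerated footer paragraph now carries xmlns:db="http://docbook.org/ns/docbook", a namespace declaration that has no meaning in the HTML output; the same line shows up again in the dnssec-importkey footer hunk. This kind of leak normally comes from the stylesheet customization layer, and adding exclude-result-prefixes="db" to its xsl:stylesheet element should keep the declaration out of the result tree.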

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-importkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
@ -39,20 +38,54 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-importkey</span> &#8212; Import DNSKEY records from external systems so they can be managed.</p>
<p>
<span class="application">dnssec-importkey</span>
&#8212; Import DNSKEY records from external systems so they can be managed.
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2623081"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-importkey</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
{<code class="option">keyfile</code>}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
{<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">dnsname</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-importkey</strong></span>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file
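Review bot: The wrapper changes from <div class="refentry" lang="en"> to <div class="refentry">, and the section divs likewise lose lang="en" when refsect1 becomes refsection, so nothing in the visible markup of the regenerated page declares its language any more. If that is not an intended effect of the conversion, check whether the converted DocBook 5 source still carries a language attribute (xml:lang) for the stylesheets to pick up.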
@ -60,7 +93,7 @@
from the standard input, in which case both .key and .private
files will be generated.
</p>
<p>
<p>
The newly-created .private file does <span class="emphasis"><em>not</em></span>
contain private key data, and cannot be used for signing.
However, having a .private file makes it possible to set
@ -69,53 +102,68 @@
public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2623109"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.8.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
<p>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Emit usage message and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2623451"></a><h2>TIMING OPTIONS</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.8.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
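Review bot: The -f entry is titled "-f filename", matching the synopsis, but its body refers to the argument as "file" three times ("which can be read from file", "the same as file", "If file is set to "-""). Rename one or the other in the DocBook source so that the option text and the replaceable name agree.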
@ -126,43 +174,52 @@
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2623498"></a><h2>FILES</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.8.10"></a><h2>FILES</h2>
<p>
A keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2623524"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.8.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2623557"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
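Review bot: The AUTHOR section ("Internet Systems Consortium") appears only in the old refsect1 form at the end of this hunk, with no refsection counterpart after SEE ALSO, so the regenerated page appears to drop it. Confirm that this is an intended result of the DocBook 5 conversion rather than an element lost by the upgrade script. Separately, FILES still reads "A keyfile can be designed by"; "designated" is meant.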
@ -183,6 +240,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
@ -39,72 +38,116 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
<p>
<span class="application">dnssec-keyfromlabel</span>
&#8212; DNSSEC key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2624571"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keyfromlabel</code>
{-l <em class="replaceable"><code>label</code></em>}
[<code class="option">-3</code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-y</code>]
{name}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.9.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
file can be used for DNSSEC signing of zone data as if it were a
conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
but the key material is stored within the HSM, and the actual signing
takes place there.
</p>
<p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2624802"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.9.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
<p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
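Review bot: Under -a, "Note 2: DH automatically sets the -k flag" refers to an algorithm that the list of accepted values just above it does not include (RSAMD5 through ECDSAP384SHA384, no DH). Either drop the note or add DH to the list, whichever matches what the tool accepts. Also in this hunk, the DESCRIPTION reads "generates a key pair of files that referencing a key object"; "a pair of key files that reference" would fix the sentence.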
@ -112,20 +155,20 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
<p>
Specifies the label for a key pair in the crypto hardware.
</p>
<p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
<p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
@ -134,7 +177,7 @@
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
<p>
<p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
@ -143,72 +186,93 @@
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
</dd>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
</p>
</dd>
<dt><span class="term">-G</span></dt>
<dd><p>
<dd>
<p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keyfromlabel</strong></span>.
</p></dd>
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to be written.
</p></dd>
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd><p>
<dd>
<p>
Generate KEY records rather than DNSKEY records.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
<dd>
<p>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
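Review bot: This hunk documents -C (compatibility mode) and -h, but the Synopsis regenerated earlier in this file lists neither option. Add [-C] and [-h] to the cmdsynopsis in the DocBook source so that the synopsis and the OPTIONS list agree.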
@ -216,35 +280,47 @@
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-y</span></dt>
<dd><p>
<dd>
<p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2675856"></a><h2>TIMING OPTIONS</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.9.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
@ -255,42 +331,53 @@
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
@ -299,74 +386,84 @@
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2676182"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
</div>
<div class="refsection">
<a name="id-1.14.9.10"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p><code class="filename">nnnn</code> is the key name.
</p>
</li>
<li class="listitem">
<p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
</p>
</li>
<li class="listitem">
<p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</p>
</li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2676344"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.9.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2676381"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
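Review bot: The AUTHOR section at the end of this hunk appears only in its old form, `<div class="refsect1" lang="en">` with anchor `id2676381`; unlike GENERATED KEY FILES and SEE ALSO it has no `<div class="refsection">` counterpart, so the regenerated dnssec-keyfromlabel page appears to lose its "Internet Systems Consortium" attribution. If dropping it was a deliberate part of the DocBook 5 conversion, say so in the commit message; otherwise restore the author information in the source so the stylesheet emits it again.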
@ -387,6 +484,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
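Review bot: The regenerated footer paragraph carries a stray namespace declaration, `<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">`, which suggests the `db` prefix used in the stylesheet customization is leaking into the HTML output. Adding `exclude-result-prefixes="db"` to the `xsl:stylesheet` element of the layer that emits this footer should remove the attribute from every generated page.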

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
@ -39,36 +38,84 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
<p>
<span class="application">dnssec-keygen</span>
&#8212; DNSSEC key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2628421"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-z</code>]
{name}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.10.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</p>
<p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2628441"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.10.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
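Review bot: The rewritten synopsis, now one option per line, still has no entry for `-T rrtype`, although the OPTIONS list later in this file documents it and both the `-k` entry and Note 2 point readers at `-T KEY`. Since the synopsis is being regenerated anyway, add the missing argument to the man page source so that it shows up here.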
@ -78,26 +125,26 @@
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
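Review bot: The line "Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm" is ungrammatical and is re-emitted unchanged; the only visible change around it is the duplicated `<p>` line. Worth fixing in the source while every generated file is being rebuilt, for example "Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement algorithm, and DSA is recommended."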
@ -106,7 +153,7 @@
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
<p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
@ -115,9 +162,10 @@
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
@ -125,37 +173,44 @@
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
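Review bot: In the -C description the command markup flips from `<span><strong class="command">dnssec-keygen</strong></span>` to `<span class="command"><strong>dnssec-keygen</strong></span>`, so the `command` class now sits on the span rather than on the strong element. Any rule in the manual's CSS that selects `strong.command` will silently stop matching; check the stylesheet shipped with the HTML and add a `span.command` selector if commands are styled.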
@ -163,39 +218,52 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
</p>
</dd>
<dt><span class="term">-G</span></dt>
<dd><p>
<dd>
<p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
</p>
</dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
<dd>
<p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<span class="command"><strong>dnssec-keygen</strong></span>.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to be written.
</p></dd>
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd><p>
<dd>
<p>
Deprecated in favor of -T KEY.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
@ -204,19 +272,23 @@
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd><p>
<dd>
<p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span><strong class="command">dnssec-keygen</strong></span> is run interactively
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
@ -225,9 +297,11 @@
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
@ -237,9 +311,11 @@
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
<dd>
<p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
@ -247,16 +323,19 @@
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
@ -268,27 +347,36 @@
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2676913"></a><h2>TIMING OPTIONS</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.10.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
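Review bot: The TIMING OPTIONS anchor changes from `id2676913` to `id-1.14.10.9` here, and the other section headings in this diff get the same treatment, so existing deep links into these sections break. The new names also look positional, which would make them shift again whenever a section or man page is inserted ahead of this one; giving the sections explicit `xml:id` values in the source would keep the anchors stable across rebuilds.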
@ -299,44 +387,55 @@
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
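Review bot: The -A description in this hunk still reads "If set, if and -P is not set, then the publication date will be set to the activation date minus the prepublication interval", which is garbled. Fix the wording in the dnssec-keygen source before regenerating, for example "If set, and -P is not set, then ...", so the corrected sentence lands in the HTML and man output together.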
@ -345,42 +444,51 @@
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2677102"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
</div>
<div class="refsection">
<a name="id-1.14.10.10"></a><h2>GENERATED KEYS</h2>
<p>
When <span class="command"><strong>dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p><code class="filename">nnnn</code> is the key name.
</p>
</li>
<li class="listitem">
<p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
</p>
</li>
<li class="listitem">
<p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</p>
</li>
</ul></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
@ -388,59 +496,61 @@
private
key.
</p>
<p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2677278"></a><h2>EXAMPLE</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.10.11"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
</p>
<p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
<p>
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
<p>
In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2677335"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.10.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 4034</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2677366"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
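Review bot: The EXAMPLE section comes through this regeneration still showing `dnssec-keygen -a DSA -b 768 -n ZONE example.com`, and a 768-bit DSA key is too small to present as the sample invocation in a 9.11 manual. Suggest a follow-up change to the source that uses one of the stronger algorithms the OPTIONS list already names, such as RSASHA256 or ECDSAP256SHA256, and updates the `+003+` algorithm number in the sample output to match. The same hunk also describes HMAC-MD5 as a "symmetric encryption" algorithm, which should read as a keyed hash or message authentication algorithm.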
@ -461,6 +571,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-revoke</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
<link rel="next" href="man.dnssec-settime.html" title="dnssec-settime">
@ -39,54 +38,90 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
<p>
<span class="application">dnssec-revoke</span>
&#8212; Set the REVOKED bit on a DNSSEC key
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2634745"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-revoke</code>
[<code class="option">-hr</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f</code>]
[<code class="option">-R</code>]
{keyfile}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.11.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2634759"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.11.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Emit usage message and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p></dd>
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd><p>
<dd>
<p>
After writing the new keyset files remove the original keyset
files.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
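Review bot: `<div class="refentry" lang="en">` becomes `<div class="refentry">` at the top of this hunk, and the section wrappers lose `lang="en"` as well when they change from `refsect1` to `refsection`, so nothing in the lines shown declares the page language any more. Screen readers and browser spell-checking rely on that attribute; setting `xml:lang="en"` on the source refentry should bring it back in the generated HTML.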
@ -94,32 +129,36 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-f</span></dt>
<dd><p>
Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
<dd>
<p>
Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</p></dd>
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd><p>
<dd>
<p>
Print the key tag of the key with the REVOKE bit set but do
not revoke the key.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2634897"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.11.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2634921"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@ -140,6 +179,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-settime</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
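Review bot: `<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">` records the stylesheet release of whoever ran the build in a tracked file, so regenerating on a machine with a different release will rewrite every generated page again. State the expected stylesheet version alongside the new toolchain requirements, or stop tracking the generated HTML, so that later documentation diffs show content changes rather than generator churn.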
@ -39,33 +38,61 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
<p>
<span class="application">dnssec-settime</span>
&#8212; Set the key timing metadata for a DNSSEC key
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2641798"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-settime</code>
[<code class="option">-f</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
{keyfile}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
options. The metadata can then be used by
<span><strong class="command">dnssec-signzone</strong></span> or other signing software to
<span class="command"><strong>dnssec-signzone</strong></span> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
</p>
<p>
<p>
If none of these options is set on the command line,
then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
metadata already stored in the key.
</p>
<p>
<p>
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
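Review bot: The reflowed synopsis for dnssec-settime still stops at `-E engine` and omits `-S`, `-i`, `-u` and `-p`, all of which are documented further down this page under TIMING OPTIONS and PRINTING OPTIONS. Since the synopsis is being regenerated from the source XML anyway, add the four missing `<arg>` entries there so the synopsis and the option lists agree.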
@ -74,27 +101,35 @@
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2642266"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.12.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd><p>
<dd>
<p>
Force an update of an old-format key with no metadata fields.
Without this option, <span><strong class="command">dnssec-settime</strong></span> will
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
@ -103,25 +138,32 @@
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> removes it from the key.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Emit usage message and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@ -129,12 +171,14 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2642406"></a><h2>TIMING OPTIONS</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.12.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
@ -144,39 +188,51 @@
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none' or 'never'.
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
<dd>
<p>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
@ -184,10 +240,11 @@
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
@ -196,34 +253,40 @@
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2646572"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
</div>
<div class="refsection">
<a name="id-1.14.12.10"></a><h2>PRINTING OPTIONS</h2>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd><p>
<dd>
<p>
Print times in UNIX epoch format.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>
<dd>
<p>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
@ -234,22 +297,25 @@
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2646652"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.12.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2646685"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@ -270,6 +336,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
@ -39,19 +38,74 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
<p>
<span class="application">dnssec-signzone</span>
&#8212; DNSSEC zone signing tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] 
[<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2646342"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-signzone</code>
[<code class="option">-a</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
[<code class="option">-g</code>]
[<code class="option">-h</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
[<code class="option">-P</code>]
[<code class="option">-p</code>]
[<code class="option">-Q</code>]
[<code class="option">-R</code>]
[<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
[<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-t</code>]
[<code class="option">-u</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
[<code class="option">-x</code>]
[<code class="option">-z</code>]
[<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
[<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
[<code class="option">-A</code>]
{zonefile}
[key...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
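Review bot: The synopsis for dnssec-signzone lists `-M domain`, but the OPTIONS section later on this page documents the same flag as `-M maxttl` ("Sets the maximum TTL for the signed zone"), so the replaceable name in the synopsis is wrong. The synopsis also leaves out `-C` and `-n ncpus`, which OPTIONS describes. Correct the `-M` argument name and add the two missing options in the source XML before regenerating.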
@ -59,51 +113,64 @@
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2646361"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd><p>
<dd>
<p>
Verify all generated signatures.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the DNS class of the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Look for <code class="filename">dsset-</code> or
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd><p>
<dd>
<p>
Output only those record types automatically managed by
<span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
<span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@ -111,30 +178,39 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
<dd>
<p>
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
file. Existing DS records will be removed.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</p></dd>
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
<dd>
<p>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
</p></dd>
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
<dd>
<p>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p></dd>
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the maximum TTL for the signed zone.
Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
@ -147,9 +223,11 @@
<code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
(Note: This option is incompatible with <code class="option">-D</code>,
because it modifies non-DNSSEC data in the output zone.)
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
@ -158,9 +236,11 @@
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</p></dd>
</p>
</dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
@ -170,10 +250,11 @@
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<code class="option">start-time</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
<p>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
@ -181,7 +262,7 @@
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</p>
<p>
<p>
As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
@ -192,28 +273,34 @@
30 days from the start time.) <code class="option">extended end-time</code>
must be later than <code class="option">start-time</code>.
</p>
</dd>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
<dd>
<p>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename. If <code class="option">output-file</code> is
set to <code class="literal">"-"</code>, then the signed zone is
written to the standard output, with a default output
format of "full".
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
@ -221,32 +308,34 @@
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</p>
<p>
<p>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> or <code class="option">start-time</code>
are specified, <span><strong class="command">dnssec-signzone</strong></span>
are specified, <span class="command"><strong>dnssec-signzone</strong></span>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</p>
</dd>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
<dd>
<p>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default),
<span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</p></dd>
</p>
</dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
<p>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
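Review bot: Two grammar slips in the context lines of this hunk carry over unchanged into the regenerated page: "if neither end-time or start-time are specified" under `-i` should read "neither ... nor ... is specified", and "all RRSIG records issued at the time of signing expires simultaneously" under `-j` should read "expire". Fix both in the dnssec-signzone source XML so the next regeneration picks them up.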
@ -257,121 +346,142 @@
expire time, thus spreading incremental signature
regeneration over time.
</p>
<p>
<p>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</p>
</dd>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
<dd>
<p>
When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p></dd>
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</p></dd>
</p>
</dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
<p>
The SOA serial number format of the signed zone.
Possible formats are <span><strong class="command">"keep"</strong></span> (default),
<span><strong class="command">"increment"</strong></span>, <span><strong class="command">"unixtime"</strong></span>,
and <span><strong class="command">"date"</strong></span>.
Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
<span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
and <span class="command"><strong>"date"</strong></span>.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
arithmetics.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
since epoch.</p></dd>
<dt><span class="term"><span><strong class="command">"date"</strong></span></span></dt>
<dd><p>Set the SOA serial number to today's date in
YYYYMMDDNN format.</p></dd>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd>
<p>Do not modify the SOA serial number.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd>
<p>Increment the SOA serial number using RFC 1982
arithmetics.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd>
<p>Set the SOA serial number to the number of seconds
since epoch.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd>
<p>Set the SOA serial number to today's date in
YYYYMMDDNN format.</p>
</dd>
</dl></div>
</dd>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
<dd>
<p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
</p>
</dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
<dd>
<p>
The format of the output file containing the signed zone.
Possible formats are <span><strong class="command">"text"</strong></span> (default),
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone;
<span><strong class="command">"full"</strong></span>, which is text output in a
<span class="command"><strong>"full"</strong></span>, which is text output in a
format suitable for processing by external scripts;
and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
binary formats for rapid loading by <span><strong class="command">named</strong></span>.
<span><strong class="command">"raw=N"</strong></span> specifies the format version of
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
<span class="command"><strong>"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span><strong class="command">named</strong></span>; if N is 1, the file
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</p></dd>
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd><p>
<dd>
<p>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</p></dd>
</p>
</dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
<p>
Disable post sign verification tests.
</p>
<p>
<p>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key,
that all revoked KSK keys are self signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
</p>
</dd>
</dd>
<dt><span class="term">-Q</span></dt>
<dd>
<p>
<p>
Remove signatures from keys that are no longer active.
</p>
<p>
<p>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code>
forces <span><strong class="command">dnssec-signzone</strong></span> to remove
forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</p>
</dd>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
<p>
Remove signatures from keys that are no longer published.
</p>
<p>
<p>
This option is similar to <code class="option">-Q</code>, except it
forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from
forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
</p>
</dd>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
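Review bot: the -R description in this hunk reads "forces dnssec-signzone to signatures from keys that are no longer published" in both the old and the regenerated line, so the verb is missing. Because this HTML is generated, fix the DocBook source to say "to remove signatures from keys that are no longer published", matching the -Q wording just above it, and regenerate.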
@ -381,53 +491,65 @@
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
</p>
</dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
<p>
Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</p>
<p>
<p>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt></dt>
<dd><p>
<dd>
<p>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</p></dd>
</p>
</dd>
<dt></dt>
<dd><p>
<dd>
<p>
If the key's publication date is set and is in the past, the
key is published in the zone.
</p></dd>
</p>
</dd>
<dt></dt>
<dd><p>
<dd>
<p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</p></dd>
</p>
</dd>
<dt></dt>
<dd><p>
<dd>
<p>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</p></dd>
</p>
</dd>
<dt></dt>
<dd><p>
<dd>
<p>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</p></dd>
</p>
</dd>
</dl></div>
</dd>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
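Review bot: the -S rule list is still emitted as a variablelist whose terms are all empty (<dt></dt>), although the text introducing it says "Each successive rule takes priority over the prior ones", so the order carries meaning. Consider an ordered list in the source so the rules are numbered in the rendered page and the empty terms disappear.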
@ -439,100 +561,121 @@
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a a conflict between TTL values in
imported keys, the shortest one is used.
</p></dd>
</p>
</dd>
<dt><span class="term">-t</span></dt>
<dd><p>
<dd>
<p>
Print statistics at completion.
</p></dd>
</p>
</dd>
<dt><span class="term">-u</span></dt>
<dd><p>
<dd>
<p>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd><p>
<dd>
<p>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd><p>
<dd>
<p>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<span><strong class="command">update-check-ksk no;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<span class="command"><strong>update-check-ksk no;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
</p>
</dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
<dd>
<p>
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<em class="replaceable"><code>salt</code></em>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p></dd>
</p>
</dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
<dd>
<p>
When generating an NSEC3 chain, use this many iterations. The
default is 10.
</p></dd>
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
<p>
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</p>
<p>
<p>
Using this option twice (i.e., <code class="option">-AA</code>)
turns the OPTOUT flag off for all records. This is useful
when using the <code class="option">-u</code> option to modify an NSEC3
chain which previously had OPTOUT set.
</p>
</dd>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
<dd>
<p>
The file containing the zone to be signed.
</p></dd>
</p>
</dd>
<dt><span class="term">key</span></dt>
<dd><p>
<dd>
<p>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2678967"></a><h2>EXAMPLE</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.13.9"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
(Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option
is not being used, the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files, in the current directory,
so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
<p>
In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
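Review bot: in the -3 entry, the parenthetical that should show a literal dash renders the replaceable "salt" instead ("A dash (salt) can be used to indicate that no salt is to be used"), so the reader cannot tell what to type. The source should mark up the dash itself as a literal at that spot. Two smaller items in this hunk's context lines: "In the event of a a conflict" under -T and "can be switch to NSEC" under -u.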
@ -540,19 +683,19 @@ db.example.com.signed
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2679046"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.13.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2679074"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
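Review bot: the AUTHOR section ("Internet Systems Consortium") is dropped from the rendered page in this hunk with no replacement refsection, while SEE ALSO is only re-wrapped. If this is a side effect of the DocBook 5 conversion, say so in the change description; otherwise restore the section in the source.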
@ -573,6 +716,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
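Review bot: the version footer now carries xmlns:db="http://docbook.org/ns/docbook" on the <p> element, a namespace declaration that nothing in the HTML output uses. It looks like a prefix leaking from the customization stylesheet; listing it in exclude-result-prefixes there would keep it out of every generated page.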

View file

@ -14,16 +14,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<link rel="next" href="man.lwresd.html" title="lwresd">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
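Review bot: besides the stylesheet-driven changes in this header (generator V1.71.1 to V1.78.1, rel="start" to rel="home"), the next link for dnssec-verify changes from man.named-checkconf.html to man.lwresd.html, which reorders the manual pages chapter. Confirm the new page order is intended rather than a side effect of the conversion.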
@ -33,43 +32,72 @@
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
<td width="20%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
<p>
<span class="application">dnssec-verify</span>
&#8212; DNSSEC zone verification tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2646843"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-verify</code>
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-x</code>]
[<code class="option">-z</code>]
{zonefile}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.14.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-verify</strong></span>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2646857"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.14.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the DNS class of the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@ -77,43 +105,53 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
<dd>
<p>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
Possible formats are <span class="command"><strong>"text"</strong></span> (default)
and <span class="command"><strong>"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently.
The use of this option does not make much sense for
non-dynamic zones.
</p></dd>
</p>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
<dd>
<p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd><p>
<dd>
<p>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <code class="option">-x</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
<p>
Ignore the KSK flag on the keys when determining whether
the zone if correctly signed. Without this flag it is
assumed that there will be a non-revoked, self-signed
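Review bot: the -z text kept as context here says "determining whether the zone if correctly signed"; "if" should be "is". Worth fixing in the source while these pages are being regenerated.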
@ -121,35 +159,37 @@
that RRsets other than DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
</p>
<p>
<p>
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <code class="option">-z</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
<dd>
<p>
The file containing the zone to be signed.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2647109"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.14.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2647134"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
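Review bot: the zonefile entry on the dnssec-verify page says "The file containing the zone to be signed", which reads as carried over from dnssec-signzone; for this tool it should describe the zone to be verified. The hunk only re-wraps the paragraph, so the fix belongs in the DocBook source.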
@ -158,18 +198,18 @@
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
<td width="40%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-signzone</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
<td width="40%" align="right" valign="top"> <span class="application">lwresd</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnstap-read</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.arpaname.html" title="arpaname">
<link rel="next" href="man.genrandom.html" title="genrandom">
@ -39,60 +38,90 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.dnstap-read"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnstap-read</span> &#8212; print dnstap data in human-readable form</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnstap-read</code> [<code class="option">-m</code>] [<code class="option">-p</code>] [<code class="option">-y</code>] {<em class="replaceable"><code>file</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2745265"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">dnstap-read</strong></span>
reads <span><strong class="command">dnstap</strong></span> data from a specified file
<span class="application">dnstap-read</span>
&#8212; print dnstap data in human-readable form
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnstap-read</code>
[<code class="option">-m</code>]
[<code class="option">-p</code>]
[<code class="option">-y</code>]
{<em class="replaceable"><code>file</code></em>}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>dnstap-read</strong></span>
reads <span class="command"><strong>dnstap</strong></span> data from a specified file
and prints it in a human-readable format. By default,
<span><strong class="command">dnstap</strong></span> data is printed in a short summary
<span class="command"><strong>dnstap</strong></span> data is printed in a short summary
format, but if the <code class="option">-y</code> option is specified,
then a longer and more detailed YAML format is used instead.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746114"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.28.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-m</span></dt>
<dd><p>
<dd>
<p>
Trace memory allocations; used for debugging memory leaks.
</p></dd>
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd><p>
After printing the <span><strong class="command">dnstap</strong></span> data, print
<dd>
<p>
After printing the <span class="command"><strong>dnstap</strong></span> data, print
the text form of the DNS message that was encapsulated in the
<span><strong class="command">dnstap</strong></span> frame.
</p></dd>
<span class="command"><strong>dnstap</strong></span> frame.
</p>
</dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Print <span><strong class="command">dnstap</strong></span> data in a detailed YAML
<dd>
<p>
Print <span class="command"><strong>dnstap</strong></span> data in a detailed YAML
format. Implies <code class="option">-p</code>.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2746183"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.28.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746214"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@ -113,6 +142,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>genrandom</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnstap-read.html" title="dnstap-read">
<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
@ -39,55 +38,83 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.genrandom"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2746392"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">genrandom</strong></span>
<span class="application">genrandom</span>
&#8212; generate a file containing random data
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">genrandom</code>
[<code class="option">-n <em class="replaceable"><code>number</code></em></code>]
{<em class="replaceable"><code>size</code></em>}
{<em class="replaceable"><code>filename</code></em>}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.29.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>genrandom</strong></span>
generates a file or a set of files containing a specified quantity
of pseudo-random data, which can be used as a source of entropy for
other commands on systems with no random device.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746407"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.29.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
<dd>
<p>
In place of generating one file, generates <code class="option">number</code>
(from 2 to 9) files, appending <code class="option">number</code> to the name.
</p></dd>
</p>
</dd>
<dt><span class="term">size</span></dt>
<dd><p>
<dd>
<p>
The size of the file, in kilobytes, to generate.
</p></dd>
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd><p>
<dd>
<p>
The file name into which random data should be written.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2746468"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
</div>
<div class="refsection">
<a name="id-1.14.29.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">rand</span>(3)
</span>,
<span class="citerefentry">
<span class="refentrytitle">arc4random</span>(3)
</span>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746494"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
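Review bot: the genrandom DESCRIPTION offers its output as "a source of entropy for other commands" while calling it "pseudo-random data", and SEE ALSO points at rand(3) and arc4random(3) without saying which generator is used. Since the dnssec-signzone page in this same commit describes pseudo-random data as "faster, but less secure, than using real random data", the source should state what generator backs genrandom and whether its output is meant for key generation and signing. Separately, under -n, "appending number to the name" is ambiguous between the file count and a per-file index.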
@ -108,6 +135,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dig.html" title="dig">
<link rel="next" href="man.delv.html" title="delv">
@ -39,58 +38,92 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.host"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p>host &#8212; DNS lookup utility</p>
<p>
host
&#8212; DNS lookup utility
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2617856"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">host</code>
[<code class="option">-aCdlnrsTwv</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-4</code>]
[<code class="option">-6</code>]
[<code class="option">-v</code>]
[<code class="option">-V</code>]
{name}
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.3.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<span><strong class="command">host</strong></span>
<span class="command"><strong>host</strong></span>
prints a short summary of its command line arguments and options.
</p>
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <span><strong class="command">host</strong></span> will by
IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
default
perform a reverse lookup for that address.
<em class="parameter"><code>server</code></em> is an optional argument which
is either
the name or IP address of the name server that <span><strong class="command">host</strong></span>
the name or IP address of the name server that <span class="command"><strong>host</strong></span>
should query instead of the server or servers listed in
<code class="filename">/etc/resolv.conf</code>.
</p>
<p>
<p>
The <code class="option">-a</code> (all) option is equivalent to setting the
<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
<code class="option">-v</code> option and asking <span class="command"><strong>host</strong></span> to make
a query of type ANY.
</p>
<p>
When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
<p>
When the <code class="option">-C</code> option is used, <span class="command"><strong>host</strong></span>
will attempt to display the SOA records for zone
<em class="parameter"><code>name</code></em> from all the listed
authoritative name
servers for that zone. The list of name servers is defined by the NS
records that are found for the zone.
</p>
<p>
<p>
The <code class="option">-c</code> option instructs to make a DNS query of class
<em class="parameter"><code>class</code></em>. This can be used to lookup
Hesiod or
Chaosnet class resource records. The default class is IN (Internet).
</p>
<p>
Verbose output is generated by <span><strong class="command">host</strong></span> when
<p>
Verbose output is generated by <span class="command"><strong>host</strong></span> when
the
<code class="option">-d</code> or <code class="option">-v</code> option is used. The two
options are equivalent. They have been provided for backwards
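Review bot: The regenerated synopsis in this hunk still lists -v twice, once inside the combined [-aCdlnrsTwv] group and again as a standalone [-v]. The DESCRIPTION treats -d and -v as the same verbose flag, so the standalone [-v] should be dropped in the DocBook source while the page is being regenerated anyway, leaving one synopsis entry per option.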
@ -100,21 +133,24 @@
<em class="parameter"><code>debug</code></em> option in
<code class="filename">/etc/resolv.conf</code>.
</p>
<p>
<p>
List mode is selected by the <code class="option">-l</code> option. This makes
<span><strong class="command">host</strong></span> perform a zone transfer for zone
<span class="command"><strong>host</strong></span> perform a zone transfer for zone
<em class="parameter"><code>name</code></em>. Transfer the zone printing out
the NS, PTR
and address records (A/AAAA). If combined with <code class="option">-a</code>
all records will be printed.
</p>
<p>
<p>
The <code class="option">-i</code>
option specifies that reverse lookups of IPv6 addresses should
use the IP6.INT domain as defined in RFC1886.
The default is to use IP6.ARPA.
</p>
<p>
<p>
The <code class="option">-N</code> option sets the number of dots that have to be
in <em class="parameter"><code>name</code></em> for it to be considered
absolute. The
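Review bot: The -i paragraph in this hunk documents an option that the synopsis at the top of the page does not list (the combined group is -aCdlnrsTwv, with no i, and there is no separate [-i]). Either add -i to the synopsis or remove the paragraph, so that the two agree after the conversion.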
@ -126,11 +162,12 @@
or <span class="type">domain</span> directive in
<code class="filename">/etc/resolv.conf</code>.
</p>
<p>
<p>
The number of UDP retries for a lookup can be changed with the
<code class="option">-R</code> option. <em class="parameter"><code>number</code></em>
indicates
how many times <span><strong class="command">host</strong></span> will repeat a query
how many times <span class="command"><strong>host</strong></span> will repeat a query
that does
not get answered. If
<em class="parameter"><code>number</code></em> is negative or zero, the
@ -139,105 +176,124 @@
the value of the <em class="parameter"><code>attempts</code></em> option in
<code class="filename">/etc/resolv.conf</code>, if set.
</p>
<p>
<p>
Non-recursive queries can be made via the <code class="option">-r</code> option.
Setting this option clears the <span class="type">RD</span> &#8212; recursion
desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
desired &#8212; bit in the query which <span class="command"><strong>host</strong></span> makes.
This should mean that the name server receiving the query will not
attempt to resolve <em class="parameter"><code>name</code></em>. The
<code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
<code class="option">-r</code> option enables <span class="command"><strong>host</strong></span>
to mimic
the behavior of a name server by making non-recursive queries and
expecting to receive answers to those queries that are usually
referrals to other name servers.
</p>
<p>
By default, <span><strong class="command">host</strong></span> uses UDP when making
<p>
By default, <span class="command"><strong>host</strong></span> uses UDP when making
queries. The
<code class="option">-T</code> option makes it use a TCP connection when querying
the name server. TCP will be automatically selected for queries that
require it, such as zone transfer (AXFR) requests.
</p>
<p>
The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
<p>
The <code class="option">-4</code> option forces <span class="command"><strong>host</strong></span> to only
use IPv4 query transport. The <code class="option">-6</code> option forces
<span><strong class="command">host</strong></span> to only use IPv6 query transport.
<span class="command"><strong>host</strong></span> to only use IPv6 query transport.
</p>
<p>
<p>
The <code class="option">-t</code> option is used to select the query type.
<em class="parameter"><code>type</code></em> can be any recognized query
type: CNAME,
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<span><strong class="command">host</strong></span> automatically selects an appropriate
<span class="command"><strong>host</strong></span> automatically selects an appropriate
query
type. By default, it looks for A, AAAA, and MX records, but if the
<code class="option">-C</code> option was given, queries will be made for SOA
records, and if <em class="parameter"><code>name</code></em> is a
dotted-decimal IPv4
address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
address or colon-delimited IPv6 address, <span class="command"><strong>host</strong></span> will
query for PTR records. If a query type of IXFR is chosen the starting
serial number can be specified by appending an equal followed by the
starting serial number (e.g. -t IXFR=12345678).
</p>
<p>
<p>
The time to wait for a reply can be controlled through the
<code class="option">-W</code> and <code class="option">-w</code> options. The
<code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
<code class="option">-W</code> option makes <span class="command"><strong>host</strong></span>
wait for
<em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em>
is less than one, the wait interval is set to one second. When the
<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
<code class="option">-w</code> option is used, <span class="command"><strong>host</strong></span>
will
effectively wait forever for a reply. The time to wait for a response
will be set to the number of seconds given by the hardware's maximum
value for an integer quantity. By default, <span><strong class="command">host</strong></span>
value for an integer quantity. By default, <span class="command"><strong>host</strong></span>
will wait for 5 seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by the
<em class="parameter"><code>timeout</code></em> option in
<code class="filename">/etc/resolv.conf</code>.
</p>
<p>
The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span>
<p>
The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span>
<span class="emphasis"><em>not</em></span> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behavior.
</p>
<p>
<p>
The <code class="option">-m</code> can be used to set the memory usage debugging
flags
<em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
<em class="parameter"><code>trace</code></em>.
</p>
<p>
The <code class="option">-V</code> option causes <span><strong class="command">host</strong></span>
<p>
The <code class="option">-V</code> option causes <span class="command"><strong>host</strong></span>
to print the version number and exit.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2618828"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
</div>
<div class="refsection">
<a name="id-1.14.3.8"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span><strong class="command">host</strong></span> appropriately converts character encoding of
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span><strong class="command">host</strong></span> runs.
<span class="command"><strong>host</strong></span> runs.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2620427"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</div>
<div class="refsection">
<a name="id-1.14.3.9"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2620441"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</div>
<div class="refsection">
<a name="id-1.14.3.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
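Review bot: Two wording and rendering problems survive the regeneration in this hunk. In IDN SUPPORT, "defines the IDN_DISABLE environment variable" should read "define the IDN_DISABLE environment variable". In SEE ALSO, the new markup puts the closing </span> of each citerefentry on its own line, so the whitespace before it will likely render as "dig(1) ," and "named(8) ." with a stray space before the punctuation; the old single-line spans did not have that. The -m sentence also reads "The -m can be used", missing the word "option".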
@ -256,6 +312,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
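Review bot: The footer paragraph now carries xmlns:db="http://docbook.org/ns/docbook" on a plain HTML <p>, which is a namespace declaration leaking from the stylesheet into the output and has no meaning in this document. It should be suppressed in the customization layer (excluding the db prefix from the result) rather than committed into every generated page.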

View file

@ -14,16 +14,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.named-journalprint.html" title="named-journalprint">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
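Review bot: The rel="next" link in this hunk changes from man.named-journalprint.html to man.nsec3hash.html, so the order of the manual pages changes as a side effect of the toolchain upgrade. The CHANGES entry only mentions DocBook 5 and dblatex; please confirm the reordering is intended and say so in the commit message, since it alters Prev/Next navigation across the whole chapter.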
@ -33,25 +32,42 @@
<td width="20%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2745732"></a><h2>DESCRIPTION</h2>
<p>
<span class="application">isc-hmac-fixup</span>
&#8212; fixes HMAC keys generated by older versions of BIND
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">isc-hmac-fixup</code>
{<em class="replaceable"><code>algorithm</code></em>}
{<em class="replaceable"><code>secret</code></em>}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
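Review bot: The lang="en" attribute is lost on the refentry and section divs in this hunk (<div class="refentry" lang="en"> becomes <div class="refentry">, and the refsect1 divs become refsection divs without it), so the generated page no longer declares its language anywhere visible here. If that is not deliberate, set xml:lang on the DocBook 5 source so the attribute is emitted again.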
@ -59,14 +75,14 @@
message authentication code that was incompatible with other DNS
implementations.
</p>
<p>
<p>
This bug has been fixed in BIND 9.7. However, the fix may
cause incompatibility between older and newer versions of
BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
BIND, when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span>
modifies those keys to restore compatibility.
</p>
<p>
To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
<p>
To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
specify the key's algorithm and secret on the command line. If the
secret is longer than the digest length of the algorithm (64 bytes
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
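Review bot: "Digest length" is used for two different quantities on this page, and this hunk carries the second one over unchanged. The first DESCRIPTION paragraph gives the digest length as 160 bits for SHA1, while here it is "64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512"; 64 and 128 bytes are the block sizes of those hashes, not their output sizes. Since the text is being touched, state which threshold the tool actually applies and name it consistently, because an operator deciding whether a TSIG secret needs conversion will read the two paragraphs as contradictory.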
@ -74,30 +90,30 @@
secret. (If the secret did not require conversion, then it will be
printed without modification.)
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746579"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
</div>
<div class="refsection">
<a name="id-1.14.30.8"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
operation anyway, it does not affect security. RFC 2104 notes,
"Keys longer than [the digest length] are acceptable but the
extra length would not significantly increase the function
strength."
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746595"></a><h2>SEE ALSO</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.30.9"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746612"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
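Review bot: The AUTHOR section in this hunk appears only in the old-style markup (<div class="refsect1" lang="en"> with anchor id2746612) and has no refsection counterpart, unlike SECURITY CONSIDERATIONS and SEE ALSO, so it looks as if the regenerated page drops it. Please confirm that removing the corpauthor line is intentional. The section anchors also change from the id27465xx form to id-1.14.30.x, which breaks any existing deep links into this page.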
@ -106,18 +122,18 @@
<td width="40%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">genrandom</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span>
<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,16 +14,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>lwresd</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.named.conf.html" title="named.conf">
<link rel="next" href="man.named-journalprint.html" title="named-journalprint">
<link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
<link rel="next" href="man.named.html" title="named">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@ -31,112 +30,165 @@
<tr><th colspan="3" align="center"><span class="application">lwresd</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
<td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.lwresd"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
<p>
<span class="application">lwresd</span>
&#8212; lightweight resolver daemon
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2660187"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">lwresd</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">lwresd</code>
[<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
[<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
[<code class="option">-f</code>]
[<code class="option">-g</code>]
[<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
[<code class="option">-v</code>]
[<code class="option">-4</code>]
[<code class="option">-6</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.15.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>lwresd</strong></span>
is the daemon providing name lookup
services to clients that use the BIND 9 lightweight resolver
library. It is essentially a stripped-down, caching-only name
server that answers queries using the BIND 9 lightweight
resolver protocol rather than the DNS protocol.
</p>
<p><span><strong class="command">lwresd</strong></span>
<p><span class="command"><strong>lwresd</strong></span>
listens for resolver queries on a
UDP port on the IPv4 loopback interface, 127.0.0.1. This
means that <span><strong class="command">lwresd</strong></span> can only be used by
means that <span class="command"><strong>lwresd</strong></span> can only be used by
processes running on the local machine. By default, UDP port
number 921 is used for lightweight resolver requests and
responses.
</p>
<p>
<p>
Incoming lightweight resolver requests are decoded by the
server which then resolves them using the DNS protocol. When
the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes
the DNS lookup completes, <span class="command"><strong>lwresd</strong></span> encodes
the answers in the lightweight resolver format and returns
them to the client that made the request.
</p>
<p>
<p>
If <code class="filename">/etc/resolv.conf</code> contains any
<code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span>
<code class="option">nameserver</code> entries, <span class="command"><strong>lwresd</strong></span>
sends recursive DNS queries to those servers. This is similar
to the use of forwarders in a caching name server. If no
<code class="option">nameserver</code> entries are present, or if
forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the
forwarding fails, <span class="command"><strong>lwresd</strong></span> resolves the
queries autonomously starting at the root name servers, using
a built-in list of root server hints.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2660249"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.15.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd><p>
<dd>
<p>
Use IPv4 only even if the host machine is capable of IPv6.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p></dd>
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd><p>
<dd>
<p>
Use IPv6 only even if the host machine is capable of IPv4.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
<dd>
<p>
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/lwresd.conf</code>.
<code class="option">-c</code> can not be used with <code class="option">-C</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
<dd>
<p>
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/resolv.conf</code>.
<code class="option">-C</code> can not be used with <code class="option">-c</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
Debugging traces from <span><strong class="command">lwresd</strong></span> become
Debugging traces from <span class="command"><strong>lwresd</strong></span> become
more verbose as the debug level increases.
</p></dd>
</p>
</dd>
<dt><span class="term">-f</span></dt>
<dd><p>
<dd>
<p>
Run the server in the foreground (i.e. do not daemonize).
</p></dd>
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
<dd>
<p>
Run the server in the foreground and force all logging
to <code class="filename">stderr</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>pid-file</code></em></span></dt>
<dd><p>
<dd>
<p>
Use <em class="replaceable"><code>pid-file</code></em> as the
PID file instead of the default,
<code class="filename">/var/run/lwresd/lwresd.pid</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
<dd>
<p>
Turn on memory usage debugging flags. Possible flags are
<em class="replaceable"><code>usage</code></em>,
<em class="replaceable"><code>trace</code></em>,
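Review bot: The DESCRIPTION in this hunk says lwresd listens on the IPv4 loopback address 127.0.0.1 and is therefore only usable by local processes, but the -6 entry below it says "Use IPv6 only" without saying whether that applies to the listener or only to outgoing DNS queries. Because the loopback-only statement is what readers rely on for exposure, the -4 and -6 entries should state which sockets they affect.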
@ -145,54 +197,61 @@
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
<dd><p>
<dd>
<p>
Create <em class="replaceable"><code>#cpus</code></em> worker threads
to take advantage of multiple CPUs. If not specified,
<span><strong class="command">lwresd</strong></span> will try to determine the
<span class="command"><strong>lwresd</strong></span> will try to determine the
number of CPUs present and create one thread per CPU.
If it is unable to determine the number of CPUs, a
single worker thread will be created.
</p></dd>
</p>
</dd>
<dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
<dd>
<p>
Listen for lightweight resolver queries on port
<em class="replaceable"><code>port</code></em>. If
not specified, the default is port 921.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
<dd>
<p>
Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not
specified, the default is port 53. This provides a
way of testing the lightweight resolver daemon with a
name server that listens for queries on a non-standard
port number.
</p></dd>
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
<p>
Write memory usage statistics to <code class="filename">stdout</code>
on exit.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
<p>
This option is mainly of interest to BIND 9 developers
and may be removed or changed in a future release.
</p>
</div>
</dd>
</div>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>Chroot
<p>Chroot
to <em class="replaceable"><code>directory</code></em> after
processing the command line arguments, but before
reading the configuration file.
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
<p>
This option should be used in conjunction with the
<code class="option">-u</code> option, as chrooting a process
running as root doesn't enhance security on most
@ -200,65 +259,82 @@
defined allows a process with root privileges to
escape a chroot jail.
</p>
</div>
</dd>
</div>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd><p>Setuid
<dd>
<p>Setuid
to <em class="replaceable"><code>user</code></em> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
</p></dd>
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
<dd>
<p>
Report the version number and exit.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2661095"></a><h2>FILES</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.15.9"></a><h2>FILES</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
<dd><p>
<dd>
<p>
The default configuration file.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt>
<dd><p>
<dd>
<p>
The default process-id file.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2664279"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
</div>
<div class="refsection">
<a name="id-1.14.15.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">lwres</span>(3)
</span>,
<span class="citerefentry">
<span class="refentrytitle">resolver</span>(5)
</span>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2664313"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
<td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<code class="filename">named.conf</code> </td>
<span class="application">dnssec-verify</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span>
<td width="40%" align="right" valign="top"> <span class="application">named</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
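Review bot: The FILES section in this hunk disagrees with the OPTIONS text earlier on the page in two places. It gives the default process-id file as /var/run/lwresd.pid, while the -i entry gives /var/run/lwresd/lwresd.pid; and it calls /etc/resolv.conf "the default configuration file", while the -c entry names /etc/lwresd.conf as the default for that option. Please correct the source so each default path appears once, with the same value, and list /etc/lwresd.conf under FILES if it is read by default.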

View file

@ -14,15 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkconf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
<link rel="prev" href="man.named.conf.html" title="named.conf">
<link rel="next" href="man.named-checkzone.html" title="named-checkzone">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@ -31,7 +30,7 @@
<tr><th colspan="3" align="center"><span class="application">named-checkconf</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
</td>
@ -39,61 +38,96 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.named-checkconf"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
<p>
<span class="application">named-checkconf</span>
&#8212; named configuration file syntax checking tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2647314"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">named-checkconf</code>
[<code class="option">-h</code>]
[<code class="option">-v</code>]
[<code class="option">-j</code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
{filename}
[<code class="option">-p</code>]
[<code class="option">-x</code>]
[<code class="option">-z</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.18.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
<span class="command"><strong>named</strong></span> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <code class="filename">/etc/named.conf</code> is read
by default.
</p>
<p>
Note: files that <span><strong class="command">named</strong></span> reads in separate
<p>
Note: files that <span class="command"><strong>named</strong></span> reads in separate
parser contexts, such as <code class="filename">rndc.key</code> and
<code class="filename">bind.keys</code>, are not automatically read
by <span><strong class="command">named-checkconf</strong></span>. Configuration
errors in these files may cause <span><strong class="command">named</strong></span> to
fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
successful. <span><strong class="command">named-checkconf</strong></span> can be run
by <span class="command"><strong>named-checkconf</strong></span>. Configuration
errors in these files may cause <span class="command"><strong>named</strong></span> to
fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
successful. <span class="command"><strong>named-checkconf</strong></span> can be run
on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2647384"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.18.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Print the usage summary and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <span><strong class="command">named</strong></span>.
</p></dd>
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
Print the version of the <span><strong class="command">named-checkconf</strong></span>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkconf</strong></span>
program and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd><p>
<dd>
<p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
</p></dd>
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd><p>
<dd>
<p>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
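Review bot: The section anchors in this hunk change from `id2647314` and `id2647384` to position-derived names such as `id-1.14.18.7` and `id-1.14.18.8`, so existing deep links into this page break now and will break again whenever a section or man page is added ahead of it. Giving the refsection elements explicit `xml:id` values in the DocBook source would keep the anchors stable across rebuilds. The same hunk drops `lang="en"` from the `refentry` and section divs; if that is not intended, declare the language on the source document so the stylesheets emit it again.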
@ -101,62 +135,73 @@
files to be shared &#8212; for example, when submitting
bug reports &#8212; without compromising private data.
This option cannot be used without <code class="option">-p</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd><p>
<dd>
<p>
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd><p>
<dd>
<p>
When loading a zonefile read the journal if it exists.
</p></dd>
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd><p>
<dd>
<p>
The name of the configuration file to be checked. If not
specified, it defaults to <code class="filename">/etc/named.conf</code>.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2648091"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
</div>
<div class="refsection">
<a name="id-1.14.18.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2648105"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.18.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2648135"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-verify</span> </td>
<code class="filename">named.conf</code> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">named-checkzone</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
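Review bot: The AUTHOR section (`<h2>AUTHOR</h2>` with `<span class="corpauthor">Internet Systems Consortium</span>`) has no counterpart in the regenerated output near the end of this hunk, so the rendered man page loses its attribution. DocBook 5 no longer has `corpauthor`; if the section was dropped by the conversion rather than on purpose, restore it in the source with an element DocBook 5 accepts, for example `author` containing `orgname`.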

View file

@ -14,16 +14,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
<link rel="next" href="man.named.html" title="named">
<link rel="next" href="man.named-journalprint.html" title="named-journalprint">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@ -33,297 +32,425 @@
<td width="20%" align="left">
<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
<td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.named-checkzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
<p>
<span class="application">named-checkzone</span>,
<span class="application">named-compilezone</span>
&#8212; zone file validity checking or converting tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2679184"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">named-checkzone</code>
[<code class="option">-d</code>]
[<code class="option">-h</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{zonename}
{filename}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">named-compilezone</code>
[<code class="option">-d</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
{zonename}
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.19.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
zone. This makes <span><strong class="command">named-checkzone</strong></span> useful for
same checks as <span class="command"><strong>named</strong></span> does when loading a
zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for
checking zone files before configuring them into a name server.
</p>
<p>
<span><strong class="command">named-compilezone</strong></span> is similar to
<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
<p>
<span class="command"><strong>named-compilezone</strong></span> is similar to
<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <span><strong class="command">named</strong></span>.
loaded by <span class="command"><strong>named</strong></span>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<span><strong class="command">named</strong></span> configuration file.
<span class="command"><strong>named</strong></span> configuration file.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2679234"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.19.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-d</span></dt>
<dd><p>
<dd>
<p>
Enable debugging.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Print the usage summary and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd><p>
<dd>
<p>
Quiet mode - exit code only.
</p></dd>
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
Print the version of the <span><strong class="command">named-checkzone</strong></span>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkzone</strong></span>
program and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd><p>
<dd>
<p>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <code class="filename">.jnl</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
<dd>
<p>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the class of the zone. If not specified, "IN" is assumed.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
<p>
Perform post-load zone integrity checks. Possible modes are
<span><strong class="command">"full"</strong></span> (default),
<span><strong class="command">"full-sibling"</strong></span>,
<span><strong class="command">"local"</strong></span>,
<span><strong class="command">"local-sibling"</strong></span> and
<span><strong class="command">"none"</strong></span>.
<span class="command"><strong>"full"</strong></span> (default),
<span class="command"><strong>"full-sibling"</strong></span>,
<span class="command"><strong>"local"</strong></span>,
<span class="command"><strong>"local-sibling"</strong></span> and
<span class="command"><strong>"none"</strong></span>.
</p>
<p>
Mode <span><strong class="command">"full"</strong></span> checks that MX records
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span><strong class="command">"local"</strong></span> only
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks MX records which refer to in-zone hostnames.
</p>
<p>
Mode <span><strong class="command">"full"</strong></span> checks that SRV records
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span><strong class="command">"local"</strong></span> only
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks SRV records which refer to in-zone hostnames.
</p>
<p>
Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <span><strong class="command">"local"</strong></span> only checks NS records which
Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</p>
<p>
Mode <span><strong class="command">"full-sibling"</strong></span> and
<span><strong class="command">"local-sibling"</strong></span> disable sibling glue
checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
and <span><strong class="command">"local"</strong></span> respectively.
<p>
Mode <span class="command"><strong>"full-sibling"</strong></span> and
<span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
and <span class="command"><strong>"local"</strong></span> respectively.
</p>
<p>
Mode <span><strong class="command">"none"</strong></span> disables the checks.
<p>
Mode <span class="command"><strong>"none"</strong></span> disables the checks.
</p>
</dd>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the format of the zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default),
<span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
</p></dd>
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
</p>
</dd>
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
<p>
Specify the format of the output file specified.
For <span><strong class="command">named-checkzone</strong></span>,
For <span class="command"><strong>named-checkzone</strong></span>,
this does not cause any effects unless it dumps the zone
contents.
</p>
<p>
Possible formats are <span><strong class="command">"text"</strong></span> (default),
<p>
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone,
and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
and <span><strong class="command">"raw=N"</strong></span>, which store the zone in a
binary format for rapid loading by <span><strong class="command">named</strong></span>.
<span><strong class="command">"raw=N"</strong></span> specifies the format version of
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
binary format for rapid loading by <span class="command"><strong>named</strong></span>.
<span class="command"><strong>"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span><strong class="command">named</strong></span>; if N is 1, the file
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</p>
</dd>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Perform <span><strong class="command">"check-names"</strong></span> checks with the
<dd>
<p>
Perform <span class="command"><strong>"check-names"</strong></span> checks with the
specified failure mode.
Possible modes are <span><strong class="command">"fail"</strong></span>
(default for <span><strong class="command">named-compilezone</strong></span>),
<span><strong class="command">"warn"</strong></span>
(default for <span><strong class="command">named-checkzone</strong></span>) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<span><strong class="command">max-zone-ttl</strong></span> option in
<span class="command"><strong>max-zone-ttl</strong></span> option in
<code class="filename">named.conf</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
<dd>
<p>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p></dd>
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check if a MX record refers to a CNAME.
Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <span><strong class="command">"fail"</strong></span>
(default for <span><strong class="command">named-compilezone</strong></span>),
<span><strong class="command">"warn"</strong></span>
(default for <span><strong class="command">named-checkzone</strong></span>) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
<dd>
<p>
Write zone output to <code class="filename">filename</code>.
If <code class="filename">filename</code> is <code class="filename">-</code> then
write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the style of the dumped zone file.
Possible styles are <span><strong class="command">"full"</strong></span> (default)
and <span><strong class="command">"relative"</strong></span>.
Possible styles are <span class="command"><strong>"full"</strong></span> (default)
and <span class="command"><strong>"relative"</strong></span>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <span><strong class="command">named-checkzone</strong></span>
For <span class="command"><strong>named-checkzone</strong></span>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check if a SRV record refers to a CNAME.
Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <span><strong class="command">named</strong></span>.
</p></dd>
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <span><strong class="command">"warn"</strong></span>
(default), <span><strong class="command">"ignore"</strong></span>.
</p></dd>
not also present. Possible modes are <span class="command"><strong>"warn"</strong></span>
(default), <span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
chdir to <code class="filename">directory</code> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<code class="filename">named.conf</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd><p>
<dd>
<p>
Dump zone file in canonical format.
This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <span><strong class="command">"warn"</strong></span> (default)
Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">zonename</span></dt>
<dd><p>
<dd>
<p>
The domain name of the zone being checked.
</p></dd>
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd><p>
<dd>
<p>
The name of the zone file.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2680140"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
</div>
<div class="refsection">
<a name="id-1.14.19.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2680222"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.19.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>(8)
</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2680256"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
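Review bot: the old AUTHOR block at the end of this hunk (the refsect1 div holding the corpauthor span "Internet Systems Consortium") has no refsection counterpart in the new output, so the named-checkzone page loses its author attribution. If this is a side effect of the DocBook 5 conversion rather than a deliberate removal, restore the author element in the source refentry; if it is deliberate, say so in the commit message, which currently mentions only the toolchain upgrade.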
@ -332,18 +459,18 @@
<td width="40%" align="left">
<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
<td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">named-checkconf</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">named</span>
<td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
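Review bot: the new footer paragraph at the end of this hunk carries xmlns:db="http://docbook.org/ns/docbook" into the HTML output, where a namespace declaration on a p element means nothing to a browser and only adds noise to every generated page. This usually comes from a customization stylesheet that declares the db prefix without excluding it; adding exclude-result-prefixes="db" to that stylesheet's root element should remove the attribute from the output.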

View file

@ -14,15 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-journalprint</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
<link rel="next" href="man.named-rrchecker.html" title="named-rrchecker">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
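Review bot: the rel="prev" link in this hunk moves from man.isc-hmac-fixup.html to man.named-checkzone.html, so the order of the manual pages changed along with the toolchain, which the commit message does not mention. If the reordering is intended, note it in the message; if not, check the order in which the man pages are included in the manual source.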
@ -31,7 +30,7 @@
<tr><th colspan="3" align="center"><span class="application">named-journalprint</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named-rrchecker.html">Next</a>
</td>
@ -39,27 +38,43 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.named-journalprint"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2718420"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">named-journalprint</strong></span>
<span class="application">named-journalprint</span>
&#8212; print zone journal in human-readable form
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-journalprint</code>
{<em class="replaceable"><code>journal</code></em>}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.20.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
form.
</p>
<p>
Journal files are automatically created by <span><strong class="command">named</strong></span>
<p>
Journal files are automatically created by <span class="command"><strong>named</strong></span>
when changes are made to dynamic zones (e.g., by
<span><strong class="command">nsupdate</strong></span>). They record each addition
<span class="command"><strong>nsupdate</strong></span>). They record each addition
or deletion of a resource record, in binary format, allowing the
changes to be re-applied to the zone when the server is
restarted after a shutdown or crash. By default, the name of
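Review bot: the DESCRIPTION anchor changes from id2718420 to id-1.14.20.7, and the new value appears to be derived from the element's position in the document (the neighbouring pages use 1.14.19.x and 1.14.21.x), so it will shift again whenever a section or manual page is inserted ahead of it. Consider giving the refsections explicit xml:id values in the DocBook source so that deep links into these pages stay valid across future edits.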
@ -67,47 +82,49 @@
<code class="filename">.jnl</code> to the name of the corresponding
zone file.
</p>
<p>
<span><strong class="command">named-journalprint</strong></span> converts the contents of a given
<p>
<span class="command"><strong>named-journalprint</strong></span> converts the contents of a given
journal file into a human-readable text format. Each line begins
with "add" or "del", to indicate whether the record was added or
deleted, and continues with the resource record in master-file
format.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2745587"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.20.8"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2745650"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named-rrchecker.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">isc-hmac-fixup</span> </td>
<span class="application">named-checkzone</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">named-rrchecker</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,16 +14,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-rrchecker</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
<link rel="next" href="man.nsupdate.html" title="nsupdate">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@ -33,58 +32,83 @@
<td width="20%" align="left">
<a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
<td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.named-rrchecker"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-rrchecker</span> &#8212; A syntax checker for individual DNS resource records</p>
<p>
<span class="application">named-rrchecker</span>
&#8212; A syntax checker for individual DNS resource records
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-rrchecker</code> [<code class="option">-h</code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-u</code>] [<code class="option">-C</code>] [<code class="option">-T</code>] [<code class="option">-P</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2746265"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-rrchecker</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">named-rrchecker</code>
[<code class="option">-h</code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-p</code>]
[<code class="option">-u</code>]
[<code class="option">-C</code>]
[<code class="option">-T</code>]
[<code class="option">-P</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.21.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-rrchecker</strong></span>
read a individual DNS resource record from standard input and checks if it
is syntactically correct.
</p>
<p>
<p>
The <code class="option">-h</code> prints out the help menu.
</p>
<p>
<p>
The <code class="option">-o <em class="replaceable"><code>origin</code></em></code>
option specifies a origin to be used when interpreting the record.
</p>
<p>
<p>
The <code class="option">-p</code> prints out the resulting record in canonical
form. If there is no canonical form defined then the record will be
printed in unknown record format.
</p>
<p>
<p>
The <code class="option">-u</code> prints out the resulting record in unknown record
form.
</p>
<p>
<p>
The <code class="option">-C</code>, <code class="option">-T</code> and <code class="option">-P</code>
print out the known class, standard type and private type mnemonics
respectively.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746534"></a><h2>SEE ALSO</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.21.8"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
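Review bot: the DESCRIPTION text carried through this hunk still reads "read a individual DNS resource record" and "specifies a origin", which should be "reads an individual DNS resource record" and "specifies an origin". Since these HTML files are generated, fix the wording in the named-rrchecker DocBook source and regenerate rather than editing the output.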
@ -93,18 +117,18 @@
<td width="40%" align="left">
<a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
<td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">named-journalprint</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
<td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,16 +14,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named.conf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.named.html" title="named">
<link rel="next" href="man.lwresd.html" title="lwresd">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@ -33,69 +32,92 @@
<td width="20%" align="left">
<a accesskey="p" href="man.named.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.named.conf"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><code class="filename">named.conf</code> &#8212; configuration file for <span><strong class="command">named</strong></span></p>
<p>
<code class="filename">named.conf</code>
&#8212; configuration file for <span class="command"><strong>named</strong></span>
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2656756"></a><h2>DESCRIPTION</h2>
<p><code class="filename">named.conf</code> is the configuration file
<div class="cmdsynopsis"><p>
<code class="command">named.conf</code>
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2>
<p><code class="filename">named.conf</code> is the configuration file
for
<span><strong class="command">named</strong></span>. Statements are enclosed
<span class="command"><strong>named</strong></span>. Statements are enclosed
in braces and terminated with a semi-colon. Clauses in
the statements are also semi-colon terminated. The usual
comment styles are supported:
</p>
<p>
<p>
C style: /* */
</p>
<p>
<p>
C++ style: // to end of line
</p>
<p>
<p>
Unix style: # to end of line
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2656788"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.8"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2656808"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.9"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>domain_name</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
secret <em class="replaceable"><code>string</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2656832"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.10"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2656882"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.11"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
edns <em class="replaceable"><code>boolean</code></em>;<br>
@ -115,26 +137,32 @@ server
support-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2657299"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.12"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2657329"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.13"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
managed-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2657362"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.14"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
@ -143,10 +171,12 @@ controls
unix <em class="replaceable"><code>unsupported</code></em>; // not implemented<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2657401"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.15"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
channel <em class="replaceable"><code>string</code></em> {<br>
file <em class="replaceable"><code>log_file</code></em>;<br>
@ -161,10 +191,12 @@ logging
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2657444"></a><h2>LWRES</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.16"></a><h2>LWRES</h2>
<div class="literallayout"><p><br>
lwres {<br>
listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
@ -176,10 +208,12 @@ lwres
lwres-clients <em class="replaceable"><code>integer</code></em>;<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2659817"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
avoid-v6-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@ -390,10 +424,12 @@ options
use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2688312"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.18"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -559,10 +595,12 @@ view
max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2688980"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
</div>
<div class="refsection">
<a name="id-1.14.17.19"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint | redirect |<br>
forward | delegation-only );<br>
@ -656,20 +694,31 @@ zone
pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
};<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2689305"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</div>
<div class="refsection">
<a name="id-1.14.17.20"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2689319"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.17.21"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@ -678,18 +727,18 @@ zone
<td width="40%" align="left">
<a accesskey="p" href="man.named.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">named</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">lwresd</span>
<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,15 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
<link rel="prev" href="man.lwresd.html" title="lwresd">
<link rel="next" href="man.named.conf.html" title="named.conf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@ -31,7 +30,7 @@
<tr><th colspan="3" align="center"><span class="application">named</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
<a accesskey="p" href="man.lwresd.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a>
</td>
@ -39,48 +38,93 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.named"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named</span> &#8212; Internet domain name server</p>
<p>
<span class="application">named</span>
&#8212; Internet domain name server
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-D <em class="replaceable"><code>string</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>] [<code class="option">-M <em class="replaceable"><code>option</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2656041"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">named</code>
[<code class="option">-4</code>]
[<code class="option">-6</code>]
[<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>string</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>]
[<code class="option">-f</code>]
[<code class="option">-g</code>]
[<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>option</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
[<code class="option">-v</code>]
[<code class="option">-V</code>]
[<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>]
[<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.16.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
information on the DNS, see RFCs 1033, 1034, and 1035.
</p>
<p>
When invoked without arguments, <span><strong class="command">named</strong></span>
<p>
When invoked without arguments, <span class="command"><strong>named</strong></span>
will
read the default configuration file
<code class="filename">/etc/named.conf</code>, read any initial
data, and listen for queries.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2656072"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.16.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd><p>
<dd>
<p>
Use IPv4 only even if the host machine is capable of IPv6.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p></dd>
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd><p>
<dd>
<p>
Use IPv6 only even if the host machine is capable of IPv4.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
<dd>
<p>
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/named.conf</code>. To
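Review bot: The section anchors in this hunk move from generated ids (`id2656072`) to what appear to be positional ones (`id-1.14.16.7`, `id-1.14.16.8`), so existing deep links to DESCRIPTION and OPTIONS break, and the new names will shift again whenever a page or section is inserted ahead of this one. Consider giving each refsection an explicit xml:id in the DocBook source so the HTML anchors stay stable across regenerations.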
@ -90,28 +134,33 @@
<code class="option">directory</code> option in the configuration
file, <em class="replaceable"><code>config-file</code></em> should be
an absolute pathname.
</p></dd>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
Debugging traces from <span><strong class="command">named</strong></span> become
Debugging traces from <span class="command"><strong>named</strong></span> become
more verbose as the debug level increases.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>string</code></em></span></dt>
<dd><p>
Specifies a string that is used to identify a instance of
<span><strong class="command">named</strong></span> in a process listing. The contents
of <em class="replaceable"><code>string</code></em> are
not examined.
</p></dd>
<dd>
<p>
Specifies a string that is used to identify a instance of
<span class="command"><strong>named</strong></span> in a process listing. The contents
of <em class="replaceable"><code>string</code></em> are
not examined.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
<dd>
<p>
<p>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
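Review bot: The `-D` entry is re-rendered with its typo intact: "identify a instance of named" should read "an instance". Since this commit regenerates the HTML anyway, fix the wording in the DocBook source so the man page and the HTML pick it up together.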
@ -119,105 +168,119 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-f</span></dt>
<dd><p>
<dd>
<p>
Run the server in the foreground (i.e. do not daemonize).
</p></dd>
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
<dd>
<p>
Run the server in the foreground and force all logging
to <code class="filename">stderr</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>logfile</code></em></span></dt>
<dd><p>
<dd>
<p>
Log to the file <code class="option">logfile</code> by default
instead of the system log.
</p></dd>
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>option</code></em></span></dt>
<dd><p>
Sets the default memory context options. Currently
the only supported option is
<em class="replaceable"><code>external</code></em>,
which causes the internal memory manager to be bypassed
in favor of system-provided memory allocation functions.
</p></dd>
<dd>
<p>
Sets the default memory context options. Currently
the only supported option is
<em class="replaceable"><code>external</code></em>,
which causes the internal memory manager to be bypassed
in favor of system-provided memory allocation functions.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Turn on memory usage debugging flags. Possible flags are
<em class="replaceable"><code>usage</code></em>,
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd>
<dd>
<p>
Turn on memory usage debugging flags. Possible flags are
<em class="replaceable"><code>usage</code></em>,
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
<dd><p>
<dd>
<p>
Create <em class="replaceable"><code>#cpus</code></em> worker threads
to take advantage of multiple CPUs. If not specified,
<span><strong class="command">named</strong></span> will try to determine the
<span class="command"><strong>named</strong></span> will try to determine the
number of CPUs present and create one thread per CPU.
If it is unable to determine the number of CPUs, a
single worker thread will be created.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
<dd>
<p>
Listen for queries on port <em class="replaceable"><code>port</code></em>. If not
specified, the default is port 53.
</p></dd>
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
<p>
Write memory usage statistics to <code class="filename">stdout</code> on exit.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
<p>
This option is mainly of interest to BIND 9 developers
and may be removed or changed in a future release.
</p>
</div>
</dd>
</div>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
<dd>
<p>
Allow <span><strong class="command">named</strong></span> to use up to
<em class="replaceable"><code>#max-socks</code></em> sockets.
<p>
Allow <span class="command"><strong>named</strong></span> to use up to
<em class="replaceable"><code>#max-socks</code></em> sockets.
The default value is 4096 on systems built with default
configuration options, and 21000 on systems built with
"configure --with-tuning=large".
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
<p>
This option should be unnecessary for the vast majority
of users.
The use of this option could even be harmful because the
The use of this option could even be harmful because the
specified value may exceed the limitation of the
underlying system API.
It is therefore set only when the default configuration
It is therefore set only when the default configuration
causes exhaustion of file descriptors and the
operational environment is known to support the
specified number of sockets.
Note also that the actual maximum number is normally a little
Note also that the actual maximum number is normally a little
fewer than the specified value because
<span><strong class="command">named</strong></span> reserves some file descriptors
for its internal use.
<span class="command"><strong>named</strong></span> reserves some file descriptors
for its internal use.
</p>
</div>
</dd>
</div>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>Chroot
to <em class="replaceable"><code>directory</code></em> after
<p>Chroot
to <em class="replaceable"><code>directory</code></em> after
processing the command line arguments, but before
reading the configuration file.
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
<p>
This option should be used in conjunction with the
<code class="option">-u</code> option, as chrooting a process
running as root doesn't enhance security on most
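Review bot: In the `-L` entry the argument is marked up inconsistently: the term uses `<em class="replaceable"><code>logfile</code></em>`, but the description renders it as `<code class="option">logfile</code>`, which presents a user-supplied file name as if it were an option keyword. Mark it as replaceable in the source so both places match.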
@ -225,168 +288,214 @@
defined allows a process with root privileges to
escape a chroot jail.
</p>
</div>
</dd>
</div>
</dd>
<dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
<dd><p>
<dd>
<p>
Use <em class="replaceable"><code>#listeners</code></em>
worker threads to listen for incoming UDP packets on each
address. If not specified, <span><strong class="command">named</strong></span> will
address. If not specified, <span class="command"><strong>named</strong></span> will
calculate a default value based on the number of detected
CPUs: 1 for 1 CPU, 2 for 2-4 CPUs, and the number of
detected CPUs divided by 2 for values higher than 4.
CPUs: 1 for 1 CPU, and the number of detected CPUs
minus one for machines with more than 1 CPU. This cannot
be increased to a value higher than the number of CPUs.
If <code class="option">-n</code> has been set to a higher value than
the number of detected CPUs, then <code class="option">-U</code> may
be increased as high as that value, but no higher.
</p></dd>
On Windows, the number of UDP listeners is hardwired to 1
and this option has no effect.
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd>
<p>Setuid
to <em class="replaceable"><code>user</code></em> after completing
<p>Setuid
to <em class="replaceable"><code>user</code></em> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
On Linux, <span><strong class="command">named</strong></span> uses the kernel's
capability mechanism to drop all root privileges
<p>
On Linux, <span class="command"><strong>named</strong></span> uses the kernel's
capability mechanism to drop all root privileges
except the ability to <code class="function">bind(2)</code> to
a
privileged port and set process resource limits.
Unfortunately, this means that the <code class="option">-u</code>
option only works when <span><strong class="command">named</strong></span> is
option only works when <span class="command"><strong>named</strong></span> is
run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
later, since previous kernels did not allow privileges
to be retained after <code class="function">setuid(2)</code>.
</p>
</div>
</dd>
</div>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
<dd>
<p>
Report the version number and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Report the version number and build options, and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-X <em class="replaceable"><code>lock-file</code></em></span></dt>
<dd><p>
<dd>
<p>
Acquire a lock on the specified file at runtime; this
helps to prevent duplicate <span><strong class="command">named</strong></span> instances
helps to prevent duplicate <span class="command"><strong>named</strong></span> instances
from running simultaneously.
Use of this option overrides the <span><strong class="command">lock-file</strong></span>
Use of this option overrides the <span class="command"><strong>lock-file</strong></span>
option in <code class="filename">named.conf</code>.
If set to <code class="literal">none</code>, the lock file check
is disabled.
</p></dd>
</p>
</dd>
<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
<dd>
<p>
<p>
Load data from <em class="replaceable"><code>cache-file</code></em> into the
cache of the default view.
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
<p>
This option must not be used. It is only of interest
to BIND 9 developers and may be removed or changed in a
future release.
</p>
</div>
</dd>
</div>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2687354"></a><h2>SIGNALS</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.16.9"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
the nameserver; <span class="command"><strong>rndc</strong></span> should be used
instead.
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">SIGHUP</span></dt>
<dd><p>
<dd>
<p>
Force a reload of the server.
</p></dd>
</p>
</dd>
<dt><span class="term">SIGINT, SIGTERM</span></dt>
<dd><p>
<dd>
<p>
Shut down the server.
</p></dd>
</p>
</dd>
</dl></div>
<p>
<p>
The result of sending any other signals to the server is undefined.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2687404"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
</div>
<div class="refsection">
<a name="id-1.14.16.10"></a><h2>CONFIGURATION</h2>
<p>
The <span class="command"><strong>named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
in the
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
<p>
<span><strong class="command">named</strong></span> inherits the <code class="function">umask</code>
<p>
<span class="command"><strong>named</strong></span> inherits the <code class="function">umask</code>
(file creation mode mask) from the parent process. If files
created by <span><strong class="command">named</strong></span>, such as journal files,
created by <span class="command"><strong>named</strong></span>, such as journal files,
need to have custom permissions, the <code class="function">umask</code>
should be set explicitly in the script used to start the
<span><strong class="command">named</strong></span> process.
<span class="command"><strong>named</strong></span> process.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2687453"></a><h2>FILES</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.16.11"></a><h2>FILES</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
<dd>
<p>
The default configuration file.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
<dd><p>
<dd>
<p>
The default process-id file.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2687497"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
</div>
<div class="refsection">
<a name="id-1.14.16.12"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>
(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkzone</span>
(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc</span>
(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">lwresd</span>
(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named.conf</span>
(5)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2687568"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
<a accesskey="p" href="man.lwresd.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">named-checkzone</span> </td>
<span class="application">lwresd</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <code class="filename">named.conf</code>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
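Review bot: The `-U` entry changes documented behaviour, not just markup: the default moves from "2 for 2-4 CPUs, and the number of detected CPUs divided by 2 for values higher than 4" to "the number of detected CPUs minus one", and the sentence about Windows being hardwired to 1 listener appears only in the new text. The commit message describes a toolchain upgrade only, so state there that the regenerated HTML also picks up pending text changes, or commit the regeneration separately. The old `refsect1` AUTHOR block also has no `refsection` counterpart in this hunk; confirm that dropping it from the rendered page is intended.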

View file

@ -14,15 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nsec3hash</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.named-rrchecker.html" title="named-rrchecker">
<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
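Review bot: The `prev` link for nsec3hash changes from `man.named-rrchecker.html` to `man.isc-hmac-fixup.html`, so the page order of the manual-pages chapter changed along with the toolchain. If the reordering is a side effect of the conversion, fix the include order in the book source; if it is intended, say so in the commit message.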
@ -30,85 +29,112 @@
<tr><th colspan="3" align="center"><span class="application">nsec3hash</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.named-rrchecker.html">Prev</a> </td>
<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> </td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.nsec3hash"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2746647"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
<span class="application">nsec3hash</span>
&#8212; generate NSEC3 hash
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">nsec3hash</code>
{<em class="replaceable"><code>salt</code></em>}
{<em class="replaceable"><code>algorithm</code></em>}
{<em class="replaceable"><code>iterations</code></em>}
{<em class="replaceable"><code>domain</code></em>}
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.31.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>nsec3hash</strong></span> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
of NSEC3 records in a signed zone.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746662"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.31.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">salt</span></dt>
<dd><p>
<dd>
<p>
The salt provided to the hash algorithm.
</p></dd>
</p>
</dd>
<dt><span class="term">algorithm</span></dt>
<dd><p>
<dd>
<p>
A number indicating the hash algorithm. Currently the
only supported hash algorithm for NSEC3 is SHA-1, which is
indicated by the number 1; consequently "1" is the only
useful value for this argument.
</p></dd>
</p>
</dd>
<dt><span class="term">iterations</span></dt>
<dd><p>
<dd>
<p>
The number of additional times the hash should be performed.
</p></dd>
</p>
</dd>
<dt><span class="term">domain</span></dt>
<dd><p>
<dd>
<p>
The domain name to be hashed.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2746724"></a><h2>SEE ALSO</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.31.9"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5155</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746741"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.named-rrchecker.html">Prev</a> </td>
<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> </td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">named-rrchecker</span> </td>
<span class="application">isc-hmac-fixup</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> </td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
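Review bot: The footer paragraph now carries `xmlns:db="http://docbook.org/ns/docbook"`, a namespace declaration that most likely leaks from the customization stylesheet into the HTML output. Adding `exclude-result-prefixes="db"` to that stylesheet's `xsl:stylesheet` element usually removes it and keeps the generated pages free of stray XML namespaces.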

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nsupdate</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.named-rrchecker.html" title="named-rrchecker">
<link rel="next" href="man.rndc.html" title="rndc">
@ -39,19 +38,52 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.nsupdate"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
<p>
<span class="application">nsupdate</span>
&#8212; Dynamic DNS update utility
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [<code class="option">-L <em class="replaceable"><code>level</code></em></code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2664568"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">nsupdate</code>
[<code class="option">-d</code>]
[<code class="option">-D</code>]
[<code class="option">-L <em class="replaceable"><code>level</code></em></code>]
[
[<code class="option">-g</code>]
| [<code class="option">-o</code>]
| [<code class="option">-l</code>]
| [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>]
| [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]
]
[<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>]
[<code class="option">-v</code>]
[<code class="option">-T</code>]
[<code class="option">-P</code>]
[<code class="option">-V</code>]
[filename]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.22.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
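Review bot: The reflowed synopsis lists no `-p port`, although the OPTIONS list further down in this file documents `-p` with a default of 53. With the synopsis now one option per line, this is a good point to add the missing `[-p port]` entry in the source so synopsis and options agree.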
@ -60,114 +92,134 @@
one
resource record.
</p>
<p>
<p>
Zones that are under dynamic control via
<span><strong class="command">nsupdate</strong></span>
<span class="command"><strong>nsupdate</strong></span>
or a DHCP server should not be edited by hand.
Manual edits could
conflict with dynamic updates and cause data to be lost.
</p>
<p>
<p>
The resource records that are dynamically added or removed with
<span><strong class="command">nsupdate</strong></span>
<span class="command"><strong>nsupdate</strong></span>
have to be in the same zone.
Requests are sent to the zone's master server.
This is identified by the MNAME field of the zone's SOA record.
</p>
<p>
<p>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC 2845 or the SIG(0) record described in RFC 2535 and
RFC 2931 or GSS-TSIG as described in RFC 3645.
</p>
<p>
<p>
TSIG relies on
a shared secret that should only be known to
<span><strong class="command">nsupdate</strong></span> and the name server.
<span class="command"><strong>nsupdate</strong></span> and the name server.
For instance, suitable <span class="type">key</span> and
<span class="type">server</span> statements would be added to
<code class="filename">/etc/named.conf</code> so that the name server
can associate the appropriate secret key and algorithm with
the IP address of the client application that will be using
TSIG authentication. You can use <span><strong class="command">ddns-confgen</strong></span>
TSIG authentication. You can use <span class="command"><strong>ddns-confgen</strong></span>
to generate suitable configuration fragments.
<span><strong class="command">nsupdate</strong></span>
<span class="command"><strong>nsupdate</strong></span>
uses the <code class="option">-y</code> or <code class="option">-k</code> options
to provide the TSIG shared secret. These options are mutually exclusive.
</p>
<p>
<p>
SIG(0) uses public key cryptography.
To use a SIG(0) key, the public key must be stored in a KEY
record in a zone served by the name server.
</p>
<p>
<p>
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
is switched on with the <code class="option">-g</code> flag. A
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <code class="option">-o</code> flag.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2665339"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.22.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-d</span></dt>
<dd><p>
<dd>
<p>
Debug mode. This provides tracing information about the
update requests that are made and the replies received
from the name server.
</p></dd>
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd><p>
<dd>
<p>
Extra debug mode.
</p></dd>
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd><p>
<dd>
<p>
The file containing the TSIG authentication key.
Keyfiles may be in two formats: a single file containing
a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
statement, which may be generated automatically by
<span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
<span class="command"><strong>ddns-confgen</strong></span>, or a pair of files whose names are
of the format <code class="filename">K{name}.+157.+{random}.key</code> and
<code class="filename">K{name}.+157.+{random}.private</code>, which can be
generated by <span><strong class="command">dnssec-keygen</strong></span>.
generated by <span class="command"><strong>dnssec-keygen</strong></span>.
The <code class="option">-k</code> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</p></dd>
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd><p>
<dd>
<p>
Local-host only mode. This sets the server address to
localhost (disabling the <span><strong class="command">server</strong></span> so that the server
localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
address cannot be overridden). Connections to the local server will
use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
which is automatically generated by <span><strong class="command">named</strong></span> if any
local master zone has set <span><strong class="command">update-policy</strong></span> to
<span><strong class="command">local</strong></span>. The location of this key file can be
which is automatically generated by <span class="command"><strong>named</strong></span> if any
local master zone has set <span class="command"><strong>update-policy</strong></span> to
<span class="command"><strong>local</strong></span>. The location of this key file can be
overridden with the <code class="option">-k</code> option.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the logging debug level. If zero, logging is disabled.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the port to use for connections to a name server. The
default is 53.
</p></dd>
</p>
</dd>
<dt><span class="term">-P</span></dt>
<dd><p>
<dd>
<p>
Print the list of private BIND-specific resource record
types whose format is understood
by <span><strong class="command">nsupdate</strong></span>. See also
by <span class="command"><strong>nsupdate</strong></span>. See also
the <code class="option">-T</code> option.
</p></dd>
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
<dd><p>
<dd>
<p>
The number of UDP retries. The default is 3. If zero, only
one update request will be made.
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
<dd>
<p>
Where to obtain randomness. If the operating system
does not provide a <code class="filename">/dev/random</code> or
equivalent device, the default source of randomness is keyboard
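Review bot: In the `-l` entry, "disabling the server so that the server address cannot be overridden" reads as if the name server itself were disabled; the markup shows `server` is the nsupdate command. Reword the source to "disabling the server command" so the rendered sentence is unambiguous about what local-host only mode restricts.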
@ -176,51 +228,60 @@
instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard input
should be used. This option may be specified multiple times.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
<dd><p>
<dd>
<p>
The maximum time an update request can take before it is
aborted. The default is 300 seconds. Zero can be used to
disable the timeout.
</p></dd>
</p>
</dd>
<dt><span class="term">-T</span></dt>
<dd>
<p>
<p>
Print the list of IANA standard resource record types
whose format is understood by <span><strong class="command">nsupdate</strong></span>.
<span><strong class="command">nsupdate</strong></span> will exit after the lists are
whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
<span class="command"><strong>nsupdate</strong></span> will exit after the lists are
printed. The <code class="option">-T</code> option can be combined
with the <code class="option">-P</code> option.
</p>
<p>
<p>
Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
decimal value of the type with no leading zeros. The rdata,
if present, will be parsed using the UNKNOWN rdata format,
(&lt;backslash&gt; &lt;hash&gt; &lt;space&gt; &lt;length&gt;
&lt;space&gt; &lt;hexstring&gt;).
</p>
</dd>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
<dd><p>
<dd>
<p>
The UDP retry interval. The default is 3 seconds. If zero,
the interval will be computed from the timeout interval and
number of UDP retries.
</p></dd>
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
<dd>
<p>
Use TCP even for small update requests.
By default, <span><strong class="command">nsupdate</strong></span>
By default, <span class="command"><strong>nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
TCP may be preferable when a batch of update requests is made.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Print the version number and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
<dd>
<p>
<p>
Literal TSIG authentication key.
<em class="parameter"><code>keyname</code></em> is the name of the key, and
<em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
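Review bot: Throughout this hunk (the -T and -v entries, for example) the class attribute moves from the inner element to the wrapper: "<span><strong class="command">" becomes "<span class="command"><strong>". Any stylesheet rule keyed on strong.command will stop matching the regenerated pages, so check the CSS shipped with the HTML docs and add a span.command rule if command names are meant to keep their styling.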
@ -231,19 +292,23 @@
<code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
is not specified, the default is <code class="literal">hmac-md5</code>.
</p>
<p>
<p>
NOTE: Use of the <code class="option">-y</code> option is discouraged because the
shared secret is supplied as a command line argument in clear text.
This may be visible in the output from
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
<span class="citerefentry">
<span class="refentrytitle">ps</span>(1)
</span>
or in a history file maintained by the user's shell.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2765929"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
</div>
<div class="refsection">
<a name="id-1.14.22.9"></a><h2>INPUT FORMAT</h2>
<p><span class="command"><strong>nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
or standard input.
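Review bot: In the -y entry the regenerated text still says that hmac-md5 is used when no hmac is given, directly after a list that ends in hmac-sha512. Since the page is being rebuilt anyway, consider having the source tell readers to name a SHA-2 hmac explicitly, and have the NOTE that discourages -y point to the -k option that the key command description mentions alongside it, so the warning comes with an alternative.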
@ -257,30 +322,31 @@
Updates will be rejected if the tests for the prerequisite conditions
fail.
</p>
<p>
<p>
Every update request consists of zero or more prerequisites
and zero or more updates.
This allows a suitably authenticated update request to proceed if some
specified resource records are present or missing from the zone.
A blank input line (or the <span><strong class="command">send</strong></span> command)
A blank input line (or the <span class="command"><strong>send</strong></span> command)
causes the
accumulated commands to be sent as one Dynamic DNS update request to the
name server.
</p>
<p>
<p>
The command formats and their meaning are as follows:
</p>
<div class="variablelist"><dl>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">
<span><strong class="command">server</strong></span>
<span class="command"><strong>server</strong></span>
{servername}
[port]
</span></dt>
<dd><p>
<dd>
<p>
Sends all dynamic update requests to the name server
<em class="parameter"><code>servername</code></em>.
When no server statement is provided,
<span><strong class="command">nsupdate</strong></span>
<span class="command"><strong>nsupdate</strong></span>
will send updates to the master server of the correct zone.
The MNAME field of that zone's SOA record will identify the
master
@ -292,131 +358,155 @@
If no port number is specified, the default DNS port number of
53 is
used.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">local</strong></span>
<span class="command"><strong>local</strong></span>
{address}
[port]
</span></dt>
<dd><p>
<dd>
<p>
Sends all dynamic update requests using the local
<em class="parameter"><code>address</code></em>.
When no local statement is provided,
<span><strong class="command">nsupdate</strong></span>
<span class="command"><strong>nsupdate</strong></span>
will send updates using an address and port chosen by the
system.
<em class="parameter"><code>port</code></em>
can additionally be used to make requests come from a specific
port.
If no port number is specified, the system will assign one.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">zone</strong></span>
<span class="command"><strong>zone</strong></span>
{zonename}
</span></dt>
<dd><p>
<dd>
<p>
Specifies that all updates are to be made to the zone
<em class="parameter"><code>zonename</code></em>.
If no
<em class="parameter"><code>zone</code></em>
statement is provided,
<span><strong class="command">nsupdate</strong></span>
<span class="command"><strong>nsupdate</strong></span>
will attempt determine the correct zone to update based on the
rest of the input.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">class</strong></span>
<span class="command"><strong>class</strong></span>
{classname}
</span></dt>
<dd><p>
<dd>
<p>
Specify the default class.
If no <em class="parameter"><code>class</code></em> is specified, the
default class is
<em class="parameter"><code>IN</code></em>.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">ttl</strong></span>
<span class="command"><strong>ttl</strong></span>
{seconds}
</span></dt>
<dd><p>
<dd>
<p>
Specify the default time to live for records to be added.
The value <em class="parameter"><code>none</code></em> will clear the default
ttl.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">key</strong></span>
<span class="command"><strong>key</strong></span>
[hmac:] {keyname}
{secret}
</span></dt>
<dd><p>
<dd>
<p>
Specifies that all updates are to be TSIG-signed using the
<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
signing algorithm in use; the default is
<code class="literal">hmac-md5</code>. The <span><strong class="command">key</strong></span>
<code class="literal">hmac-md5</code>. The <span class="command"><strong>key</strong></span>
command overrides any key specified on the command line via
<code class="option">-y</code> or <code class="option">-k</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">gsstsig</strong></span>
<span class="command"><strong>gsstsig</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Use GSS-TSIG to sign the updated. This is equivalent to
specifying <code class="option">-g</code> on the command line.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">oldgsstsig</strong></span>
<span class="command"><strong>oldgsstsig</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Use the Windows 2000 version of GSS-TSIG to sign the updated.
This is equivalent to specifying <code class="option">-o</code> on the
command line.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">realm</strong></span>
<span class="command"><strong>realm</strong></span>
{[<span class="optional">realm_name</span>]}
</span></dt>
<dd><p>
<dd>
<p>
When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
than the default realm in <code class="filename">krb5.conf</code>. If no
realm is specified the saved realm is cleared.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">check-names</strong></span>
<span class="command"><strong>check-names</strong></span>
{[<span class="optional">yes_or_no</span>]}
</span></dt>
<dd><p>
<dd>
<p>
Turn on or off check-names processing on records to
be added. Check-names has no effect on prerequisites
or records to be deleted. By default check-names
processing is on. If check-names processing fails
the record will not be added to the UPDATE message.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span>
<span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span>
{domain-name}
</span></dt>
<dd><p>
<dd>
<p>
Requires that no resource record of any type exists with name
<em class="parameter"><code>domain-name</code></em>.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span>
<span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span>
{domain-name}
</span></dt>
<dd><p>
<dd>
<p>
Requires that
<em class="parameter"><code>domain-name</code></em>
exists (has as at least one resource record, of any type).
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span>
<span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span>
{domain-name}
[class]
{type}
</span></dt>
<dd><p>
<dd>
<p>
Requires that no resource record exists of the specified
<em class="parameter"><code>type</code></em>,
<em class="parameter"><code>class</code></em>
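Review bot: Several wording errors in the command descriptions pass through the regeneration unchanged and should be fixed in the DocBook source rather than in this output: under zone, "will attempt determine" is missing "to"; under gsstsig and oldgsstsig, "sign the updated" should read "sign the update"; under yxdomain, "has as at least one resource record" has a stray "as".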
@ -425,14 +515,16 @@
If
<em class="parameter"><code>class</code></em>
is omitted, IN (internet) is assumed.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
<span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
{domain-name}
[class]
{type}
</span></dt>
<dd><p>
<dd>
<p>
This requires that a resource record of the specified
<em class="parameter"><code>type</code></em>,
<em class="parameter"><code>class</code></em>
@ -442,15 +534,17 @@
If
<em class="parameter"><code>class</code></em>
is omitted, IN (internet) is assumed.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
<span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
{domain-name}
[class]
{type}
{data...}
</span></dt>
<dd><p>
<dd>
<p>
The
<em class="parameter"><code>data</code></em>
from each set of prerequisites of this form
@ -471,15 +565,17 @@
are written in the standard text representation of the resource
record's
RDATA.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
<span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
{domain-name}
[ttl]
[class]
[type [data...]]
</span></dt>
<dd><p>
<dd>
<p>
Deletes any resource records named
<em class="parameter"><code>domain-name</code></em>.
If
@ -492,73 +588,92 @@
is not supplied. The
<em class="parameter"><code>ttl</code></em>
is ignored, and is only allowed for compatibility.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">[<span class="optional">update</span>] add</strong></span>
<span class="command"><strong>[<span class="optional">update</span>] add</strong></span>
{domain-name}
{ttl}
[class]
{type}
{data...}
</span></dt>
<dd><p>
<dd>
<p>
Adds a new resource record with the specified
<em class="parameter"><code>ttl</code></em>,
<em class="parameter"><code>class</code></em>
and
<em class="parameter"><code>data</code></em>.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">show</strong></span>
<span class="command"><strong>show</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Displays the current message, containing all of the
prerequisites and
updates specified since the last send.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">send</strong></span>
<span class="command"><strong>send</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Sends the current message. This is equivalent to entering a
blank line.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">answer</strong></span>
<span class="command"><strong>answer</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Displays the answer.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">debug</strong></span>
<span class="command"><strong>debug</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Turn on debugging.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">version</strong></span>
<span class="command"><strong>version</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Print version number.
</p></dd>
</p>
</dd>
<dt><span class="term">
<span><strong class="command">help</strong></span>
<span class="command"><strong>help</strong></span>
</span></dt>
<dd><p>
<dd>
<p>
Print a list of commands.
</p></dd>
</p>
</dd>
</dl></div>
<p>
</p>
<p>
<p>
Lines beginning with a semicolon are comments and are ignored.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2767207"></a><h2>EXAMPLES</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.22.10"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
<span class="command"><strong>nsupdate</strong></span>
could be used to insert and delete resource records from the
<span class="type">example.com</span>
zone.
@ -577,7 +692,7 @@
</pre>
<p>
</p>
<p>
<p>
Any A records for
<span class="type">oldhost.example.com</span>
are deleted.
@ -594,7 +709,7 @@
</pre>
<p>
</p>
<p>
<p>
The prerequisite condition gets the name server to check that there
are no resource records of any type for
<span class="type">nickname.example.com</span>.
@ -607,33 +722,50 @@
(The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2767257"></a><h2>FILES</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.22.11"></a><h2>FILES</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
<dd>
<p>
used to identify default name server
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
<dd><p>
<dd>
<p>
sets the default TSIG key for use in local-only mode
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
<dd><p>
<dd>
<p>
base-64 encoding of HMAC-MD5 key created by
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
</p></dd>
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>.
</p>
</dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
<dd><p>
<dd>
<p>
base-64 encoding of HMAC-MD5 key created by
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
</p></dd>
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2767412"></a><h2>SEE ALSO</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.22.12"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
<em class="citetitle">RFC 2104</em>,
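Review bot: In the FILES entries for the K{name}.+157.+{random}.key and .private files, the citerefentry is now emitted over three lines, which leaves whitespace inside the outer span before "</span>." and renders as "dnssec-keygen(8) ." with a gap before the period. The SEE ALSO list has the same pattern before each comma. Normalizing whitespace in the citerefentry output (or in the source markup) would restore the old rendering.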
@ -641,20 +773,29 @@
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 2535</em>,
<em class="citetitle">RFC 2931</em>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2767469"></a><h2>BUGS</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.22.13"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
for its cryptographic operations, and may change in future
releases.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@ -675,6 +816,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>
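Review bot: The footer paragraph now carries xmlns:db="http://docbook.org/ns/docbook", a namespace declaration that has no meaning in this HTML output and looks like it is leaking from the stylesheet that generates the footer. Setting exclude-result-prefixes="db" on that stylesheet's xsl:stylesheet element should drop it; the rndc-confgen footer later in this commit shows the same attribute.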

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
<link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
@ -39,108 +38,151 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
<p>
<span class="application">rndc-confgen</span>
&#8212; rndc key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2718548"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
<div class="cmdsynopsis"><p>
<code class="command">rndc-confgen</code>
[<code class="option">-a</code>]
[<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.25.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
for <span class="command"><strong>rndc</strong></span>. It can be used as a
convenient alternative to writing the
<code class="filename">rndc.conf</code> file
and the corresponding <span><strong class="command">controls</strong></span>
and <span><strong class="command">key</strong></span>
and the corresponding <span class="command"><strong>controls</strong></span>
and <span class="command"><strong>key</strong></span>
statements in <code class="filename">named.conf</code> by hand.
Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
Alternatively, it can be run with the <span class="command"><strong>-a</strong></span>
option to set up a <code class="filename">rndc.key</code> file and
avoid the need for a <code class="filename">rndc.conf</code> file
and a <span><strong class="command">controls</strong></span> statement altogether.
and a <span class="command"><strong>controls</strong></span> statement altogether.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2718614"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
</div>
<div class="refsection">
<a name="id-1.14.25.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
<p>
Do automatic <span><strong class="command">rndc</strong></span> configuration.
<p>
Do automatic <span class="command"><strong>rndc</strong></span> configuration.
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
<code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was
built)
that is read by both <span><strong class="command">rndc</strong></span>
and <span><strong class="command">named</strong></span> on startup. The
that is read by both <span class="command"><strong>rndc</strong></span>
and <span class="command"><strong>named</strong></span> on startup. The
<code class="filename">rndc.key</code> file defines a default
command channel and authentication key allowing
<span><strong class="command">rndc</strong></span> to communicate with
<span><strong class="command">named</strong></span> on the local host
<span class="command"><strong>rndc</strong></span> to communicate with
<span class="command"><strong>named</strong></span> on the local host
with no further configuration.
</p>
<p>
Running <span><strong class="command">rndc-confgen -a</strong></span> allows
BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
<p>
Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
drop-in
replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>,
with no changes to the existing BIND 8
<code class="filename">named.conf</code> file.
</p>
<p>
<p>
If a more elaborate configuration than that
generated by <span><strong class="command">rndc-confgen -a</strong></span>
generated by <span class="command"><strong>rndc-confgen -a</strong></span>
is required, for example if rndc is to be used remotely,
you should run <span><strong class="command">rndc-confgen</strong></span> without
you should run <span class="command"><strong>rndc-confgen</strong></span> without
the
<span><strong class="command">-a</strong></span> option and set up a
<span class="command"><strong>-a</strong></span> option and set up a
<code class="filename">rndc.conf</code> and
<code class="filename">named.conf</code>
as directed.
</p>
</dd>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-md5.
</p></dd>
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd><p>
Used with the <span><strong class="command">-a</strong></span> option to specify
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
an alternate location for <code class="filename">rndc.key</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span><strong class="command">rndc-confgen</strong></span>.
</p></dd>
<span class="command"><strong>rndc-confgen</strong></span>.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <code class="constant">rndc-key</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
Specifies the command channel port where <span><strong class="command">named</strong></span>
listens for connections from <span><strong class="command">rndc</strong></span>.
<dd>
<p>
Specifies the command channel port where <span class="command"><strong>named</strong></span>
listens for connections from <span class="command"><strong>rndc</strong></span>.
The default is 953.
</p></dd>
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a source of random data for generating the
authorization. If the operating
system does not provide a <code class="filename">/dev/random</code>
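Review bot: The -b entry documents the key size as "between 1 and 512 bits" with no recommended minimum, so the page as written presents a key of a few bits as a valid choice. The default (the hash size) is reasonable, but the source should state a sensible lower bound or at least advise against going below the default.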
@ -151,64 +193,77 @@
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
<dd><p>
Specifies the IP address where <span><strong class="command">named</strong></span>
<dd>
<p>
Specifies the IP address where <span class="command"><strong>named</strong></span>
listens for command channel connections from
<span><strong class="command">rndc</strong></span>. The default is the loopback
<span class="command"><strong>rndc</strong></span>. The default is the loopback
address 127.0.0.1.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
<dd><p>
Used with the <span><strong class="command">-a</strong></span> option to specify
a directory where <span><strong class="command">named</strong></span> will run
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
a directory where <span class="command"><strong>named</strong></span> will run
chrooted. An additional copy of the <code class="filename">rndc.key</code>
will be written relative to this directory so that
it will be found by the chrooted <span><strong class="command">named</strong></span>.
</p></dd>
it will be found by the chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd><p>
Used with the <span><strong class="command">-a</strong></span> option to set the
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to set the
owner
of the <code class="filename">rndc.key</code> file generated.
If
<span><strong class="command">-t</strong></span> is also specified only the file
<span class="command"><strong>-t</strong></span> is also specified only the file
in
the chroot area has its owner changed.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2719085"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
</div>
<div class="refsection">
<a name="id-1.14.25.9"></a><h2>EXAMPLES</h2>
<p>
To allow <span class="command"><strong>rndc</strong></span> to be used with
no manual configuration, run
</p>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
</p>
<p>
<p>
To print a sample <code class="filename">rndc.conf</code> file and
corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
statements to be manually inserted into <code class="filename">named.conf</code>,
run
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2745971"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</div>
<div class="refsection">
<a name="id-1.14.25.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2746009"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
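Review bot: The AUTHOR section at the end of this hunk appears only in the old refsect1 form (id2746009) and has no refsection counterpart after SEE ALSO, so the conversion seems to drop the "Internet Systems Consortium" attribution from the rendered rndc-confgen page. If that is intentional, say so in the commit message; otherwise restore it in the DocBook 5 source.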
@ -229,6 +284,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

View file

@ -14,13 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc.conf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.rndc.html" title="rndc">
<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
@ -39,46 +38,61 @@
</table>
<hr>
</div>
<div class="refentry" lang="en">
<div class="refentry">
<a name="man.rndc.conf"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
<p>
<code class="filename">rndc.conf</code>
&#8212; rndc configuration file
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2665719"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
<div class="cmdsynopsis"><p>
<code class="command">rndc.conf</code>
</p></div>
</div>
<div class="refsection">
<a name="id-1.14.24.7"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
<code class="filename">named.conf</code>. Statements are enclosed
in braces and terminated with a semi-colon. Clauses in
the statements are also semi-colon terminated. The usual
comment styles are supported:
</p>
<p>
<p>
C style: /* */
</p>
<p>
<p>
C++ style: // to end of line
</p>
<p>
<p>
Unix style: # to end of line
</p>
<p><code class="filename">rndc.conf</code> is much simpler than
<p><code class="filename">rndc.conf</code> is much simpler than
<code class="filename">named.conf</code>. The file uses three
statements: an options statement, a server statement
and a key statement.
</p>
<p>
<p>
The <code class="option">options</code> statement contains five clauses.
The <code class="option">default-server</code> clause is followed by the
name or address of a name server. This host will be used when
no name server is given as an argument to
<span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code>
<span class="command"><strong>rndc</strong></span>. The <code class="option">default-key</code>
clause is followed by the name of a key which is identified by
a <code class="option">key</code> statement. If no
<code class="option">keyid</code> is provided on the rndc command line,
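Review bot: The section anchors in this hunk are still auto-generated and change from `<a name="id2665719">` to `<a name="id-1.14.24.7">`, so existing deep links into the DESCRIPTION section break with this commit. The new ids look positional and are likely to shift again when a section is added earlier in the book. Explicit `xml:id` values on the refsections in the source would make them stable. The hunk also drops `lang="en"` from the `refentry` and section divs; if the language attribute is still wanted in the output, set `xml:lang="en"` on the source root.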
@ -96,7 +110,7 @@
can be used to set the IPv4 and IPv6 source addresses
respectively.
</p>
<p>
<p>
After the <code class="option">server</code> keyword, the server
statement includes a string which is the hostname or address
for a name server. The statement has three possible clauses:
@ -110,34 +124,37 @@
of supplied then these will be used to specify the IPv4 and IPv6
source addresses respectively.
</p>
<p>
<p>
The <code class="option">key</code> statement begins with an identifying
string, the name of the key. The statement has two clauses.
<code class="option">algorithm</code> identifies the authentication algorithm
for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
for <span class="command"><strong>rndc</strong></span> to use; currently only HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512 are
supported. This is followed by a secret clause which contains
the base-64 encoding of the algorithm's authentication key. The
base-64 string is enclosed in double quotes.
</p>
<p>
<p>
There are two common ways to generate the base-64 string for the
secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
secret. The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
can
be used to generate a random key, or the
<span><strong class="command">mmencode</strong></span> program, also known as
<span><strong class="command">mimencode</strong></span>, can be used to generate a
<span class="command"><strong>mmencode</strong></span> program, also known as
<span class="command"><strong>mimencode</strong></span>, can be used to generate a
base-64
string from known input. <span><strong class="command">mmencode</strong></span> does
string from known input. <span class="command"><strong>mmencode</strong></span> does
not
ship with BIND 9 but is available on many systems. See the
EXAMPLE section for sample command lines for each.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2718183"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
</div>
<div class="refsection">
<a name="id-1.14.24.8"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
default-key samplekey;
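Review bot: The paragraph on generating the secret, re-rendered in this hunk, still presents `mmencode` on "known input" as an equal alternative to `rndc-confgen`. A secret that is the base-64 of a chosen phrase is only as strong as that phrase, and it is the HMAC key that authenticates rndc commands. The source text would be better recommending `rndc-confgen` and describing `mmencode` only as a way to encode key material that is already random. This is not introduced by the commit, but it is worth fixing in the XML while the page is being regenerated.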
@ -145,14 +162,14 @@
</pre>
<p>
</p>
<pre class="programlisting">
<pre class="programlisting">
server localhost {
key samplekey;
};
</pre>
<p>
</p>
<pre class="programlisting">
<pre class="programlisting">
server testserver {
key testkey;
addresses { localhost port 5353; };
@ -160,7 +177,7 @@
</pre>
<p>
</p>
<pre class="programlisting">
<pre class="programlisting">
key samplekey {
algorithm hmac-sha256;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
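Review bot: The `samplekey` secret in this context, `"6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"`, is 35 characters long. That is not a multiple of four, so it is not a complete padded base-64 string, unlike the `testkey` value `"R3HI8P6BKw9ZwXwN3VZKuQ=="` in the next listing. Suggest replacing it in the source with a value that decodes cleanly so the example parses as written. This predates the toolchain change.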
@ -168,7 +185,7 @@
</pre>
<p>
</p>
<pre class="programlisting">
<pre class="programlisting">
key testkey {
algorithm hmac-sha256;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
@ -176,8 +193,9 @@
</pre>
<p>
</p>
<p>
In the above example, <span><strong class="command">rndc</strong></span> will by
<p>
In the above example, <span class="command"><strong>rndc</strong></span> will by
default use
the server at localhost (127.0.0.1) and the key called samplekey.
Commands to the localhost server will use the samplekey key, which
@ -186,16 +204,16 @@
uses the HMAC-SHA256 algorithm and its secret clause contains the
base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
</p>
<p>
If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
<p>
If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
connect to server on localhost port 5353 using the key testkey.
</p>
<p>
To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
<p>
To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
<p>
<p>
A complete <code class="filename">rndc.conf</code> file, including
the
randomly generated key, will be written to the standard
@ -203,35 +221,41 @@
<code class="option">controls</code> statements for
<code class="filename">named.conf</code> are also printed.
</p>
<p>
To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
<p>
To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
</p>
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2718305"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
</div>
<div class="refsection">
<a name="id-1.14.24.9"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
file, using the controls statement in <code class="filename">named.conf</code>.
See the sections on the <code class="option">controls</code> statement in the
BIND 9 Administrator Reference Manual for details.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2718330"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
</div>
<div class="refsection">
<a name="id-1.14.24.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc-confgen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">mmencode</span>(1)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2718369"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
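Review bot: The AUTHOR section (`<span class="corpauthor">Internet Systems Consortium</span>`) has no counterpart in the regenerated output; the page now goes from SEE ALSO straight to the navigation footer. If that is unintentional, check how the converted source expresses the corporate author, since DocBook 5 has no `corpauthor` element, and restore the attribution. If it is intentional, say so in the commit message.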
@ -252,6 +276,6 @@
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>

File diff suppressed because it is too large

View file

@ -1,4 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
- Copyright (C) 2010, 2014 Internet Systems Consortium, Inc. ("ISC")
-
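Review bot: Line 1 of this file, `<?xml version="1.0" encoding="utf-8"?>`, is removed and nothing replaces it. Without a declaration an XML parser assumes UTF-8, so the file still parses as long as it stays UTF-8. Keeping the declaration makes the encoding explicit for editors and for tools that are not XML parsers. Suggest keeping it unless the converter or the include mechanism requires it to be absent.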
@ -14,29 +13,27 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: managed-keys.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->
<sect1 id="rfc5011.support">
<title>Dynamic Trust Anchor Management</title>
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info>
<para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
anchor management. Using this feature allows
<command>named</command> to keep track of changes to critical
DNSSEC keys without any need for the operator to make changes to
configuration files.</para>
<sect2>
<title>Validating Resolver</title>
<section><info><title>Validating Resolver</title></info>
<!-- TODO: command tag is overloaded for configuration and executables -->
<para>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<command>managed-keys</command> statement. Information about
this can be found in
<xref linkend="managed-keys" />.</para>
<xref linkend="managed-keys"/>.</para>
<!-- TODO: managed-keys examples
also in DNSSEC section above here in ARM -->
</sect2>
<sect2>
<title>Authoritative Server</title>
</section>
<section><info><title>Authoritative Server</title></info>
<para>To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@ -96,5 +93,5 @@ $ <userinput>dnssec-signzone -S -K keys example.net</userinput>
<para>It is expected that a future release of BIND 9 will
address this problem in a different way, by storing revoked
keys with their original unrevoked key IDs.</para>
</sect2>
</sect1>
</section>
</section>

View file

@ -1,8 +1,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2010, 2012-2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
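Review bot: The new `<!DOCTYPE book [` names `book` as the document element, but the root element of this file, visible in the next hunk, is `<article xmlns="http://docbook.org/ns/docbook" version="5.0">`. With the external DTD reference gone, the internal subset only defines `&mdash;`, so a non-validating build is unaffected. The mismatch is still a validity error for any tool run with DTD validation; `<!DOCTYPE article [` would match the root.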
@ -16,14 +15,8 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<article xmlns:xi="http://www.w3.org/2001/XInclude">
<title/>
<xi:include href="notes.xml"/>
<!-- Converted by db4-upgrade version 1.0 -->
<article xmlns="http://docbook.org/ns/docbook" version="5.0"><info><title/></info>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes.xml"/>
</article>
<!--
- Local variables:
- mode: sgml
- End:
-->

3
doc/arm/notes.conf Normal file
View file

@ -0,0 +1,3 @@
TexInputs: ../tex//
TexStyle: notestyle
XslParam: ../xsl/notes-param.xsl

View file

@ -17,7 +17,893 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><font color="red">&lt;xi:include&gt;&lt;/xi:include&gt;</font></div></body>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
<a class="ulink" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]
</p>
</li>
<li class="listitem">
<p>
A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.
</p>
<p>
This flaw was discovered by Hanno Böck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p>
</li>
<li class="listitem">
<p>
A specially crafted query could trigger an assertion failure
in message.c.
</p>
<p>
This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]
</p>
</li>
<li class="listitem">
<p>
On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.
</p>
<p>
This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]
</p>
</li>
<li class="listitem">
<p>
On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span class="command"><strong>managed-keys</strong></span>, or implicitly
via <span class="command"><strong>dnssec-validation auto;</strong></span> or
<span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span class="command"><strong>named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
</p>
<p>
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]
</p>
</li>
<li class="listitem">
<p>
A flaw in delegation handling could be exploited to put
<span class="command"><strong>named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span class="command"><strong>named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
</p>
<p>
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
</p>
<p>
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
</p>
</li>
<li class="listitem">
<p>
Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing
a GeoIP database in <code class="filename">named.conf</code> which was
not installed. Both are covered by CVE-2014-8680. [RT #37672]
[RT #37679]
</p>
<p>
A less serious security flaw was also found in GeoIP: changes
to the <span class="command"><strong>geoip-directory</strong></span> option in
<code class="filename">named.conf</code> were ignored when running
<span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
<span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
</p>
<p>
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND &#8212;
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data &#8212; DynDB is able to fully implement
and extend the database API used natively by BIND.
</p>
<p>
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.
</p>
</li>
<li class="listitem">
<p>
<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
</p>
</li>
</ul></div>
<p>
Statistics counters have also been added to track the number
of queries affected by these quotas.
</p>
</li>
<li class="listitem">
<p>
Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
</p>
<p>
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
<code class="option">--enable-dnstap</code>.
</p>
<p>
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
</p>
<p>
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="ulink" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
<li class="listitem">
<p>
New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="ulink" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
or
<a class="ulink" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p>
</li>
<li class="listitem">
<p>
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
transfer.
</p>
</li>
<li class="listitem">
<p>
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive serviers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 10 seconds
and has an upper limit of 30.
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p>
</li>
<li class="listitem">
<p>
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
</p>
</li>
<li class="listitem">
<p>
The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
server.
</p>
</li>
<li class="listitem">
<p>
A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: When set to
<code class="literal">full</code>, the zone file will dumped in
single-line-per-record format.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
disable EDNS version negotiation.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +header-only</strong></span> can now be used to send
queries without a question section.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit in normally zero.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query
packets.
</p>
</li>
<li class="listitem">
<p>
<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
default instead of to the system log.
</p>
</li>
<li class="listitem">
<p>
The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">notify-rate</code> and
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).
</p>
</li>
<li class="listitem">
<p>
The default number of tasks and client objects available
for serving lightweight resolver queries have been increased,
and are now configurable via the new <code class="option">lwres-tasks</code>
and <code class="option">lwres-clients</code> options in
<code class="filename">named.conf</code>. [RT #35857]
</p>
</li>
<li class="listitem">
<p>
Log output to files can now be buffered by specifying
<span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
sending queries.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now check to see whether
other name server processes are running before starting up.
This is implemented in two ways: 1) by refusing to start
if the configured network interfaces all return "address
in use", and 2) by attempting to acquire a lock on a file
specified by the <code class="option">lock-file</code> option or
the <span class="command"><strong>-X</strong></span> command line option. The
default lock file is
<code class="filename">/var/run/named/named.lock</code>.
Specifying <code class="literal">none</code> will disable the lock
file check.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
which were configured in <code class="filename">named.conf</code>;
it is no longer restricted to zones which were added by
<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
this does not edit <code class="filename">named.conf</code>; the zone
must be removed from the configuration or it will return
when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc showzone</strong></span> displays the current
configuration for a specified zone.
</p>
</li>
<li class="listitem">
<p>
Added server-side support for pipelined TCP queries. Clients
may continue sending queries via TCP while previous queries are
processed in parallel. Responses are sent when they are
ready, not necessarily in the order in which the queries were
received.
</p>
<p>
To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>mdig</strong></span> command is a version of
<span class="command"><strong>dig</strong></span> that sends multiple pipelined
queries and then waits for responses, instead of sending one
query and waiting the response before sending the next. [RT #38261]
</p>
</li>
<li class="listitem">
<p>
To enable better monitoring and troubleshooting of RFC 5011
trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
can be used to check status of trust anchors or to force keys
to be refreshed. Also, the managed-keys data file now has
easier-to-read comments. [RT #38458]
</p>
</li>
<li class="listitem">
<p>
An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query tracelogging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]
</p>
</li>
<li class="listitem">
<p>
A new <span class="command"><strong>tcp-only</strong></span> option can be specified
in <span class="command"><strong>server</strong></span> statements to force
<span class="command"><strong>named</strong></span> to connect to the specified
server via TCP. [RT #37800]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
a DNS namespace to use for NXDOMAIN redirection. When a
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
by multiple zones configured on the server or by recursive
queries to other servers. (The older method, using
a single <span class="command"><strong>type redirect</strong></span> zone, has
better average performance but is less flexible.) [RT #37989]
</p>
</li>
<li class="listitem">
<p>
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
not correctly matched unless the full organization name was
specified in the ACL (as in
<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
They can now match against the AS number alone (as in
<span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p>
</li>
<li class="listitem">
<p>
When using native PKCS#11 cryptography (i.e.,
<span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
of up to 256 characters can now be used.
</p>
</li>
<li class="listitem">
<p>
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
</p>
</li>
<li class="listitem">
<p>
Update forwarding performance has been improved by allowing
a single TCP connection to be shared between multiple updates.
</p>
</li>
<li class="listitem">
<p>
By default, <span class="command"><strong>nsupdate</strong></span> will now check
the correctness of hostnames when adding records of type
A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
disabled with <span class="command"><strong>check-names no</strong></span>.
</p>
</li>
<li class="listitem">
<p>
Added support for OPENPGPKEY type.
</p>
</li>
<li class="listitem">
<p>
The names of the files used to store managed keys and added
zones for each view are no longer based on the SHA256 hash
of the view name, except when this is necessary because the
view name contains characters that would be incompatible with use
as a file name. For views whose names do not contain forward
slashes ('/'), backslashes ('\'), or capital letters - which
could potentially cause namespace collision problems on
case-insensitive filesystems - files will now be named
after the view (for example, <code class="filename">internal.mkeys</code>
or <code class="filename">external.nzf</code>). However, to ensure
consistent behavior when upgrading, if a file using the old
name format is found to exist, it will continue to be used.
</p>
</li>
<li class="listitem">
<p>
"rndc" can now return text output of arbitrary size to
the caller. (Prior to this, certain commands such as
"rndc tsig-list" and "rndc zonestatus" could return
truncated output.)
</p>
</li>
<li class="listitem">
<p>
Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
</p>
</li>
<li class="listitem">
<p>
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.
</p>
</li>
<li class="listitem">
<p>
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
allow fallback to plain DNS on timeout even when we know
the server supports EDNS. This will allow the server to
potentially resolve signed queries when TCP is being
blocked.
</p>
</li>
<li class="listitem">
<p>
Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
[RT #37927]
</p>
</li>
<li class="listitem">
<p>
The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dig</strong></span>.
</p>
<p>
The SIT-related named.conf options have been marked as
obsolete, and are otherwise ignored.
</p>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
[RT #39047]
</p>
</li>
<li class="listitem">
<p>
A alternative NXDOMAIN redirect method (nxdomain-redirect)
which allows the redirect information to be looked up from
a namespace on the Internet rather than requiring a zone
to be configured on the server is now available.
</p>
</li>
<li class="listitem">
<p>
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p>
</li>
<li class="listitem">
<p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
using the <code class="option">log</code> clause.
</p>
</li>
<li class="listitem">
<p>
The default preferred glue is now the address type of the
transport the query was received over.
</p>
</li>
<li class="listitem">
<p>
On machines with 2 or more processors (CPU), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The Microsoft Windows install tool
<span class="command"><strong>BINDInstall.exe</strong></span> which requires a
non-free version of Visual Studio to be built, now uses two
files (lists of flags and files) created by the Configure
perl script with all the needed information which were
previously compiled in the binary. Read
<code class="filename">win32utils/build.txt</code> for more details.
[RT #38915]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
<span class="command"><strong>nslookup</strong></span> aborted when encountering
a name which, after appending search list elements,
exceeded 255 bytes. Such names are now skipped, but
processing of other names will continue. [RT #36892]
</p>
</li>
<li class="listitem">
<p>
The error message generated when
<span class="command"><strong>named-checkzone</strong></span> or
<span class="command"><strong>named-checkconf -z</strong></span> encounters a
<code class="option">$TTL</code> directive without a value has
been clarified. [RT #37138]
</p>
</li>
<li class="listitem">
<p>
Semicolon characters (;) included in TXT records were
incorrectly escaped with a backslash when the record was
displayed as text. This is actually only necessary when there
are no quotation marks. [RT #37159]
</p>
</li>
<li class="listitem">
<p>
When files opened for writing by <span class="command"><strong>named</strong></span>,
such as zone journal files, were referenced more than once
in <code class="filename">named.conf</code>, it could lead to file
corruption as multiple threads wrote to the same file. This
is now detected when loading <code class="filename">named.conf</code>
and reported as an error. [RT #37172]
</p>
</li>
<li class="listitem">
<p>
When checking for updates to trust anchors listed in
<code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
now revalidates keys based on the current set of
active trust anchors, without relying on any cached
record of previous validation. [RT #37506]
</p>
</li>
<li class="listitem">
<p>
Large-system tuning
(<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
problems on some platforms by setting a socket receive
buffer size that was too large. This is now detected and
corrected at run time. [RT #37187]
</p>
</li>
<li class="listitem">
<p>
When NXDOMAIN redirection is in use, queries for a name
that is present in the redirection zone but a type that
is not present will now return NOERROR instead of NXDOMAIN.
</p>
</li>
<li class="listitem">
<p>
Due to an inadvertent removal of code in the previous
release, when <span class="command"><strong>named</strong></span> encountered an
authoritative name server which dropped all EDNS queries,
it did not always try plain DNS. This has been corrected.
[RT #37965]
</p>
</li>
<li class="listitem">
<p>
A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
</p>
</li>
<li class="listitem">
<p>
Adjusted max-recursion-queries to accommodate the smaller
initial packet sizes used in BIND 9.10 and higher when
contacting authoritative servers for the first time.
</p>
</li>
<li class="listitem">
<p>
Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
</p>
</li>
<li class="listitem">
<p>
Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
processes to grow to very large sizes. [RT #38454]
</p>
</li>
<li class="listitem">
<p>
Fixed some bugs in RFC 5011 trust anchor management,
including a memory leak and a possible loss of state
information. [RT #38458]
</p>
</li>
<li class="listitem">
<p>
Asynchronous zone loads were not handled correctly when the
zone load was already in progress; this could trigger a crash
in zt.c. [RT #37573]
</p>
</li>
<li class="listitem">
<p>
A race during shutdown or reconfiguration could
cause an assertion failure in mem.c. [RT #38979]
</p>
</li>
<li class="listitem">
<p>
Some answer formatting options didn't work correctly with
<span class="command"><strong>dig +short</strong></span>. [RT #39291]
</p>
</li>
<li class="listitem">
<p>
Several bugs have been fixed in the RPZ implementation:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
Policy zones that did not specifically require recursion
could be treated as if they did; consequently, setting
<span class="command"><strong>qname-wait-recurse no;</strong></span> was
sometimes ineffective. This has been corrected.
In most configurations, behavioral changes due to this
fix will not be noticeable. [RT #39229]
</p>
</li>
<li class="listitem">
<p>
The server could crash if policy zones were updated (e.g.
via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
transfer) while RPZ processing was still ongoing for an
active query. [RT #39415]
</p>
</li>
<li class="listitem">
<p>
On servers with one or more policy zones configured as
slaves, if a policy zone updated during regular operation
(rather than at startup) using a full zone reload, such as
via AXFR, a bug could allow the RPZ summary data to fall out
of sync, potentially leading to an assertion failure in
rpz.c when further incremental updates were made to the
zone, such as via IXFR. [RT #39567]
</p>
</li>
<li class="listitem">
<p>
The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an
unexpected action could be taken. This has been
corrected. [RT #39481]
</p>
</li>
<li class="listitem">
<p>
The server could crash if a reload of an RPZ zone was
initiated while another reload of the same zone was
already in progress. [RT #39649]
</p>
</li>
</ul></div>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<a class="ulink" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="ulink" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
</div>
</div>
</div></body>
</html>
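Review bot: In the Thank You section at the end of this file, the donations link is written as http://www.isc.org/donate/ in both the href and the link text, while the End of Life link just above it uses https://www.isc.org/. Suggest switching the donations URL to https so the two are consistent and the link does not begin with a cleartext request. Two wording points in the Feature Changes list: the nxdomain-redirect item begins "A alternative NXDOMAIN redirect method" (should be "An alternative"), and the EDNS fallback item ("If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS") reads like a commit log line rather than a description of the new behavior as its neighbours do; something like "named now falls back to plain DNS on timeout ..." would match the rest of the list. If this HTML is generated output, these are best fixed in the source it is built from so that a rebuild does not bring them back.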

Some files were not shown because too many files have changed in this diff