Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. If such an offset is followed - by one of the characters 'y', 'm', 'w', 'd', or 'h', then the - offset is computed in years, months, weeks, days, or hours, - respectively; otherwise it is computed in seconds. + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds.
date/offset
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -320,7 +322,7 @@
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -329,7 +331,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. If such an offset is followed - by one of the characters 'y', 'm', 'w', 'd', or 'h', then the - offset is computed in years, months, weeks, days, or hours, - respectively; otherwise it is computed in seconds. + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds. To unset a date, use 'none'.
date/offset+ dnssec-settime can also be used to print the + timing metadata associated with a key. +
++ Print times in UNIX epoch format. +
C/P/A/R/U/D/all
+ Print a specific metadata value or set of metadata values.
+ The -p option may be followed by one or more
+ of the following letters to indicate which value or values to print:
+ C for the creation date,
+ P for the publication date,
+ A for the activation date,
+ R for the revokation date,
+ U for the unpublication date, or
+ D for the deletion date.
+ To print all of the metadata, use -p all.
+
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -136,7 +164,7 @@
Specifies the DNS class of the zone.
+ Compatibility mode: Generate a
+ keyset-
+ file in addition to
+ zonenamedsset-
+ when signing a zone, for use by older versions of
+ dnssec-signzone.
+ zonename
directory
Look for dsset- or
@@ -99,6 +108,8 @@
the start time. A time relative to the current time is
indicated with now+N. If no end-time is
specified, 30 days from the start time is used as a default.
+ end-time must be later than
+ start-time.
output-file@@ -279,8 +290,15 @@
ttl
- Specifies the TTL of new DNSKEY records imported to the zone
- from the key repository. Only useful with the -S option.
+ Specifies the TTL to be used for new DNSKEY records imported
+ into the zone from the key repository. If not specified,
+ the default is the minimum TTL value from the zone's SOA
+ record. This option is ignored when signing without
+ -S, since DNSKEY records are not imported
+ from the key repository in that case. It is also ignored if
+ there are any pre-existing DNSKEY records at the zone apex,
+ in which case new records' TTL values will be set to match
+ them.
@@ -326,7 +344,7 @@
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 2e264d02d3..c58535f3c2 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -68,10 +68,10 @@named.conf.
@@ -896,7 +897,13 @@ allow-update { key host1-host2. ;}; to validated the DNSKEY RRset that they are from.
- trusted-keys are described in more detail + managed-keys are trusted keys which are + automatically kept up to date via RFC 5011 trust anchor + maintenance. +
++ trusted-keys and + managed-keys are described in more detail later in this document.
@@ -911,53 +918,54 @@ allow-update { key host1-host2. ;}; more public keys for the root. This allows answers from outside the organization to be validated. It will also have several keys for parts of the namespace the organization - controls. These are here to ensure that named is immune - to compromises in the DNSSEC components of the security + controls. These are here to ensure that named + is immune to compromises in the DNSSEC components of the security of parent zones.
-trusted-keys {
-
+managed-keys {
/* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
- JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
- aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
- 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
- hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
- 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
- g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
- 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
- 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
- dgxbcDTClU0CRBdiieyLMNzXG3";
+ "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+ JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+ aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+ 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+ hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+ 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+ g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+ 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+ 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+ dgxbcDTClU0CRBdiieyLMNzXG3";
+};
-/* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
- 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
- GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
- 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
- kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
- g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
- TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
- FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
- F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
- /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
- 1OTQ09A0=";
+trusted-keys {
+ /* Key for our organization's forward zone */
+ example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+ 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
+ GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
+ 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
+ kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
+ g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
+ TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
+ FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
+ F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
+ /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
+ 1OTQ09A0=";
-/* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
- xOdNax071L18QqZnQQQAVVr+i
- LhGTnNGp3HoWQLUIzKrJVZ3zg
- gy3WwNT6kZo6c0tszYqbtvchm
- gQC8CzKojM/W16i6MG/eafGU3
- siaOdS0yOI6BgPsw+YZdzlYMa
- IJGf4M4dyoKIhzdZyQ2bYQrjy
- Q4LB0lC7aOnsMyYKHHYeRvPxj
- IQXmdqgOJGq+vsevG06zW+1xg
- YJh9rCIfnm1GX/KMgxLPG2vXT
- D/RnLX+D3T3UL7HJYHJhAZD5L
- 59VvjSPsZJHeDCUyWYrvPZesZ
- DIRvhDD52SKvbheeTJUm6Ehkz
- ytNN2SN96QRk8j/iI8ib";
+ /* Key for our reverse zone. */
+ 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+ xOdNax071L18QqZnQQQAVVr+i
+ LhGTnNGp3HoWQLUIzKrJVZ3zg
+ gy3WwNT6kZo6c0tszYqbtvchm
+ gQC8CzKojM/W16i6MG/eafGU3
+ siaOdS0yOI6BgPsw+YZdzlYMa
+ IJGf4M4dyoKIhzdZyQ2bYQrjy
+ Q4LB0lC7aOnsMyYKHHYeRvPxj
+ IQXmdqgOJGq+vsevG06zW+1xg
+ YJh9rCIfnm1GX/KMgxLPG2vXT
+ D/RnLX+D3T3UL7HJYHJhAZD5L
+ 59VvjSPsZJHeDCUyWYrvPZesZ
+ DIRvhDD52SKvbheeTJUm6Ehkz
+ ytNN2SN96QRk8j/iI8ib";
};
options {
@@ -1009,7 +1017,7 @@ options {
BIND 9 fully supports all currently
defined forms of IPv6 name to address and address to name
@@ -1047,7 +1055,7 @@ options {
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -1066,7 +1074,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 56bc69d63e..c5ceb50dbf 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -45,13 +45,13 @@
Table of Contents
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 1f107e91f5..68543607dd 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -48,55 +48,58 @@
address_match_list= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element= [ ! ] (ip_address [/length] | @@ -483,7 +486,7 @@Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -567,7 +570,7 @@
The BIND 9 comment syntax allows for comments to appear @@ -577,7 +580,7 @@
/* This is a BIND comment as in C */@@ -593,7 +596,7 @@Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -805,6 +808,17 @@
+ ++ +managed-keys
++ ++ lists DNSSEC keys to be kept up to date + using RFC 5011 trust anchor maintenance. +
+@@ -834,7 +848,7 @@ view
acl acl-name { address_match_list }; @@ -916,7 +930,7 @@controls { [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} @@ -1040,12 +1054,12 @@includefilename;The include statement inserts the @@ -1060,7 +1074,7 @@
keykey_id{ algorithmstring; secretstring; @@ -1069,7 +1083,7 @@The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1116,7 +1130,7 @@
logging { [ channelchannel_name{ ( filepath_name@@ -1140,7 +1154,7 @@The logging statement configures a @@ -1174,7 +1188,7 @@
All log output goes to one or more channels; you can make as many of them as you want. @@ -1738,7 +1752,7 @@ category notify { null; };
The query-errors category is specifically intended for debugging purposes: To identify @@ -1966,7 +1980,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the lwres statement in the
named.conffile: @@ -1982,7 +1996,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]The lwres statement configures the name @@ -2033,7 +2047,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
mastersname[portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; @@ -2041,7 +2055,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]masters lists allow for a common set of masters to be easily used by @@ -2050,7 +2064,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options statement in the
@@ -3347,7 +3362,7 @@ options {named.conffile: @@ -2616,7 +2630,8 @@ options { they are secure. Ifno, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be under a - trusted-key or + trusted-keys or + managed-keys statement, or dnssec-lookaside must be active.The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3391,7 +3406,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -3588,7 +3603,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4040,7 +4055,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports, avoid-v4-udp-ports, @@ -4082,7 +4097,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4244,7 +4259,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -5040,7 +5055,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5370,7 +5385,7 @@ deny-answer-aliases { "example.net"; };
The statistics-channels statement @@ -5421,7 +5436,7 @@ deny-answer-aliases { "example.net"; };
trusted-keys {stringnumbernumbernumberstring; [stringnumbernumbernumberstring; [...]] @@ -5430,7 +5445,7 @@ deny-answer-aliases { "example.net"; };+The trusted-keys statement defines @@ -5467,11 +5482,111 @@ deny-answer-aliases { "example.net"; }; level are inherited by all views, but keys defined in a view are only used within that view.
++ ++managed-keys { ++stringinitial-keynumbernumbernumberstring; + [stringinitial-keynumbernumbernumberstring; [...]] +}; ++- In addition to keys specified in - trusted-keys statements, if the - dnssec-lookaside option is set to "auto", - named will also load a built-in trusted key for dlv.isc.org. + The managed-keys statement, like + trusted-keys, defines DNSSEC + security roots. The difference is that + managed-keys can be kept up to date + automatically, without intervention from the resolver + operator. +
++ Suppose, for example, that a zone's key-signing + key was compromised, and the zone owner had to revoke and + replace the key. A resolver which had the old key in a + trusted-keys statement would be + unable to validate this zone any longer; it would + reply with a SERVFAIL response code. This would + continue until the resolver operator had updated the + trusted-keys statement with the new key. +
++ If, however, the zone were listed in a + managed-keys statement instead, then the + zone owner could add a "stand-by" key to the zone in advance. + named would store the stand-by key, and + when the original key was revoked, named + would be able to transition smoothly to the new key. It would + also recognize that the old key had been revoked, and cease + using that key to validate answers, minimizing the damage that + the compromised key could do. +
++ A managed-keys statement contains a list of + the keys to be managed, along with information about how the + keys are to be initialized for the first time. The only + initialization method currently supported (as of + BIND 9.7.0) is
+initial-key. + This means the managed-keys statement must + contain a copy of the initializing key. (Future releases may + allow keys to be initialized by other methods, eliminating this + requirement.) ++ Consequently, a managed-keys statement + appears similar to a trusted-keys, differing + in the presence of the second field, containing the keyword +
+initial-key. The difference is, whereas the + keys listed in a trusted-keys continue to be + trusted until they are removed from +named.conf, an initializing key listed + in a managed-keys statement is only trusted + once: for as long as it takes to load the + managed key database and start the RFC 5011 key maintenance + process. ++ The first time named runs with a managed key + configured in
+named.conf, it fetches the + DNSKEY RRset directly from the zone apex, and validates it + using the key specified in the managed-keys + statement. If the DNSKEY RRset is validly signed, then it is + used as the basis for a new managed keys database. ++ From that point on, whenever named runs, it + sees the managed-keys statement, checks to + make sure RFC 5011 key maintenance has already been initialized + for the specified domain, and if so, it simply moves on. The + key specified in the managed-keys is not + used to validate answers; it has been superseded by the key or + keys stored in the managed keys database. +
++ The next time named runs after a name + has been removed from the + managed-keys statement, the corresponding + zone will be removed from the managed keys database, + and RFC 5011 key maintenance will no longer be used for that + domain. +
++ named only maintains a single managed keys + database; consequently, unlike trusted-keys, + managed-keys may only be set at the top + level of
+named.conf, not within a view. ++ If the dnssec-lookaside option is set to + "auto", named will automatically initialize + a managed key for the zone
dlv.isc.org. The + key that is used to initialize the key maintenance process is + built into named, and can be overridden + from bindkeys-file.@@ -5489,7 +5604,7 @@ deny-answer-aliases { "example.net"; };The view statement is a powerful feature @@ -5766,10 +5881,10 @@ zone
zone_name[
@@ -5980,7 +6095,7 @@ zone zone_name[The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), @@ -6002,7 +6117,7 @@ zonezone_name[@@ -6645,7 +6760,7 @@ zonezone_name[A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7382,7 +7497,7 @@ zone
zone_name[RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7585,7 +7700,7 @@ zone
zone_name[As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -7841,7 +7956,7 @@ zone
zone_name[Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -7902,7 +8017,7 @@ zone
zone_name[The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -7917,7 +8032,7 @@ zone
zone_name[When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -7928,7 +8043,7 @@ zone
zone_name[Syntax: $ORIGIN
domain-name@@ -7957,7 +8072,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename@@ -7993,7 +8108,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl@@ -8012,7 +8127,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range@@ -8436,7 +8551,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -8993,7 +9108,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9147,7 +9262,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -9530,7 +9645,7 @@ HOST-127.EXAMPLE. MX 0 . Socket I/O statistics counters are defined per socket types, which are @@ -9685,7 +9800,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index c6fc069927..531c63c15e 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -46,10 +46,10 @@Table of Contents
@@ -122,7 +122,7 @@ zone "example.com" {On UNIX servers, it is possible to run BIND @@ -148,7 +148,7 @@ zone "example.com" {
In order for a chroot environment to @@ -176,7 +176,7 @@ zone "example.com" {
Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index f4e98172e6..d15cd3dbdf 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,18 +45,18 @@Table of Contents
The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@
The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 808129c540..81d1791e0e 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -45,21 +45,21 @@Table of Contents
@@ -268,42 +268,42 @@Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-@@ -312,19 +312,19 @@[RFC3645] Generic Security Service Algorithm for Secret +
[RFC3645] Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-@@ -332,146 +332,146 @@[RFC4035] Protocol Modifications for the DNS +
[RFC4035] Protocol Modifications for the DNS Security Extensions. March 2005.
Other Important RFCs About DNS Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely +
[RFC1535] A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.
-[RFC1536] Common DNS Implementation +
[RFC1536] Common DNS Implementation Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS +
[RFC4074] Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using +
[RFC2168] Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the +
[RFC1876] A Means for Expressing Location Information in the Domain Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the +
[RFC2052] A DNS RR for Specifying the Location of Services.. October 1996.
-[RFC2163] Using the Internet DNS to +
[RFC2163] Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names +
[RFC1101] DNS Encoding of Network Names and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and +
[RFC1123] Requirements for Internet Hosts - Application and Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide.. November 1987.
-[RFC1912] Common DNS Operational and +
[RFC1912] Common DNS Operational and Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names, +
[RFC2825] A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.
-@@ -487,47 +487,47 @@[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
-[RFC1464] Using the Domain Name System To Store Arbitrary String +
[RFC1464] Using the Domain Name System To Store Arbitrary String Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via +
[RFC3258] Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
@@ -541,39 +541,39 @@Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical +
[RFC1712] DNS Encoding of Geographical Location. November 1994.
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC) +
[RFC3008] Domain Name System Security (DNSSEC) Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record +
[RFC3757] Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.
-@@ -594,14 +594,14 @@[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
-diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 879373bf6f..65c51472dc 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -111,15 +111,15 @@DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
Signing the Zone Configuring Servers -IPv6 Support in BIND 9 +IPv6 Support in BIND 9 5. The BIND 9 Lightweight Resolver 6. BIND 9 Configuration Reference @@ -127,55 +127,58 @@Configuration File Elements Configuration File Grammar - -
- acl Statement Grammar
+- acl Statement Grammar
- acl Statement Definition and Usage
-- controls Statement Grammar
+- controls Statement Grammar
- controls Statement Definition and Usage
-- include Statement Grammar
-- include Statement Definition and +
- include Statement Grammar
+- include Statement Definition and Usage
-- key Statement Grammar
-- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and +
- key Statement Grammar
+- key Statement Definition and Usage
+- logging Statement Grammar
+- logging Statement Definition and Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and +
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and Usage
- server Statement Grammar
- server Statement Definition and Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and +
- statistics-channels Statement Definition and Usage
-- trusted-keys Statement Grammar
-- trusted-keys Statement Definition +
- trusted-keys Statement Grammar
+- trusted-keys Statement Definition + and Usage
+- managed-keys Statement Grammar
+- managed-keys Statement Definition and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
Zone File +Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics @@ -184,31 +187,31 @@7. BIND 9 Security Considerations 8. Troubleshooting A. Appendices I. Manual pages diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 1cd8ffaf4b..c333ded46f 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@
ddns-confgen[-a] [algorithm-h] [-k] [keyname-r] [randomfile-s name | -z zone] [-q] [name]-diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 8b549917ec..807c025f70 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@DESCRIPTION
+DESCRIPTION
ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -75,7 +75,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@
-OPTIONS
+OPTIONS
The
-boption sets the source IP address of the query toaddress. This must be a valid @@ -248,7 +248,7 @@-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 524129c8f2..b56ca82516 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@
dnssec-dsfromkey{-s} [-1] [-2] [-a] [alg-K] [directory-l] [domain-s] [-c] [class-f] [file-A] [-v] {dnsname}level-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -148,13 +148,13 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 6a189afb7e..0fe11c6e9f 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -164,7 +164,7 @@
dnssec-keyfromlabel{-aalgorithm} {-llabel} [-c] [class-f] [flag-k] [-K] [directory-n] [nametype-p] [protocol-t] [type-v] {name}level-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -176,7 +176,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 237be08bce..76c1fb62e0 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -186,7 +186,7 @@
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-3] [-A] [date/offset-C] [-c] [class-D] [date/offset-e] [-f] [flag-g] [generator-h] [-K] [directory-k] [-P] [date/offset-p] [protocol-R] [date/offset-r] [randomdev-s] [strength-t] [type-U] [date/offset-v] [level-z] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. If such an offset is followed - by one of the characters 'y', 'm', 'w', 'd', or 'h', then the - offset is computed in years, months, weeks, days, or hours, - respectively; otherwise it is computed in seconds. + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds.
- -P
@@ -271,7 +273,7 @@date/offset-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -338,7 +340,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 7eb5a742d7..9396e59333 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -347,7 +349,7 @@
dnssec-revoke[-hr] [-v] [level-K] [directory-f] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index a09b49062f..6146b93b37 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime[-fr] [-K] [directory-P] [date/offset-A] [date/offset-R] [date/offset-U] [date/offset-D] [date/offset-h] [-v] {keyfile}level-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P,-A, @@ -75,7 +75,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. If such an offset is followed - by one of the characters 'y', 'm', 'w', 'd', or 'h', then the - offset is computed in years, months, weeks, days, or hours, - respectively; otherwise it is computed in seconds. + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds. To unset a date, use 'none'.
- -P
@@ -146,7 +148,33 @@date/offset-+SEE ALSO
+PRINTING OPTIONS
++ dnssec-settime can also be used to print the + timing metadata associated with a key. +
+++
- -u
+- +
+ Print times in UNIX epoch format. +
- -p
+C/P/A/R/U/D/all- +
+ Print a specific metadata value or set of metadata values. + The
-poption may be followed by one or more + of the following letters to indicate which value or values to print: +Cfor the creation date, +Pfor the publication date, +Afor the activation date, +Rfor the revokation date, +Ufor the unpublication date, or +Dfor the deletion date. + To print all of the metadata, use-p all. ++diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 924217af5e..b4706285a6 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -154,7 +182,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-e] [end-time-f] [output-file-g] [-h] [-K] [directory-k] [key-l] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-p] [-P] [-r] [randomdev-S] [-s] [start-time-T] [ttl-t] [-v] [level-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-OPTIONS
+OPTIONS
- -a
@@ -71,6 +71,15 @@
- +
Specifies the DNS class of the zone.
- -C
++ Compatibility mode: Generate a +
keyset-+ file in addition to +zonenamedsset-+ when signing a zone, for use by older versions of + dnssec-signzone. +zonename- -d
directoryLook for
dsset-or @@ -117,6 +126,8 @@ the start time. A time relative to the current time is indicated with now+N. If noend-timeis specified, 30 days from the start time is used as a default. +end-timemust be later than +start-time.- -f
output-file@@ -297,8 +308,15 @@
- -T
ttl- Specifies the TTL of new DNSKEY records imported to the zone - from the key repository. Only useful with the -S option. + Specifies the TTL to be used for new DNSKEY records imported + into the zone from the key repository. If not specified, + the default is the minimum TTL value from the zone's SOA + record. This option is ignored when signing without +
-S, since DNSKEY records are not imported + from the key repository in that case. It is also ignored if + there are any pre-existing DNSKEY records at the zone apex, + in which case new records' TTL values will be set to match + them.- -t
@@ -344,7 +362,7 @@
-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 740854b70c..f8343f2cc4 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -373,14 +391,14 @@ db.example.com.signed %
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 2a0dd01bfc..a0de1afb8c 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-p] [-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file.
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 5723f84ca6..38346d3b68 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-i] [mode-k] [mode-m] [mode-n] [mode-o] [filename-s] [style-t] [directory-w] [directory-D] [-W] {zonename} {filename}mode-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 5bb9f74ae3..829da5d0bc 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named[-4] [-6] [-c] [config-file-d] [debug-level-f] [-g] [-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@
-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 513ab20e62..1a901314b4 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -276,7 +276,7 @@
nsupdate[-d] [-D] [[-g] | [-o] | [-l] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -205,7 +205,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 764ba4c6a8..c5fa62420a 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@
rndc-confgen[-a] [-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 07e8897878..4958631a85 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 8ea6dc4dfb..db62de4fef 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -219,7 +219,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-V] [-y] {command}key_id-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@
-OPTIONS
+OPTIONS
- -b
source-address@@ -151,7 +151,7 @@
-diff --git a/doc/misc/options b/doc/misc/options index f092ff4940..999b41af54 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -44,7 +44,8 @@ lwres { viewLIMITATIONS
+LIMITATIONS
rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@
; }; -managed-keys { ; ... }; +managed-keys { + ; ... }; masters [ port ] { ( | [ port ] | [ port ] ) [ key ]; ... }; @@ -316,7 +317,7 @@ view { key-directory ; lame-ttl ; maintain-ixfr-base ; // obsolete - managed-keys { + managed-keys { ; ... }; masterfile-format ( text | raw ); match-clients { ; ... }; @@ -421,7 +422,6 @@ view { check-srv-cname ( fail | warn | ignore ); check-wildcard ; database ; - ddns-autoconf ; delegation-only ; dialup ; file ; @@ -503,7 +503,6 @@ zone { check-srv-cname ( fail | warn | ignore ); check-wildcard ; database ; - ddns-autoconf ; delegation-only ; dialup ; file ;