From 57584184fef9aef3e1719213cc54e9e36dec2fa7 Mon Sep 17 00:00:00 2001 From: Jim Reid Date: Wed, 28 Jun 2000 03:20:49 +0000 Subject: [PATCH] incorporated Brian's corrections and improvements --- bin/dnssec/dnssec-keygen.8 | 36 +++++++++++++++++++++--------- bin/dnssec/dnssec-makekeyset.8 | 7 +++--- bin/dnssec/dnssec-signkey.8 | 4 ++-- bin/dnssec/dnssec-signzone.8 | 14 +++++------- doc/man/dnssec/dnssec-keygen.8 | 36 +++++++++++++++++++++--------- doc/man/dnssec/dnssec-makekeyset.8 | 7 +++--- doc/man/dnssec/dnssec-signkey.8 | 4 ++-- doc/man/dnssec/dnssec-signzone.8 | 14 +++++------- 8 files changed, 72 insertions(+), 50 deletions(-) diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index c5a0ed2f4e..e88557cbcd 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-keygen.8,v 1.2 2000/06/28 03:20:46 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-KEYGEN 8 @@ -39,7 +39,7 @@ .Ar name .Sh DESCRIPTION .Nm dnssec-keygen -generates keys for DNSSEC, Secure DNS, as defined in RFC2065. +generates keys for DNSSEC, Secure DNS, as defined in RFC2535. It also generates keys for use in Transaction Signatures, TSIG, which is defined in RFC2845. A short summary of the options and arguments to 
@@ -62,14 +62,18 @@ option to .Nm dnssec-keygen . .Ar algorithm must be one of -.Dv RSA , -.Dv RSAMD5 , +.Dv RSAMD5 .Dv DH , .Dv DSA or .Dv HMAC-MD5 -to indicate that an RSA, RSAMD5, Diffie-Hellman, Digital Signature +to indicate that an RSA, Diffie-Hellman, Digital Signature Algorithm or HMAC-MD5 key is required. +An argument of +.Dv RSA +can also be given. +It is equivalent to +.Dv RSAMD5 . The argument identifying the encryption algorithm is case-insensitive. DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one. Implementations of TSIG must support HMAC-MD5. @@ -92,12 +96,17 @@ option specifies how the generated key will be used. .Ar nametype can be either .Dv ZONE , -.Dv HOST , -.Dv ENTITY +.Dv HOST , +.Dv ENTITY , or .Dv USER to indicate that the key will be used for signing a zone, host, entity or user respectively. +In this context +.Dv HOST +and +.Dv ENTITY +are identical. .Ar nametype is case-insensitive. .Pp @@ -112,16 +121,19 @@ When creating Diffie-Hellman keys, the option selects the Diffie-Hellman generator .Ar generator that is to be used. -The value of +The only supported values value of .Ar generator -must be either 2 or 5. +are 2 and 5. +If no Diffie-Hellman generator is supplied a known prime +from RFC2539 will be used if possible; otherwise 2 will be used as the +generator. .Pp .Ar protocol-value sets the protocol value for the generated key. The default is 2 (email) for keys of type .Dv USER and 3 (DNSSEC) for all other key types. -Other possible values for this argument are listed in RFC2065 and its +Other possible values for this argument are listed in RFC2535 and its successors. .Pp .Nm dnssec-keygen @@ -146,6 +158,7 @@ given by .Ar strength-value . It should be a number between 0 and 15. The default strength is zero. +The key strength field currently has no defined purpose in DNSSEC. .Pp The .Ar t 
@@ -266,8 +279,9 @@ DSA key. .Sh FILES .Pa /dev/random .Sh SEE ALSO -.Xr RFC2065, +.Xr RFC2535, .Xr RFC2845, +.Xr RFC2539, .Xr dnssec-makekeyset 8 , .Xr dnssec-signkey 8 , .Xr dnssec-signzone 8 . diff --git a/bin/dnssec/dnssec-makekeyset.8 b/bin/dnssec/dnssec-makekeyset.8 index 17febcbc95..aef6e969e9 100644 --- a/bin/dnssec/dnssec-makekeyset.8 +++ b/bin/dnssec/dnssec-makekeyset.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-makekeyset.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-makekeyset.8,v 1.2 2000/06/28 03:20:47 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-MAKEKEYSET 8 @@ -163,7 +163,8 @@ zone for them to sign the contents with The following command generates a key set for the DSA key for .Dv example.com that was shown in the -.Xr dnssec-keygen 8 man page. +.Xr dnssec-keygen 8 +man page. The backslash is for typographic reasons and would not be provided on the command line when running .Nm dnssec-makekeyset . @@ -196,6 +197,6 @@ signatures securely. .Sh FILES .Pa /dev/random . .Sh SEE ALSO -.Xr RFC2065 , +.Xr RFC2535 , .Xr dnssec-keygen 8 , .Xr dnssec-signkey 8 . diff --git a/bin/dnssec/dnssec-signkey.8 b/bin/dnssec/dnssec-signkey.8 index 7eb7a5b56a..76b82076a0 100644 --- a/bin/dnssec/dnssec-signkey.8 +++ b/bin/dnssec/dnssec-signkey.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signkey.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-signkey.8,v 1.2 2000/06/28 03:20:48 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNKEY 8 @@ -151,7 +151,7 @@ zone's zone key. .Sh FILES .Pa /dev/random .Sh SEE ALSO -.Xr RFC2065, +.Xr RFC2535, .Xr dnssec-keygen 8 , .Xr dnssec-makekeyset 8 , .Xr dnssec-signzone 8 . diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 index 5a2221233c..ee6374eb6e 100644 
--- a/bin/dnssec/dnssec-signzone.8 +++ b/bin/dnssec/dnssec-signzone.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-signzone.8,v 1.2 2000/06/28 03:20:49 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNZONE 8 @@ -65,9 +65,7 @@ current working directory used by .Pp .Ar zonefile is the name of the unsigned zone file. -If the fully qualified domain name is not clear from the resource -records in the zone file because the owner-names are not fully -qualified and dot-terminated, the +Unless the file name is the same as the name of the zone, the .Ar o option should be given. .Ar origin @@ -188,7 +186,7 @@ option instructs to use pseudo-random data when signing the zone's resource records. This is faster but less secure than using genuinely random data for signing. This option may be useful when the zone has many resource records to be -signed and CPU resources are limited. +signed and the entropy source is limited. It could also be used for short-lived keys and signatures that don't require strengthening against cryptanalysis: for instance when the signatures will be discarded long before the signed data could be compromised. @@ -244,9 +242,7 @@ This zone file contains the keyset for .Dv example.com that was created by .Xr dnssec-makekeyset 8 . -The zone's -.Ar .keyset -file was either appended to the zone file or +The zone's keys were either appended to the zone file or incorporated using a .Dv $INCLUDE statement. @@ -276,7 +272,7 @@ so that it can be loaded by the name server. .Sh FILES .Pa /dev/random .Sh SEE ALSO -.Xr RFC2065, +.Xr RFC2535, .Xr dnssec-keygen 8 , .Xr dnssec-makekeyset 8 , .Xr dnssec-signkey 8 . diff --git a/doc/man/dnssec/dnssec-keygen.8 b/doc/man/dnssec/dnssec-keygen.8 index c5a0ed2f4e..e88557cbcd 100644 --- a/doc/man/dnssec/dnssec-keygen.8 +++ b/doc/man/dnssec/dnssec-keygen.8 
@@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-keygen.8,v 1.2 2000/06/28 03:20:46 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-KEYGEN 8 @@ -39,7 +39,7 @@ .Ar name .Sh DESCRIPTION .Nm dnssec-keygen -generates keys for DNSSEC, Secure DNS, as defined in RFC2065. +generates keys for DNSSEC, Secure DNS, as defined in RFC2535. It also generates keys for use in Transaction Signatures, TSIG, which is defined in RFC2845. A short summary of the options and arguments to @@ -62,14 +62,18 @@ option to .Nm dnssec-keygen . .Ar algorithm must be one of -.Dv RSA , -.Dv RSAMD5 , +.Dv RSAMD5 .Dv DH , .Dv DSA or .Dv HMAC-MD5 -to indicate that an RSA, RSAMD5, Diffie-Hellman, Digital Signature +to indicate that an RSA, Diffie-Hellman, Digital Signature Algorithm or HMAC-MD5 key is required. +An argument of +.Dv RSA +can also be given. +It is equivalent to +.Dv RSAMD5 . The argument identifying the encryption algorithm is case-insensitive. DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one. Implementations of TSIG must support HMAC-MD5. @@ -92,12 +96,17 @@ option specifies how the generated key will be used. .Ar nametype can be either .Dv ZONE , -.Dv HOST , -.Dv ENTITY +.Dv HOST , +.Dv ENTITY , or .Dv USER to indicate that the key will be used for signing a zone, host, entity or user respectively. +In this context +.Dv HOST +and +.Dv ENTITY +are identical. .Ar nametype is case-insensitive. .Pp 
@@ -112,16 +121,19 @@ When creating Diffie-Hellman keys, the option selects the Diffie-Hellman generator .Ar generator that is to be used. -The value of +The only supported values value of .Ar generator -must be either 2 or 5. +are 2 and 5. +If no Diffie-Hellman generator is supplied a known prime +from RFC2539 will be used if possible; otherwise 2 will be used as the +generator. .Pp .Ar protocol-value sets the protocol value for the generated key. The default is 2 (email) for keys of type .Dv USER and 3 (DNSSEC) for all other key types. -Other possible values for this argument are listed in RFC2065 and its +Other possible values for this argument are listed in RFC2535 and its successors. .Pp .Nm dnssec-keygen @@ -146,6 +158,7 @@ given by .Ar strength-value . It should be a number between 0 and 15. The default strength is zero. +The key strength field currently has no defined purpose in DNSSEC. .Pp The .Ar t @@ -266,8 +279,9 @@ DSA key. .Sh FILES .Pa /dev/random .Sh SEE ALSO -.Xr RFC2065, +.Xr RFC2535, .Xr RFC2845, +.Xr RFC2539, .Xr dnssec-makekeyset 8 , .Xr dnssec-signkey 8 , .Xr dnssec-signzone 8 . diff --git a/doc/man/dnssec/dnssec-makekeyset.8 b/doc/man/dnssec/dnssec-makekeyset.8 index 17febcbc95..aef6e969e9 100644 --- a/doc/man/dnssec/dnssec-makekeyset.8 +++ b/doc/man/dnssec/dnssec-makekeyset.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-makekeyset.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-makekeyset.8,v 1.2 2000/06/28 03:20:47 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-MAKEKEYSET 8 @@ -163,7 +163,8 @@ zone for them to sign the contents with The following command generates a key set for the DSA key for .Dv example.com that was shown in the -.Xr dnssec-keygen 8 man page. +.Xr dnssec-keygen 8 +man page. The backslash is for typographic reasons and would not be provided on the command line when running .Nm dnssec-makekeyset . 
@@ -196,6 +197,6 @@ signatures securely. .Sh FILES .Pa /dev/random . .Sh SEE ALSO -.Xr RFC2065 , +.Xr RFC2535 , .Xr dnssec-keygen 8 , .Xr dnssec-signkey 8 . diff --git a/doc/man/dnssec/dnssec-signkey.8 b/doc/man/dnssec/dnssec-signkey.8 index 7eb7a5b56a..76b82076a0 100644 --- a/doc/man/dnssec/dnssec-signkey.8 +++ b/doc/man/dnssec/dnssec-signkey.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signkey.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-signkey.8,v 1.2 2000/06/28 03:20:48 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNKEY 8 @@ -151,7 +151,7 @@ zone's zone key. .Sh FILES .Pa /dev/random .Sh SEE ALSO -.Xr RFC2065, +.Xr RFC2535, .Xr dnssec-keygen 8 , .Xr dnssec-makekeyset 8 , .Xr dnssec-signzone 8 . diff --git a/doc/man/dnssec/dnssec-signzone.8 b/doc/man/dnssec/dnssec-signzone.8 index 5a2221233c..ee6374eb6e 100644 --- a/doc/man/dnssec/dnssec-signzone.8 +++ b/doc/man/dnssec/dnssec-signzone.8 @@ -14,7 +14,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.1 2000/06/27 21:50:27 jim Exp $ +.\" $Id: dnssec-signzone.8,v 1.2 2000/06/28 03:20:49 jim Exp $ .\" .Dd Jun 30, 2000 .Dt DNSSEC-SIGNZONE 8 @@ -65,9 +65,7 @@ current working directory used by .Pp .Ar zonefile is the name of the unsigned zone file. -If the fully qualified domain name is not clear from the resource -records in the zone file because the owner-names are not fully -qualified and dot-terminated, the +Unless the file name is the same as the name of the zone, the .Ar o option should be given. .Ar origin 
@@ -188,7 +186,7 @@ option instructs to use pseudo-random data when signing the zone's resource records. This is faster but less secure than using genuinely random data for signing. This option may be useful when the zone has many resource records to be -signed and CPU resources are limited. +signed and the entropy source is limited. It could also be used for short-lived keys and signatures that don't require strengthening against cryptanalysis: for instance when the signatures will be discarded long before the signed data could be compromised. @@ -244,9 +242,7 @@ This zone file contains the keyset for .Dv example.com that was created by .Xr dnssec-makekeyset 8 . -The zone's -.Ar .keyset -file was either appended to the zone file or +The zone's keys were either appended to the zone file or incorporated using a .Dv $INCLUDE statement. @@ -276,7 +272,7 @@ so that it can be loaded by the name server. .Sh FILES .Pa /dev/random .Sh SEE ALSO -.Xr RFC2065, +.Xr RFC2535, .Xr dnssec-keygen 8 , .Xr dnssec-makekeyset 8 , .Xr dnssec-signkey 8 .
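Review bot: the trailing comma is lost in the algorithm list of the dnssec-keygen.8 hunk at `@@ -62,14 +62,18 @@`: `-.Dv RSAMD5 ,` is replaced by `+.Dv RSAMD5` with no comma, so the rendered text reads "RSAMD5 DH, DSA or HMAC-MD5". Change the added line to `.Dv RSAMD5 ,` to match the `.Dv DH ,` line that follows it.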
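Review bot: typo in the dnssec-keygen.8 hunk at `@@ -112,16 +121,19 @@`: `+The only supported values value of` should read "The only supported values of". In the same hunk, the added sentence "If no Diffie-Hellman generator is supplied a known prime from RFC2539 will be used if possible; otherwise 2 will be used as the generator." needs a comma after "supplied", and it would help the reader to say what "if possible" depends on (presumably the requested key size matching one of the RFC2539 well-known groups), since as written the user cannot tell which generator a given invocation will end up with.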
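Review bot: inconsistent mdoc punctuation in the dnssec-keygen.8 SEE ALSO hunk at `@@ -266,8 +279,9 @@`: `+.Xr RFC2535,` and the existing `.Xr RFC2845,` attach the comma to the name, whereas the dnssec-makekeyset.8 hunk at `@@ -196,6 +197,6 @@` writes `+.Xr RFC2535 ,` with the comma as a separate argument, which is what mdoc needs to render it as trailing punctuation. Use the `RFC2535 ,` form in all four pages, and consider placing `+.Xr RFC2539,` before RFC2845 so the list stays in numerical order.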
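Review bot: the replacement sentence in the dnssec-signzone.8 hunk at `@@ -65,9 +65,7 @@`, `+Unless the file name is the same as the name of the zone, the` ... `.Ar o` `option should be given.`, gives the rule without its reason. Stating explicitly that the zone file name is taken as the default origin would let the reader understand why the condition is the file name rather than, as the removed text had it, the form of the owner names in the file.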
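Review bot: the correction in the dnssec-signzone.8 hunk at `@@ -188,7 +186,7 @@` from "CPU resources are limited" to `+signed and the entropy source is limited.` is right, since reading /dev/random (listed under FILES in every page here) blocks on entropy rather than on CPU. The unchanged rationale that follows, "short-lived keys and signatures that don't require strengthening against cryptanalysis", undersells the risk for DSA keys, which dnssec-keygen.8 in this same patch calls the mandatory algorithm: the per-signature random value protects the signing key itself, so a weak source can expose the zone key, not merely one short-lived signature. Suggest adding a sentence to that effect after "less secure than using genuinely random data for signing."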
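Review bot: the four `doc/man/dnssec/*.8` hunks repeat the `bin/dnssec/*.8` hunks verbatim, down to identical blob ids (`index c5a0ed2f4e..e88557cbcd`, `index 17febcbc95..aef6e969e9`, `index 7eb7a5b56a..76b82076a0`, `index 5a2221233c..ee6374eb6e`). Keeping two hand-maintained copies of each man page invites the copies to drift on the next edit; consider keeping one source and generating or linking the other at build or install time.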