From 57c7c5452a3c857e5619036376db9ca868dc1724 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 7 Aug 2024 15:47:05 +1000 Subject: [PATCH] Document -M tag_min:tag_max A new argument has been added to dnssec-keygen and dnssec-keyfromlabel to restrict the tag value of key generated / imported to a particular range. This is intended to be used by multi-signers. Co-authored-by: Suzanne Goldlust (cherry picked from commit 0c347fb321a218d59763a6759fd3aaf6d0266cd2) --- bin/dnssec/dnssec-keyfromlabel.rst | 14 +++++++++++++- bin/dnssec/dnssec-keygen.rst | 15 ++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index 098feb9ecb..ea5164d28f 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst @@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} +:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} Description ~~~~~~~~~~~ 
@@ -133,6 +133,18 @@ Options place, in which case the existing TTL would take precedence. Setting the default TTL to ``0`` or ``none`` removes it. +.. option:: -M tag_min:tag_max + + This option sets the range of key tag values + that ``dnssec-keyfromlabel`` will accept. If the key tag of the new + key or the key tag of the revoked version of the new key is + outside this range, the new key will be rejected. This is + designed to be used when generating keys in a multi-signer + scenario, where each operator is given a range of key tags to + prevent collisions among different operators. The valid + values for ``tag_min`` and ``tag_max`` are [0..65535]. The + default allows all key tag values to be accepted. + .. option:: -p protocol This option sets the protocol value for the key. The protocol is a number between diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 2e12fe60cd..bd9ad6a9b9 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} +:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} Description ~~~~~~~~~~~ 
@@ -158,6 +158,19 @@ Options This option provides a configuration file that contains a ``dnssec-policy`` statement (matching the policy set with :option:`-k`). +.. option:: -M tag_min:tag_max + + This option sets the range of acceptable key tag values that ``dnssec-keygen`` + will produce. If the key tag of the new key or the key tag of + the revoked version of the new key is outside this range, + the new key will be rejected and another new key will be generated. + This is designed to be used when generating keys in a multi-signer + scenario, where each operator is given a range of key tags to + prevent collisions among different operators. The valid values + for ``tag_min`` and ``tag_max`` are [0..65535]. The default allows all + key tag values to be produced. This option is ignored when ``-k policy`` + is specified. + .. option:: -n nametype This option specifies the owner type of the key. The value of ``nametype`` must
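Review bot: in the new ``-M`` text for ``dnssec-keyfromlabel.rst``, "the new key will be rejected" leaves the operator without the next step that the keygen wording supplies: because the key is imported from an existing label, the tool cannot regenerate it, so say explicitly that the command fails (and whether it exits non-zero) and that the operator has to provision a different key under a label whose tag falls in the assigned range. The same paragraph should also say that ``tag_min`` and ``tag_max`` are inclusive bounds and what happens when ``tag_min`` is greater than ``tag_max`` or either value is outside ``[0..65535]``, since "The valid values ... are [0..65535]" describes the domain but not the error behaviour.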
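Review bot: the ``dnssec-keygen`` synopsis places ``[**-M** tag_min:tag_max]`` after ``[**-n** nametype]``, while the ``dnssec-keyfromlabel`` synopsis and the keygen Options section in this same patch put ``-M`` between ``-L``/``-l`` and ``-n``; move it before ``[**-n** nametype]`` so the two synopses and the option list agree on ordering.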
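Review bot: "the new key will be rejected and another new key will be generated" in the keygen ``-M`` paragraph does not say when the tool gives up. Because both the key's own tag and the tag of its revoked version must fall inside ``[tag_min, tag_max]``, and the REVOKE flag (bit 0x0080 of the flags word, which feeds the RFC 4034 key-tag sum) moves the tag by roughly 128, a range narrower than that can never be satisfied and the generate-and-retry loop would run indefinitely unless there is an attempt limit; document either the minimum usable width or the retry limit and the resulting error. Separately, "This option is ignored when ``-k policy`` is specified" describes a silent failure in exactly the multi-signer deployment the option exists for: an operator combining ``-k`` with ``-M`` would get a key outside their assigned range with no indication. Suggest treating the combination as an error, or at minimum stating that a warning is printed, and add "inclusive" to the description of the bounds.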