diff --git a/CHANGES b/CHANGES index e58cad4c49..e89d05adef 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,8 @@ to yes. Change and only set inline-signing to yes if the zone is not dynamic. [GL #1709] + --- 9.17.1 released --- + 5383. [func] Add a quota attach function with a callback and clean up the isc_quota API. [GL !3280] diff --git a/bin/dig/host.1 b/bin/dig/host.1 index ea0bc06a43..6775a14cd5 100644 --- a/bin/dig/host.1 +++ b/bin/dig/host.1 @@ -39,7 +39,7 @@ host \- DNS lookup utility .SH "SYNOPSIS" .HP \w'\fBhost\fR\ 'u -\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server] +\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server] .SH "DESCRIPTION" .PP \fBhost\fR @@ -138,6 +138,11 @@ directive in /etc/resolv\&.conf\&. .RE .PP +\-p \fIport\fR +.RS 4 +Specify the port on the server to query\&. The default is 53\&. +.RE +.PP \-r .RS 4 Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve diff --git a/bin/dig/host.html b/bin/dig/host.html index e0076735ef..1ebf702999 100644 --- a/bin/dig/host.html +++ b/bin/dig/host.html @@ -36,6 +36,7 @@ [-aACdlnrsTUwv] [-c class] [-N ndots] + [-p port] [-R number] [-t type] [-W wait] @@ -165,6 +166,12 @@ in /etc/resolv.conf.

+
-p port
+
+

+ Specify the port on the server to query. The default is 53. +

+
-r

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 297cd1ec8b..edb5d11c84 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -614,6 +614,6 @@ -

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index aedc15ccfc..32b932966a 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -10,7 +10,7 @@ Chapter 2. BIND Resource Requirements - +
@@ -43,16 +43,17 @@
Supported Operating Systems
-
+ +

Hardware requirements

-

+

DNS hardware requirements have traditionally been quite modest. For many installations, servers that have been pensioned off from active duty have performed admirably as DNS servers.

-

+

The DNSSEC features of BIND 9 may prove to be quite CPU intensive however, so organizations that make heavy use of these @@ -61,22 +62,22 @@ full utilization of multiprocessor systems for installations that need it.

-
-
+
+

CPU Requirements

-

+

CPU requirements for BIND 9 range from i386-class machines for serving of static zones without caching, to enterprise-class machines if you intend to process many dynamic updates and DNSSEC signed zones, serving many thousands of queries per second.

-
-
+
+

Memory Requirements

-

+

The memory of the server has to be large enough to fit the cache and zones loaded off disk. The max-cache-size option can be used to limit the amount of memory used by the cache, @@ -90,11 +91,14 @@ a relatively stable size where entries are expiring from the cache as fast as they are being inserted.

-
-
+ +
+ +

Name Server Intensive Environment Issues

-

+ +

For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and any second-level internal name servers query a main name server, which @@ -107,11 +111,13 @@ this has the disadvantage of making many more external queries, as none of the name servers share their cached data.

-
-
+
+ +

Supported Operating Systems

-

+ +

ISC BIND 9 compiles and runs on a large number of Unix-like operating systems and on @@ -121,8 +127,8 @@ directory of the BIND 9 source distribution.

-
-
+ + -

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 291a1c03cb..116ac7b6fa 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -10,7 +10,7 @@ Chapter 3. Name Server Configuration - +
@@ -54,18 +54,22 @@ -

+ +

In this chapter we provide some suggested configurations along with guidelines for their use. We suggest reasonable values for certain option settings.

-
+ +

Sample Configurations

-
+ +

A Caching-only Name Server

-

+ +

The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All queries @@ -74,6 +78,7 @@ suitable firewall rules.

+
 // Two corporate subnets we wish to allow queries from.
 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
@@ -91,15 +96,19 @@ zone "0.0.127.in-addr.arpa" {
      notify no;
 };
 
-
-
+ +
+ +

An Authoritative-only Name Server

-

+ +

This sample configuration is for an authoritative-only server that is the master server for "example.com" and a slave for the subdomain "eng.example.com".

+
 options {
      // Working directory
@@ -138,23 +147,31 @@ zone "eng.example.com" {
      masters { 192.168.4.12; };
 };
 
-
-
-
+ +
+
+ +

Load Balancing

-

+ + + +

A primitive form of load balancing can be achieved in the DNS by using multiple records (such as multiple A records) for one name.

-

+ +

For example, if you have three HTTP servers with network addresses of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the following means that clients will connect to each machine one third of the time:

-
+ +
+
@@ -268,47 +285,52 @@ zone "eng.example.com" { -
-

+ +

+

When a resolver queries for these records, BIND will rotate them and respond to the query with the records in a different order. In the example above, clients will randomly receive records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients will use the first record returned and discard the rest.

-

+

For more detail on ordering responses, check the rrset-order sub-statement in the options statement, see RRset Ordering.

-
-
+ +
+ +

Name Server Operations

-
+ +

Tools for Use With the Name Server Daemon

-

+

This section describes several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon.

-
+

Diagnostic Tools

-

+

The dig, host, and nslookup programs are all command line tools for manually querying name servers. They differ in style and output format.

-
+ +
dig
-

+

dig is the most versatile and complete of these lookup tools. It has two modes: simple interactive @@ -318,22 +340,31 @@ zone "eng.example.com" { accessible from the command line.

-

dig [@server] domain [query-type] [query-class] [+query-option] [-dig-option] [%comment]

-

+

+ dig + [@server] + domain + [query-type] + [query-class] + [+query-option] + [-dig-option] + [%comment] +

+

The usual simple use of dig will take the form

-

+

dig @server domain query-type query-class

-

+

For more information and a list of available commands and options, see the dig man page.

-
+
host
-

+

The host utility emphasizes simplicity and ease of use. By default, it converts @@ -341,16 +372,29 @@ zone "eng.example.com" { functionality can be extended with the use of options.

-

host [-aCdlnrsTwv] [-c class] [-N ndots] [-t type] [-W timeout] [-R retries] [-m flag] [-4] [-6] hostname [server]

-

+

+ host + [-aCdlnrsTwv] + [-c class] + [-N ndots] + [-t type] + [-W timeout] + [-R retries] + [-m flag] + [-4] + [-6] + hostname + [server] +

+

For more information and a list of available commands and options, see the host man page.

-
+
nslookup
-

nslookup +

nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various @@ -359,8 +403,15 @@ zone "eng.example.com" { the name and requested information for a host or domain.

-

nslookup [-option...] [[host-to-find] | [- [server]]]

-

+

+ nslookup + [-option...] + [ + [host-to-find] + | [- [server]] + ] +

+

Interactive mode is entered when no arguments are given (the default name server will be used) or when the first argument is a @@ -368,7 +419,7 @@ zone "eng.example.com" { Internet address of a name server.

-

+

Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. @@ -376,56 +427,76 @@ zone "eng.example.com" { optional second argument specifies the host name or address of a name server.

-

+

Due to its arcane user interface and frequently inconsistent behavior, we do not recommend the use of nslookup. Use dig instead.

-
+
-
-
+
+ +

Administrative Tools

-

+

Administrative tools play an integral part in the management of a server.

-
+
named-checkconf
-

+

The named-checkconf program checks the syntax of a named.conf file.

-

named-checkconf [-jvz] [-t directory] [filename]

-
+

+ named-checkconf + [-jvz] + [-t directory] + [filename] +

+
named-checkzone
-

+

The named-checkzone program checks a master file for syntax and consistency.

-

named-checkzone [-djqvD] [-c class] [-o output] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-W (ignore|warn)] zone [filename]

-
+

+ named-checkzone + [-djqvD] + [-c class] + [-o output] + [-t directory] + [-w directory] + [-k (ignore|warn|fail)] + [-n (ignore|warn|fail)] + [-W (ignore|warn)] + zone + [filename] +

+
named-compilezone
-

+

+

Similar to named-checkzone, but it always dumps the zone content to a specified file (typically in a different format). -

+

+
rndc
-

+

The remote name daemon control (rndc) program allows the system @@ -433,11 +504,21 @@ zone "eng.example.com" { If you run rndc without any options, it will display a usage message as follows:

-

rndc [-c config] [-s server] [-p port] [-y key] command [command...]

-

See rndc(8) for details of +

+ rndc + [-c config] + [-s server] + [-p port] + [-y key] + command + [command...] +

+ +

See rndc(8) for details of the available rndc commands.

-

+ +

rndc requires a configuration file, since all communication with the server is authenticated with @@ -461,7 +542,8 @@ zone "eng.example.com" { the section called “controls Statement Definition and Usage”.

-

+ +

The format of the configuration file is similar to that of named.conf, but limited to @@ -473,7 +555,8 @@ zone "eng.example.com" { be shared. The order of statements is not significant.

-

+ +

The options statement has three clauses: default-server, default-key, @@ -491,7 +574,8 @@ zone "eng.example.com" { port is given on the command line or in a server statement.

-

+ +

The key statement defines a key to be used by rndc when authenticating @@ -520,7 +604,8 @@ zone "eng.example.com" { have any meaning. The secret is a Base64 encoded string as specified in RFC 3548.

-

+ +

The server statement associates a key defined using the key @@ -536,9 +621,11 @@ zone "eng.example.com" { connect to on the server.

-

+ +

A sample minimal configuration file is as follows:

+
 key rndc_key {
      algorithm "hmac-sha256";
@@ -550,30 +637,36 @@ options {
      default-key    rndc_key;
 };
 
-

+ +

This file, if installed as /etc/rndc.conf, would allow the command:

-

+ +

$ rndc reload

-

+ +

to connect to 127.0.0.1 port 953 and cause the name server to reload, if a name server on the local machine were running with following controls statements:

+
 controls {
         inet 127.0.0.1
             allow { localhost; } keys { rndc_key; };
 };
 
-

+ +

and it had an identical key statement for rndc_key.

-

+ +

Running the rndc-confgen program will conveniently create a rndc.conf @@ -588,19 +681,23 @@ controls { modify named.conf at all.

-
+ +
-
-
-
+ +
+
+ +

Signals

-

+

Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can be sent using the kill command.

-
+
+
@@ -638,26 +735,29 @@ controls { -
-
-
-
+ +
+
+
+ +

Plugins

-

+ +

Plugins are a mechanism to extend the functionality of named using dynamically loadable libraries. By using plugins, core server functionality can be kept simple for the majority of users; more complex code implementing optional features need only be installed by users that need those features.

-

+

The plugin interface is a work in progress, and is expected to evolve as more plugins are added. Currently, only "query plugins" are supported; these modify the name server query logic. Other plugin types may be added in the future.

-

+

The only plugin currently included in BIND is filter-aaaa.so, which replaces the filter-aaaa feature that previously existed natively @@ -668,19 +768,20 @@ controls { filter-aaaa.so plugin provides identical functionality.

-
+ +

Configuring Plugins

-

+

A plugin is configured with the plugin statement in named.conf:

-
+    
     plugin query "library.so" {
         parameters
     };
     
-

+

In this example, file library.so is the plugin library. query indicates that this is a query plugin. @@ -691,16 +792,17 @@ controls { Multiple plugin statements can be specified, to load different plugins or multiple instances of the same plugin.

-

+

parameters are passed as an opaque string to the plugin's initialization routine. Configuration syntax will differ depending on the module.

-
-
+
+ +

Developing Plugins

-

+

Each plugin implements four functions:

    @@ -720,7 +822,7 @@ controls {

-

+

At various locations within the named source code, there are "hook points" at which a plugin may register itself. When a hook point is reached while named is @@ -732,9 +834,11 @@ controls { aborted. More details can be found in the file lib/ns/include/ns/hooks.h.

+
+
-
-
+ + -

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index a35ee56e17..51039db6c0 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -2928,6 +2928,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 4ddb87f226..1db7d40676 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -7798,18 +7798,36 @@ deny-answer-aliases { "example.net"; };

NSDNAME triggers match names of authoritative servers - for the query name, a parent of the query name, a CNAME for - query name, or a parent of a CNAME. - They are encoded as subdomains of - rpz-nsdname relativized - to the RPZ origin name. - NSIP triggers match IP addresses in A and - AAAA RRsets for domains that can be checked against NSDNAME - policy records. - The nsdname-enable phrase turns NSDNAME + for the query name, a parent of the query name, a CNAME + for query name, or a parent of a CNAME. They are + encoded as subdomains of rpz-nsdname + relativized to the RPZ origin name. NSIP triggers match + IP addresses in A and AAAA RRsets for domains that can + be checked against NSDNAME policy records. The + nsdname-enable phrase turns NSDNAME triggers off or on for a single policy zone or all zones.

+

+ If authoritative nameservers for the query name are not + yet known, named will recursively + look up the authoritative servers for the query name + before applying an RPZ-NSDNAME rule. + This can cause a processing delay. To speed up + processing at the cost of precision, the + nsdname-wait-recurse option + can be used: when set to no, + RPZ-NSDNAME rules will only be applied when authoritative + servers for the query name have already been looked up and + cached. If authoritative servers for the query name + are not in the cache, then the RPZ-NSDNAME rule will be + ignored, but the authoritative servers for the query name + will be looked up in the background, and the rule will be + applied to subsequent queries. The default is + yes, meaning RPZ-NSDNAME + rules should always be applied even if authoritative + servers for the query name need to be looked up first. +

RPZ-NSIP
@@ -9882,79 +9900,72 @@ view "external" { -+ - + - - - - - - - - - - - - - - - - - -
+

- master + primary

+

The server has a master copy of the data for the zone and will be able to provide authoritative - answers for it. Type primary is - a synonym for master. + answers for it. Type master is + a synonym for primary.

+

- slave + secondary

+

- A slave zone is a replica of a master - zone. Type secondary is a - synonym for slave. + A secondary zone is a replica of a master + zone. Type slave is a + synonym for secondary. The masters list specifies one or more IP addresses of master servers that the slave contacts to update - its copy of the zone. - Masters list elements can also be names of other - masters lists. - By default, transfers are made from port 53 on the - servers; this can - be changed for all servers by specifying a port number - before the - list of IP addresses, or on a per-server basis after - the IP address. + its copy of the zone. Masters list elements can + also be names of other masters lists. By default, + transfers are made from port 53 on the servers; + this can be changed for all servers by specifying + a port number before the list of IP addresses, + or on a per-server basis after the IP address. Authentication to the master can also be done with - per-server TSIG keys. - If a file is specified, then the + per-server TSIG keys. If a file is specified, then the replica will be written to this file whenever the zone - is changed, - and reloaded from this file on a server restart. Use - of a file is - recommended, since it often speeds server startup and - eliminates - a needless waste of bandwidth. Note that for large - numbers (in the - tens or hundreds of thousands) of zones per server, it - is best to - use a two-level naming scheme for zone filenames. For - example, - a slave server for the zone example.com might place + is changed, and reloaded from this file on a server + restart. Use of a file is recommended, since it + often speeds server startup and eliminates a + needless waste of bandwidth. Note that for large + numbers (in the tens or hundreds of thousands) of + zones per server, it is best to use a two-level + naming scheme for zone filenames. 
For example, + a slave server for the zone + example.com might place the zone contents into a file called - ex/example.com where ex/ is - just the first two letters of the zone name. (Most - operating systems + ex/example.com where + ex/ is just the first two + letters of the zone name. (Most operating systems behave very slowly if you put 100000 files into a single directory.)

+

stub

+

A stub zone is similar to a slave zone, except that it replicates only the NS records of a @@ -10007,93 +10018,30 @@ view "external" {

+

mirror

+

- Note: using - this zone type with any zone other than the root - zone should be considered - experimental and may cause - performance issues, especially for zones which - are large and/or frequently updated. -

-

- A mirror zone acts like a zone of type - secondary whose data is - subject to DNSSEC validation before being used - in answers. Validation is performed during the - zone transfer process (for both AXFR and IXFR), - and again when the zone file is loaded from disk - when named is restarted. If + A mirror zone is similar to a zone of type + secondary, except its data + is subject to DNSSEC validation before being used + in answers. Validation is applied to the entire + zone during the zone transfer process, and again + when the zone file is loaded from disk when + named is restarted. If validation of a new version of a mirror zone fails, a retransfer is scheduled and the most recent correctly validated version of that zone - is used until it expires; if a newer version of - that zone is later correctly validated, it - replaces the previously used version. If no - usable zone data is available for a mirror zone - (either because it was never loaded from disk - and has not yet been transferred from a primary - server or because its most recent correctly - validated version expired), traditional DNS - recursion will be used to look up the answers - instead. -

-

- While any zone may be configured with this type, - it is intended to be used to set up a fast local - copy of the root zone, similar to the one - described in RFC 7706. Note, however, that - mirror zones are not supposed to augment the - example configuration provided by RFC 7706 but - rather to replace it altogether. -

-

- A default list of primary servers for the IANA - root zone is built into named - and thus its mirroring can be enabled using the - following configuration: -

-
zone "." {
-        type mirror;
-};
-

- In order to set up mirroring of any other zone, - an explicit list of primary servers needs to be - provided using the masters - option (see the section called “masters Statement Grammar” - for details). -

-

- To make mirror zone contents persist between - named restarts, use the - file - option. -

-

- Mirror zone validation always happens for the - entire zone contents, i.e. no "incremental - validation" takes place, even for IXFRs. This - is required to ensure that each version of the - zone used by the resolver is fully - self-consistent with respect to DNSSEC. Other, - more efficient zone verification methods may be - added in the future. -

-

- For validation to succeed, a key-signing key - (KSK) for the zone must be configured as a trust - anchor in named.conf: that - is, a key for the zone must be specified in - trust-anchors. In the case - of the root zone, you may also rely on the - built-in root trust anchor, which is enabled - when dnssec-validation is set to the - default value auto. + is used until it either expires or a newer version + validates correctly. If no usable zone data is + available for a mirror zone at all, either due to + transfer failure or expiration, traditional DNS + recursion is used to look up the answers instead. + Mirror zones cannot be used in a view that does + not have recursion enabled.

Answers coming from a mirror zone look almost @@ -10104,27 +10052,50 @@ view "external" { bit ("authenticated data") is.

- Since mirror zones are intended to be used by - recursive resolvers, adding one to a view with - recursion disabled is considered to be a - configuration error. + Mirror zones are intended to be used to set up a + fast local copy of the root zone, similar to the + one described in RFC 7706. A default list of primary + servers for the IANA root zone is built into + named and thus its mirroring + can be enabled using the following configuration: +

+
zone "." {
+        type mirror;
+};
+

+ Other zones can be configured as mirror zones, + but this should be considered + experimental and may cause + performance issues, especially with zones that + are large and/or frequently updated. + Mirroring a zone other than root requires an + explicit list of primary servers to be provided + using the masters option + (see the section called “masters Statement Grammar” + for details), and a key-signing key (KSK) + for the specified zone to be explicitly + configured as a trust anchor. +

+

+ To make mirror zone contents persist between + named restarts, use the + file + option.

When configuring NOTIFY for a mirror zone, only notify no; and notify explicit; can be - used. Using any other notify - setting at the zone level is a configuration - error. Using any other + used at the zone level. Using any other notify setting at the options or view level will cause that setting to be overridden with notify explicit; for the - mirror zone in question. Since the global - default for the notify option - is yes, mirror zones are - by default configured with + mirror zone. The global default for the + notify option is + yes, so mirror + zones are by default configured with notify explicit;.

@@ -10135,12 +10106,12 @@ view "external" {

+

static-stub

+

A static-stub zone is similar to a stub zone with the following exceptions: @@ -10184,12 +10155,12 @@ view "external" {

+

forward

+

A "forward zone" is a way to configure forwarding on a per-domain basis. A zone statement @@ -10217,12 +10188,12 @@ view "external" {

+

hint

+

The initial set of root name servers is specified using a "hint zone". When the server starts @@ -10238,12 +10209,12 @@ view "external" {

+

redirect

+

Redirect zones are used to provide answers to queries when normal resolution would result in @@ -10303,12 +10274,12 @@ view "external" {

+

delegation-only

+

This is used to enforce the delegation-only status of infrastructure zones (e.g. COM, @@ -15374,6 +15345,6 @@ HOST-127.EXAMPLE. MX 0 .

-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index a29fd9c95d..dae6762274 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -10,7 +10,7 @@ Chapter 6. BIND 9 Security Considerations - +
@@ -45,10 +45,12 @@
Dynamic Update Security
-
+ +

Access Control Lists

-

+ +

Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, @@ -56,26 +58,27 @@ blackhole, allow-transfer, match-clients, etc.

-

+

Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses.

-

+

It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server.

-

+

ACLs match clients on the basis of up to three characteristics: 1) The client's IP address; 2) the TSIG or SIG(0) key that was used to sign the request, if any; and 3) an address prefix encoded in an EDNS Client Subnet option, if any.

-

+

Here is an example of ACLs based on client addresses:

+
 // Set up an ACL named "bogusnets" that will block
 // RFC1918 space and some reserved space, which is
@@ -104,32 +107,33 @@ zone "example.com" {
   allow-query { any; };
 };
 
-

+ +

This allows authoritative queries for "example.com" from any address, but recursive queries only from the networks specified in "our-nets", and no queries at all from the networks specified in "bogusnets".

-

+

In addition to network addresses and prefixes, which are matched against the source address of the DNS request, ACLs may include key elements, which specify the name of a TSIG or SIG(0) key.

-

+

When BIND 9 is built with GeoIP support, ACLs can also be used for geographic access restrictions. This is done by specifying an ACL element of the form: geoip [db database] field value

-

+

The field indicates which field to search for a match. Available fields are "country", "region", "city", "continent", "postal" (postal code), "metro" (metro code), "area" (area code), "tz" (timezone), "isp", "asnum", and "domain".

-

+

value is the value to search for within the database. A string may be quoted if it contains spaces or other special characters. An "asnum" @@ -144,7 +148,7 @@ zone "example.com" { abbreviation; otherwise it treated as the full name of the state or province.

-

+

The database field indicates which GeoIP database to search for a match. In most cases this is unnecessary, because most search fields can only be found in @@ -159,10 +163,10 @@ zone "example.com" { is installed, in that order. Valid database names are "country", "city", "asnum", "isp", and "domain".

-

+

Some example GeoIP ACLs:

-
geoip country US;
+        
geoip country US;
 geoip country JP;
 geoip db country country Canada;
 geoip region WA;
@@ -172,7 +176,8 @@ geoip postal 95062;
 geoip tz "America/Los_Angeles";
 geoip org "Internet Systems Consortium";
 
-

+ +

ACLs use a "first-match" logic rather than "best-match": if an address prefix matches an ACL element, then that ACL is considered to have matched even if a later element would
@@ -182,7 +187,7 @@ geoip org "Internet Systems Consortium"; indicated that the query should be accepted, and the second element is ignored.

-

+

When using "nested" ACLs (that is, ACLs included or referenced within other ACLs), a negative match of a nested ACL will the containing ACL to continue looking for matches. This
@@ -192,10 +197,10 @@ geoip org "Internet Systems Consortium"; it originates from a particular network and only when it is signed with a particular key, use:

-
+        
 allow-query { !{ !10/8; any; }; key example; };
 
-

+

Within the nested ACL, any address that is not in the 10/8 network prefix will be rejected, and this will terminate processing of the
@@ -207,12 +212,14 @@ allow-query { !{ !10/8; any; }; key example; }; will only matches when both conditions are true.

-
-
+
+ +

Chroot and Setuid

-

+ +

On UNIX servers, it is possible to run BIND in a chrooted environment (using the chroot() function) by specifying
@@ -221,23 +228,25 @@ allow-query { !{ !10/8; any; }; key example; }; BIND in a "sandbox", which will limit the damage done if a server is compromised.

-

+

Another useful feature in the UNIX version of BIND is the ability to run the daemon as an unprivileged user ( -u user ). We suggest running as an unprivileged user when using the chroot feature.

-

+

Here is an example command line to load BIND in a chroot sandbox, /var/named, and to run named setuid to user 202:

-

+

/usr/local/sbin/named -u 202 -t /var/named

-
+ +

The chroot Environment

-

+ +

In order for a chroot environment to work properly in a particular directory (for example, /var/named), you will need to set
@@ -249,7 +258,7 @@ allow-query { !{ !10/8; any; }; key example; }; options like directory and pid-file to account for this.

-

+

Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root.
@@ -260,11 +269,13 @@ allow-query { !{ !10/8; any; }; key example; }; /dev/log, and /etc/localtime.

-
-
+
+ +

Using the setuid Function

-

+ +

Prior to running the named daemon, use the touch utility (to change file
@@ -275,7 +286,7 @@ allow-query { !{ !10/8; any; }; key example; }; to which you want BIND to write.

-
+

Note

If the named daemon is running as an
@@ -283,12 +294,14 @@ allow-query { !{ !10/8; any; }; key example; }; ports if the server is reloaded.

-
-
-
+
+
+ +

Dynamic Update Security

-

+ +

Access to the dynamic update facility should be strictly limited. In earlier versions of BIND, the only way to do this was
@@ -308,7 +321,8 @@ allow-query { !{ !10/8; any; }; key example; }; forward it to the master with its own source IP address causing the master to approve it without question.

-

+ +

For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures (TSIG). That is, the allow-update
@@ -317,7 +331,8 @@ allow-query { !{ !10/8; any; }; key example; }; prefixes. Alternatively, the new update-policy option can be used.

-

+ +

Some sites choose to keep all dynamically-updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP
@@ -325,8 +340,9 @@ allow-query { !{ !10/8; any; }; key example; }; of public web and mail servers need not allow dynamic update at all.

-
-
+ +
+ -

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index cd5011fc25..8b48966a04 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -10,7 +10,7 @@ Chapter 7. Troubleshooting - +
@@ -45,24 +45,28 @@
Where Can I Get Help?
-
+ +

Common Problems

-
+ +

It's not working; how can I figure out what's wrong?

-

+ +

The best solution to solving installation and configuration issues is to take preventative measures by setting up logging files beforehand. The log files provide a source of hints and information that can be used to figure out what went wrong and how to fix the problem.

-
-
+
+ +

EDNS compliance issues

-

+

EDNS (Extended DNS) is a standard that was first specified in 1999. It is required for DNSSEC validation, DNS COOKIE options, and other features. There are broken and outdated
@@ -73,7 +77,7 @@ situation, retrying queries in different ways and eventually falling back to plain DNS queries without EDNS.

-

+

Such workarounds cause unnecessary resolution delays, increase code complexity, and prevent deployment of new DNS features. As of February 2019, all major DNS software vendors
@@ -82,7 +86,7 @@ for further details. This change was implemented in BIND as of release 9.14.0.

-

+

As a result, some domains may be non-resolvable without manual intervention. In these cases, resolution can be restored by adding server clauses for the offending
@@ -90,32 +94,33 @@ send-cookie no, depending on the specific noncompliance.

-

+

To determine which server clause to use, run the following commands to send queries to the authoritative servers for the broken domain:

-


+


            dig soa <zone> @<server> +dnssec
            dig soa <zone> @<server> +dnssec +nocookie
            dig soa <zone> @<server> +noedns
  

-

+

If the first command fails but the second succeeds, the server most likely needs send-cookie no. If the first two fail but the third succeeds, then the server needs EDNS to be fully disabled with edns no.

-

+

Please contact the administrators of noncompliant domains and encourage them to upgrade their broken DNS servers.

-
-
-
+
+
+

Incrementing and Changing the Serial Number

-

+ +

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that represents a date, usually of the form YYYYMMDDRR.
@@ -127,22 +132,26 @@ lower than the serial number on the master, the slave server will attempt to update its copy of the zone.

-

+ +

Setting the serial number to a lower number on the master server than the slave server means that the slave will not perform updates to its copy of the zone.

-

+ +

The solution to this is to add 2147483647 (2^31-1) to the number, reload the zone and make sure all slaves have updated to the new zone serial number, then reset the number to what you want it to be, and reload the zone again.

-
-
+ +
+

Where Can I Get Help?

-

+ +

The Internet Systems Consortium (ISC) offers a wide range of support and service agreements for BIND and DHCP servers. Four
@@ -155,15 +164,16 @@ fix announcements to remote support. It also includes training in BIND and DHCP.

-

+ +

To discuss arrangements for support, contact info@isc.org or visit the ISC web page at http://www.isc.org/services/support/ to read more.

-
-
+
+ -

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 3db76a58c5..cfc28d5ab6 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -36,11 +36,12 @@

Table of Contents

-
Release Notes for BIND Version 9.17.0
+
Release Notes for BIND Version 9.17.1
Introduction
Supported Platforms
Download
+
Notes for BIND 9.17.1
Notes for BIND 9.17.0
License
End of Life
@@ -50,7 +51,7 @@

-Release Notes for BIND Version 9.17.0

+Release Notes for BIND Version 9.17.1

@@ -107,6 +108,100 @@

+Notes for BIND 9.17.1

+ +
+

+Security Fixes

+
  • +

    + DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] +

    +
+
+ +
+

+Known Issues

+
  • +

    + We have received reports that in some circumstances, receipt of an + IXFR can cause the processing of queries to slow significantly. Some + of these were related to RPZ processing, which has been fixed in this + release (see below). Others appear to occur where there are + NSEC3-related changes (such as an operator changing the NSEC3 salt + used in the hash calculation). These are being investigated. + [GL #1685] +

    +
+
+ +
+

+New Features

+
  • +

    + A new option, nsdname-wait-recurse, has been added + to the response-policy clause in the configuration + file. When set to no, RPZ NSDNAME rules are only + applied if the authoritative nameservers for the query name have been + looked up and are present in the cache. If this information is not + present, the RPZ NSDNAME rules are ignored, but the information is + looked up in the background and applied to subsequent queries. The + default is yes, meaning that RPZ NSDNAME rules + should always be applied, even if the information needs to be looked + up first. [GL #1138] +

    +
+
+ +
+

+Feature Changes

+
  • +

    + The previous DNSSEC sign statistics used lots of memory. The number of + keys to track is reduced to four per zone, which should be enough for + 99% of all signed zones. [GL #1179] +

    +
+
+ +
+

+Bug Fixes

+
    +
  • +

    + When an RPZ policy zone was updated via zone transfer and a large + number of records was deleted, named could become + nonresponsive for a short period while deleted names were removed from + the RPZ summary database. This database cleanup is now done + incrementally over a longer period of time, reducing such delays. + [GL #1447] +

    +
  • +
  • +

    + When trying to migrate an already-signed zone from + auto-dnssec maintain to one based on + dnssec-policy, the existing keys were immediately + deleted and replaced with new ones. As the key rollover timing + constraints were not being followed, it was possible that some clients + would not have been able to validate responses until all old DNSSEC + information had timed out from caches. BIND now looks at the time + metadata of the existing keys and incorporates it into its DNSSEC + policy operation. [GL #1706] +

    +
  • +
+
+ +
+
+

Notes for BIND 9.17.0

@@ -131,7 +226,8 @@

New Features

-
  • +
      +
    • When a secondary server receives a large incremental zone transfer (IXFR), it can have a negative impact on query
@@ -147,7 +243,21 @@ to the size of a full zone transfer. The default is 100%. [GL #1515]

      -
    +
  • +
  • +

    + A new RPZ option nsdname-wait-recurse + controls whether RPZ-NSDNAME rules should always be applied + even if the names of authoritative name servers for the query + name need to be looked up recurively first. The default is + yes. Setting it to + no speeds up initial responses by skipping + RPZ-NSDNAME rules when name server domain names are not yet + in the cache. The names will be looked up in the background and + the rule will be applied for subsequent queries. [GL #1138] +

    +
  • +
@@ -264,6 +374,6 @@
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 042f771c62..41e3557d5e 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -10,7 +10,7 @@ Appendix B. A Brief History of the DNS and BIND - +
@@ -35,7 +35,7 @@

A Brief History of the DNS and BIND

-

+

Although the "official" beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the core of the new system was described in 1983 in RFCs 882 and
@@ -50,7 +50,8 @@ became the standards upon which all DNS implementations are built.

-

+ +

The first working domain name server, called "Jeeves", was written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
@@ -68,7 +69,7 @@ Administration (DARPA).

-

+

Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
@@ -83,7 +84,7 @@ Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently handled by Mike Karels and Øivind Kure.

-

+

BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then
@@ -95,41 +96,41 @@ Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others.

-

+

In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer.

-

+

BIND versions from 4.9.3 onward have been developed and maintained by the Internet Systems Consortium and its predecessor, the Internet Software Consortium, with support being provided by ISC's sponsors.

-

+

As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997.

-

+

BIND version 9 was released in September 2000 and is a major rewrite of nearly all aspects of the underlying BIND architecture.

-

+

BIND versions 4 and 8 are officially deprecated. No additional development is done on BIND version 4 or BIND version 8.

-

+

BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals.

-
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index e09e3140d6..9be6a0cfca 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -10,7 +10,7 @@ Appendix C. General DNS Reference Information - +
@@ -45,10 +45,12 @@

-
+ +

IPv6 addresses (AAAA)

-

+ +

IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces which were introduced in the DNS to facilitate scalable Internet routing. There are three types of addresses: Unicast,
@@ -59,13 +61,13 @@ Unicast address scheme. For more information, see RFC 3587, "Global Unicast Address Format."

-

+

IPv6 unicast addresses consist of a global routing prefix, a subnet identifier, and an interface identifier.

-

+

The global routing prefix is provided by the upstream provider or ISP, and (roughly) corresponds to the IPv4 network section
@@ -79,14 +81,14 @@ interface on a given network; in IPv6, addresses belong to interfaces rather than to machines.

-

+

The subnetting capability of IPv6 is much more flexible than that of IPv4: subnetting can be carried out on bit boundaries, in much the same way as Classless InterDomain Routing (CIDR), and the DNS PTR representation ("nibble" format) makes setting up reverse zones easier.

-

+

The Interface Identifier must be unique on the local link, and is usually generated automatically by the IPv6 implementation, although it is usually possible to
@@ -94,7 +96,7 @@ address might look like: 2001:db8:201:9:a00:20ff:fe81:2b32

-

+

IPv6 address specifications often contain long strings of zeros, so the architects have included a shorthand for specifying
@@ -102,14 +104,16 @@ string of zeros that can fit, and can be used only once in an address.

-
-
+
+

Bibliography (and Suggested Reading)

-
+ +

Request for Comments (RFCs)

-

+ +

Specification documents for the Internet protocol suite, including the DNS, are published as part of the Request for Comments (RFCs)
@@ -117,358 +121,774 @@ by the Internet Engineering Task Force (IETF) and the Internet Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:

-

+

ftp://www.isi.edu/in-notes/RFCxxxx.txt

-

+

(where xxxx is the number of the RFC). RFCs are also available via the Web at:

-

+

http://www.ietf.org/rfc/.

-
+

-
+

Standards

-
-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+ + +
+

[RFC974] + + C. Partridge. + Mail Routing and the Domain System. + January 1986. +

-
-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+
+

[RFC1034] + + P.V. Mockapetris. + Domain Names — Concepts and Facilities. + November 1987. +

-
-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and - Specification. November 1987.

+
+

[RFC1035] + + P. V. Mockapetris. Domain Names — Implementation and + Specification. + November 1987. +

-
-
+
+

Proposed Standards

-
-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS - Specification. July 1997.

+ + +
+

[RFC2181] + + R., R. Bush Elz. + Clarifications to the DNS + Specification. + July 1997. +

-
-

[RFC2308] M. Andrews. Negative Caching of DNS - Queries. March 1998.

+
+

[RFC2308] + + M. Andrews. + Negative Caching of DNS + Queries. + March 1998. +

-
-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+
+

[RFC1995] + + M. Ohta. + Incremental Zone Transfer in DNS. + August 1996. +

-
-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+
+

[RFC1996] + + P. Vixie. + A Mechanism for Prompt Notification of Zone Changes. + August 1996. +

-
-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+
+

[RFC2136] + + P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. + Dynamic Updates in the Domain Name System. + April 1997. +

-
-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+
+

[RFC2671] + + P. Vixie. + Extension Mechanisms for DNS (EDNS0). + August 1997. +

-
-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+
+

[RFC2672] + + M. Crawford. + Non-Terminal DNS Name Redirection. + August 1999. +

-
-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+
+

[RFC2845] + + P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. + Secret Key Transaction Authentication for DNS (TSIG). + May 2000. +

-
-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+
+

[RFC2930] + + D. Eastlake, 3rd. + Secret Key Establishment for DNS (TKEY RR). + September 2000. +

-
-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+
+

[RFC2931] + + D. Eastlake, 3rd. + DNS Request and Transaction Signatures (SIG(0)s). + September 2000. +

-
-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+
+

[RFC3007] + + B. Wellington. + Secure Domain Name System (DNS) Dynamic Update. + November 2000. +

-
-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

+

[RFC3645] + + S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. + Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS - (GSS-TSIG). October 2003.

+ (GSS-TSIG)
. + October 2003. +

-
-
+
+

DNS Security Proposed Standards

-
-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+ +
+

[RFC3225] + + D. Conrad. + Indicating Resolver Support of DNSSEC. + December 2001. +

-
-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+
+

[RFC3833] + + D. Atkins and R. Austein. + Threat Analysis of the Domain Name System (DNS). + August 2004. +

-
-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+
+

[RFC4033] + + R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. + DNS Security Introduction and Requirements. + March 2005. +

-
-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+
+

[RFC4034] + + R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. + Resource Records for the DNS Security Extensions. + March 2005. +

-
-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS - Security Extensions. March 2005.

+
+

[RFC4035] + + R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. + Protocol Modifications for the DNS + Security Extensions. + March 2005. +

-
-
+
+

Other Important RFCs About DNS Implementation

-
-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely - Deployed DNS Software. October 1993.

+ +
+

[RFC1535] + + E. Gavron. + A Security Problem and Proposed Correction With Widely + Deployed DNS Software. + October 1993. +

-
-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation - Errors and Suggested Fixes. October 1993.

+
+

[RFC1536] + + A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. + Common DNS Implementation + Errors and Suggested Fixes. + October 1993. +

-
-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+
+

[RFC1982] + + R. Elz and R. Bush. + Serial Number Arithmetic. + August 1996. +

-
-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS - Queries for IPv6 Addresses. May 2005.

+
+

[RFC4074] + + Y. Morishita and T. Jinmei. + Common Misbehaviour Against DNS + Queries for IPv6 Addresses. + May 2005. +

-
-
+
+

Resource Record Types

-
-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+ +
+

[RFC1183] + + C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. + New DNS RR Definitions. + October 1990. +

-
-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+
+

[RFC1706] + + B. Manning and R. Colella. + DNS NSAP Resource Records. + October 1994. +

-
-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using - the Domain Name System. June 1997.

+
+

[RFC2168] + + R. Daniel and M. Mealling. + Resolution of Uniform Resource Identifiers using + the Domain Name System. + June 1997. +

-
-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

+

[RFC1876] + + C. Davis, P. Vixie, T., and I. Dickinson. + A Means for Expressing Location Information in the Domain - Name System. January 1996.

+ Name System
. + January 1996. +

-
-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

+

[RFC2052] + + A. Gulbrandsen and P. Vixie. + A DNS RR for Specifying the Location of - Services. October 1996.

+ Services
. + October 1996. +

-
-

[RFC2163] A. Allocchio. Using the Internet DNS to +

+

[RFC2163] + + A. Allocchio. + Using the Internet DNS to Distribute MIXER - Conformant Global Address Mapping. January 1998.

+ Conformant Global Address Mapping
. + January 1998. +

-
-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+
+

[RFC2230] + + R. Atkinson. + Key Exchange Delegation Record for the DNS. + October 1997. +

-
-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+
+

[RFC2536] + + D. Eastlake, 3rd. + DSA KEYs and SIGs in the Domain Name System (DNS). + March 1999. +

-
-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+
+

[RFC2537] + + D. Eastlake, 3rd. + RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). + March 1999. +

-
-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+
+

[RFC2538] + + D. Eastlake, 3rd and O. Gudmundsson. + Storing Certificates in the Domain Name System (DNS). + March 1999. +

-
-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+
+

[RFC2539] + + D. Eastlake, 3rd. + Storage of Diffie-Hellman Keys in the Domain Name System (DNS). + March 1999. +

-
-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+
+

[RFC2540] + + D. Eastlake, 3rd. + Detached Domain Name System (DNS) Information. + March 1999. +

-
-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+
+

[RFC2782] + + A. Gulbrandsen. + P. Vixie. + L. Esibov. + A DNS RR for specifying the location of services (DNS SRV). + February 2000. +

-
-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+
+

[RFC2915] + + M. Mealling. + R. Daniel. + The Naming Authority Pointer (NAPTR) DNS Resource Record. + September 2000. +

-
-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+
+

[RFC3110] + + D. Eastlake, 3rd. + RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). + May 2001. +

-
-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+
+

[RFC3123] + + P. Koch. + A DNS RR Type for Lists of Address Prefixes (APL RR). + June 2001. +

-
-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP - version 6. October 2003.

+
+

[RFC3596] + + S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. + DNS Extensions to support IP + version 6. + October 2003. +

-
-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+
+

[RFC3597] + + A. Gustafsson. + Handling of Unknown DNS Resource Record (RR) Types. + September 2003. +

-
-
+
+

DNS and the Internet

-
-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names - and Other Types. April 1989.

+ +
+

[RFC1101] + + P. V. Mockapetris. + DNS Encoding of Network Names + and Other Types. + April 1989. +

-
-

[RFC1123] Braden. Requirements for Internet Hosts - Application and - Support. October 1989.

+
+

[RFC1123] + + Braden. + Requirements for Internet Hosts - Application and + Support. + October 1989. +

-
-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+
+

[RFC1591] + + J. Postel. + Domain Name System Structure and Delegation. + March 1994. +

-
-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+
+

[RFC2317] + + H. Eidnes, G. de Groot, and P. Vixie. + Classless IN-ADDR.ARPA Delegation. + March 1998. +

-
-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+
+

[RFC2826] + + Internet Architecture Board. + IAB Technical Comment on the Unique DNS Root. + May 2000. +

-
-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+
+

[RFC2929] + + D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. + Domain Name System (DNS) IANA Considerations. + September 2000. +

-
-
+
+

DNS Operations

-
-

[RFC1033] M. Lottor. Domain administrators operations guide. November 1987.

+ +
+

[RFC1033] + + M. Lottor. + Domain administrators operations guide. + November 1987. +

-
-

[RFC1537] P. Beertema. Common DNS Data File - Configuration Errors. October 1993.

+
+

[RFC1537] + + P. Beertema. + Common DNS Data File + Configuration Errors. + October 1993. +

-
-

[RFC1912] D. Barr. Common DNS Operational and - Configuration Errors. February 1996.

+
+

[RFC1912] + + D. Barr. + Common DNS Operational and + Configuration Errors. + February 1996. +

-
-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996.

+
+

[RFC2010] + + B. Manning and P. Vixie. + Operational Criteria for Root Name Servers. + October 1996. +

-
-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for - Network Services. October 1997.

+
+

[RFC2219] + + M. Hamilton and R. Wright. + Use of DNS Aliases for + Network Services. + October 1997. +

-
-
+
+

Internationalized Domain Names

-
-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, - and the Other Internet protocols. May 2000.

+ +
+

[RFC2825] + + IAB and R. Daigle. + A Tangled Web: Issues of I18N, Domain Names, + and the Other Internet protocols. + May 2000. +

-
-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+
+

[RFC3490] + + P. Faltstrom, P. Hoffman, and A. Costello. + Internationalizing Domain Names in Applications (IDNA). + March 2003. +

-
-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+
+

[RFC3491] + + P. Hoffman and M. Blanchet. + Nameprep: A Stringprep Profile for Internationalized Domain Names. + March 2003. +

-
-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

+

[RFC3492] + + A. Costello. + Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in - Applications (IDNA). March 2003.

+ Applications (IDNA)
. + March 2003. +

-
-
+
+

Other DNS-related RFCs

-
+ +

Note

-

+

Note: the following list of RFCs, although DNS-related, are not concerned with implementing software.

+
+
+

[RFC1464] + + R. Rosenbaum. + Using the Domain Name System To Store Arbitrary String + Attributes. + May 1993. +

-
-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String - Attributes. May 1993.

+
+

[RFC1713] + + A. Romao. + Tools for DNS Debugging. + November 1994. +

-
-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+
+

[RFC1794] + + T. Brisco. + DNS Support for Load + Balancing. + April 1995. +

-
-

[RFC1794] T. Brisco. DNS Support for Load - Balancing. April 1995.

+
+

[RFC2240] + + O. Vaughan. + A Legal Basis for Domain Name Allocation. + November 1997. +

-
-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+
+

[RFC2345] + + J. Klensin, T. Wolf, and G. Oglesby. + Domain Names and Company Name Retrieval. + May 1998. +

-
-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+
+

[RFC2352] + + O. Vaughan. + A Convention For Using Legal Names as Domain Names. + May 1998. +

-
-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+
+

[RFC3071] + + J. Klensin. + Reflections on the DNS, RFC 1591, and Categories of Domains. + February 2001. +

-
-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+
+

[RFC3258] + + T. Hardie. + Distributing Authoritative Name Servers via + Shared Unicast Addresses. + April 2002. +

-
-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via - Shared Unicast Addresses. April 2002.

+
+

[RFC3901] + + A. Durand and J. Ihren. + DNS IPv6 Transport Operational Guidelines. + September 2004. +

-
-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

-
-
-
+
+

Obsolete and Unimplemented Experimental RFC

-
-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical - Location. November 1994.

+ +
+

[RFC1712] + + C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. + DNS Encoding of Geographical + Location. + November 1994. +

-
-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+
+

[RFC2673] + + M. Crawford. + Binary Labels in the Domain Name System. + August 1999. +

-
-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation - and Renumbering. July 2000.

+
+

[RFC2874] + + M. Crawford and C. Huitema. + DNS Extensions to Support IPv6 Address Aggregation + and Renumbering. + July 2000. +

-
-
+
+

Obsoleted DNS Security RFCs

-
+ +

Note

-

+

Most of these have been consolidated into RFC4033, RFC4034 and RFC4035 which collectively describe DNSSECbis.

+
+
+

[RFC2065] + + D. Eastlake, 3rd and C. Kaufman. + Domain Name System Security Extensions. + January 1997. +

-
-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+
+

[RFC2137] + + D. Eastlake, 3rd. + Secure Domain Name System Dynamic Update. + April 1997. +

-
-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+
+

[RFC2535] + + D. Eastlake, 3rd. + Domain Name System Security Extensions. + March 1999. +

-
-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+
+

[RFC3008] + + B. Wellington. + Domain Name System Security (DNSSEC) + Signing Authority. + November 2000. +

-
-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) - Signing Authority. November 2000.

+
+

[RFC3090] + + E. Lewis. + DNS Security Extension Clarification on Zone Status. + March 2001. +

-
-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+
+

[RFC3445] + + D. Massey and S. Rose. + Limiting the Scope of the KEY Resource Record (RR). + December 2002. +

-
-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+
+

[RFC3655] + + B. Wellington and O. Gudmundsson. + Redefinition of DNS Authenticated Data (AD) bit. + November 2003. +

-
-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+
+

[RFC3658] + + O. Gudmundsson. + Delegation Signer (DS) Resource Record (RR). + December 2003. +

-
-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+
+

[RFC3755] + + S. Weiler. + Legacy Resolver Compatibility for Delegation Signer (DS). + May 2004. +

-
-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+
+

[RFC3757] + + O. Kolkman, J. Schlyter, and E. Lewis. + Domain Name System KEY (DNSKEY) Resource Record + (RR) Secure Entry Point (SEP) Flag. + April 2004. +

-
-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record - (RR) Secure Entry Point (SEP) Flag. April 2004.

+
+

[RFC3845] + + J. Schlyter. + DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. + August 2004. +

-
-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

-
-
-
-
-
+
+
+
+

Internet Drafts

-

+ +

Internet Drafts (IDs) are rough-draft working documents of the Internet Engineering Task Force. They are, in essence, RFCs in the preliminary stages of development. Implementors are @@ -478,21 +898,26 @@ they are "works in progress." IDs have a lifespan of six months after which they are deleted unless updated by their authors.

-
-
+
+

Other Documents About BIND

-

-
+ +

+

-
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

-
-
-
-
+
+

+ Paul Albitz and Cricket Liu. + DNS and BIND. + Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. +

+
+
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index ca185b2a19..3a681e51d0 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -10,7 +10,7 @@ Appendix D. BIND 9 DNS Library Support - + @@ -46,10 +46,11 @@
-
+

BIND 9 DNS Library Support

-

+ +

This version of BIND 9 "exports" its internal libraries so that they can be used by third-party applications more easily (we call them "export" libraries in this document). Certain library @@ -58,27 +59,32 @@ the calling program initializes the libraries by calling isc_lib_register().

-

+

In addition to DNS-related APIs that are used within BIND 9, the libraries provide the following features:

-
    -
  • +

      +
    • +

      The "DNS client" module. This is a higher level API that provides an interface to name resolution, single DNS transaction with a particular server, and dynamic update. Regarding name resolution, it supports advanced features such as DNSSEC validation and caching. This module supports both synchronous and asynchronous mode. -

    • -
    • +

      +
    • +
    • +

      The "IRS" (Information Retrieval System) library. It provides an interface to parse the traditional resolv.conf file and more advanced, DNS-specific configuration file for the rest of this package (see the description for the dns.conf file below). -

    • -
    • +

      +
    • +
    • +

      As part of the IRS library, the standard address-name mapping functions, getaddrinfo() and getnameinfo(), are provided. They use the @@ -87,33 +93,38 @@ getaddrinfo() function resolves both A and AAAA RRs concurrently when the address family is unspecified. -

    • -
    • +

      +
    • +
    • +

      An experimental framework to support other event libraries than BIND 9's internal event task system. -

    • +

      +
    -
    +

    Installation

    -
    +    
    +    
     $ make install
         
    -

    +

    Normal installation of BIND will also install library object and header files. Root privilege is normally required.

    -

    +

    To see how to build your own application after the installation, see lib/samples/Makefile-postinstall.in.

    -
    -
    +
    +

    Known Defects/Restrictions

    -
      + +
      • -

        +

        The "fixed" RRset order is not (currently) supported in the export library. If you want to use "fixed" RRset order for, e.g. named while still building the export library @@ -128,25 +139,30 @@ $ make

        -
      • -
      • +

      • +
      • +

        RFC 5011 is not supported in the validating stub resolver of the export library. In fact, it is not clear whether it should: trust anchors would be a system-wide configuration which would be managed by an administrator, while the stub resolver will be used by ordinary applications run by a normal user. -

      • -
      • +

        +
      • +
      • +

        Not all common /etc/resolv.conf options are supported in the IRS library. The only available options in this version are debug and ndots. -

      • +

        +
      -
    -
    +
    +

    The dns.conf File

    -

    + +

    The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the resolv.conf file. @@ -164,38 +180,42 @@ $ make with initial-key or iniital-ds. (See the section called “managed-keys Statement Grammar” for syntax details.)

    -
    -
    +
    +

    Sample Applications

    -

    + +

    Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

    -
    +

    sample: a simple stub resolver utility

    -

    + +

    Sends a query of a given name (of a given optional RR type) to a specified recursive server and prints the result as a list of RRs. It can also act as a validating stub resolver if a trust anchor is given via a set of command line options.

    -

    +

    Usage: sample [options] server_address hostname

    -

    +

    Options and Arguments:

    -
    +
    -t RRtype
    -

    +

    +

    specify the RR type of the query. The default is the A RR. -

    +

    +
    [-a algorithm] [-e] -k keyname -K keystring
    -

    +

    specify a command-line DNS key to validate the answer. For example, to specify the following DNSKEY of example.com:

    @@ -213,36 +233,43 @@ $ make as "secure entry point"). When -a is omitted rsasha1 will be used by default.

    -
    +
    -s domain:alt_server_address
    -

    +

    +

    specify a separate recursive server address for the specific "domain". Example: -s example.com:2001:db8::1234 -

    +

    +
    server_address
    -

    +

    +

    an IP(v4/v6) address of the recursive server to which queries are sent. -

    +

    +
    hostname
    -

    +

    +

    the domain name for the query -

    +

    +
    -
    -
    +
    +

    sample-async: a simple stub resolver, working asynchronously

    -

    + +

    Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names asynchronously.

    -

    +

    Usage: sample-async [-s server_address] [-t RR_type] input_file

    -

    +

    Options and Arguments:

    -
    +
    -s server_address
    an IPv4 address of the recursive server to which queries are sent. @@ -262,13 +289,14 @@ $ make       mx.example.net
          ns.xxx.example
          

    - +
    -
    -
    +
    +

    sample-request: a simple DNS transaction client

    -

    + +

    Sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a "stub resolver": it stops the processing once it gets any response from the server, whether @@ -276,32 +304,39 @@ $ make further queries to get the ultimate answer. In other words, this utility acts as a very simplified dig.

    -

    +

    Usage: sample-request [-t RRtype] server_address hostname

    -

    +

    Options and Arguments:

    -
    +
    -t RRtype
    -

    +

    +

    specify the RR type of the queries. The default is the A RR. -

    +

    +
    server_address
    -

    +

    +

    an IP(v4/v6) address of the recursive server to which the query is sent. -

    +

    +
    hostname
    -

    +

    +

    the domain name for the query -

    +

    +
    -
    -
    +
    +

    sample-gai: getaddrinfo() and getnameinfo() test code

    -

    + +

    This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a host name as an argument, calls getaddrinfo() with the given host @@ -313,130 +348,153 @@ $ make will fail with an EAI_INSECUREDATA error when DNSSEC validation fails.

    -

    +

    Usage: sample-gai hostname

    -
    -
    +
    +

    sample-update: a simple dynamic update client program

    -

    + +

    Accepts a single update command as a command-line argument, sends an update request message to the authoritative server, and shows the response from the server. In other words, this is a simplified nsupdate.

    -

    +

    Usage: sample-update [options] (add|delete) "update data"

    -

    +

    Options and Arguments:

    -
    +
    -a auth_server
    -

    +

    +

    An IP address of the authoritative server that has authority for the zone containing the update name. This should normally be the primary authoritative server that accepts dynamic updates. It can also be a secondary server that is configured to forward update requests to the primary server. -

    +

    +
    -k keyfile
    -

    +

    +

    A TSIG key file to secure the update transaction. The keyfile format is the same as that for the nsupdate utility. -

    +

    +
    -p prerequisite
    -

    +

    +

    A prerequisite for the update (only one prerequisite can be specified). The prerequisite format is the same as that is accepted by the nsupdate utility. -

    +

    +
    -r recursive_server
    -

    +

    +

    An IP address of a recursive server that this utility will use. A recursive server may be necessary to identify the authoritative server address to which the update request is sent. -

    +

    +
    -z zonename
    -

    +

    +

    The domain name of the zone that contains -

    +

    +
    (add|delete)
    -

    +

    +

    Specify the type of update operation. Either "add" or "delete" must be specified. -

    +

    +
    "update data"
    -

    +

    +

    Specify the data to be updated. A typical example of the data would look like "name TTL RRtype RDATA". -

    +

    +
    -
    +

    Note

    -

    +

    In practice, either -a or -r must be specified. Others can be optional; the underlying library routine tries to identify the appropriate server and the zone name for the update.

    -
    -

    +

    +

    Examples: assuming the primary authoritative server of the dynamic.example.com zone has an IPv6 address 2001:db8::1234,

    -
    +      
     $ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"
    -

    +

    adds an A RR for foo.dynamic.example.com using the given key.

    -
    +      
     $ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"
    -

    +

    removes all A RRs for foo.dynamic.example.com using the given key.

    -
    +      
     $ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"
    -

    +

    removes all RRs for foo.dynamic.example.com using the given key.

    -
    -
    +
    +

    nsprobe: domain/name server checker in terms of RFC 4074

    -

    + +

    Checks a set of domains to see the name servers of the domains behave correctly in terms of RFC 4074. This is included in the set of sample programs to show how the export library can be used in a DNS-related application.

    -

    +

    Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]

    -

    +

    Options

    -
    +
    -d
    -

    +

    +

    Run in "debug" mode. With this option nsprobe will dump every RRs it receives. -

    +

    +
    -v
    -

    +

    +

    Increase verbosity of other normal log messages. This can be specified multiple times. -

    +

    +
    -c cache_address
    -

    +

    +

    Specify an IP address of a recursive (caching) name server. nsprobe uses this server to get the NS RRset of each domain and the A and/or AAAA RRsets for the name servers. The default value is 127.0.0.1. -

    +

    +
    input_file
    -

    +

    +

    A file name containing a list of domain (zone) names to be probed. when omitted the standard input will be used. Each line of the input file specifies a single domain name such as @@ -446,21 +504,23 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm for the given domain name, and sends A and AAAA queries to these servers for some "widely used" names under the zone; specifically, adding "www" and "ftp" to the zone name. -

    +

    +
    -
    -
    -
    +
    +
    +

    Library References

    -

    + +

    As of this writing, there is no formal "manual" for the libraries, except this document, header files (some of which provide pretty detailed explanations), and sample application programs.

    +
    -
    -
    +
    -

    BIND 9.17.0 (Development Release)

    +

    BIND 9.17.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 020d12dbd3..8c82dd9da1 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -10,7 +10,7 @@ Manual pages - + @@ -154,7 +154,44 @@
    -
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index cfd1f052d7..9ffb10deca 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -10,7 +10,7 @@ BIND 9 Administrator Reference Manual - + @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.17.0

+

BIND Version 9.17.1


@@ -247,11 +247,12 @@
A. Release Notes
-
Release Notes for BIND Version 9.17.0
+
Release Notes for BIND Version 9.17.1
Introduction
Supported Platforms
Download
+
Notes for BIND 9.17.1
Notes for BIND 9.17.0
License
End of Life
@@ -398,7 +399,32 @@
-
+ + + + + + + + + + + + + + + + + + + + + + + + + +
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 601873735a..ea200533b3 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index fba6292fea..dfcbab7976 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -10,7 +10,7 @@ arpaname - + @@ -32,27 +32,45 @@
-
+ + + + +

Name

-

arpaname — translate IP addresses to the corresponding ARPA names

-
-
-

Synopsis

-

arpaname {ipaddress ...}

-
-
-

DESCRIPTION

+ arpaname + — translate IP addresses to the corresponding ARPA names +

+
+ + + +
+

Synopsis

+

+ arpaname + {ipaddress ...} +

+
+ +
+

DESCRIPTION

+ +

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-
-
+
+ +

SEE ALSO

-

+ +

BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index e58f6601d3..59a59cb880 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -10,7 +10,7 @@ ddns-confgen - + @@ -32,31 +32,62 @@
-
+ + + + + +

Name

-

ddns-confgen — ddns key generation tool

-
-
-

Synopsis

-

tsig-keygen [-a algorithm] [-h] [name]

-

ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

-
-
-

DESCRIPTION

+ ddns-confgen + — ddns key generation tool +

+
+ + + +
+

Synopsis

+

+ tsig-keygen + [-a algorithm] + [-h] + [name] +

+

+ ddns-confgen + [-a algorithm] + [-h] + [-k keyname] + [-q] + [-r randomfile] + [ + -s name + | -z zone + ] +

+
+ +
+

DESCRIPTION

+ +

tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use in TSIG signing. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the rndc command channel.

-

+ +

When run as tsig-keygen, a domain name can be specified on the command line which will be used as the name of the generated key. If no name is specified, the default is tsig-key.

-

+ +

When run as ddns-confgen, the generated key is accompanied by configuration text and instructions that can be used with nsupdate and @@ -66,7 +97,8 @@ rndc-confgen command for setting up command channel security.)

-

+ +

Note that named itself can configure a local DDNS key for use with nsupdate -l: it does this when a zone is configured with @@ -76,24 +108,32 @@ if nsupdate is to be used from a remote system.

-
-
+
+ +

OPTIONS

-
+ + +
-a algorithm
-

+

+

Specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The default is hmac-sha256. Options are case-insensitive, and the "hmac-" prefix may be omitted. -

+

+
-h
-

+

+

Prints a short summary of options and arguments. -

+

+
-k keyname
-

+

+

Specifies the key name of the DDNS authentication key. The default is ddns-key when neither the -s nor -z option is @@ -103,15 +143,19 @@ ddns-key.example.com. The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods. -

+

+
-q
-

+

+

(ddns-confgen only.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to tsig-keygen. -

+

+
-s name
-

+

+

(ddns-confgen only.) Generate configuration example to allow dynamic updates of a single hostname. The example named.conf @@ -122,9 +166,11 @@ Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the -z option. -

+

+
-z zone
-

+

+

(ddns-confgen only.) Generate configuration example to allow dynamic updates of a zone: The example named.conf text @@ -134,17 +180,27 @@ all subdomain names within that zone. This option cannot be used with the -s option. -

+

+
-
-
+
+ +

SEE ALSO

-

nsupdate(1), - named.conf(5), - named(8), + +

+ nsupdate(1) + , + + named.conf(5) + , + + named(8) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 368b845acb..05147a811d 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -10,7 +10,7 @@ delv - + @@ -32,25 +32,72 @@
-
+ + + + + +

Name

-

delv — DNS lookup and validation utility

+

+ delv + — DNS lookup and validation utility +

-
+ + + +

Synopsis

-

delv [@server] [[-4] | [-6]] [-a anchor-file] [-b address] [-c class] [-d level] [-i] [-m] [-p port#] [-q name] [-t type] [-x addr] [name] [type] [class] [queryopt...]

-

delv [-h]

-

delv [-v]

-

delv [queryopt...] [query...]

-
-
+

+ delv + [@server] + [ + [-4] + | [-6] + ] + [-a anchor-file] + [-b address] + [-c class] + [-d level] + [-i] + [-m] + [-p port#] + [-q name] + [-t type] + [-x addr] + [name] + [type] + [class] + [queryopt...] +

+ +

+ delv + [-h] +

+ +

+ delv + [-v] +

+ +

+ delv + [queryopt...] + [query...] +

+
+ +

DESCRIPTION

-

delv + +

delv is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as named.

-

+

delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow @@ -60,7 +107,7 @@ behavior of a name server configured for DNSSEC validating and forwarding.

-

+

By default, responses are validated using built-in DNSSEC trust anchor for the root zone ("."). Records returned by delv are either fully validated or @@ -71,7 +118,7 @@ be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.

-

+

Unless it is told to query a specific name server, delv will try each of the servers listed in /etc/resolv.conf. If no usable server @@ -79,15 +126,18 @@ queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).

-

+

When no command line arguments or options are given, delv will perform an NS query for "." (the root zone).

-
-
+
+ +

SIMPLE USAGE

-

+ + +

A typical invocation of delv looks like:

 delv @server name type 
@@ -98,7 +148,7 @@
server
-

+

is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied @@ -108,7 +158,7 @@ initial lookup is not validated by DNSSEC).

-

+

If no server argument is provided, delv consults /etc/resolv.conf; if an @@ -121,13 +171,16 @@ the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).

-
+
name
-

+

+

is the domain name to be looked up. -

+

+
type
-

+

+

indicates what type of query is required — ANY, A, MX, etc. type can be any valid query @@ -135,28 +188,32 @@ type argument is supplied, delv will perform a lookup for an A record. -

+

+

-
-
+ +
+ +

OPTIONS

-
+ +
-a anchor-file
-

+

Specifies a file from which to read DNSSEC trust anchors. The default is /etc/bind.keys, which is included with BIND 9 and contains one or more trust anchors for the root zone (".").

-

+

Keys that do not match the root zone name are ignored. An alternate key name can be specified using the +root=NAME options.

-

+

Note: When reading the trust anchor file, delv treats trust-anchors initial-key and static-key @@ -173,23 +230,28 @@ /etc/bind.keys to use DNSSEC validation in delv.

-
+
-b address
-

+

+

Sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional source port may be specified by appending "#<port>" -

+

+
-c class
-

+

+

Sets the query class for the requested data. Currently, only class "IN" is supported in delv and any other value is ignored. -

+

+
-d level
-

+

+

Set the systemwide debug level to level. The allowed range is from 0 to 99. The default is 0 (no debugging). @@ -198,13 +260,17 @@ See the +mtrace, +rtrace, and +vtrace options below for additional debugging details. -

+

+
-h
-

+

+

Display the delv help usage output and exit. -

+

+
-i
-

+

+

Insecure mode. This disables internal DNSSEC validation. (Note, however, this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC @@ -212,30 +278,37 @@ can cause delv to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use dig +cd.) -

+

+
-m
-

+

+

Enables memory usage debugging. -

+

+
-p port#
-

+

+

Specifies a destination port to use for queries instead of the standard DNS port number 53. This option would be used with a name server that has been configured to listen for queries on a non-standard port number. -

+

+
-q name
-

+

+

Sets the query name to name. While the query name can be specified without using the -q, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH). -

+

+
-t type
-

+

Sets the query type to type, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR. As with @@ -243,18 +316,21 @@ query name type or class when they are ambiguous. it is sometimes necessary to disambiguate names from types.

-

+

The default query type is "A", unless the -x option is supplied to indicate a reverse lookup, in which case it is "PTR".

-
+
-v
-

+

+

Print the delv version and exit. -

+

+
-x addr
-

+

+

Performs a reverse lookup, mapping an addresses to a name. addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. @@ -264,24 +340,33 @@ lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type to PTR. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. -

+

+
-4
-

+

+

Forces delv to only use IPv4. -

+

+
-6
-

+

+

Forces delv to only use IPv6. -

+

+
-
-
+
+ +

QUERY OPTIONS

-

delv + + +

delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed.

-

+ +

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string @@ -293,7 +378,8 @@

+[no]cdflag
-

+

+

Controls whether to set the CD (checking disabled) bit in queries sent by delv. This may be useful when troubleshooting DNSSEC problems from behind a validating @@ -302,20 +388,25 @@ the CD flag on queries will cause the resolver to return invalid responses, which delv can then validate internally and report the errors in detail. -

+

+
+[no]class
-

+

+

Controls whether to display the CLASS when printing a record. The default is to display the CLASS. -

+

+
+[no]ttl
-

+

+

Controls whether to display the TTL when printing a record. The default is to display the TTL. -

+

+
+[no]rtrace
-

+

Toggle resolver fetch logging. This reports the name and type of each query sent by delv in the process of carrying out the resolution and validation @@ -323,62 +414,69 @@ all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation.

-

+

This is equivalent to setting the debug level to 1 in the "resolver" logging category. Setting the systemwide debug level to 1 using the -d option will product the same output (but will affect other logging categories as well).

-
+
+[no]mtrace
-

+

Toggle message logging. This produces a detailed dump of the responses received by delv in the process of carrying out the resolution and validation process.

-

+

This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category. Setting the systemwide debug level to 10 using the -d option will produce the same output (but will affect other logging categories as well).

-
+
+[no]vtrace
-

+

Toggle validation logging. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid.

-

+

This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category. Setting the systemwide debug level to 3 using the -d option will produce the same output (but will affect other logging categories as well).

-
+
+[no]short
-

+

+

Provide a terse answer. The default is to print the answer in a verbose form. -

+

+
+[no]comments
-

+

+

Toggle the display of comment lines in the output. The default is to print comments. -

+

+
+[no]rrcomments
-

+

+

Toggle the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). The default is to print per-record comments. -

+

+
+[no]crypto
-

+

+

Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see @@ -386,14 +484,18 @@ When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]". -

+

+
+[no]trust
-

+

+

Controls whether to display the trust level when printing a record. The default is to display the trust level. -

+

+
+[no]split[=W]
-

+

+

Split long hex- or base64-formatted fields in resource records into chunks of W characters (where W is rounded up to the nearest @@ -402,24 +504,30 @@ +split=0 causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -

+

+
+[no]all
-

+

+

Set or clear the display options +[no]comments, +[no]rrcomments, and +[no]trust as a group. -

+

+
+[no]multiline
-

+

+

Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the delv output. -

+

+
+[no]dnssec
-

+

+

Indicates whether to display RRSIG records in the delv output. The default is to do so. Note that (unlike in dig) @@ -428,9 +536,11 @@ DNSSEC records are always requested, and validation will always occur unless suppressed by the use of -i or +noroot. -

+

+
+[no]root[=ROOT]
-

+

+

Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using @@ -438,44 +548,60 @@ a built-in key. If specifying a different trust anchor, then -a must be used to specify a file containing the key. -

+

+
+[no]tcp
-

+

+

Controls whether to use TCP when sending queries. The default is to use UDP unless a truncated response has been received. -

+

+
+[no]unknownformat
-

+

+

Print all RDATA in unknown RR type presentation format (RFC 3597). The default is to print RDATA for known types in the type's presentation format. -

+

+
+[no]yaml
-

+

+

Print response data in YAML format. -

+

+

-
-
+
+ +

FILES

-

/etc/bind.keys

-

/etc/resolv.conf

-
-
+ +

/etc/bind.keys

+

/etc/resolv.conf

+
+ +

SEE ALSO

-

dig(1), - named(8), + +

+ dig(1) + , + + named(8) + , RFC4034, RFC4035, RFC4431, RFC5074, RFC5155.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 5747a46a57..dc0a0e1a0a 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -10,7 +10,7 @@ dig - + @@ -32,19 +32,63 @@
-
+ + + + + +

Name

-

dig — DNS lookup utility

+

+ dig + — DNS lookup utility +

-
+ + + +

Synopsis

-

dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [[-4] | [-6]] [name] [type] [class] [queryopt...]

-

dig [-h]

-

dig [global-queryopt...] [query...]

-
-
+

+ dig + [@server] + [-b address] + [-c class] + [-f filename] + [-k filename] + [-m] + [-p port#] + [-q name] + [-t type] + [-v] + [-x addr] + [-y [hmac:]name:key] + [ + [-4] + | [-6] + ] + [name] + [type] + [class] + [queryopt...] +

+ +

+ dig + [-h] +

+ +

+ dig + [global-queryopt...] + [query...] +

+
+ +

DESCRIPTION

-

dig is a flexible tool + +

dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to @@ -52,7 +96,8 @@ clarity of output. Other lookup tools tend to have less functionality than dig.

-

+ +

Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup @@ -63,35 +108,43 @@ from the command line.

-

+ +

Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf. If no usable server addresses are found, dig will send the query to the local host.

-

+ +

When no command line arguments or options are given, dig will perform an NS query for "." (the root).

-

+ +

It is possible to set per-user defaults for dig via ${HOME}/.digrc. This file is read and any options in it are applied before the command line arguments. The -r option disables this feature, for scripts that need predictable behaviour.

-

+ +

The IN and CH class names overlap with the IN and CH top level domain names. Either use the -t and -c options to specify the type and class, use the -q the specify the domain name, or use "IN." and "CH." when looking up these top level domains.

-
-
+ +
+ +

SIMPLE USAGE

-

+ + +

A typical invocation of dig looks like:

 dig @server name type 
@@ -102,7 +155,7 @@
server
-

+

is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied @@ -110,7 +163,7 @@ dig resolves that name before querying that name server.

-

+

If no server argument is provided, dig consults /etc/resolv.conf; if an @@ -123,13 +176,16 @@ local host. The reply from the name server that responds is displayed.

-
+
name
-

+

+

is the name of the resource record that is to be looked up. -

+

+
type
-

+

+

indicates what type of query is required — ANY, A, MX, SIG, etc. type can be any valid query @@ -137,81 +193,108 @@ type argument is supplied, dig will perform a lookup for an A record. -

+

+

-
-
+ +
+ +

OPTIONS

-
+ + +
-4
-

+

+

Use IPv4 only. -

+

+
-6
-

+

+

Use IPv6 only. -

+

+
-b address[#port]
-

+

+

Set the source IP address of the query. The address must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>" -

+

+
-c class
-

+

+

Set the query class. The default class is IN; other classes are HS for Hesiod records or CH for Chaosnet records. -

+

+
-f file
-

+

+

Batch mode: dig reads a list of lookup requests to process from the given file. Each line in the file should be organized in the same way they would be presented as queries to dig using the command-line interface. -

+

+
-k keyfile
-

+

+

Sign queries using TSIG using a key read from the given file. Key files can be generated using - tsig-keygen(8). + + tsig-keygen(8) + . When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf. -

+

+
-m
-

+

+

Enable memory usage debugging. -

+

+
-p port
-

+

+

Send the query to a non-standard port on the server, instead of the default port 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number. -

+

+
-q name
-

+

+

The domain name to query. This is useful to distinguish the name from other arguments. -

+

+
-r
-

+

+

Do not read options from ${HOME}/.digrc. This is useful for scripts that need predictable behaviour. -

+

+
-t type
-

+

The resource record type to query. It can be any valid query type. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA"). @@ -225,23 +308,28 @@ record was N.

-

+

All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597.

-
+
-u
-

+

+

Print query times in microseconds instead of milliseconds. -

+

+
-v
-

+

+

Print the version number and exit. -

+

+
-x addr
-

+

+

Simplified reverse lookups, for mapping addresses to names. The addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 @@ -255,10 +343,11 @@ query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. -

+

+
-y [hmac:]keyname:secret
-

+

Sign queries using TSIG with the given authentication key. keyname is the name of the key, and secret is the base64 encoded shared secret. @@ -270,28 +359,34 @@ is not specified, the default is hmac-md5 or if MD5 was disabled hmac-sha256.

-

+

NOTE: You should use the -k option and avoid the -y option, because with -y the shared secret is supplied as a command line argument in clear text. This may be visible in the output from - ps(1) + + ps(1) + or in a history file maintained by the user's shell.

-
+
-
-
+
+ +

QUERY OPTIONS

-

dig + + +

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.

-

+ +

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded @@ -307,20 +402,27 @@

+[no]aaflag
-

+

+

A synonym for +[no]aaonly. -

+

+
+[no]aaonly
-

+

+

Sets the "aa" flag in the query. -

+

+
+[no]additional
-

+

+

Display [do not display] the additional section of a reply. The default is to display it. -

+

+
+[no]adflag
-

+

+

Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all @@ -330,70 +432,89 @@ from a OPT-OUT range. AD=0 indicate that some part of the answer was insecure or not validated. This bit is set by default. -

+

+
+[no]all
-

+

+

Set or clear all display flags. -

+

+
+[no]answer
-

+

+

Display [do not display] the answer section of a reply. The default is to display it. -

+

+
+[no]authority
-

+

+

Display [do not display] the authority section of a reply. The default is to display it. -

+

+
+[no]badcookie
-

+

+

Retry lookup with the new server cookie if a BADCOOKIE response is received. -

+

+
+[no]besteffort
-

+

+

Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -

+

+
+bufsize=B
-

+

+

Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent. -

+

+
+[no]cdflag
-

+

+

Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -

+

+
+[no]class
-

+

+

Display [do not display] the CLASS when printing the record. -

+

+
+[no]cmd
-

+

+

Toggles the printing of the initial comment in the output, identifying the version of dig and the query options that have been applied. This option always has global effect; it cannot be set globally and then overridden on a per-lookup basis. The default is to print this comment. -

+

+
+[no]comments
-

+

Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section. The default is to print these comments.

-

+

Other types of comments in the output are not affected by this option, but can be controlled using other command line switches. These include +[no]cmd, @@ -401,23 +522,24 @@ +[no]stats, and +[no]rrcomments.

-
+
+[no]cookie[=####]
-

+

Send a COOKIE EDNS option, with optional value. Replaying a COOKIE from a previous response will allow the server to identify a previous client. The default is +cookie.

-

+

+cookie is also set when +trace is set to better emulate the default queries from a nameserver.

-
+
+[no]crypto
-

+

+

Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing @@ -426,55 +548,71 @@ are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]". -

+

+
+[no]defname
-

+

+

Deprecated, treated as a synonym for +[no]search -

+

+
+[no]dnssec
-

+

+

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -

+

+
+domain=somename
-

+

+

Set the search list to contain the single domain somename, as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if the +search option were given. -

+

+
+dscp=value
-

+

+

Set the DSCP code point to be used when sending the query. Valid DSCP code points are in the range [0..63]. By default no code point is explicitly set. -

+

+
+[no]edns[=#]
-

+

+

Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +noedns clears the remembered EDNS version. EDNS is set to 0 by default. -

+

+
+[no]ednsflags[=#]
-

+

+

Set the must-be-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set. -

+

+
+[no]ednsnegotiation
-

+

+

Enable / disable EDNS version negotiation. By default EDNS version negotiation is enabled. -

+

+
+[no]ednsopt[=code[:value]]
-

+

+

Specify EDNS option with code point code and optionally payload of value as a hexadecimal string. code can be @@ -482,95 +620,117 @@ NSID or ECS), or an arbitrary numeric value. +noednsopt clears the EDNS options to be sent. -

+

+
+[no]expire
-

+

+

Send an EDNS Expire option. -

+

+
+[no]expandaaaa
-

+

+

When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format. -

+

+
+[no]fail
-

+

+

Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior. -

+

+
+[no]header-only
-

+

+

Send a query with a DNS header without a question section. The default is to add a question section. The query type and query name are ignored when this is set. -

+

+
+[no]identify
-

+

+

Show [or do not show] the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. -

+

+
+[no]idnin
-

+

Process [do not process] IDN domain names on input. This requires IDN SUPPORT to have been enabled at compile time.

-

+

The default is to process IDN input when standard output is a tty. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non-tty file descriptors.

-
+
+[no]idnout
-

+

Convert [do not convert] puny code on output. This requires IDN SUPPORT to have been enabled at compile time.

-

+

The default is to process puny code on output when standard output is a tty. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non-tty file descriptors.

-
+
+[no]ignore
-

+

+

Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. -

+

+
+[no]keepalive
-

+

+

Send [or do not send] an EDNS Keepalive option. -

+

+
+[no]keepopen
-

+

+

Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup. The default is +nokeepopen. -

+

+
+[no]mapped
-

+

+

Allow mapped IPv4 over IPv6 addresses to be used. The default is +mapped. -

+

+
+[no]multiline
-

+

+

Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the dig output. -

+

+
+ndots=D
-

+

+

Set the number of dots that have to appear in name to D for it to be considered absolute. The default value @@ -582,34 +742,44 @@ or domain directive in /etc/resolv.conf if +search is set. -

+

+
+[no]nsid
-

+

+

Include an EDNS name server ID request when sending a query. -

+

+
+[no]nssearch
-

+

+

When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. Addresses of servers that that did not respond are also printed. -

+

+
+[no]onesoa
-

+

+

Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records. -

+

+
+[no]opcode=value
-

+

+

Set [restore] the DNS message opcode to the specified value. The default value is QUERY (0). -

+

+
+padding=value
-

+

+

Pad the size of the query packet using the EDNS Padding option to blocks of value bytes. For example, +padding=32 would cause a 48-byte query to @@ -619,30 +789,40 @@ however, this is not mandatory. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE. -

+

+
+[no]qr
-

+

+

Toggles the display of the query message as it is sent. By default, the query is not printed. -

+

+
+[no]question
-

+

+

Toggles the display of the question section of a query when an answer is returned. The default is to print the question section as a comment. -

+

+
+[no]raflag
-

+

+

Set [do not set] the RA (Recursion Available) bit in the query. The default is +noraflag. This bit should be ignored by the server for QUERY. -

+

+
+[no]rdflag
-

+

+

A synonym for +[no]recurse. -

+

+
+[no]recurse
-

+

+

Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means dig normally sends recursive @@ -651,56 +831,68 @@ when using +trace except for an initial recursive query to get the list of root servers. -

+

+
+retry=T
-

+

+

Sets the number of times to retry UDP queries to server to T instead of the default, 2. Unlike +tries, this does not include the initial query. -

+

+
+[no]rrcomments
-

+

+

Toggle the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). The default is not to print record comments unless multiline mode is active. -

+

+
+[no]search
-

+

Use [do not use] the search list defined by the searchlist or domain directive in resolv.conf (if any). The search list is not used by default.

-

+

'ndots' from resolv.conf (default 1) which may be overridden by +ndots determines if the name will be treated as relative or not and hence whether a search is eventually performed or not.

-
+
+[no]short
-

+

+

Provide a terse answer. The default is to print the answer in a verbose form. This option always has global effect; it cannot be set globally and then overridden on a per-lookup basis. -

+

+
+[no]showsearch
-

+

+

Perform [do not perform] a search showing intermediate results. -

+

+
+[no]sigchase
-

+

+

This feature is now obsolete and has been removed; use delv instead. -

+

+
+split=W
-

+

+

Split long hex- or base64-formatted fields in resource records into chunks of W characters (where W is rounded @@ -709,20 +901,23 @@ +split=0 causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -

+

+
+[no]stats
-

+

+

Toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics as a comment after each lookup. -

+

+
+[no]subnet=addr[/prefix-length]
-

+

Send (don't send) an EDNS Client Subnet option with the specified IP address or network prefix.

-

+

dig +subnet=0.0.0.0/0, or simply dig +subnet=0 for short, sends an EDNS CLIENT-SUBNET option with an empty address and a source @@ -731,23 +926,28 @@ not be used when resolving this query.

-
+
+[no]tcflag
-

+

+

Set [do not set] the TC (TrunCation) bit in the query. The default is +notcflag. This bit should be ignored by the server for QUERY. -

+

+
+[no]tcp
-

+

+

Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless a type any or ixfr=N query is requested, in which case the default is TCP. AXFR queries always use TCP. -

+

+
+timeout=T
-

+

+

Sets the timeout for a query to T seconds. The default @@ -755,16 +955,19 @@ An attempt to set T to less than 1 will result in a query timeout of 1 second being applied. -

+

+
+[no]topdown
-

+

+

This feature is related to dig +sigchase, which is obsolete and has been removed. Use delv instead. -

+

+
+[no]trace
-

+

Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, @@ -772,80 +975,99 @@ resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. -

-

+

If @server is also specified, it affects only the initial query for the root zone name servers. -

-

+

+dnssec is also set when +trace is set to better emulate the default queries from a nameserver.

-
+
+tries=T
-

+

+

Sets the number of times to try UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of tries is silently rounded up to 1. -

+

+
+trusted-key=####
-

+

+

Formerly specified trusted keys for use with dig +sigchase. This feature is now obsolete and has been removed; use delv instead. -

+

+
+[no]ttlid
-

+

+

Display [do not display] the TTL when printing the record. -

+

+
+[no]ttlunits
-

+

+

Display [do not display] the TTL in friendly human-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks. Implies +ttlid. -

+

+
+[no]unexpected
-

+

+

Accept [do not accept] answers from unexpected sources. By default, dig won't accept a reply from a source other than the one to which it sent the query. -

+

+
+[no]unknownformat
-

+

+

Print all RDATA in unknown RR type presentation format (RFC 3597). The default is to print RDATA for known types in the type's presentation format. -

+

+
+[no]vc
-

+

+

Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit". -

+

+
+[no]yaml
-

+

+

Print the responses (and, if +qr is in use, also the outgoing queries) in a detailed YAML format. -

+

+
+[no]zflag
-

+

+

Set [do not set] the last unassigned DNS header flag in a DNS query. This flag is off by default. -

+

+

-
-
+
+ +

MULTIPLE QUERIES

-

+ + +

The BIND 9 implementation of dig supports specifying multiple queries on the command line (in addition to @@ -853,7 +1075,8 @@ queries can be supplied with its own set of flags, options and query options.

-

+ +

In this case, each query argument represent an individual query in the command-line syntax described above. Each @@ -861,7 +1084,8 @@ looked up, an optional query type and class and any query options that should be applied to that query.

-

+ +

A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options @@ -889,10 +1113,13 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr will not print the initial query when it looks up the NS records for isc.org.

-
-
+ +
+ +

IDN SUPPORT

-

+ +

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. dig appropriately converts character encoding of @@ -904,29 +1131,44 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr the IDN_DISABLE environment variable.

-
-
+
+ +

FILES

-

/etc/resolv.conf + +

/etc/resolv.conf

-

${HOME}/.digrc +

${HOME}/.digrc

-
-
+
+ +

SEE ALSO

-

delv(1), - host(1), - named(8), - dnssec-keygen(8), + +

+ delv(1) + , + + host(1) + , + + named(8) + , + + dnssec-keygen(8) + , RFC 1035.

-
-
+
+ +

BUGS

-

+ +

There are probably too many query options.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 466a580776..14c02c1118 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -10,7 +10,7 @@ dnssec-cds - + @@ -32,17 +32,44 @@
-
+ + + + + +

Name

-

dnssec-cds — change DS records for a child zone based on CDS/CDNSKEY

-
-
-

Synopsis

-

dnssec-cds [-a alg...] [-c class] [-D] {-d dsset-file} {-f child-file} [-i [extension]] [-s start-time] [-T ttl] [-u] [-v level] [-V] {domain}

-
-
-

DESCRIPTION

+ dnssec-cds + — change DS records for a child zone based on CDS/CDNSKEY +

+
+ + + +
+

Synopsis

+

+ dnssec-cds + [-a alg...] + [-c class] + [-D] + {-d dsset-file} + {-f child-file} + [-i [extension]] + [-s start-time] + [-T ttl] + [-u] + [-v level] + [-V] + {domain} +

+
+ +
+

DESCRIPTION

+ +

The dnssec-cds command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone. If both CDS and CDNSKEY records are present in @@ -52,7 +79,7 @@ parent can keep the DS records up to date and enable automatic rolling of KSKs.

-

+

Two input files are required. The -f child-file option specifies a file containing the child's CDS and/or CDNSKEY @@ -65,27 +92,27 @@ dnssec-dsfromkey, or the output of a previous run of dnssec-cds.

-

+

The dnssec-cds command uses special DNSSEC validation logic specified by RFC 7344. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records. This will typically be the pre-existing key-signing key (KSK).

-

+

For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of dnssec-cds. This time is obtained from the modification time of the dsset- file, or from the -s option.

-

+

To protect against breaking the delegation, dnssec-cds ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type.

-

+

By default, replacement DS records are written to the standard output; with the -i option the input file is overwritten in place. The replacement DS records will be the @@ -93,49 +120,56 @@ output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure.

-

+

Warning: Be careful not to delete the DS records when dnssec-cds fails!

-

+

Alternatively, dnssec-cds -u writes an nsupdate script to the standard output. You can use the -u and -i options together to maintain a dsset- file as well as emit an nsupdate script.

-
-
+ +
+ +

OPTIONS

-
+ +
-a algorithm
-

+

Specify a digest algorithm to use when converting CDNSKEY records to DS records. This option can be repeated, so that multiple DS records are created for each CDNSKEY record. This option has no effect when using CDS records.

-

+

The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256.

-
+
-c class
-

+

+

Specifies the DNS class of the zones. -

+

+
-D
-

+

+

Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone. By default CDS records are preferred. -

+

+
-d path
-

+

Location of the parent DS records. The path can be the name of a file containing the DS records, or if it is a @@ -143,31 +177,31 @@ a dsset- file for the domain inside the directory.

-

+

To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the dsset- file. This can be adjusted with the -s option.

-
+
-f child-file
-

+

File containing the child's CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated.

-

+

The EXAMPLES below describe how to generate this file.

-
+
-i[extension]
-

+

Update the dsset- file in place, instead of writing DS records to the standard output.

-

+

There must be no space between the -i and the extension. If you provide no extension then the @@ -177,17 +211,17 @@ with the extension appended to its filename.

-

+

To protect against replay attacks, the modification time of the dsset- file is set to match the signature inception time of the child records, provided that is later than the file's current modification time.

-
+
-s start-time
-

+

Specify the date and time after which RRSIG records become acceptable. This can be either an absolute or relative time. An absolute start time is indicated by a number in @@ -197,69 +231,82 @@ which is N seconds before the file modification time. A time relative to the current time is indicated with now+N.

-

+

If no start-time is specified, the modification time of the dsset- file is used.

-
+
-T ttl
-

+

+

Specifies a TTL to be used for new DS records. If not specified, the default is the TTL of the old DS records. If they had no explicit TTL then the new DS records also have no explicit TTL. -

+

+
-u
-

+

Write an nsupdate script to the standard output, instead of printing the new DS reords. The output will be empty if no change is needed.

-

+

Note: The TTL of new records needs to be specified, either in the original dsset- file, or with the -T option, or using the nsupdate ttl command.

-
+
-V
-

+

+

Print version information. -

+

+
-v level
-

+

+

Sets the debugging level. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers. -

+

+
domain
-

+

+

The name of the delegation point / child zone apex. -

+

+
-
-
+
+ +

EXIT STATUS

-

+ +

The dnssec-cds command exits 0 on success, or non-zero if an error occurred.

-

+

In the success case, the DS records might or might not need to be changed.

-
-
+ +
+ +

EXAMPLES

-

+ +

Before running dnssec-signzone, you can ensure that the delegations are up-to-date by running dnssec-cds on every dsset- file.

-

+

To fetch the child records required by dnssec-cds you can invoke dig as in the script below. It's okay if the dig fails since @@ -272,7 +319,8 @@ do dnssec-cds -i -f /dev/stdin -d $f $d done -

+ +

When the parent zone is automatically signed by named, you can use dnssec-cds with nsupdate to maintain a delegation as follows. @@ -285,18 +333,30 @@ dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | dnssec-cds -u -i -f /dev/stdin -d $f $d | nsupdate -l -

-
+
+ +

SEE ALSO

-

- dig(1), - dnssec-settime(8), - dnssec-signzone(8), - nsupdate(1), + +

+ + dig(1) + , + + dnssec-settime(8) + , + + dnssec-signzone(8) + , + + nsupdate(1) + , BIND 9 Administrator Reference Manual, RFC 7344.

-
+ +
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index cd6f05a4b5..cbb152cfea 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -10,7 +10,7 @@ dnssec-checkds - + @@ -32,70 +32,110 @@
-
+ + + + + +

Name

-

dnssec-checkds — DNSSEC delegation consistency checking tool

+

+ dnssec-checkds + — DNSSEC delegation consistency checking tool +

-
+ + + +

Synopsis

-

dnssec-checkds [-d dig path] [-D dsfromkey path] [-f file] [-l domain] [-s file] {zone}

-
-
+

+ dnssec-checkds + [-d dig path] + [-D dsfromkey path] + [-f file] + [-l domain] + [-s file] + {zone} +

+
+ +

DESCRIPTION

-

dnssec-checkds + +

dnssec-checkds verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone.

-
-
+
+ +

OPTIONS

-
+ +
-a algorithm
-

+

Specify a digest algorithm to use when converting the zone's DNSKEY records to expected DS records. This option can be repeated, so that multiple records are checked for each DNSKEY record.

-

+

The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256.

-
+
-f file
-

+

+

If a file is specified, then the zone is read from that file to find the DNSKEY records. If not, then the DNSKEY records for the zone are looked up in the DNS. -

+

+
-s file
-

+

+

Specifies a prepared dsset file, such as would be generated by dnssec-signzone, to use as a source for the DS RRset instead of querying the parent. -

+

+
-d dig path
-

+

+

Specifies a path to a dig binary. Used for testing. -

+

+
-D dsfromkey path
-

+

+

Specifies a path to a dnssec-dsfromkey binary. Used for testing. -

+

+
-
-
+
+ +

SEE ALSO

-

dnssec-dsfromkey(8), - dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-dsfromkey(8) + , + + dnssec-keygen(8) + , + + dnssec-signzone(8) + ,

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index c3faab3d74..3c4f351897 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -10,7 +10,7 @@ dnssec-coverage - + @@ -32,22 +32,47 @@
-
+ + + + + +

Name

-

dnssec-coverage — checks future DNSKEY coverage for a zone

+

+ dnssec-coverage + — checks future DNSKEY coverage for a zone +

-
+ + + +

Synopsis

-

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone...]

-
-
+

+ dnssec-coverage + [-K directory] + [-l length] + [-f file] + [-d DNSKEY TTL] + [-m max TTL] + [-r interval] + [-c compilezone path] + [-k] + [-z] + [zone...] +

+
+ +

DESCRIPTION

-

dnssec-coverage + +

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage.

-

+

If zone is specified, then keys found in the key repository matching that zone are scanned, and an ordered list is generated of the events scheduled for that key (i.e., @@ -60,47 +85,54 @@ key is rolled, and cached data signed by the prior key has not had time to expire from resolver caches.

-

+

If zone is not specified, then all keys in the key repository will be scanned, and all zones for which there are keys will be analyzed. (Note: This method of reporting is only accurate if all the zones that have keys in a given repository share the same TTL parameters.)

-
-
+
+ +

OPTIONS

-
+ + +
-K directory
-

+

+

Sets the directory in which keys can be found. Defaults to the current working directory. -

+

+
-f file
-

+

+

If a file is specified, then the zone is read from that file; the largest TTL and the DNSKEY TTL are determined directly from the zone data, and the -m and -d options do not need to be specified on the command line. -

+

+
-l duration
-

+

The length of time to check for DNSSEC coverage. Key events scheduled further into the future than duration will be ignored, and assumed to be correct.

-

+

The value of duration can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-
+
-m maximum TTL
-

+

Sets the value to be used as the maximum TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure. When a zone-signing key is @@ -109,26 +141,26 @@ before that key can be purged from the DNSKEY RRset. If that condition does not apply, a warning will be generated.

-

+

The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-

+

This option is not necessary if the -f has been used to specify a zone file. If -f has been specified, this option may still be used; it will override the value found in the file.

-

+

If this option is not used and the maximum TTL cannot be retrieved from a zone file, a warning is generated and a default value of 1 week is used.

-
+
-d DNSKEY TTL
-

+

Sets the value to be used as the DNSKEY TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure. When a key is rolled (that @@ -137,12 +169,12 @@ the new key is activated and begins generating signatures. If that condition does not apply, a warning will be generated.

-

+

The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-

+

This option is not necessary if -f has been used to specify a zone file from which the TTL of the DNSKEY RRset can be read, or if a default key TTL was @@ -151,15 +183,15 @@ this option may still be used; it will override the values found in the zone file or the key file.

-

+

If this option is not used and the key TTL cannot be retrieved from the zone file or the key file, then a warning is generated and a default value of 1 day is used.

-
+
-r resign interval
-

+

Sets the value to be used as the resign interval for the zone or zones being analyzed when determining whether there is a possibility of validation failure. This value defaults to @@ -169,38 +201,55 @@ named.conf, then it should also be changed here.

-

+

The length of the interval can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-
+
-k
-

+

+

Only check KSK coverage; ignore ZSK events. Cannot be used with -z. -

+

+
-z
-

+

+

Only check ZSK coverage; ignore KSK events. Cannot be used with -k. -

+

+
-c compilezone path
-

+

+

Specifies a path to a named-compilezone binary. Used for testing. -

+

+
-
-
+
+ +

SEE ALSO

-

- dnssec-checkds(8), - dnssec-dsfromkey(8), - dnssec-keygen(8), - dnssec-signzone(8) + +

+ + dnssec-checkds(8) + , + + dnssec-dsfromkey(8) + , + + dnssec-keygen(8) + , + + dnssec-signzone(8) +

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index b15aa8973f..3357a80763 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -10,7 +10,7 @@ dnssec-dsfromkey - + @@ -32,66 +32,145 @@
-
+ + + + + +

Name

-

dnssec-dsfromkey — DNSSEC DS RR generation tool

-
-
-

Synopsis

-

dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C | -l domain ] [-T TTL] [-v level] [-K directory] {keyfile}

-

dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C | -l domain ] [-T TTL] [-v level] [-c class] [-A] {-f file} [dnsname]

-

dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C | -l domain ] [-T TTL] [-v level] [-c class] [-K directory] {-s} {dnsname}

-

dnssec-dsfromkey [ -h | -V ]

-
-
-

DESCRIPTION

+ dnssec-dsfromkey + — DNSSEC DS RR generation tool +

+
+ + + +
+

Synopsis

+

+ dnssec-dsfromkey + [ + -1 + | -2 + | -a alg + ] + [ + -C + | -l domain + ] + [-T TTL] + [-v level] + [-K directory] + {keyfile} +

+

+ dnssec-dsfromkey + [ + -1 + | -2 + | -a alg + ] + [ + -C + | -l domain + ] + [-T TTL] + [-v level] + [-c class] + [-A] + {-f file} + [dnsname] +

+

+ dnssec-dsfromkey + [ + -1 + | -2 + | -a alg + ] + [ + -C + | -l domain + ] + [-T TTL] + [-v level] + [-c class] + [-K directory] + {-s} + {dnsname} +

+

+ dnssec-dsfromkey + [ + -h + | -V + ] +

+
+ +
+

DESCRIPTION

+ +

The dnssec-dsfromkey command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the -C option.

-

+ +

The input keys can be specified in a number of ways:

-

+ +

By default, dnssec-dsfromkey reads a key file named like Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.

-

+ +

With the -f file option, dnssec-dsfromkey reads keys from a zone file or partial zone file (which can contain just the DNSKEY records).

-

+ +

With the -s option, dnssec-dsfromkey reads a keyset- file, as generated by dnssec-keygen -C.

-
-
+ +
+ +

OPTIONS

-
+ +
-1
-

+

+

An abbreviation for -a SHA-1. (Note: The SHA-1 algorithm is no longer recommended for use when generating new DS and CDS records.) -

+

+
-2
-

+

+

An abbreviation for -a SHA-256. -

+

+
-a algorithm
-

+

Specify a digest algorithm to use when converting DNSKEY records to DS records. This option can be repeated, so that multiple DS records are created for each DNSKEY record.

-

+

The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, @@ -99,117 +178,149 @@ (Note: The SHA-1 algorithm is no longer recommended for use when generating new DS and CDS records.)

-
+
-A
-

+

+

Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in -f zone file mode. -

+

+
-c class
-

+

+

Specifies the DNS class (default is IN). Useful only in -s keyset or -f zone file mode. -

+

+
-C
-

+

+

Generate CDS records rather than DS records. -

+

+
-f file
-

+

Zone file mode: dnssec-dsfromkey's final dnsname argument is the DNS domain name of a zone whose master file can be read from file. If the zone name is the same as file, then it may be omitted.

-

+

If file is "-", then the zone data is read from the standard input. This makes it possible to use the output of the dig command as input, as in:

-

+

dig dnskey example.com | dnssec-dsfromkey -f - example.com

-
+
-h
-

+

+

Prints usage information. -

+

+
-K directory
-

+

+

Look for key files or keyset- files in directory. -

+

+
-s
-

+

+

Keyset mode: dnssec-dsfromkey's final dnsname argument is the DNS domain name used to locate a keyset- file. -

+

+
-T TTL
-

+

+

Specifies the TTL of the DS records. By default the TTL is omitted. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-
-
+
+ +

EXAMPLE

-

+ +

To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, you can issue the following command:

-

dnssec-dsfromkey -2 Kexample.com.+003+26160 +

dnssec-dsfromkey -2 Kexample.com.+003+26160

-

+

The command would print something like:

-

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94 +

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94

-
-
+ +
+ +

FILES

-

+ +

The keyfile can be designated by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

-

+

The keyset file name is built from the directory, the string keyset- and the dnsname.

-
-
+
+ +

CAVEAT

-

+ +

A keyfile error can give a "file not found" even if the file exists.

-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 3658 (DS RRs), RFC 4509 (SHA-256 for DS RRs), RFC 6605 (SHA-384 for DS RRs), RFC 7344 (CDS and CDNSKEY RRs).

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 5aad272064..2b6267b8d2 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -10,7 +10,7 @@ dnssec-importkey - + @@ -32,18 +32,56 @@
-
+ + + + + +

Name

-

dnssec-importkey — import DNSKEY records from external systems so they can be managed

+

+ dnssec-importkey + — import DNSKEY records from external systems so they can be managed +

-
+ + + +

Synopsis

-

dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] {keyfile}

-

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

-
-
+

+ dnssec-importkey + [-K directory] + [-L ttl] + [-P date/offset] + [-P sync date/offset] + [-D date/offset] + [-D sync date/offset] + [-h] + [-v level] + [-V] + {keyfile} +

+

+ dnssec-importkey + {-f filename} + [-K directory] + [-L ttl] + [-P date/offset] + [-P sync date/offset] + [-D date/offset] + [-D sync date/offset] + [-h] + [-v level] + [-V] + [dnsname] +

+
+ +

DESCRIPTION

-

dnssec-importkey + +

dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an existing .key file, in which case a corresponding .private file @@ -51,7 +89,7 @@ from the standard input, in which case both .key and .private files will be generated.

-

+

The newly-created .private file does not contain private key data, and cannot be used for signing. However, having a .private file makes it possible to set @@ -60,53 +98,68 @@ public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline.

-
-
+
+ +

OPTIONS

-
+ + +
-f filename
-

+

Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from file. If the domain name is the same as file, then it may be omitted.

-

+

If file is set to "-", then the zone data is read from the standard input.

-
+
-K directory
-

+

+

Sets the directory in which the key files are to reside. -

+

+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to 0 or none removes it. -

+

+
-h
-

+

+

Emit usage message and exit. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-
-
+
+ +

TIMING OPTIONS

-

+ +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -117,48 +170,66 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. -

+

+
-P sync date/offset
-

+

+

Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. -

+

+
-
-
+
+ +

FILES

-

+ +

A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 5011.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index eb168c244b..1fd757c12c 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -10,7 +10,7 @@ dnssec-keyfromlabel - + @@ -32,17 +32,58 @@
-
+ + + + + +

Name

-

dnssec-keyfromlabel — DNSSEC key generation tool

+

+ dnssec-keyfromlabel + — DNSSEC key generation tool +

-
+ + + +

Synopsis

-

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-
-
+

+ dnssec-keyfromlabel + {-l label} + [-3] + [-a algorithm] + [-A date/offset] + [-c class] + [-D date/offset] + [-D sync date/offset] + [-E engine] + [-f flag] + [-G] + [-I date/offset] + [-i interval] + [-k] + [-K directory] + [-L ttl] + [-n nametype] + [-P date/offset] + [-P sync date/offset] + [-p protocol] + [-R date/offset] + [-S key] + [-t type] + [-v level] + [-V] + [-y] + {name} +

+
+ +

DESCRIPTION

-

dnssec-keyfromlabel + +

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key file can be used for DNSSEC signing of zone data as if it were a @@ -50,58 +91,63 @@ but the key material is stored within the HSM, and the actual signing takes place there.

-

+

The name of the key is specified on the command line. This must match the name of the zone for which the key is being generated.

-
-
+
+ +

OPTIONS

-
+ + +
-a algorithm
-

+

Selects the cryptographic algorithm. The value of algorithm must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.

-

+

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, in which case NSEC3RSASHA1 will be used instead. (If -3 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)

-

+

These values are case insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option, then NSEC3RSASHA1 will be used instead.

-

+

As of BIND 9.12.0, this option is mandatory except when using the -S option (which copies the algorithm from the predecessory key). Previously, the default for newly generated keys was RSASHA1.

-
+
-3
-

+

+

Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example, dnssec-keygen -3a RSASHA1 specifies the NSEC3RSASHA1 algorithm. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -109,18 +155,18 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-l label
-

+

Specifies the label for a key pair in the crypto hardware.

-

+

When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is an arbitrary string that identifies a particular key.

-

+

When BIND 9 is built with native PKCS#11 support, the label is a PKCS#11 URI string in the format "pkcs11:keyword=value[;keyword=value;...]" @@ -129,7 +175,7 @@ which the HSM's PIN code can be obtained. The label will be stored in the on-disk "private" file.

-

+

If the label contains a pin-source field, tools using the generated key files will be able to use the HSM for signing and other @@ -138,18 +184,21 @@ may reduce the security advantage of using an HSM; be sure this is what you want to do before making use of this feature.

-
+
-n nametype
-

+

+

Specifies the owner type of the key. The value of nametype must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. -

+

+
-C
-

+

+

Compatibility mode: generates an old-style key, without any metadata. By default, dnssec-keyfromlabel will include the key's creation date in the metadata stored @@ -157,53 +206,71 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

+
-c class
-

+

+

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -

+

+
-f flag
-

+

+

Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+

+
-G
-

+

+

Generate a key, but do not publish it or sign with it. This option is incompatible with -P and -A. -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to dnssec-keyfromlabel. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to be written. -

+

+
-k
-

+

+

Generate KEY records rather than DNSKEY records. -

+

+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to 0 or none removes it. -

+

+
-p protocol
-

+

+

Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. -

+

+
-S key
-

+

+

Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new @@ -211,35 +278,47 @@ one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

+
-t type
-

+

+

Indicates the use of the key. type must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-y
-

+

+

Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.) -

+

+
-
-
+
+ +

TIMING OPTIONS

-

+ + +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -250,52 +329,67 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the -G option has not been used, the default is "now". -

+

+
-P sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone. -

+

+
-A date/offset
-

+

+

Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the -G option has not been used, the default is "now". -

+

+
-R date/offset
-

+

+

Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it. -

+

+
-I date/offset
-

+

+

Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted. -

+

+
-i interval
-

+

Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the @@ -304,69 +398,84 @@ the publication date is specified but activation date isn't, then activation will be set to this much time after publication.

-

+

If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.

-

+

As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.

-
+
-
-
+
+ +

GENERATED KEY FILES

-

+ +

When dnssec-keyfromlabel completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to the standard output. This is an identification string for the key files it has generated.

-
    -
  • nnnn is the key name. -

  • -
  • aaa is the numeric representation +

      +
    • +

      nnnn is the key name. +

      +
    • +
    • +

      aaa is the numeric representation of the algorithm. -

    • -
    • iiiii is the key identifier (or +

      +
    • +
    • +

      iiiii is the key identifier (or footprint). -

    • +

      +
    -

    dnssec-keyfromlabel +

    dnssec-keyfromlabel creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and Knnnn.+aaa+iiiii.private contains the private key.

    -

    +

    The .key file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).

    -

    +

    The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.

    -
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 4034, The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13).

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 303399c840..12783bc5c5 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -10,7 +10,7 @@ dnssec-keygen - + @@ -32,49 +32,102 @@
-
+ + + + + +

Name

-

dnssec-keygen — DNSSEC key generation tool

+

+ dnssec-keygen + — DNSSEC key generation tool +

-
+ + + +

Synopsis

-

dnssec-keygen [-3] [-A date/offset] [-a algorithm] [-b keysize] [-C] [-c class] [-D date/offset] [-D sync date/offset] [-d bits] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-k policy] [-L ttl] [-l file] [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] [-q] [-R date/offset] [-S key] [-s strength] [-T rrtype] [-t type] [-V] [-v level] {name}

-
-
+

+ dnssec-keygen + [-3] + [-A date/offset] + [-a algorithm] + [-b keysize] + [-C] + [-c class] + [-D date/offset] + [-D sync date/offset] + [-d bits] + [-E engine] + [-f flag] + [-G] + [-g generator] + [-h] + [-I date/offset] + [-i interval] + [-K directory] + [-k policy] + [-L ttl] + [-l file] + [-n nametype] + [-P date/offset] + [-P sync date/offset] + [-p protocol] + [-q] + [-R date/offset] + [-S key] + [-s strength] + [-T rrtype] + [-t type] + [-V] + [-v level] + {name} +

+
+ +

DESCRIPTION

-

dnssec-keygen + +

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.

-

+

The name of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.

-

+

The dnssec-keymgr command acts as a wrapper around dnssec-keygen, generating and updating keys as needed to enforce defined security policies such as key rollover scheduling. Using dnssec-keymgr may be preferable to direct use of dnssec-keygen.

-
-
+
+ +

OPTIONS

-
+ + +
-3
-

+

+

Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example, dnssec-keygen -3a RSASHA1 specifies the NSEC3RSASHA1 algorithm. -

+

+
-a algorithm
-

+

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, @@ -83,42 +136,43 @@ his value will automatically set the -T KEY option as well.

-

+

These values are case insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option, then NSEC3RSASHA1 will be used instead.

-

+

This parameter must be specified except when using the -S option, which copies the algorithm from the predecessor key.

-

+

In prior releases, HMAC algorithms could be generated for use as TSIG keys, but that feature has been removed as of BIND 9.13.0. Use tsig-keygen to generate TSIG keys.

-
+
-b keysize
-

+

Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 1024 and 4096 bits. Diffie Hellman keys must be between 128 and 4096 bits. Elliptic curve algorithms don't need this parameter.

-

+

If the key size is not specified, some algorithms have pre-defined defaults. For instance, RSA keys have a default size of 2048 bits.

-
+
-C
-

+

+

Compatibility mode: generates an old-style key, without any timing metadata. By default, dnssec-keygen will include the key's creation date in the metadata stored with @@ -126,25 +180,30 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

+
-c class
-

+

+

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -

+

+
-d bits
-

+

+

Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024-4096. DH size is between 128 and 4096. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -152,50 +211,61 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-f flag
-

+

+

Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+

+
-G
-

+

+

Generate a key, but do not publish it or sign with it. This option is incompatible with -P and -A. -

+

+
-g generator
-

+

+

If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to dnssec-keygen. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to be written. -

+

+
-k policy
-

+

Create keys for a specific dnssec-policy. If a policy uses multiple keys, dnssec-keygen will generate multiple keys. This will also create a ".state" file to keep track of the key state.

-

+

This option creates keys according to the dnssec-policy configuration, hence it cannot be used together with many of the other options that dnssec-keygen provides.

-
+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was @@ -204,30 +274,38 @@ is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to 0 or none is the same as leaving it unset. -

+

+
-l file
-

+

+

Provide a configuration file that contains a dnssec-policy statement (matching the policy set with -k). -

+

+
-n nametype
-

+

+

Specifies the owner type of the key. The value of nametype must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation. -

+

+
-p protocol
-

+

+

Sets the protocol value for the generated key, for use with -T KEY. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. -

+

+
-q
-

+

+

Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when dnssec-keygen is run interactively @@ -239,9 +317,11 @@ round of the Miller-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key. -

+

+
-S key
-

+

+

Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation @@ -249,41 +329,55 @@ the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

+
-s strength
-

+

+

Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -

+

+
-T rrtype
-

+

+

Specifies the resource record type to use for the key. rrtype must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0). -

+

+
-t type
-

+

+

Indicates the use of the key, for use with -T KEY. type must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -

+

+
-V
-

+

+

Prints version information. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-
-
+
+ +

TIMING OPTIONS

-

+ + +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -294,54 +388,69 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the -G option has not been used, the default is "now". -

+

+
-P sync date/offset
-

+

+

Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. -

+

+
-A date/offset
-

+

+

Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the -G option has not been used, the default is "now". If set, if and -P is not set, then the publication date will be set to the activation date minus the prepublication interval. -

+

+
-R date/offset
-

+

+

Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it. -

+

+
-I date/offset
-

+

+

Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. -

+

+
-i interval
-

+

Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the @@ -350,42 +459,51 @@ the publication date is specified but activation date isn't, then activation will be set to this much time after publication.

-

+

If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.

-

+

As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.

-
+
-
-
+
+ + +

GENERATED KEYS

-

+ +

When dnssec-keygen completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to the standard output. This is an identification string for the key it has generated.

-
    -
  • nnnn is the key name. -

  • -
  • aaa is the numeric representation +

      +
    • +

      nnnn is the key name. +

      +
    • +
    • +

      aaa is the numeric representation of the algorithm. -

    • -
    • iiiii is the key identifier (or +

      +
    • +
    • +

      iiiii is the key identifier (or footprint). -

    • +

      +
    -

    dnssec-keygen +

    dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and @@ -393,7 +511,7 @@ private key.

    -

    +

    The .key file contains a DNSKEY or KEY record. When a zone is being signed by named or dnssec-signzone -S, DNSKEY @@ -401,49 +519,56 @@ the .key file can be inserted into a zone file manually or with a $INCLUDE statement.

    -

    +

    The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.

    -
-
+
+ +

EXAMPLE

-

+ +

To generate an ECDSAP256SHA256 zone-signing key for the zone example.com, issue the command:

-

+

dnssec-keygen -a ECDSAP256SHA256 example.com

-

+

The command would print a string of the form:

-

Kexample.com.+013+26160 +

Kexample.com.+013+26160

-

+

In this example, dnssec-keygen creates the files Kexample.com.+013+26160.key and Kexample.com.+013+26160.private.

-

+

To generate a matching key-signing key, issue the command:

-

+

dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com

-
-
+
+ +

SEE ALSO

-

dnssec-signzone(8), + +

+ dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, RFC 4034.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index d5e519f6b3..8b3b952ac8 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -10,7 +10,7 @@ dnssec-keymgr - + @@ -32,24 +32,48 @@
-
+ + + + + +

Name

-

dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy

-
-
-

Synopsis

-

dnssec-keymgr [-K directory] [-c file] [-f] [-k] [-q] [-v] [-z] [-g path] [-s path] [zone...]

-
-
-

DESCRIPTION

+ dnssec-keymgr + — Ensures correct DNSKEY coverage for a zone based on a defined policy +

+
+ + + +
+

Synopsis

+

+ dnssec-keymgr + [-K directory] + [-c file] + [-f] + [-k] + [-q] + [-v] + [-z] + [-g path] + [-s path] + [zone...] +

+
+ +
+

DESCRIPTION

+

dnssec-keymgr is a high level Python wrapper to facilitate the key rollover process for zones handled by BIND. It uses the BIND commands for manipulating DNSSEC key metadata: dnssec-keygen and dnssec-settime.

-

+

DNSSEC policy can be read from a configuration file (default /etc/dnssec-policy.conf), from which the key parameters, publication and rollover schedule, and desired @@ -58,14 +82,14 @@ per-zone basis, or to set a "default" policy used for all zones.

-

+

When dnssec-keymgr runs, it examines the DNSSEC keys for one or more zones, comparing their timing metadata against the policies for those zones. If key settings do not conform to the DNSSEC policy (for example, because the policy has been changed), they are automatically corrected.

-

+

A zone policy can specify a duration for which we want to ensure the key correctness (coverage). It can also specify a rollover period (roll-period). @@ -73,43 +97,47 @@ coverage period ends, then a successor key will automatically be created and added to the end of the key series.

-

+

If zones are specified on the command line, dnssec-keymgr will examine only those zones. If a specified zone does not already have keys in place, then keys will be generated for it according to policy.

-

+

If zones are not specified on the command line, then dnssec-keymgr will search the key directory (either the current working directory or the directory set by the -K option), and check the keys for all the zones represented in the directory.

-

+

Key times that are in the past will not be updated unless the -f is used (see below). Key inactivation and deletion times that are less than five minutes in the future will be delayed by five minutes.

-

+

It is expected that this tool will be run automatically and unattended (for example, by cron).

-
-
+
+ +

OPTIONS

-
+
-c file
-

+

+

If -c is specified, then the DNSSEC policy is read from file. (If not specified, then the policy is read from /etc/dnssec-policy.conf; if that file doesn't exist, a built-in global default policy is used.) -

+

+
-f
-

+

+

Force: allow updating of key events even if they are already in the past. This is not recommended for use with zones in which keys have already been published. However, @@ -118,58 +146,77 @@ keys have not been published in a zone as yet, then this option can be used to clean them up and turn them into a proper series of keys with appropriate rollover intervals. -

+

+
-g keygen-path
-

+

+

Specifies a path to a dnssec-keygen binary. Used for testing. See also the -s option. -

+

+
-h
-

+

+

Print the dnssec-keymgr help summary and exit. -

+

+
-K directory
-

+

+

Sets the directory in which keys can be found. Defaults to the current working directory. -

+

+
-k
-

+

+

Only apply policies to KSK keys. See also the -z option. -

+

+
-q
-

+

+

Quiet: suppress printing of dnssec-keygen and dnssec-settime. -

+

+
-s settime-path
-

+

+

Specifies a path to a dnssec-settime binary. Used for testing. See also the -g option. -

+

+
-v
-

+

+

Print the dnssec-keymgr version and exit. -

+

+
-z
-

+

+

Only apply policies to ZSK keys. See also the -k option. -

+

+
-
-
+
+ +

POLICY CONFIGURATION

-

+

The dnssec-policy.conf file can specify three kinds of policies:

-
    -
  • +

      +
    • +

      Policy classes (policy name { ... };) can be inherited by zone policies or other policy classes; these @@ -178,16 +225,20 @@ 1024-bit key sizes, but a class extra might specify 2048 bits instead; extra would be used for zones that had unusually high security needs. -

    • -
    • +

      +
    • +
    • +

      Algorithm policies: (algorithm-policy algorithm { ... }; ) override default per-algorithm settings. For example, by default, RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This can be modified using algorithm-policy, and the new key sizes would then be used for any key of type RSASHA256. -

    • -
    • +

      +
    • +
    • +

      Zone policies: (zone name { ... }; ) set policy for a single zone by name. A zone policy can inherit @@ -195,21 +246,25 @@ Zone names beginning with digits (i.e., 0-9) must be quoted. If a zone does not have its own policy then the "default" policy applies. -

    • +

      +
    -

    +

    Options that can be specified in policies:

    -
    +
    algorithm name;
    -

    +

    +

    The key algorithm. If no policy is defined, the default is RSASHA256. -

    +

    +
    coverage duration;
    -

    +

    +

    The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. This can be represented as a number of seconds, or as a duration @@ -217,89 +272,119 @@ A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is six months. -

    +

    +
    directory path;
    -

    +

    +

    Specifies the directory in which keys should be stored. -

    +

    +
    key-size keytype size;
    -

    +

    +

    Specifies the number of bits to use in creating keys. The keytype is either "zsk" or "ksk". A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is 2048 bits for RSA keys. -

    +

    +
    keyttl duration;
    -

    +

    +

    The key TTL. If no policy is defined, the default is one hour. -

    +

    +
    post-publish keytype duration;
    -

    +

    +

    How long after inactivation a key should be deleted from the zone. Note: If roll-period is not set, this value is ignored. The keytype is either "zsk" or "ksk". A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month. -

    +

    +
    pre-publish keytype duration;
    -

    +

    +

    How long before activation a key should be published. Note: If roll-period is not set, this value is ignored. The keytype is either "zsk" or "ksk". A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month. -

    +

    +
    roll-period keytype duration;
    -

    +

    +

    How frequently keys should be rolled over. The keytype is either "zsk" or "ksk". A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is one year for ZSKs. KSKs do not roll over by default. -

    +

    +
    standby keytype number;
    -

    +

    +

    Not yet implemented. -

    +

    +
    -
    -
    +
    + +

    REMAINING WORK

    -
      -
    • +

        +
      • +

        Enable scheduling of KSK rollovers using the -P sync and -D sync options to dnssec-keygen and dnssec-settime. Check the parent zone (as in dnssec-checkds) to determine when it's safe for the key to roll. -

      • -
      • +

        +
      • +
      • +

        Allow configuration of standby keys and use of the REVOKE bit, for keys that use RFC 5011 semantics. -

      • +

        +
      -
    -
    +
    + +

    SEE ALSO

    -

    - dnssec-coverage(8), - dnssec-keygen(8), - dnssec-settime(8), - dnssec-checkds(8) +

    + + dnssec-coverage(8) + , + + dnssec-keygen(8) + , + + dnssec-settime(8) + , + + dnssec-checkds(8) +

    -
    +
    +
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 0dffdac856..87bf44004e 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -10,7 +10,7 @@ dnssec-revoke - + @@ -32,52 +32,88 @@
-
+ + + + + +

Name

-

dnssec-revoke — set the REVOKED bit on a DNSSEC key

+

+ dnssec-revoke + — set the REVOKED bit on a DNSSEC key +

-
+ + + +

Synopsis

-

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-
-
+

+ dnssec-revoke + [-hr] + [-v level] + [-V] + [-K directory] + [-E engine] + [-f] + [-R] + {keyfile} +

+
+ +

DESCRIPTION

-

dnssec-revoke + +

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key.

-
-
+
+ +

OPTIONS

-
+ + +
-h
-

+

+

Emit usage message and exit. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to reside. -

+

+
-r
-

+

+

After writing the new keyset files remove the original keyset files. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -85,27 +121,36 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-f
-

+

+

Force overwrite: Causes dnssec-revoke to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key. -

+

+
-R
-

+

+

Print the key tag of the key with the REVOKE bit set but do not revoke the key. -

+

+
-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), + +

+ dnssec-keygen(8) + , BIND 9 Administrator Reference Manual, RFC 5011.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index d5c8f3ed2b..37ff2e45f2 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -10,7 +10,7 @@ dnssec-settime - + @@ -32,17 +32,55 @@
-
+ + + + + +

Name

-

dnssec-settime — set the key timing metadata for a DNSSEC key

+

+ dnssec-settime + — set the key timing metadata for a DNSSEC key +

-
+ + + +

Synopsis

-

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-D sync date/offset] [-S key] [-i interval] [-h] [-V] [-v level] [-E engine] [-s] [-g state] [-d state date/offset] [-k state date/offset] [-r state date/offset] [-z state date/offset] {keyfile}

-
-
+

+ dnssec-settime + [-f] + [-K directory] + [-L ttl] + [-P date/offset] + [-P sync date/offset] + [-A date/offset] + [-R date/offset] + [-I date/offset] + [-D date/offset] + [-D sync date/offset] + [-S key] + [-i interval] + [-h] + [-V] + [-v level] + [-E engine] + [-s] + [-g state] + [-d state date/offset] + [-k state date/offset] + [-r state date/offset] + [-z state date/offset] + {keyfile} +

+
+ +

DESCRIPTION

-

dnssec-settime + +

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, -R, -I, and -D @@ -51,23 +89,23 @@ determine when a key is to be published, whether it should be used for signing a zone, etc.

-

+

If none of these options is set on the command line, then dnssec-settime simply prints the key timing metadata already stored in the key.

-

+

When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated.

-

+

Metadata fields are stored in the private file. A human-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).

-

+

When working with state files, it is possible to update the timing metadata in those files as well with -s. If this option is used you can also update key states with -d @@ -75,21 +113,25 @@ or -z (RRSIG of ZSK). Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.

-

+

You can also set the goal state of the key with -g. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published).

-

+

It is NOT RECOMMENDED to manipulate state files manually except for testing purposes.

-
-
+
+ +

OPTIONS

-
+ + +
-f
-

+

+

Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail when attempting to update a legacy key. With this option, @@ -98,13 +140,17 @@ set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to reside. -

+

+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was @@ -113,25 +159,32 @@ is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to 0 or none removes it from the key. -

+

+
-h
-

+

+

Emit usage message and exit. -

+

+
-V
-

+

+

Prints version information. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -139,12 +192,14 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-
-
+
+ +

TIMING OPTIONS

-

+ +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -154,49 +209,65 @@ days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. -

+

+
-P sync date/offset
-

+

+

Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. -

+

+
-A date/offset
-

+

+

Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. -

+

+
-R date/offset
-

+

+

Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it. -

+

+
-I date/offset
-

+

+

Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. -

+

+
-S predecessor key
-

+

+

Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being @@ -204,10 +275,11 @@ to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

+
-i interval
-

+

Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the @@ -216,69 +288,90 @@ the publication date is specified but activation date isn't, then activation will be set to this much time after publication.

-

+

If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.

-

+

As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.

-
+
-
-
+
+ +

KEY STATE OPTIONS

-

+ +

Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE. These should not be set manually except for testing purposes.

-
+ +
-s
-

+

+

When setting key timing data, also update the state file. -

+

+
-g
-

+

+

Set the goal state for this key. Must be HIDDEN or OMNIPRESENT. -

+

+
-d
-

+

+

Set the DS state for this key, and when it was last changed. -

+

+
-k
-

+

+

Set the DNSKEY state for this key, and when it was last changed. -

+

+
-r
-

+

+

Set the RRSIG (KSK) state for this key, and when it was last changed. -

+

+
-z
-

+

+

Set the RRSIG (ZSK) state for this key, and when it was last changed. -

+

+
-
-
+
+ +

PRINTING OPTIONS

-

+ +

dnssec-settime can also be used to print the timing metadata associated with a key.

-
+ +
-u
-

+

+

Print times in UNIX epoch format. -

+

+
-p C/P/Psync/A/R/I/D/Dsync/all
-

+

+

Print a specific metadata value or set of metadata values. The -p option may be followed by one or more of the following letters or strings to indicate which value @@ -292,17 +385,25 @@ D for the deletion date, and Dsync for the CDS and CDNSKEY deletion date To print all of the metadata, use -p all. -

+

+
-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 5011.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 79b326e00d..3d4b9562be 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -10,7 +10,7 @@ dnssec-signzone - + @@ -32,17 +32,71 @@
-
+ + + + + +

Name

-

dnssec-signzone — DNSSEC zone signing tool

+

+ dnssec-signzone + — DNSSEC zone signing tool +

-
+ + + +

Synopsis

-

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-i interval] [-I input-format] [-j jitter] [-K directory] [-k key] [-L serial] [-l domain] [-M maxttl] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-Q] [-q] [-R] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-
-
+

+ dnssec-signzone + [-a] + [-c class] + [-d directory] + [-D] + [-E engine] + [-e end-time] + [-f output-file] + [-g] + [-h] + [-i interval] + [-I input-format] + [-j jitter] + [-K directory] + [-k key] + [-L serial] + [-l domain] + [-M maxttl] + [-N soa-serial-format] + [-o origin] + [-O output-format] + [-P] + [-Q] + [-q] + [-R] + [-S] + [-s start-time] + [-T ttl] + [-t] + [-u] + [-v level] + [-V] + [-X extended end-time] + [-x] + [-z] + [-3 salt] + [-H iterations] + [-A] + {zonefile} + [key...] +

+
+ +

DESCRIPTION

-

dnssec-signzone + +

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone @@ -50,34 +104,46 @@ determined by the presence or absence of a keyset file for each child zone.

-
-
+
+ +

OPTIONS

-
+ + +
-a
-

+

+

Verify all generated signatures. -

+

+
-c class
-

+

+

Specifies the DNS class of the zone. -

+

+
-C
-

+

+

Compatibility mode: Generate a keyset-zonename file in addition to dsset-zonename when signing a zone, for use by older versions of dnssec-signzone. -

+

+
-d directory
-

+

+

Look for dsset- or keyset- files in directory. -

+

+
-D
-

+

+

Output only those record types automatically managed by dnssec-signzone, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing @@ -86,15 +152,16 @@ zone file with $INCLUDE. This option cannot be combined with -O raw, -O map, or serial number updating. -

+

+
-E engine
-

+

When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -102,25 +169,32 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-g
-

+

+

Generate DS records for child zones from dsset- or keyset- file. Existing DS records will be removed. -

+

+
-K directory
-

+

+

Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory. -

+

+
-k key
-

+

+

Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. -

+

+
-M maxttl
-

+

+

Sets the maximum TTL for the signed zone. Any TTL higher than maxttl in the input zone will be reduced to maxttl @@ -133,9 +207,11 @@ max-zone-ttl in named.conf. (Note: This option is incompatible with -D, because it modifies non-DNSSEC data in the output zone.) -

+

+
-s start-time
-

+

+

Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number @@ -144,9 +220,11 @@ indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time minus 1 hour (to allow for clock skew) is used. -

+

+
-e end-time
-

+

+

Specify the date and time when the generated RRSIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative @@ -156,10 +234,11 @@ specified, 30 days from the start time is used as a default. end-time must be later than start-time. -

+

+
-X extended end-time
-

+

Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire. This is to be used in cases when the DNSKEY signatures need to persist longer than @@ -167,7 +246,7 @@ of the KSK is kept offline and the KSK signature is to be refreshed manually.

-

+

As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from @@ -178,28 +257,34 @@ 30 days from the start time.) extended end-time must be later than start-time.

-
+
-f output-file
-

+

+

The name of the output file containing the signed zone. The default is to append .signed to the input filename. If output-file is set to "-", then the signed zone is written to the standard output, with a default output format of "full". -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to dnssec-signzone. -

+

+
-V
-

+

+

Prints version information. -

+

+
-i interval
-

+

When a previously-signed zone is passed as input, records may be resigned. The interval option specifies the cycle interval as an offset from the current @@ -207,7 +292,7 @@ cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

-

+

The default cycle interval is one quarter of the difference between the signature end and start times. So if neither end-time or start-time @@ -218,9 +303,10 @@ are due to expire in less than 7.5 days, they would be replaced.

-
+
-I input-format
-

+

+

The format of the input zone file. Possible formats are "text" (default), "raw", and "map". @@ -229,10 +315,11 @@ format containing updates can be signed directly. The use of this option does not make much sense for non-dynamic zones. -

+

+
-j jitter
-

+

When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. @@ -243,55 +330,72 @@ expire time, thus spreading incremental signature regeneration over time.

-

+

Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.

-
+
-L serial
-

+

+

When writing a signed zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) -

+

+
-n ncpus
-

+

+

Specifies the number of threads to use. By default, one thread is started for each detected CPU. -

+

+
-N soa-serial-format
-

+

The SOA serial number format of the signed zone. Possible formats are "keep" (default), "increment", "unixtime", and "date".

-
+ +
"keep"
-

Do not modify the SOA serial number.

+
+

Do not modify the SOA serial number.

+
"increment"
-

Increment the SOA serial number using RFC 1982 - arithmetic.

+
+

Increment the SOA serial number using RFC 1982 + arithmetic.

+
"unixtime"
-

Set the SOA serial number to the number of seconds - since epoch.

+
+

Set the SOA serial number to the number of seconds + since epoch.

+
"date"
-

Set the SOA serial number to today's date in - YYYYMMDDNN format.

+
+

Set the SOA serial number to today's date in + YYYYMMDDNN format.

+
-
+ +
-o origin
-

+

+

The zone origin. If not specified, the name of the zone file is assumed to be the origin. -

+

+
-O output-format
-

+

+

The format of the output file containing the signed zone. Possible formats are "text" (default), which is the standard textual representation of the zone; @@ -304,26 +408,27 @@ the raw zone file: if N is 0, the raw file can be read by any version of named; if N is 1, the file can be read by release 9.9.0 or higher; the default is 1. -

+

+
-P
-

+

Disable post sign verification tests.

-

+

The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.

-
+
-Q
-

+

Remove signatures from keys that are no longer active.

-

+

Normally, when a previously-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key @@ -335,9 +440,10 @@ enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").

-
+
-q
-

+

+

Quiet mode: Suppresses unnecessary output. Without this option, when dnssec-signzone is run it will print to standard output the number of keys in use, @@ -345,78 +451,94 @@ and other status information, and finally the filename containing the signed zone. With it, that output is suppressed, leaving only the filename. -

+

+
-R
-

+

Remove signatures from keys that are no longer published.

-

+

This option is similar to -Q, except it forces dnssec-signzone to signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.2 ("Double Signature Zone Signing Key Rollover").

-
+
-S
-

+

Smart signing: Instructs dnssec-signzone to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.

-

+

When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:

-
+
-

+

+

If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone. -

+

+
-

+

+

If the key's publication date is set and is in the past, the key is published in the zone. -

+

+
-

+

+

If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone. -

+

+
-

+

+

If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone. -

+

+
-

+

+

If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata. -

+

+
-

+

+

If key's sync publication date is set and in the past, synchronization records (type CDS and/or CDNSKEY) are created. -

+

+
-

+

+

If key's sync deletion date is set and in the past, synchronization records (type CDS and/or CDNSKEY) are removed. -

+

+
- +
-T ttl
-

+

+

Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the TTL value from the zone's SOA @@ -428,82 +550,103 @@ them, or if any of the imported DNSKEY records had a default TTL value. In the event of a a conflict between TTL values in imported keys, the shortest one is used. -

+

+
-t
-

+

+

Print statistics at completion. -

+

+
-u
-

+

+

Update NSEC/NSEC3 chain when re-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option, dnssec-signzone will retain the existing chain when re-signing. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-x
-

+

+

Only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys, and omit signatures from zone-signing keys. (This is similar to the dnssec-dnskey-kskonly yes; zone option in named.) -

+

+
-z
-

+

+

Ignore KSK flag on key when determining what to sign. This causes KSK-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the update-check-ksk no; zone option in named.) -

+

+
-3 salt
-

+

+

Generate an NSEC3 chain with the given hex encoded salt. A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain. -

+

+
-H iterations
-

+

+

When generating an NSEC3 chain, use this many iterations. The default is 10. -

+

+
-A
-

+

When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.

-

+

Using this option twice (i.e., -AA) turns the OPTOUT flag off for all records. This is useful when using the -u option to modify an NSEC3 chain which previously had OPTOUT set.

-
+
zonefile
-

+

+

The file containing the zone to be signed. -

+

+
key
-

+

+

Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing. -

+

+
-
-
+
+ +

EXAMPLE

-

+ +

The following command signs the example.com zone with the ECDSAP256SHA256 key generated by key generated by dnssec-keygen (Kexample.com.+013+17247). @@ -517,13 +660,13 @@ Kexample.com.+013+17247 db.example.com.signed % -

+

In the above example, dnssec-signzone creates the file db.example.com.signed. This file should be referenced in a zone statement in a named.conf file.

-

+

This example re-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.

@@ -531,14 +674,19 @@ db.example.com.signed % dnssec-signzone -o example.com db.example.com db.example.com.signed % -
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), + +

+ dnssec-keygen(8) + , BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index fae87bb8f2..9895ea5ece 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -10,7 +10,7 @@ dnssec-verify - + @@ -32,35 +32,65 @@
-
+ + + + + +

Name

-

dnssec-verify — DNSSEC zone verification tool

+

+ dnssec-verify + — DNSSEC zone verification tool +

-
+ + + +

Synopsis

-

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-q] [-v level] [-V] [-x] [-z] {zonefile}

-
-
+

+ dnssec-verify + [-c class] + [-E engine] + [-I input-format] + [-o origin] + [-q] + [-v level] + [-V] + [-x] + [-z] + {zonefile} +

+
+ +

DESCRIPTION

-

dnssec-verify + +

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.

-
-
+
+ +

OPTIONS

-
+ + +
-c class
-

+

+

Specifies the DNS class of the zone. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -68,9 +98,10 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-I input-format
-

+

+

The format of the input zone file. Possible formats are "text" (default) and "raw". @@ -79,41 +110,52 @@ format containing updates can be verified independently. The use of this option does not make much sense for non-dynamic zones. -

+

+
-o origin
-

+

+

The zone origin. If not specified, the name of the zone file is assumed to be the origin. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-q
-

+

+

Quiet mode: Suppresses output. Without this option, when dnssec-verify is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information. With it, all non-error output is suppressed, and only the exit code will indicate success. -

+

+
-x
-

+

+

Only verify that the DNSKEY RRset is signed with key-signing keys. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone-signing keys. This corresponds to the -x option in dnssec-signzone. -

+

+
-z
-

+

Ignore the KSK flag on the keys when determining whether the zone if correctly signed. Without this flag it is assumed that there will be a non-revoked, self-signed @@ -121,7 +163,7 @@ that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set.

-

+

With this flag set, we only require that for each algorithm, there will be at least one non-revoked, self-signed DNSKEY, regardless of the KSK flag state, and that other RRsets @@ -130,21 +172,28 @@ for both purposes. This corresponds to the -z option in dnssec-signzone.

-
+
zonefile
-

+

+

The file containing the zone to be signed. -

+

+
-
-
+
+ +

SEE ALSO

-

- dnssec-signzone(8), + +

+ + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 4033.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 36c7f26406..85d4996273 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -10,7 +10,7 @@ dnstap-read - + @@ -32,17 +32,37 @@
-
+ + + + + +

Name

-

dnstap-read — print dnstap data in human-readable form

-
-
-

Synopsis

-

dnstap-read [-m] [-p] [-x] [-y] {file}

-
-
-

DESCRIPTION

+ dnstap-read + — print dnstap data in human-readable form +

+
+ + + +
+

Synopsis

+

+ dnstap-read + [-m] + [-p] + [-x] + [-y] + {file} +

+
+ +
+

DESCRIPTION

+ +

dnstap-read reads dnstap data from a specified file and prints it in a human-readable format. By default, @@ -50,41 +70,59 @@ format, but if the -y option is specified, then a longer and more detailed YAML format is used instead.

-
-
+
+ +

OPTIONS

-
+ + +
-m
-

+

+

Trace memory allocations; used for debugging memory leaks. -

+

+
-p
-

+

+

After printing the dnstap data, print the text form of the DNS message that was encapsulated in the dnstap frame. -

+

+
-x
-

+

+

After printing the dnstap data, print a hex dump of the wire form of the DNS message that was encapsulated in the dnstap frame. -

+

+
-y
-

+

+

Print dnstap data in a detailed YAML format. -

+

+
-
-
+
+ +

SEE ALSO

-

- named(8), - rndc(8), + +

+ + named(8) + , + + rndc(8) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 2caf1081d7..0e91759c23 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -10,7 +10,7 @@ filter-aaaa.so - + @@ -32,23 +32,36 @@
-
+ + + + +

Name

-

filter-aaaa.so — filter AAAA in DNS responses when A is present

-
-
-

Synopsis

-

plugin query "filter-aaaa.so" [{ parameters }]; -

-
-
-

DESCRIPTION

+ filter-aaaa.so + — filter AAAA in DNS responses when A is present +

+
+ + + +
+

Synopsis

+

+ plugin query "filter-aaaa.so" + [{ parameters }]; +

+
+ +
+

DESCRIPTION

+

filter-aaaa.so is a query plugin module for named, enabling named to omit some IPv6 addresses when responding to clients.

-

+

Until BIND 9.12, this feature was implemented natively in named and enabled with the filter-aaaa ACL and the @@ -58,40 +71,43 @@ passed as parameters to the filter-aaaa.so plugin, for example:

-
+    
 plugin query "/usr/local/lib/filter-aaaa.so" {
         filter-aaaa-on-v4 yes;
         filter-aaaa-on-v6 yes;
         filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
 };
 
-

+

This module is intended to aid transition from IPv4 to IPv6 by withholding IPv6 addresses from DNS clients which are not connected to the IPv6 Internet, when the name being looked up has an IPv4 address available. Use of this module is not recommended unless absolutely necessary.

-

+

Note: This mechanism can erroneously cause other servers not to give AAAA records to their clients. If a recursing server with both IPv6 and IPv4 network connections queries an authoritative server using this mechanism via IPv4, it will be denied AAAA records even if its client is using IPv6.

-
-
+
+ +

OPTIONS

-
+
filter-aaaa
-

+

+

Specifies a list of client addresses for which AAAA filtering is to be applied. The default is any. -

+

+
filter-aaaa-on-v4
-

+

If set to yes, the DNS client is at an IPv4 address, in filter-aaaa, and if the response does not include DNSSEC signatures, @@ -99,36 +115,40 @@ plugin query "/usr/local/lib/filter-aaaa.so" { This filtering applies to all responses and not only authoritative responses.

-

+

If set to break-dnssec, then AAAA records are deleted even when DNSSEC is enabled. As suggested by the name, this causes the response to fail to verify, because the DNSSEC protocol is designed to detect deletions.

-

+

This mechanism can erroneously cause other servers not to give AAAA records to their clients. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is using IPv6.

-
+
filter-aaaa-on-v6
-

+

+

Identical to filter-aaaa-on-v4, except it filters AAAA responses to queries from IPv6 clients instead of IPv4 clients. To filter all responses, set both options to yes. -

+

+
-
-
+
+ +

SEE ALSO

-

+

BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index b32b021ecf..274a48a934 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -10,7 +10,7 @@ host - + @@ -32,24 +32,57 @@
-
+ + + + + +

Name

-

host — DNS lookup utility

+

+ host + — DNS lookup utility +

-
+ + + +

Synopsis

-

host [-aACdlnrsTUwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [[-4] | [-6]] [-v] [-V] {name} [server]

-
-
+

+ host + [-aACdlnrsTUwv] + [-c class] + [-N ndots] + [-p port] + [-R number] + [-t type] + [-W wait] + [-m flag] + [ + [-4] + | [-6] + ] + [-v] + [-V] + {name} + [server] +

+
+ +

DESCRIPTION

-

host + + +

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.

-

name is the domain name that is to be + +

name is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case host will by @@ -61,67 +94,85 @@ should query instead of the server or servers listed in /etc/resolv.conf.

-
-
+ +
+ +

OPTIONS

-
+ +
-4
-

+

+

Use IPv4 only for query transport. See also the -6 option. -

+

+
-6
-

+

+

Use IPv6 only for query transport. See also the -4 option. -

+

+
-a
-

+

+

"All". The -a option is normally equivalent to -v -t ANY. It also affects the behaviour of the -l list zone option. -

+

+
-A
-

+

+

"Almost all". The -A option is equivalent to -a except RRSIG, NSEC, and NSEC3 records are omitted from the output. -

+

+
-c class
-

+

+

Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records. The default class is IN (Internet). -

+

+
-C
-

+

+

Check consistency: host will query the SOA records for zone name from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone. -

+

+
-d
-

+

+

Print debugging traces. Equivalent to the -v verbose option. -

+

+
-l
-

+

List zone: The host command performs a zone transfer of zone name and prints out the NS, PTR and address records (A/AAAA).

-

+

Together, the -l -a options print all records in the zone.

-
+
-N ndots
-

+

+

The number of dots that have to be in name for it to be considered absolute. The default value is that defined using the @@ -131,9 +182,17 @@ searched for in the domains listed in the search or domain directive in /etc/resolv.conf. -

+

+ +
-p port
+
+

+ Specify the port on the server to query. The default is 53. +

+
-r
-

+

+

Non-recursive query: Setting this option clears the RD (recursion desired) bit in the query. This should mean that the name server @@ -144,30 +203,35 @@ name server by making non-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers. -

+

+
-R number
-

+

+

Number of retries for UDP queries: If number is negative or zero, the number of retries will default to 1. The default value is 1, or the value of the attempts option in /etc/resolv.conf, if set. -

+

+
-s
-

+

+

Do not send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior. -

+

+
-t type
-

+

Query type: The type argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.

-

+

When no query type is specified, host automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records. @@ -178,17 +242,18 @@ address, host will query for PTR records.

-

+

If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like -t IXFR=12345678).

-
+
-T, -U
-

+

+

TCP/UDP: By default, host uses UDP when making queries. The -T option makes it use a TCP @@ -196,55 +261,67 @@ automatically selected for queries that require it, such as zone transfer (AXFR) requests. Type ANY queries default to TCP but can be forced to UDP initially using -U. -

+

+
-m flag
-

+

+

Memory usage debugging: the flag can be record, usage, or trace. You can specify the -m option more than once to set multiple flags. -

+

+
-v
-

+

+

Verbose output. Equivalent to the -d debug option. Verbose output can also be enabled by setting the debug option in /etc/resolv.conf. -

+

+
-V
-

+

+

Print the version number and exit. -

+

+
-w
-

+

+

Wait forever: The query timeout is set to the maximum possible. See also the -W option. -

+

+
-W wait
-

+

Timeout: Wait for up to wait seconds for a reply. If wait is less than one, the wait interval is set to one second.

-

+

By default, host will wait for 5 seconds for UDP responses and 10 seconds for TCP connections. These defaults can be overridden by the timeout option in /etc/resolv.conf.

-

+

See also the -w option.

-
+
-
-
+ +
+ +

IDN SUPPORT

-

+ +

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. host appropriately converts character encoding of @@ -255,18 +332,27 @@ The IDN support is disabled if the variable is set when host runs.

-
-
+
+ +

FILES

-

/etc/resolv.conf + +

/etc/resolv.conf

-
-
+
+ +

SEE ALSO

-

dig(1), - named(8). + +

+ dig(1) + , + + named(8) + .

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 44358caee6..d380317c36 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -10,7 +10,7 @@ mdig - + @@ -32,29 +32,69 @@
-
+ + + +

Name

-

mdig — DNS pipelined lookup utility

+

+ mdig + — DNS pipelined lookup utility +

-
+ + + +

Synopsis

-

mdig {@server} [-f filename] [-h] [-v] [[-4] | [-6]] [-m] [-b address] [-p port#] [-c class] [-t type] [-i] [-x addr] [plusopt...]

-

mdig {-h}

-

mdig [@server] {global-opt...} { +

+ mdig + {@server} + [-f filename] + [-h] + [-v] + [ + [-4] + | [-6] + ] + [-m] + [-b address] + [-p port#] + [-c class] + [-t type] + [-i] + [-x addr] + [plusopt...] +

+ +

+ mdig + {-h} +

+ +

+ mdig + [@server] + {global-opt...} + { {local-opt...} {query} - ...}

-
-
+ ...} +

+
+ +

DESCRIPTION

-

mdig + +

mdig is a multiple/pipelined query version of dig: instead of waiting for a response after sending each query, it begins by sending all queries. Responses are displayed in the order in which they are received, not in the order the corresponding queries were sent.

-

+ +

mdig options are a subset of the dig options, and are divided into "anywhere options" which can occur anywhere, "global options" which must @@ -62,7 +102,8 @@ and "local options" which apply to the next query on the command line.

-

+ +

The {@server} option is a mandatory global option. It is the name or IP address of the name server to query. (Unlike dig, this value is not retrieved from @@ -73,14 +114,16 @@ mdig resolves that name before querying the name server.

-

mdig + +

mdig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.

-

+ +

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string no @@ -88,10 +131,13 @@ values to options like the timeout interval. They have the form +keyword=value.

-
-
+
+ +

ANYWHERE OPTIONS

-

+ + +

The -f option makes mdig operate in batch mode by reading a list of lookup requests to process from the file filename. The file @@ -99,36 +145,45 @@ file should be organized in the same way they would be presented as queries to mdig using the command-line interface.

-

+ +

The -h causes mdig to print the detailed help with the full list of options and exit.

-

+ +

The -v causes mdig to print the version number and exit.

-
-
+
+ +

GLOBAL OPTIONS

-

+ + +

The -4 option forces mdig to only use IPv4 query transport.

-

+ +

The -6 option forces mdig to only use IPv6 query transport.

-

+ +

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

-

+ +

The -m option enables memory usage debugging.

-

+ +

The -p option is used when a non-standard port number is to be queried. port# is the port number @@ -137,51 +192,69 @@ test a name server that has been configured to listen for queries on a non-standard port number.

-

+ +

The global query options are:

+[no]additional
-

+

+

Display [do not display] the additional section of a reply. The default is to display it. -

+

+
+[no]all
-

+

+

Set or clear all display flags. -

+

+
+[no]answer
-

+

+

Display [do not display] the answer section of a reply. The default is to display it. -

+

+
+[no]authority
-

+

+

Display [do not display] the authority section of a reply. The default is to display it. -

+

+
+[no]besteffort
-

+

+

Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -

+

+
+[no]cl
-

+

+

Display [do not display] the CLASS when printing the record. -

+

+
+[no]comments
-

+

+

Toggle the display of comment lines in the output. The default is to print comments. -

+

+
+[no]continue
-

+

+

Continue on errors (e.g. timeouts). -

+

+
+[no]crypto
-

+

+

Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing @@ -190,41 +263,53 @@ are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]". -

+

+
+dscp[=value]
-

+

+

Set the DSCP code point to be used when sending the query. Valid DSCP code points are in the range [0..63]. By default no code point is explicitly set. -

+

+
+[no]multiline
-

+

+

Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the mdig output. -

+

+
+[no]question
-

+

+

Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. -

+

+
+[no]rrcomments
-

+

+

Toggle the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). The default is not to print record comments unless multiline mode is active. -

+

+
+[no]short
-

+

+

Provide a terse answer. The default is to print the answer in a verbose form. -

+

+
+split=W
-

+

+

Split long hex- or base64-formatted fields in resource records into chunks of W characters (where W is rounded @@ -233,54 +318,70 @@ +split=0 causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -

+

+
+[no]tcp
-

+

+

Use [do not use] TCP when querying name servers. The default behavior is to use UDP. -

+

+
+[no]ttlid
-

+

+

Display [do not display] the TTL when printing the record. -

+

+
+[no]ttlunits
-

+

+

Display [do not display] the TTL in friendly human-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks. Implies +ttlid. -

+

+
+[no]vc
-

+

+

Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit". -

+

+
+[no]yaml
-

+

+

Print the responses in a detailed YAML format. -

+

+

-
-
+
+ +

LOCAL OPTIONS

-

+ + +

The -c option sets the query class to class. It can be any valid query class which is supported in BIND 9. The default query class is "IN".

-

+ +

The -t option sets the query type to type. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the -x option is supplied to indicate a reverse lookup with the "PTR" query type.

-

+ +

Reverse lookups — mapping addresses to names — are simplified by the -x option. addr is an IPv4 @@ -291,20 +392,26 @@ By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.

-

+ +

The local query options are:

+[no]aaflag
-

+

+

A synonym for +[no]aaonly. -

+

+
+[no]aaonly
-

+

+

Sets the "aa" flag in the query. -

+

+
+[no]adflag
-

+

+

Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all @@ -314,87 +421,110 @@ from a OPT-OUT range. AD=0 indicate that some part of the answer was insecure or not validated. This bit is set by default. -

+

+
+bufsize=B
-

+

+

Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent. -

+

+
+[no]cdflag
-

+

+

Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -

+

+
+[no]cookie[=####]
-

+

+

Send a COOKIE EDNS option, with optional value. Replaying a COOKIE from a previous response will allow the server to identify a previous client. The default is +nocookie. -

+

+
+[no]dnssec
-

+

+

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -

+

+
+[no]edns[=#]
-

+

+

Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +noedns clears the remembered EDNS version. EDNS is set to 0 by default. -

+

+
+[no]ednsflags[=#]
-

+

+

Set the must-be-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set. -

+

+
+[no]ednsopt[=code[:value]]
-

+

+

Specify EDNS option with code point code and optionally payload of value as a hexadecimal string. +noednsopt clears the EDNS options to be sent. -

+

+
+[no]expire
-

+

+

Send an EDNS Expire option. -

+

+
+[no]nsid
-

+

+

Include an EDNS name server ID request when sending a query. -

+

+
+[no]recurse
-

+

+

Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means mdig normally sends recursive queries. -

+

+
+retry=T
-

+

+

Sets the number of times to retry UDP queries to server to T instead of the default, 2. Unlike +tries, this does not include the initial query. -

+

+
+[no]subnet=addr[/prefix-length]
-

+

Send (don't send) an EDNS Client Subnet option with the specified IP address or network prefix.

-

+

mdig +subnet=0.0.0.0/0, or simply mdig +subnet=0 for short, sends an EDNS client-subnet option with an empty address and a source @@ -403,50 +533,64 @@ not be used when resolving this query.

-
+
+timeout=T
-

+

+

Sets the timeout for a query to T seconds. The default timeout is 5 seconds for UDP transport and 10 for TCP. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied. -

+

+
+tries=T
-

+

+

Sets the number of times to try UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of tries is silently rounded up to 1. -

+

+
+udptimeout=T
-

+

+

Sets the timeout between UDP query retries. -

+

+
+[no]unknownformat
-

+

+

Print all RDATA in unknown RR type presentation format (RFC 3597). The default is to print RDATA for known types in the type's presentation format. -

+

+
+[no]zflag
-

+

+

Set [do not set] the last unassigned DNS header flag in a DNS query. This flag is off by default. -

+

+

-
-
+
+ +

SEE ALSO

-

dig(1), + +

+ dig(1) + , RFC1035.

-
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 7bf7ec35dc..33bb5738ab 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -10,7 +10,7 @@ named-checkconf - + @@ -32,26 +32,45 @@
-
+ + + + + + + +

Name

-

named-checkconf — named configuration file syntax checking tool

+

+ named-checkconf + — named configuration file syntax checking tool +

-
+ +

Synopsis

-

named-checkconf [-chjlvz] [-p +

+ named-checkconf + [-chjlvz] + [-p [-x - ]] [-t directory] (unknown)

-
-
+ ]] + [-t directory] + (unknown) +

+
+ +

DESCRIPTION

-

named-checkconf + +

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified, /etc/named.conf is read by default.

-

+

Note: files that named reads in separate parser contexts, such as rndc.key and bind.keys, are not automatically read @@ -61,53 +80,72 @@ successful. named-checkconf can be run on these files explicitly, however.

-
-
+
+ +

OPTIONS

-
+ +
-h
-

+

+

Print the usage summary and exit. -

+

+
-j
-

+

+

When loading a zonefile read the journal if it exists. -

+

+
-l
-

+

+

List all the configured zones. Each line of output contains the zone name, class (e.g. IN), view, and type (e.g. master or slave). -

+

+
-c
-

+

+

Check "core" configuration only. This suppresses the loading of plugin modules, and causes all parameters to plugin statements to be ignored. -

+

+
-i
-

+

+

Ignore warnings on deprecated options. -

+

+
-p
-

+

+

Print out the named.conf and included files in canonical form if no errors were detected. See also the -x option. -

+

+
-t directory
-

+

+

Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named. -

+

+
-v
-

+

+

Print the version of the named-checkconf program and exit. -

+

+
-x
-

+

+

When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks ('?'). This allows the @@ -115,33 +153,47 @@ files to be shared — for example, when submitting bug reports — without compromising private data. This option cannot be used without -p. -

+

+
-z
-

+

+

Perform a test load of all master zones found in named.conf. -

+

+
filename
-

+

+

The name of the configuration file to be checked. If not specified, it defaults to /etc/named.conf. -

+

+
-
-
+ +
+ +

RETURN VALUES

-

named-checkconf + +

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-
-
+
+ +

SEE ALSO

-

named(8), - named-checkzone(8), + +

+ named(8) + , + + named-checkzone(8) + , BIND 9 Administrator Reference Manual.

-
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 6af75d2ae2..ec4bbc0358 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -10,7 +10,7 @@ named-checkzone - + @@ -32,24 +32,94 @@
-
+ + + + + + + +

Name

-

named-checkzone, named-compilezone — zone file validity checking or converting tool

+

+ named-checkzone, + named-compilezone + — zone file validity checking or converting tool +

-
+ +

Synopsis

-

named-checkzone [-d] [-h] [-j] [-q] [-v] [-c class] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-M mode] [-n mode] [-l ttl] [-L serial] [-o filename] [-r mode] [-s style] [-S mode] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {zonename} (unknown)

-

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} (unknown)

-
-
+

+ named-checkzone + [-d] + [-h] + [-j] + [-q] + [-v] + [-c class] + [-f format] + [-F format] + [-J filename] + [-i mode] + [-k mode] + [-m mode] + [-M mode] + [-n mode] + [-l ttl] + [-L serial] + [-o filename] + [-r mode] + [-s style] + [-S mode] + [-t directory] + [-T mode] + [-w directory] + [-D] + [-W mode] + {zonename} + (unknown) +

+

+ named-compilezone + [-d] + [-j] + [-q] + [-v] + [-c class] + [-C mode] + [-f format] + [-F format] + [-J filename] + [-i mode] + [-k mode] + [-m mode] + [-n mode] + [-l ttl] + [-L serial] + [-r mode] + [-s style] + [-t directory] + [-T mode] + [-w directory] + [-D] + [-W mode] + {-o filename} + {zonename} + (unknown) +

+
+ +

DESCRIPTION

-

named-checkzone + +

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named-checkzone useful for checking zone files before configuring them into a name server.

-

+

named-compilezone is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format. @@ -60,45 +130,62 @@ least be as strict as those specified in the named configuration file.

-
-
+
+ +

OPTIONS

-
+ + +
-d
-

+

+

Enable debugging. -

+

+
-h
-

+

+

Print the usage summary and exit. -

+

+
-q
-

+

+

Quiet mode - exit code only. -

+

+
-v
-

+

+

Print the version of the named-checkzone program and exit. -

+

+
-j
-

+

+

When loading a zone file, read the journal if it exists. The journal file name is assumed to be the zone file name appended with the string .jnl. -

+

+
-J filename
-

+

+

When loading the zone file read the journal from the given file, if it exists. (Implies -j.) -

+

+
-c class
-

+

+

Specify the class of the zone. If not specified, "IN" is assumed. -

+

+
-i mode
-

+

Perform post-load zone integrity checks. Possible modes are "full" (default), "full-sibling", @@ -106,19 +193,19 @@ "local-sibling" and "none".

-

+

Mode "full" checks that MX records refer to A or AAAA record (both in-zone and out-of-zone hostnames). Mode "local" only checks MX records which refer to in-zone hostnames.

-

+

Mode "full" checks that SRV records refer to A or AAAA record (both in-zone and out-of-zone hostnames). Mode "local" only checks SRV records which refer to in-zone hostnames.

-

+

Mode "full" checks that delegation NS records refer to A or AAAA record (both in-zone and out-of-zone hostnames). It also checks that glue address records @@ -127,31 +214,33 @@ refer to in-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.

-

+

Mode "full-sibling" and "local-sibling" disable sibling glue checks but are otherwise the same as "full" and "local" respectively.

-

+

Mode "none" disables the checks.

-
+
-f format
-

+

+

Specify the format of the zone file. Possible formats are "text" (default), "raw", and "map". -

+

+
-F format
-

+

Specify the format of the output file specified. For named-checkzone, this does not cause any effects unless it dumps the zone contents.

-

+

Possible formats are "text" (default), which is the standard textual representation of the zone, and "map", "raw", @@ -162,9 +251,10 @@ any version of named; if N is 1, the file can be read by release 9.9.0 or higher; the default is 1.

-
+
-k mode
-

+

+

Perform "check-names" checks with the specified failure mode. Possible modes are "fail" @@ -172,38 +262,48 @@ "warn" (default for named-checkzone) and "ignore". -

+

+
-l ttl
-

+

+

Sets a maximum permissible TTL for the input file. Any record with a TTL higher than this value will cause the zone to be rejected. This is similar to using the max-zone-ttl option in named.conf. -

+

+
-L serial
-

+

+

When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) -

+

+
-m mode
-

+

+

Specify whether MX records should be checked to see if they are addresses. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-M mode
-

+

+

Check if a MX record refers to a CNAME. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-n mode
-

+

+

Specify whether NS records should be checked to see if they are addresses. Possible modes are "fail" @@ -211,24 +311,30 @@ "warn" (default for named-checkzone) and "ignore". -

+

+
-o filename
-

+

+

Write zone output to filename. If filename is - then write to standard out. This is mandatory for named-compilezone. -

+

+
-r mode
-

+

+

Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-s style
-

+

+

Specify the style of the dumped zone file. Possible styles are "full" (default) and "relative". @@ -241,75 +347,102 @@ contents. It also does not have any meaning if the output format is not text. -

+

+
-S mode
-

+

+

Check if a SRV record refers to a CNAME. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-t directory
-

+

+

Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named. -

+

+
-T mode
-

+

+

Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are "warn" (default), "ignore". -

+

+
-w directory
-

+

+

chdir to directory so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in named.conf. -

+

+
-D
-

+

+

Dump zone file in canonical format. This is always enabled for named-compilezone. -

+

+
-W mode
-

+

+

Specify whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are "warn" (default) and "ignore". -

+

+
zonename
-

+

+

The domain name of the zone being checked. -

+

+
filename
-

+

+

The name of the zone file. -

+

+
-
-
+ +
+ +

RETURN VALUES

-

named-checkzone + +

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-
-
+
+ +

SEE ALSO

-

named(8), - named-checkconf(8), + +

+ named(8) + , + + named-checkconf(8) + , RFC 1035, BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 9e2ee57070..9949d8b142 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -10,7 +10,7 @@ named-journalprint - +
@@ -32,22 +32,38 @@
-
+ + + + + +

Name

-

named-journalprint — print zone journal in human-readable form

-
-
-

Synopsis

-

named-journalprint {journal}

-
-
-

DESCRIPTION

+ named-journalprint + — print zone journal in human-readable form +

+
+ + + +
+

Synopsis

+

+ named-journalprint + {journal} +

+
+ +
+

DESCRIPTION

+ +

named-journalprint prints the contents of a zone journal file in a human-readable form.

-

+

Journal files are automatically created by named when changes are made to dynamic zones (e.g., by nsupdate). They record each addition @@ -58,22 +74,29 @@ .jnl to the name of the corresponding zone file.

-

+

named-journalprint converts the contents of a given journal file into a human-readable text format. Each line begins with "add" or "del", to indicate whether the record was added or deleted, and continues with the resource record in master-file format.

-
-
+
+ +

SEE ALSO

-

- named(8), - nsupdate(1), + +

+ + named(8) + , + + nsupdate(1) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html
index 3c2413e741..7a99f28e0c 100644
--- a/doc/arm/man.named-nzd2nzf.html
+++ b/doc/arm/man.named-nzd2nzf.html
@@ -10,7 +10,7 @@ named-nzd2nzf - +
@@ -32,19 +32,34 @@
-
+ + + + +

Name

-

named-nzd2nzf — - Convert an NZD database to NZF text format -

-
-
-

Synopsis

-

named-nzd2nzf (unknown)

-
-
-

DESCRIPTION

+ named-nzd2nzf + — + Convert an NZD database to NZF text format + +

+
+ + + +
+

Synopsis

+

+ named-nzd2nzf + (unknown) +

+
+ +
+

DESCRIPTION

+ +

named-nzd2nzf converts an NZD database to NZF format and prints it to standard output. This can be used to review the configuration of zones that were added to @@ -53,28 +68,37 @@ when rolling back from a newer version of BIND to an older version.

-
-
+
+ +

ARGUMENTS

-
+ +
filename
-

+

+

The name of the .nzd file whose contents should be printed. -

+

+
-
-
+
+ +

SEE ALSO

-

+ +

BIND 9 Administrator Reference Manual

-
-
+
+ +

AUTHOR

-

Internet Systems Consortium + +

Internet Systems Consortium

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 70c449cd0d..b32ceb779c 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -10,7 +10,7 @@ named-rrchecker - +
@@ -32,50 +32,75 @@
-
+ + + +

Name

-

named-rrchecker — syntax checker for individual DNS resource records

+

+ named-rrchecker + — syntax checker for individual DNS resource records +

-
+ + + +

Synopsis

-

named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

-
-
+

+ named-rrchecker + [-h] + [-o origin] + [-p] + [-u] + [-C] + [-T] + [-P] +

+
+ +

DESCRIPTION

-

named-rrchecker + +

named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct.

-

+

The -h prints out the help menu.

-

+

The -o origin option specifies a origin to be used when interpreting the record.

-

+

The -p prints out the resulting record in canonical form. If there is no canonical form defined then the record will be printed in unknown record format.

-

+

The -u prints out the resulting record in unknown record form.

-

+

The -C, -T and -P print out the known class, standard type and private type mnemonics respectively.

-
-
+
+ +

SEE ALSO

-

+ +

RFC 1034, RFC 1035, - named(8) + + named(8) +

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index 47306badf2..addde781bf 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -10,7 +10,7 @@ named.conf - +
@@ -32,42 +32,59 @@
-
+ + + + + +

Name

-

named.conf — configuration file for named

+

+ named.conf + — configuration file for named +

-
+ + + +

Synopsis

-

named.conf

-
-
+

+ named.conf +

+
+ +

DESCRIPTION

-

named.conf is the configuration file + +

named.conf is the configuration file for named. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported:

-

+

C style: /* */

-

+

C++ style: // to end of line

-

+

Unix style: # to end of line

-
-
+
+ +

ACL

-


+


acl string { address_match_element; ... };

-
-
+
+ +

CONTROLS

-


+


controls {
inet ( ipv4_address | ipv6_address |
    * ) [ port ( integer | * ) ] allow
@@ -80,19 +97,21 @@ controls     boolean ];
};

-
-
+
+ +

DLZ

-


+


dlz string {
database string;
search boolean;
};

-
-
+
+ +

DNSSEC-POLICY

-


+


dnssec-policy string {
dnskey-ttl duration;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( duration | unlimited )
@@ -109,26 +128,29 @@ dnssec-policy zone-propagation-delay duration;
};

-
-
+
+ +

DYNDB

-


+


dyndb string quoted_string {
    unspecified-text };

-
-
+
+ +

KEY

-


+


key string {
algorithm string;
secret string;
};

-
-
+
+ +

LOGGING

-


+


logging {
category string { string; ... };
channel string {
@@ -145,29 +167,32 @@ logging };
};

-
-
+
+ +

MANAGED-KEYS

-

Deprecated - see DNSSEC-KEYS.

-


+

Deprecated - see DNSSEC-KEYS.

+


managed-keys { string ( static-key
    | initial-key | static-ds |
    initial-ds ) integer integer
    integer quoted_string; ... }; deprecated

-
-
+
+ +

MASTERS

-


+


masters string [ port integer ] [ dscp
    integer ] { ( masters | ipv4_address [
    port integer ] | ipv6_address [ port
    integer ] ) [ key string ]; ... };

-
-
+
+ +

OPTIONS

-


+


options {
allow-new-zones boolean;
allow-notify { address_match_element; ... };
@@ -463,17 +488,19 @@ options zone-statistics ( full | terse | none | boolean );
};

-
-
+
+ +

PLUGIN

-


+


plugin ( query ) string [ { unspecified-text
    } ];

-
-
+
+ +

SERVER

-


+


server netprefix {
bogus boolean;
edns boolean;
@@ -507,10 +534,11 @@ server transfers integer;
};

-
-
+
+ +

STATISTICS-CHANNELS

-


+


statistics-channels {
inet ( ipv4_address | ipv6_address |
    * ) [ port ( integer | * ) ] [
@@ -518,28 +546,31 @@ statistics-channels     } ];
};

-
-
+
+ +

TRUST-ANCHORS

-


+


trust-anchors { string ( static-key |
    initial-key | static-ds | initial-ds )
    integer integer integer
    quoted_string; ... };

-
-
+
+ +

TRUSTED-KEYS

-

Deprecated - see DNSSEC-KEYS.

-


+

Deprecated - see DNSSEC-KEYS.

+


trusted-keys { string integer
    integer integer
    quoted_string; ... }; deprecated

-
-
+
+ +

VIEW

-


+


view string [ class ] {
allow-new-zones boolean;
allow-notify { address_match_element; ... };
@@ -915,10 +946,11 @@ view zone-statistics ( full | terse | none | boolean );
};

-
-
+
+ +

ZONE

-


+


zone string [ class ] {
allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
@@ -1014,22 +1046,37 @@ zone zone-statistics ( full | terse | none | boolean );
};

-
-
+
+ +

FILES

-

/etc/named.conf + +

/etc/named.conf

-
-
+
+ +

SEE ALSO

-

ddns-confgen(8), - named(8), - named-checkconf(8), - rndc(8), - rndc-confgen(8), + +

+ ddns-confgen(8) + , + + named(8) + , + + named-checkconf(8) + , + + rndc(8) + , + + rndc-confgen(8) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 738f24ade8..2519ff73e3 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -10,7 +10,7 @@ named - +
@@ -32,46 +32,93 @@
-
+ + + + + +

Name

-

named — Internet domain name server

+

+ named + — Internet domain name server +

-
+ + + +

Synopsis

-

named [[-4] | [-6]] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

-
-
+

+ named + [ + [-4] + | [-6] + ] + [-c config-file] + [-d debug-level] + [-D string] + [-E engine-name] + [-f] + [-g] + [-L logfile] + [-M option] + [-m flag] + [-n #cpus] + [-p port] + [-s] + [-S #max-socks] + [-t directory] + [-U #listeners] + [-u user] + [-v] + [-V] + [-X lock-file] + [-x cache-file] +

+
+ +

DESCRIPTION

-

named + +

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035.

-

+

When invoked without arguments, named will read the default configuration file /etc/named.conf, read any initial data, and listen for queries.

-
-
+
+ +

OPTIONS

-
+ + +
-4
-

+

+

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive. -

+

+
-6
-

+

+

Use IPv6 only even if the host machine is capable of IPv4. -4 and -6 are mutually exclusive. -

+

+
-c config-file
-

+

+

Use config-file as the configuration file instead of the default, /etc/named.conf. To @@ -81,28 +128,33 @@ directory option in the configuration file, config-file should be an absolute pathname. -

+

+
-d debug-level
-

+

+

Set the daemon's debug level to debug-level. Debugging traces from named become more verbose as the debug level increases. -

+

+
-D string
-

+

+

Specifies a string that is used to identify a instance of named in a process listing. The contents of string are not examined. -

+

+
-E engine-name
-

+

When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -110,23 +162,30 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-f
-

+

+

Run the server in the foreground (i.e. do not daemonize). -

+

+
-g
-

+

+

Run the server in the foreground and force all logging to stderr. -

+

+
-L logfile
-

+

+

Log to the file logfile by default instead of the system log. -

+

+
-M option
-

+

+

Sets the default memory context options. If set to external, this causes the internal memory manager to be bypassed @@ -138,9 +197,11 @@ disables this behavior, and is the default unless named has been compiled with developer options.) -

+

+
-m flag
-

+

+

Turn on memory usage debugging flags. Possible flags are usage, trace, @@ -149,46 +210,51 @@ mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>. -

+

+
-n #cpus
-

+

+

Create #cpus worker threads to take advantage of multiple CPUs. If not specified, named will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -

+

+
-p port
-

+

+

Listen for queries on port port. If not specified, the default is port 53. -

+

+
-s
-

+

Write memory usage statistics to stdout on exit.

-
+

Note

-

+

This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.

-
-
+
+
-S #max-socks
-

+

Allow named to use up to #max-socks sockets. The default value is 21000 on systems built with default configuration options, and 4096 on systems built with "configure --with-tuning=small".

-
+

Warning

-

+

This option should be unnecessary for the vast majority of users. The use of this option could even be harmful because the @@ -203,18 +269,18 @@ named reserves some file descriptors for its internal use.

-
-
+
+
-t directory
-

Chroot +

Chroot to directory after processing the command line arguments, but before reading the configuration file.

-
+

Warning

-

+

This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most @@ -222,10 +288,11 @@ defined allows a process with root privileges to escape a chroot jail.

-
-
+
+
-U #listeners
-

+

+

Use #listeners worker threads to listen for incoming UDP packets on each address. If not specified, named will @@ -238,17 +305,18 @@ be increased as high as that value, but no higher. On Windows, the number of UDP listeners is hardwired to 1 and this option has no effect. -

+

+
-u user
-

Setuid +

Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports.

-
+

Note

-

+

On Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind(2) to @@ -261,18 +329,23 @@ later, since previous kernels did not allow privileges to be retained after setuid(2).

-
-
+
+
-v
-

+

+

Report the version number and exit. -

+

+
-V
-

+

+

Report the version number and build options, and exit. -

+

+
-X lock-file
-

+

+

Acquire a lock on the specified file at runtime; this helps to prevent duplicate named instances from running simultaneously. @@ -280,54 +353,68 @@ option in named.conf. If set to none, the lock file check is disabled. -

+

+
-x cache-file
-

+

Load data from cache-file into the cache of the default view.

-
+

Warning

-

+

This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.

-
-
+
+
-
-
+ +
+ +

SIGNALS

-

+ +

In routine operation, signals should not be used to control the nameserver; rndc should be used instead.

-
+ +
SIGHUP
-

+

+

Force a reload of the server. -

+

+
SIGINT, SIGTERM
-

+

+

Shut down the server. -

+

+
-

+ +

The result of sending any other signals to the server is undefined.

-
-
+ +
+ +

CONFIGURATION

-

+ +

The named configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual.

-

+ +

named inherits the umask (file creation mode mask) from the parent process. If files created by named, such as journal files, @@ -335,32 +422,56 @@ should be set explicitly in the script used to start the named process.

-
-
+ +
+ +

FILES

-
+ + +
/etc/named.conf
-

+

+

The default configuration file. -

+

+
/var/run/named/named.pid
-

+

+

The default process-id file. -

+

+
-
-
+ +
+ +

SEE ALSO

-

RFC 1033, + +

RFC 1033, RFC 1034, RFC 1035, - named-checkconf(8), - named-checkzone(8), - rndc(8), - named.conf(5), + + named-checkconf + (8) + , + + named-checkzone + (8) + , + + rndc + (8) + , + + named.conf + (5) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 5df96cf402..98c514fa15 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -10,7 +10,7 @@ nsec3hash - +
@@ -32,23 +32,50 @@
-
+ + + + + +

Name

-

nsec3hash — generate NSEC3 hash

-
-
-

Synopsis

-

nsec3hash {salt} {algorithm} {iterations} {domain}

-

nsec3hash -r {algorithm} {flags} {iterations} {salt} {domain}

-
-
-

DESCRIPTION

+ nsec3hash + — generate NSEC3 hash +

+
+ + + +
+

Synopsis

+

+ nsec3hash + {salt} + {algorithm} + {iterations} + {domain} +

+

+ nsec3hash -r + {algorithm} + {flags} + {iterations} + {salt} + {domain} +

+
+ +
+

DESCRIPTION

+ +

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity of NSEC3 records in a signed zone.

-

+ +

If this command is invoked as nsec3hash -r, it takes arguments in an order matching the first four fields of an NSEC3 record, followed by the domain name: algorithm, flags, @@ -56,43 +83,59 @@ paste a portion of an NSEC3 or NSEC3PARAM record into a command line to confirm the correctness of an NSEC3 hash.

-
-
+ +
+ +

ARGUMENTS

-
+ +
salt
-

+

+

The salt provided to the hash algorithm. -

+

+
algorithm
-

+

+

A number indicating the hash algorithm. Currently the only supported hash algorithm for NSEC3 is SHA-1, which is indicated by the number 1; consequently "1" is the only useful value for this argument. -

+

+
flags
-

+

+

Provided for compatibility with NSEC3 record presentation format, but ignored since the flags do not affect the hash. -

+

+
iterations
-

+

+

The number of additional times the hash should be performed. -

+

+
domain
-

+

+

The domain name to be hashed. -

+

+
-
-
+
+ +

SEE ALSO

-

+ +

BIND 9 Administrator Reference Manual, RFC 5155.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html
index 79448be831..55ed84d0aa 100644
--- a/doc/arm/man.nslookup.html
+++ b/doc/arm/man.nslookup.html
@@ -10,7 +10,7 @@ nslookup - +
@@ -32,17 +32,35 @@
-
+ + + + + +

Name

-

nslookup — query Internet name servers interactively

+

+ nslookup + — query Internet name servers interactively +

-
+ + + +

Synopsis

-

nslookup [-option] [name | -] [server]

-
-
+

+ nslookup + [-option] + [name | -] + [server] +

+
+ +

DESCRIPTION

-

Nslookup + +

Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and @@ -51,29 +69,37 @@ used to print just the name and requested information for a host or domain.

-
-
+
+ +

ARGUMENTS

-

+ +

Interactive mode is entered in the following cases:

    -
  1. +

  2. +

    when no arguments are given (the default name server will be used) -

  3. -
  4. +

    +
  5. +
  6. +

    when the first argument is a hyphen (-) and the second argument is the host name or Internet address of a name server. -

  7. +

    +

-

+ +

Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.

-

+ +

Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial @@ -86,238 +112,283 @@ nslookup -query=hinfo -timeout=10

-

+

The -version option causes nslookup to print the version number and immediately exits.

-
-
+ +
+ +

INTERACTIVE COMMANDS

-
+ +
host [server]
-

+

Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.

-

+ +

To look up a host not in the current domain, append a period to the name.

-
+
server domain
-

+
+

+
lserver domain
-

+

+

Change the default server to domain; lserver uses the initial server to look up information about domain, while server uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. -

+

+
root
-

+

+

not implemented -

+

+
finger
-

+

+

not implemented -

+

+
ls
-

+

+

not implemented -

+

+
view
-

+

+

not implemented -

+

+
help
-

+

+

not implemented -

+

+
?
-

+

+

not implemented -

+

+
exit
-

+

+

Exits the program. -

+

+
set keyword[=value]
-

+

This command is used to change state information that affects the lookups. Valid keywords are:

all
-

+

+

Prints the current values of the frequently used options to set. Information about the current default server and host is also printed. -

+

+
class=value
-

+

Change the query class to one of:

IN
-

+

+

the Internet class -

+

+
CH
-

+

+

the Chaos class -

+

+
HS
-

+

+

the Hesiod class -

+

+
ANY
-

+

+

wildcard -

+

+

The class specifies the protocol group of the information.

-

+

(Default = IN; abbreviation = cl)

- +
[no]debug
-

+

Turn on or off the display of the full response packet and any intermediate response packets when searching.

-

+

(Default = nodebug; abbreviation = [no]deb)

-
+
[no]d2
-

+

Turn debugging mode on or off. This displays more about what nslookup is doing.

-

+

(Default = nod2)

-
+
domain=name
-

+

+

Sets the search list to name. -

+

+
[no]search
-

+

If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.

-

+

(Default = search)

-
+
port=value
-

+

Change the default TCP/UDP name server port to value.

-

+

(Default = 53; abbreviation = po)

-
+
querytype=value
-

+
+

+
type=value
-

+

Change the type of the information query.

-

+

(Default = A and then AAAA; abbreviations = q, ty)

-

+

Note: It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified.

-
+
[no]recurse
-

+

Tell the name server to query other servers if it does not have the information.

-

+

(Default = recurse; abbreviation = [no]rec)

-
+
ndots=number
-

+

+

Set the number of dots (label separators) in a domain that will disable searching. Absolute names always stop searching. -

+

+
retry=number
-

+

+

Set the number of retries to number. -

+

+
timeout=number
-

+

+

Change the initial timeout interval for waiting for a reply to number seconds. -

+

+
[no]vc
-

+

Always use a virtual circuit when sending requests to the server.

-

+

(Default = novc)

-
+
[no]fail
-

+

Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.

-

+

(Default = nofail)

-
+

- +
-
-
+
+ +

RETURN VALUES

-

+

nslookup returns with an exit status of 1 if any query failed, and 0 otherwise.

-
-
+
+ +

IDN SUPPORT

-

+ +

If nslookup has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. nslookup appropriately converts character encoding of @@ -329,19 +400,29 @@ nslookup -query=hinfo -timeout=10 nslookup runs or when the standard output is not a tty.

-
-
+
+ +

FILES

-

/etc/resolv.conf + +

/etc/resolv.conf

-
-
+
+ +

SEE ALSO

-

dig(1), - host(1), - named(8). + +

+ dig(1) + , + + host(1) + , + + named(8) + .

-
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index daeabce4fc..37cb94d42f 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -10,7 +10,7 @@ nsupdate - +
@@ -32,17 +32,54 @@
-
+ + + + +

Name

-

nsupdate — Dynamic DNS update utility

+

+ nsupdate + — Dynamic DNS update utility +

-
+ + + +

Synopsis

-

nsupdate [-d] [-D] [-i] [-L level] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-v] [-T] [-P] [-V] [[-4] | [-6]] [filename]

-
-
+

+ nsupdate + [-d] + [-D] + [-i] + [-L level] + [ + [-g] + | [-o] + | [-l] + | [-y [hmac:]keyname:secret] + | [-k keyfile] + ] + [-t timeout] + [-u udptimeout] + [-r udpretries] + [-v] + [-T] + [-P] + [-V] + [ + [-4] + | [-6] + ] + [filename] +

+
+ +

DESCRIPTION

-

nsupdate + +

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. This allows resource records to be added or removed from a zone @@ -51,27 +88,27 @@ one resource record.

-

+

Zones that are under dynamic control via nsupdate or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.

-

+

The resource records that are dynamically added or removed with nsupdate have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.

-

+

Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS-TSIG as described in RFC 3645.

-

+

TSIG relies on a shared secret that should only be known to nsupdate and the name server. @@ -86,45 +123,59 @@ uses the -y or -k options to provide the TSIG shared secret. These options are mutually exclusive.

-

+

SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.

-

+

GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode is switched on with the -g flag. A non-standards-compliant variant of GSS-TSIG used by Windows 2000 can be switched on with the -o flag.

-
-
+
+ +

OPTIONS

-
+ + +
-4
-

+

+

Use IPv4 only. -

+

+
-6
-

+

+

Use IPv6 only. -

+

+
-d
-

+

+

Debug mode. This provides tracing information about the update requests that are made and the replies received from the name server. -

+

+
-D
-

+

+

Extra debug mode. -

+

+
-i
-

+

+

Force interactive mode, even when standard input is not a terminal. -

+

+
-k keyfile
-

+

+

The file containing the TSIG authentication key. Keyfiles may be in two formats: a single file containing a named.conf-format key @@ -136,9 +187,11 @@ The -k may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key. -

+

+
-l
-

+

+

Local-host only mode. This sets the server address to localhost (disabling the server so that the server address cannot be overridden). Connections to the local server will @@ -147,72 +200,89 @@ local master zone has set update-policy to local. The location of this key file can be overridden with the -k option. -

+

+
-L level
-

+

+

Set the logging debug level. If zero, logging is disabled. -

+

+
-p port
-

+

+

Set the port to use for connections to a name server. The default is 53. -

+

+
-P
-

+

+

Print the list of private BIND-specific resource record types whose format is understood by nsupdate. See also the -T option. -

+

+
-r udpretries
-

+

+

The number of UDP retries. The default is 3. If zero, only one update request will be made. -

+

+
-t timeout
-

+

+

The maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. -

+

+
-T
-

+

Print the list of IANA standard resource record types whose format is understood by nsupdate. nsupdate will exit after the lists are printed. The -T option can be combined with the -P option.

-

+

Other types can be entered using "TYPEXXXXX" where "XXXXX" is the decimal value of the type with no leading zeros. The rdata, if present, will be parsed using the UNKNOWN rdata format, (<backslash> <hash> <space> <length> <space> <hexstring>).

-
+
-u udptimeout
-

+

+

The UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries. -

+

+
-v
-

+

+

Use TCP even for small update requests. By default, nsupdate uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. TCP may be preferable when a batch of update requests is made. -

+

+
-V
-

+

+

Print the version number and exit. -

+

+
-y [hmac:]keyname:secret
-

+

Literal TSIG authentication key. keyname is the name of the key, and secret is the base64 encoded shared secret. @@ -224,19 +294,23 @@ is not specified, the default is hmac-md5 or if MD5 was disabled hmac-sha256.

-

+

NOTE: Use of the -y option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from - ps(1) + + ps(1) + or in a history file maintained by the user's shell.

-
+
-
-
+
+ +

INPUT FORMAT

-

nsupdate + +

nsupdate reads input from filename or standard input. @@ -250,7 +324,7 @@ Updates will be rejected if the tests for the prerequisite conditions fail.

-

+

Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some @@ -260,7 +334,7 @@ accumulated commands to be sent as one Dynamic DNS update request to the name server.

-

+

The command formats and their meaning are as follows:

@@ -269,7 +343,8 @@ {servername} [port] -

+

+

Sends all dynamic update requests to the name server servername. When no server statement is provided, @@ -285,13 +360,15 @@ If no port number is specified, the default DNS port number of 53 is used. -

+

+
local {address} [port]
-

+

+

Sends all dynamic update requests using the local address. @@ -303,12 +380,14 @@ can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. -

+

+
zone {zonename}
-

+

+

Specifies that all updates are to be made to the zone zonename. If no @@ -317,32 +396,38 @@ nsupdate will attempt determine the correct zone to update based on the rest of the input. -

+

+
class {classname}
-

+

+

Specify the default class. If no class is specified, the default class is IN. -

+

+
ttl {seconds}
-

+

+

Specify the default time to live for records to be added. The value none will clear the default ttl. -

+

+
key [hmac:] {keyname} {secret}
-

+

+

Specifies that all updates are to be TSIG-signed using the keyname secret pair. If hmac is specified, then it sets the @@ -351,66 +436,80 @@ hmac-sha256. The key command overrides any key specified on the command line via -y or -k. -

+

+
gsstsig
-

+

+

Use GSS-TSIG to sign the updated. This is equivalent to specifying -g on the command line. -

+

+
oldgsstsig
-

+

+

Use the Windows 2000 version of GSS-TSIG to sign the updated. This is equivalent to specifying -o on the command line. -

+

+
realm {[realm_name]}
-

+

+

When using GSS-TSIG use realm_name rather than the default realm in krb5.conf. If no realm is specified the saved realm is cleared. -

+

+
check-names {[yes_or_no]}
-

+

+

Turn on or off check-names processing on records to be added. Check-names has no effect on prerequisites or records to be deleted. By default check-names processing is on. If check-names processing fails the record will not be added to the UPDATE message. -

+

+
[prereq] nxdomain {domain-name}
-

+

+

Requires that no resource record of any type exists with name domain-name. -

+

+
[prereq] yxdomain {domain-name}
-

+

+

Requires that domain-name exists (has as at least one resource record, of any type). -

+

+
[prereq] nxrrset {domain-name} [class] {type}
-

+

+

Requires that no resource record exists of the specified type, class @@ -419,14 +518,16 @@ If class is omitted, IN (internet) is assumed. -

+

+
[prereq] yxrrset {domain-name} [class] {type}
-

+

+

This requires that a resource record of the specified type, class @@ -436,7 +537,8 @@ If class is omitted, IN (internet) is assumed. -

+

+
[prereq] yxrrset {domain-name} @@ -444,7 +546,8 @@ {type} {data...}
-

+

+

The data from each set of prerequisites of this form @@ -465,7 +568,8 @@ are written in the standard text representation of the resource record's RDATA. -

+

+
[update] del[ete] {domain-name} @@ -473,7 +577,8 @@ [class] [type [data...]]
-

+

+

Deletes any resource records named domain-name. If @@ -486,7 +591,8 @@ is not supplied. The ttl is ignored, and is only allowed for compatibility. -

+

+
[update] add {domain-name} @@ -495,62 +601,80 @@ {type} {data...}
-

+

+

Adds a new resource record with the specified ttl, class and data. -

+

+
show
-

+

+

Displays the current message, containing all of the prerequisites and updates specified since the last send. -

+

+
send
-

+

+

Sends the current message. This is equivalent to entering a blank line. -

+

+
answer
-

+

+

Displays the answer. -

+

+
debug
-

+

+

Turn on debugging. -

+

+
version
-

+

+

Print version number. -

+

+
help
-

+

+

Print a list of commands. -

+

+

-

+ +

Lines beginning with a semicolon are comments and are ignored.

-
-
+ +
+ +

EXAMPLES

-

+ +

The examples below show how nsupdate could be used to insert and delete resource records from the @@ -571,7 +695,7 @@

-

+

Any A records for oldhost.example.com are deleted. @@ -588,7 +712,7 @@

-

+

The prerequisite condition gets the name server to check that there are no resource records of any type for nickname.example.com. @@ -601,33 +725,50 @@ (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)

-
-
+
+ +

FILES

-
+ + +
/etc/resolv.conf
-

+

+

used to identify default name server -

+

+
/var/run/named/session.key
-

+

+

sets the default TSIG key for use in local-only mode -

+

+
K{name}.+157.+{random}.key
-

+

+

base-64 encoding of HMAC-MD5 key created by - dnssec-keygen(8). -

+ + dnssec-keygen(8) + . +

+
K{name}.+157.+{random}.private
-

+

+

base-64 encoding of HMAC-MD5 key created by - dnssec-keygen(8). -

+ + dnssec-keygen(8) + . +

+
-
-
+
+ +

SEE ALSO

-

+ +

RFC 2136, RFC 3007, RFC 2104, @@ -635,20 +776,29 @@ RFC 1034, RFC 2535, RFC 2931, - named(8), - ddns-confgen(8), - dnssec-keygen(8). + + named(8) + , + + ddns-confgen(8) + , + + dnssec-keygen(8) + .

-
-
+
+ +

BUGS

-

+ +

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html
index 3829cc3167..b2cd17ea5e 100644
--- a/doc/arm/man.pkcs11-destroy.html
+++ b/doc/arm/man.pkcs11-destroy.html
@@ -10,7 +10,7 @@ pkcs11-destroy - +
@@ -32,70 +32,116 @@
-
+ + + + + +

Name

-

pkcs11-destroy — destroy PKCS#11 objects

-
-
-

Synopsis

-

pkcs11-destroy [-m module] [-s slot] { -i ID | -l label } [-p PIN] [-w seconds]

-
-
-

DESCRIPTION

+ pkcs11-destroy + — destroy PKCS#11 objects +

+
+ + + +
+

Synopsis

+

+ pkcs11-destroy + [-m module] + [-s slot] + { + -i ID + | -l label + } + [-p PIN] + [-w seconds] +

+
+ +
+

DESCRIPTION

+ +

pkcs11-destroy destroys keys stored in a PKCS#11 device, identified by their ID or label.

-

+

Matching keys are displayed before being destroyed. By default, there is a five second delay to allow the user to interrupt the process before the destruction takes place.

-
-
+
+ +

ARGUMENTS

-
+ +
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-s slot
-

+

+

Open the session with the given PKCS#11 slot. The default is slot 0. -

+

+
-i ID
-

+

+

Destroy keys with the given object ID. -

+

+
-l label
-

+

+

Destroy keys with the given label. -

+

+
-p PIN
-

+

+

Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-destroy will prompt for it. -

+

+
-w seconds
-

+

+

Specify how long to pause before carrying out key destruction. The default is five seconds. If set to 0, destruction will be immediate. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-keygen(8), - pkcs11-list(8), - pkcs11-tokens(8) + +

+ + pkcs11-keygen(8) + , + + pkcs11-list(8) + , + + pkcs11-tokens(8) +

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html
index 6e62341e4f..46e0539413 100644
--- a/doc/arm/man.pkcs11-keygen.html
+++ b/doc/arm/man.pkcs11-keygen.html
@@ -10,7 +10,7 @@ pkcs11-keygen - +
@@ -32,95 +32,154 @@
-
+ + + + + +

Name

-

pkcs11-keygen — generate keys on a PKCS#11 device

-
-
-

Synopsis

-

pkcs11-keygen {-a algorithm} [-b keysize] [-e] [-i id] [-m module] [-P] [-p PIN] [-q] [-S] [-s slot] {label}

-
-
-

DESCRIPTION

+ pkcs11-keygen + — generate keys on a PKCS#11 device +

+
+ + + +
+

Synopsis

+

+ pkcs11-keygen + {-a algorithm} + [-b keysize] + [-e] + [-i id] + [-m module] + [-P] + [-p PIN] + [-q] + [-S] + [-s slot] + {label} +

+
+ +
+

DESCRIPTION

+ +

pkcs11-keygen causes a PKCS#11 device to generate a new key pair with the given label (which must be unique) and with keysize bits of prime.

-
-
+
+ +

ARGUMENTS

-
+ +
-a algorithm
-

+

+

Specify the key algorithm class: Supported classes are RSA, DSA, DH, ECC and ECX. In addition to these strings, the algorithm can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to ECC, and ED25519 to ECX. The default class is "RSA". -

+

+
-b keysize
-

+

+

Create the key pair with keysize bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256. For ECX kyes, the only valid values are 256 and 456, and the default is 256. -

+

+
-e
-

+

+

For RSA keys only, use a large exponent. -

+

+
-i id
-

+

+

Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number. -

+

+
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-P
-

+

+

Set the new private key to be non-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non-extractable. -

+

+
-p PIN
-

+

+

Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-keygen will prompt for it. -

+

+
-q
-

+

+

Quiet mode: suppress unnecessary output. -

+

+
-S
-

+

+

For Diffie-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024. -

+

+
-s slot
-

+

+

Open the session with the given PKCS#11 slot. The default is slot 0. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-destroy(8), - pkcs11-list(8), - pkcs11-tokens(8), - dnssec-keyfromlabel(8) + +

+ + pkcs11-destroy(8) + , + + pkcs11-list(8) + , + + pkcs11-tokens(8) + , + + dnssec-keyfromlabel(8) +

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html
index b2be2b605d..70193a1337 100644
--- a/doc/arm/man.pkcs11-list.html
+++ b/doc/arm/man.pkcs11-list.html
@@ -10,7 +10,7 @@ pkcs11-list - +
@@ -32,17 +32,38 @@
-
+ + + + + +

Name

-

pkcs11-list — list PKCS#11 objects

-
-
-

Synopsis

-

pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]

-
-
-

DESCRIPTION

+ pkcs11-list + — list PKCS#11 objects +

+
+ + + +
+

Synopsis

+

+ pkcs11-list + [-P] + [-m module] + [-s slot] + [-i ID] + [-l label] + [-p PIN] +

+
+ +
+

DESCRIPTION

+ +

pkcs11-list lists the PKCS#11 objects with ID or label or by default all objects. @@ -51,49 +72,72 @@ attribute is also displayed, as either true, false, or never.

-
-
+
+ +

ARGUMENTS

-
+ +
-P
-

+

+

List only the public objects. (Note that on some PKCS#11 devices, all objects are private.) -

+

+
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-s slot
-

+

+

Open the session with the given PKCS#11 slot. The default is slot 0. -

+

+
-i ID
-

+

+

List only key objects with the given object ID. -

+

+
-l label
-

+

+

List only key objects with the given label. -

+

+
-p PIN
-

+

+

Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-list will prompt for it. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-destroy(8), - pkcs11-keygen(8), - pkcs11-tokens(8) + +

+ + pkcs11-destroy(8) + , + + pkcs11-keygen(8) + , + + pkcs11-tokens(8) +

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html
index ba3dd0d387..60d0ac6003 100644
--- a/doc/arm/man.pkcs11-tokens.html
+++ b/doc/arm/man.pkcs11-tokens.html
@@ -10,7 +10,7 @@ pkcs11-tokens - +
@@ -32,45 +32,77 @@
-
+ + + + + +

Name

-

pkcs11-tokens — list PKCS#11 available tokens

-
-
-

Synopsis

-

pkcs11-tokens [-m module] [-v]

-
-
-

DESCRIPTION

+ pkcs11-tokens + — list PKCS#11 available tokens +

+
+ + + +
+

Synopsis

+

+ pkcs11-tokens + [-m module] + [-v] +

+
+ +
+

DESCRIPTION

+ +

pkcs11-tokens lists the PKCS#11 available tokens with defaults from the slot/token scan performed at application initialization.

-
-
+
+ +

ARGUMENTS

-
+ +
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-v
-

+

+

Make the PKCS#11 libisc initialization verbose. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-destroy(8), - pkcs11-keygen(8), - pkcs11-list(8) + +

+ + pkcs11-destroy(8) + , + + pkcs11-keygen(8) + , + + pkcs11-list(8) +

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index c30107f79f..c11d2dce0f 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -10,7 +10,7 @@ rndc-confgen - +
@@ -32,17 +32,42 @@
-
+ + + + + +

Name

-

rndc-confgen — rndc key generation tool

+

+ rndc-confgen + — rndc key generation tool +

-
+ + + +

Synopsis

-

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-s address] [-t chrootdir] [-u user]

-
-
+

+ rndc-confgen + [-a] + [-A algorithm] + [-b keysize] + [-c keyfile] + [-h] + [-k keyname] + [-p port] + [-s address] + [-t chrootdir] + [-u user] +

+
+ +

DESCRIPTION

-

rndc-confgen + +

rndc-confgen generates configuration files for rndc. It can be used as a convenient alternative to writing the @@ -55,13 +80,17 @@ avoid the need for a rndc.conf file and a controls statement altogether.

-
-
+ +
+ +

OPTIONS

-
+ + +
-a
-

+

Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever @@ -76,7 +105,7 @@ named on the local host with no further configuration.

-

+

Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in @@ -84,7 +113,7 @@ with no changes to the existing BIND 8 named.conf file.

-

+

If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, @@ -95,58 +124,75 @@ named.conf as directed.

-
+
-A algorithm
-

+

+

Specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The default is hmac-sha256. -

+

+
-b keysize
-

+

+

Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is the hash size. -

+

+
-c keyfile
-

+

+

Used with the -a option to specify an alternate location for rndc.key. -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to rndc-confgen. -

+

+
-k keyname
-

+

+

Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key. -

+

+
-p port
-

+

+

Specifies the command channel port where named listens for connections from rndc. The default is 953. -

+

+
-s address
-

+

+

Specifies the IP address where named listens for command channel connections from rndc. The default is the loopback address 127.0.0.1. -

+

+
-t chrootdir
-

+

+

Used with the -a option to specify a directory where named will run chrooted. An additional copy of the rndc.key will be written relative to this directory so that it will be found by the chrooted named. -

+

+
-u user
-

+

+

Used with the -a option to set the owner of the rndc.key file generated. @@ -154,34 +200,46 @@ -t is also specified only the file in the chroot area has its owner changed. -

+

+
-
-
+
+ +

EXAMPLES

-

+ +

To allow rndc to be used with no manual configuration, run

-

rndc-confgen -a +

rndc-confgen -a

-

+

To print a sample rndc.conf file and corresponding controls and key statements to be manually inserted into named.conf, run

-

rndc-confgen +

rndc-confgen

-
-
+
+ +

SEE ALSO

-

rndc(8), - rndc.conf(5), - named(8), + +

+ rndc(8) + , + + rndc.conf(5) + , + + named(8) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 89fe14a687..c663b8b93b 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -10,7 +10,7 @@ rndc.conf - +
@@ -32,17 +32,32 @@
-
+ + + + + +

Name

-

rndc.conf — rndc configuration file

+

+ rndc.conf + — rndc configuration file +

-
+ + + +

Synopsis

-

rndc.conf

-
-
+

+ rndc.conf +

+
+ +

DESCRIPTION

-

rndc.conf is the configuration file + +

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to named.conf. Statements are enclosed @@ -50,21 +65,21 @@ the statements are also semi-colon terminated. The usual comment styles are supported:

-

+

C style: /* */

-

+

C++ style: // to end of line

-

+

Unix style: # to end of line

-

rndc.conf is much simpler than +

rndc.conf is much simpler than named.conf. The file uses three statements: an options statement, a server statement and a key statement.

-

+

The options statement contains five clauses. The default-server clause is followed by the name or address of a name server. This host will be used when @@ -87,7 +102,7 @@ can be used to set the IPv4 and IPv6 source addresses respectively.

-

+

After the server keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: @@ -101,7 +116,7 @@ of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.

-

+

The key statement begins with an identifying string, the name of the key. The statement has two clauses. algorithm identifies the authentication algorithm @@ -112,7 +127,7 @@ the base-64 encoding of the algorithm's authentication key. The base-64 string is enclosed in double quotes.

-

+

There are two common ways to generate the base-64 string for the secret. The BIND 9 program rndc-confgen can @@ -125,10 +140,13 @@ ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.

-
-
+
+ +

EXAMPLE

-
+
+
+    
       options {
         default-server  localhost;
         default-key     samplekey;
@@ -136,14 +154,14 @@
 

-
+    
       server localhost {
         key             samplekey;
       };
 

-
+    
       server testserver {
         key		testkey;
         addresses	{ localhost port 5353; };
@@ -151,7 +169,7 @@
 

-
+    
       key samplekey {
         algorithm       hmac-sha256;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
@@ -159,7 +177,7 @@
 

-
+    
       key testkey {
         algorithm	hmac-sha256;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
@@ -167,7 +185,8 @@
     

-

+ +

In the above example, rndc will by default use the server at localhost (127.0.0.1) and the key called samplekey. @@ -177,16 +196,16 @@ uses the HMAC-SHA256 algorithm and its secret clause contains the base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.

-

+

If rndc -s testserver is used then rndc will connect to server on localhost port 5353 using the key testkey.

-

+

To generate a random secret with rndc-confgen:

-

rndc-confgen +

rndc-confgen

-

+

A complete rndc.conf file, including the randomly generated key, will be written to the standard @@ -194,30 +213,41 @@ controls statements for named.conf are also printed.

-

+

To generate a base-64 secret with mmencode:

-

echo "known plaintext for a secret" | mmencode +

echo "known plaintext for a secret" | mmencode

-
-
+
+ +

NAME SERVER CONFIGURATION

-

+ +

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf file, using the controls statement in named.conf. See the sections on the controls statement in the BIND 9 Administrator Reference Manual for details.

-
-
+
+ +

SEE ALSO

-

rndc(8), - rndc-confgen(8), - mmencode(1), + +

+ rndc(8) + , + + rndc-confgen(8) + , + + mmencode(1) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 9c580e5d64..eb342989f5 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -10,7 +10,7 @@ rndc - +
@@ -30,17 +30,46 @@
-
+ + + + + +

Name

-

rndc — name server control utility

+

+ rndc + — name server control utility +

-
+ + + +

Synopsis

-

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-r] [-V] [-y key_id] [[-4] | [-6]] {command}

-
-
+

+ rndc + [-b source-address] + [-c config-file] + [-k key-file] + [-s server] + [-p port] + [-q] + [-r] + [-V] + [-y key_id] + [ + [-4] + | [-6] + ] + {command} +

+
+ +

DESCRIPTION

-

rndc + +

rndc controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If @@ -49,7 +78,7 @@ supported commands and the available options and their arguments.

-

rndc +

rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of @@ -63,38 +92,50 @@ over the channel must be signed by a key_id known to the server.

-

rndc +

rndc reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.

-
-
+
+ +

OPTIONS

-
+ + +
-4
-

+

+

Use IPv4 only. -

+

+
-6
-

+

+

Use IPv6 only. -

+

+
-b source-address
-

+

+

Use source-address as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses. -

+

+
-c config-file
-

+

+

Use config-file as the configuration file instead of the default, /etc/rndc.conf. -

+

+
-k key-file
-

+

+

Use key-file as the key file instead of the default, /etc/rndc.key. The key in @@ -102,40 +143,52 @@ authenticate commands sent to the server if the config-file does not exist. -

+

+
-s server
-

server is +

+

server is the name or address of the server which matches a server statement in the configuration file for rndc. If no server is supplied on the command line, the host named by the default-server clause in the options statement of the rndc configuration file will be used. -

+

+
-p port
-

+

+

Send commands to TCP port port instead of BIND 9's default control channel port, 953. -

+

+
-q
-

+

+

Quiet mode: Message text returned by the server will not be printed except when there is an error. -

+

+
-r
-

+

+

Instructs rndc to print the result code returned by named after executing the requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc). -

+

+
-V
-

+

+

Enable verbose logging. -

+

+
-y key_id
-

+

+

Use the key key_id from the configuration file. key_id @@ -151,22 +204,26 @@ which are used to send authenticated control commands to name servers. It should therefore not have general read or write access. -

+

+
-
-
+
+ +

COMMANDS

-

+ +

A list of commands supported by rndc can be seen by running rndc without arguments.

-

+

Currently supported commands are:

-
+ +
addzone zone [class [view]] configuration
-

+

Add a zone while the server is running. This command requires the allow-new-zones option to be set @@ -176,7 +233,7 @@ configuration text that would ordinarily be placed in named.conf.

-

+

The configuration is saved in a file called viewname.nzf (or, if named is compiled with @@ -191,28 +248,28 @@ configuration, so that zones that were added can persist after a restart.

-

+

This sample addzone command would add the zone example.com to the default view:

-

+

$ rndc addzone example.com '{ type master; file "example.com.db"; };'

-

+

(Note the brackets and semi-colon around the zone configuration text.)

-

+

See also rndc delzone and rndc modzone.

-
+
delzone [-clean] zone [class [view]]
-

+

Delete a zone while the server is running.

-

+

If the -clean argument is specified, the zone's master file (and journal file, if any) will be deleted along with the zone. Without the @@ -222,7 +279,7 @@ be cleaned up will be reported in the output of the rndc delzone command.)

-

+

If the zone was originally added via rndc addzone, then it will be removed permanently. However, if it was originally @@ -232,12 +289,13 @@ come back. To remove it permanently, it must also be removed from named.conf

-

+

See also rndc addzone and rndc modzone.

-
+
dnstap ( -reopen | -roll [number] )
-

+

+

Close and re-open DNSTAP output files. rndc dnstap -reopen allows the output file to be renamed externally, so @@ -248,34 +306,43 @@ previous most recent output file is moved to ".1", and so on. If number is specified, then the number of backup log files is limited to that number. -

+

+
dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
-

+

+

Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped. (See the dump-file option in the BIND 9 Administrator Reference Manual.) -

+

+
flush
-

+

+

Flushes the server's cache. -

+

+
flushname name [view]
-

+

+

Flushes the given name from the view's DNS cache and, if applicable, from the view's nameserver address database, bad server cache and SERVFAIL cache. -

+

+
flushtree name [view]
-

+

+

Flushes the given name, and all of its subdomains, from the view's DNS cache, address database, bad server cache, and SERVFAIL cache. -

+

+
freeze [zone [class [view]]]
-

+

Suspend updates to a dynamic zone. If no zone is specified, then all zones are suspended. This allows manual edits to be made to a zone normally updated by @@ -284,13 +351,13 @@ All dynamic update attempts will be refused while the zone is frozen.

-

+

See also rndc thaw.

-
+
halt [-p]
-

+

Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the @@ -299,13 +366,13 @@ This allows an external process to determine when named had completed halting.

-

+

See also rndc stop.

-
+
loadkeys zone [class [view]]
-

+

Fetch all DNSSEC keys for the given zone from the key directory. If they are within their publication period, merge them into the @@ -314,7 +381,7 @@ immediately re-signed by the new keys, but is allowed to incrementally re-sign over time.

-

+

This command requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option @@ -324,28 +391,33 @@ (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)

-
+
managed-keys (status | refresh | sync | destroy) [class [view]]
-

+

Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance. If a view is specified, these commands are applied to that view; otherwise they are applied to all views.

-
    -
  • +

      +
    • +

      When run with the status keyword, prints the current status of the managed keys database. -

    • -
    • +

      +
    • +
    • +

      When run with the refresh keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval. -

    • -
    • +

      +
    • +
    • +

      When run with the sync keyword, forces an immediate dump of the managed keys database to disk (in the file managed-keys.bind or @@ -353,15 +425,16 @@ This synchronizes the database with its journal file, so that the database's current contents can be inspected visually. -

    • +

      +
    • -

      +

      When run with the destroy keyword, the managed keys database is shut down and deleted, and all key maintenance is terminated. This command should be used only with extreme caution.

      -

      +

      Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used. However, key maintenance operations will @@ -369,7 +442,7 @@ reconfigured, and all existing key maintenance state will be deleted.

      -

      +

      Running rndc reconfig or restarting named immediately after this command will cause key maintenance to be reinitialized from scratch, @@ -379,12 +452,12 @@ in the event of a trust anchor rollover, or as a brute-force repair for key maintenance problems.

      -
    • +
    -
+
modzone zone [class [view]] configuration
-

+

Modify the configuration of a zone while the server is running. This command requires the allow-new-zones option to be @@ -395,7 +468,7 @@ configuration text that would ordinarily be placed in named.conf.

-

+

If the zone was originally added via rndc addzone, the configuration changes will be recorded permanently and will still be @@ -408,30 +481,32 @@ permanent, it must also be modified in named.conf

-

+

See also rndc addzone and rndc delzone.

-
+
notify zone [class [view]]
-

+

+

Resend NOTIFY messages for the zone. -

+

+
notrace
-

+

Sets the server's debugging level to 0.

-

+

See also rndc trace.

-
+
nta [( -class class | -dump | -force | -remove | -lifetime duration)] domain [view]
-

+

Sets a DNSSEC negative trust anchor (NTA) for domain, with a lifetime of duration. The default lifetime is @@ -439,7 +514,7 @@ nta-lifetime option, and defaults to one hour. The lifetime cannot exceed one week.

-

+

A negative trust anchor selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than @@ -450,7 +525,7 @@ insecure rather than bogus. This continues until the NTA's lifetime is elapsed.

-

+

NTAs persist across restarts of the named server. The NTAs for a view are saved in a file called name.nta, @@ -460,11 +535,11 @@ cryptographic hash generated from the name of the view.

-

+

An existing NTA can be removed by using the -remove option.

-

+

An NTA's lifetime can be specified with the -lifetime option. TTL-style suffixes can be used to specify the lifetime in @@ -473,13 +548,13 @@ new value. Setting lifetime to zero is equivalent to -remove.

-

+

If the -dump is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up).

-

+

Normally, named will periodically test to see whether data below an NTA can now be validated (see the nta-recheck option @@ -491,31 +566,31 @@ lifetime, regardless of whether data could be validated if the NTA were not present.

-

+

The view class can be specified with -class. The default is class IN, which is the only class for which DNSSEC is currently supported.

-

+

All of these options can be shortened, i.e., to -l, -r, -d, -f, and -c.

-

+

Unrecognized options are treated as errors. To reference a domain or view name that begins with a hyphen, use a double-hyphen on the command line to indicate the end of options.

-
+
querylog [ on | off ]
-

+

Enable or disable query logging. (For backward compatibility, this command can also be used without an argument to toggle query logging on and off.)

-

+

Query logging can also be enabled by explicitly directing the queries category to a @@ -526,9 +601,10 @@ options section of named.conf.

-
+
reconfig
-

+

+

Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. @@ -536,34 +612,43 @@ is a large number of zones because it avoids the need to examine the modification times of the zones files. -

+

+
recursing
-

+

+

Dump the list of queries named is currently recursing on, and the list of domains to which iterative queries are currently being sent. (The second list includes the number of fetches currently active for the given domain, and how many have been passed or dropped because of the fetches-per-zone option.) -

+

+
refresh zone [class [view]]
-

+

+

Schedule zone maintenance for the given zone. -

+

+
reload
-

+

+

Reload configuration file and zones. -

+

+
reload zone [class [view]]
-

+

+

Reload the given zone. -

+

+
retransfer zone [class [view]]
-

+

Retransfer the given slave zone from the master server.

-

+

If the zone is configured to use inline-signing, the signed version of the zone is discarded; after the @@ -571,17 +656,19 @@ signed version will be regenerated with all new signatures.

-
+
scan
-

+

+

Scan the list of available network interfaces for changes, without performing a full reconfig or waiting for the interface-interval timer. -

+

+
secroots [-] [view ...]
-

+

Dump the security roots (i.e., trust anchors configured via trust-anchors statements, or the managed-keys or trusted-keys statements (both deprecated), or @@ -592,7 +679,7 @@ initializing managed keys (managed keys that have not yet been updated by a successful key refresh query).

-

+

If the first argument is "-", then the output is returned via the rndc response channel and printed to the standard output. @@ -601,18 +688,18 @@ overridden via the secroots-file option in named.conf.

-

+

See also rndc managed-keys.

-
+
serve-stale ( on | off | reset | status ) [class [view]]
-

+

Enable, disable, reset, or report the current status of the serving of stale answers as configured in named.conf.

-

+

If serving of stale answers is disabled by rndc-serve-stale off, then it will remain disabled even if named @@ -620,7 +707,7 @@ rndc serve-stale reset restores the setting as configured in named.conf.

-

+

rndc serve-stale status will report whether serving of stale answers is currently enabled, disabled by the configuration, or disabled by @@ -628,19 +715,19 @@ values of stale-answer-ttl and max-stale-ttl.

-
+
showzone zone [class [view]]
-

+

Print the configuration of a running zone.

-

+

See also rndc zonestatus.

-
+
sign zone [class [view]]
-

+

Fetch all DNSSEC keys for the given zone from the key directory (see the key-directory option in @@ -650,7 +737,7 @@ is changed, then the zone is automatically re-signed with the new key set.

-

+

This command requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set @@ -661,13 +748,13 @@ (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)

-

+

See also rndc loadkeys.

-
+
signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) | -serial value ) ] zone [class [view]]
-

+

List, edit, or remove the DNSSEC signing state records for the specified zone. The status of ongoing DNSSEC operations (such as signing or generating @@ -680,7 +767,7 @@ or have finished signing the zone, and which NSEC3 chains are being created or removed.

-

+

rndc signing -clear can remove a single key (specified in the same format that rndc signing -list uses to @@ -689,7 +776,7 @@ that a key has not yet finished signing the zone will be retained.

-

+

rndc signing -nsec3param sets the NSEC3 parameters for a zone. This is the only supported mechanism for using NSEC3 with @@ -698,7 +785,7 @@ an NSEC3PARAM resource record: hash algorithm, flags, iterations, and salt, in that order.

-

+

Currently, the only defined value for hash algorithm is 1, representing SHA-1. The flags may be set to @@ -713,7 +800,7 @@ which causes named to generate a random 64-bit salt.

-

+

So, for example, to create an NSEC3 chain using the SHA-1 hash algorithm, no opt-out flag, 10 iterations, and a salt value of "FFFF", use: @@ -722,36 +809,40 @@ salt, use: rndc signing -nsec3param 1 1 15 - zone.

-

+

rndc signing -nsec3param none removes an existing NSEC3 chain and replaces it with NSEC.

-

+

rndc signing -serial value sets the serial number of the zone to value. If the value would cause the serial number to go backwards it will be rejected. The primary use is to set the serial on inline signed zones.

-
+
stats
-

+

+

Write server statistics to the statistics file. (See the statistics-file option in the BIND 9 Administrator Reference Manual.) -

+

+
status
-

+

+

Display status of the server. Note that the number of zones includes the internal bind/CH zone and the default ./IN hint zone if there is not an explicit root zone configured. -

+

+
stop [-p]
-

+

Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. @@ -759,17 +850,20 @@ This allows an external process to determine when named had completed stopping.

-

See also rndc halt.

-
+

See also rndc halt.

+
sync [-clean] [zone [class [view]]]
-

+

+

Sync changes in the journal file for a dynamic zone to the master file. If the "-clean" option is specified, the journal file is also removed. If no zone is specified, then all zones are synced. -

+

+
tcp-timeouts [initial idle keepalive advertised]
-

+

+

When called without arguments, display the current values of the tcp-initial-timeout, tcp-idle-timeout, @@ -780,10 +874,11 @@ under a denial of service attack. See the descriptions of these options in the BIND 9 Administrator Reference Manual for details of their use. -

+

+
thaw [zone [class [view]]]
-

+

Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone @@ -797,45 +892,53 @@ zone has changed, any existing journal file will be removed.

-

See also rndc freeze.

-
+

See also rndc freeze.

+
trace
-

+

+

Increment the servers debugging level by one. -

+

+
trace level
-

+

Sets the server's debugging level to an explicit value.

-

+

See also rndc notrace.

-
+
tsig-delete keyname [view]
-

+

+

Delete a given TKEY-negotiated key from the server. (This does not apply to statically configured TSIG keys.) -

+

+
tsig-list
-

+

+

List the names of all TSIG keys currently configured for use by named in each view. The list includes both statically configured keys and dynamic TKEY-negotiated keys. -

+

+
validation ( on | off | status ) [view ...]
-

+

+

Enable, disable, or check the current status of DNSSEC validation. By default, validation is enabled. The cache is flushed when validation is turned on or off to avoid using data that might differ between states. -

+

+
zonestatus zone [class [view]]
-

+

Displays the current status of the given zone, including the master file name and any include files from which it was loaded, when it was most @@ -846,12 +949,13 @@ management or inline signing, and the scheduled refresh or expiry times for the zone.

-

+

See also rndc showzone.

-
+
-

+ +

rndc commands that specify zone names, such as reload, retransfer or zonestatus, can be ambiguous when applied @@ -863,27 +967,42 @@ (With a trailing period, this would specify a zone called "-redirect".)

-
-
+
+ +

LIMITATIONS

-

+ +

There is currently no way to provide the shared secret for a key_id without using the configuration file.

-

+

Several error messages could be clearer.

-
-
+
+ +

SEE ALSO

-

rndc.conf(5), - rndc-confgen(8), - named(8), - named.conf(5), - ndc(8), + +

+ rndc.conf(5) + , + + rndc-confgen(8) + , + + named(8) + , + + named.conf(5) + , + + ndc(8) + , BIND 9 Administrator Reference Manual.

-
+
+
-

BIND 9.17.0 (Development Release)

+

BIND 9.17.1 (Development Release)

diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 094a0cbef8..6cef9ed8f0 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.17.0

+Release Notes for BIND Version 9.17.1

@@ -72,6 +72,100 @@

+Notes for BIND 9.17.1

+ +
+

+Security Fixes

+
  • +

    + DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] +

    +
+
+ +
+

+Known Issues

+
  • +

    + We have received reports that in some circumstances, receipt of an + IXFR can cause the processing of queries to slow significantly. Some + of these were related to RPZ processing, which has been fixed in this + release (see below). Others appear to occur where there are + NSEC3-related changes (such as an operator changing the NSEC3 salt + used in the hash calculation). These are being investigated. + [GL #1685] +

    +
+
+ +
+

+New Features

+
  • +

    + A new option, nsdname-wait-recurse, has been added + to the response-policy clause in the configuration + file. When set to no, RPZ NSDNAME rules are only + applied if the authoritative nameservers for the query name have been + looked up and are present in the cache. If this information is not + present, the RPZ NSDNAME rules are ignored, but the information is + looked up in the background and applied to subsequent queries. The + default is yes, meaning that RPZ NSDNAME rules + should always be applied, even if the information needs to be looked + up first. [GL #1138] +

    +
+
+ +
+

+Feature Changes

+
  • +

    + The previous DNSSEC sign statistics used lots of memory. The number of + keys to track is reduced to four per zone, which should be enough for + 99% of all signed zones. [GL #1179] +

    +
+
+ +
+

+Bug Fixes

+
    +
  • +

    + When an RPZ policy zone was updated via zone transfer and a large + number of records was deleted, named could become + nonresponsive for a short period while deleted names were removed from + the RPZ summary database. This database cleanup is now done + incrementally over a longer period of time, reducing such delays. + [GL #1447] +

    +
  • +
  • +

    + When trying to migrate an already-signed zone from + auto-dnssec maintain to one based on + dnssec-policy, the existing keys were immediately + deleted and replaced with new ones. As the key rollover timing + constraints were not being followed, it was possible that some clients + would not have been able to validate responses until all old DNSSEC + information had timed out from caches. BIND now looks at the time + metadata of the existing keys and incorporates it into its DNSSEC + policy operation. [GL #1706] +

    +
  • +
+
+ +
+
+

Notes for BIND 9.17.0

@@ -96,7 +190,8 @@

New Features

-
  • +
      +
    • When a secondary server receives a large incremental zone transfer (IXFR), it can have a negative impact on query @@ -112,7 +207,21 @@ to the size of a full zone transfer. The default is 100%. [GL #1515]

      -
    +
  • +
  • +

    + A new RPZ option nsdname-wait-recurse + controls whether RPZ-NSDNAME rules should always be applied + even if the names of authoritative name servers for the query + name need to be looked up recurively first. The default is + yes. Setting it to + no speeds up initial responses by skipping + RPZ-NSDNAME rules when name server domain names are not yet + in the cache. The names will be looked up in the background and + the rule will be applied for subsequent queries. [GL #1138] +

    +
  • +
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index b04e5e57b8..336ab44c59 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt
index 061d585d68..d3f88c9fed 100644
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.17.0
+Release Notes for BIND Version 9.17.1
 Introduction
@@ -36,6 +36,59 @@ www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +Notes for BIND 9.17.1 + +Security Fixes + + * DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] + +Known Issues + + * We have received reports that in some circumstances, receipt of an + IXFR can cause the processing of queries to slow significantly. Some + of these were related to RPZ processing, which has been fixed in this + release (see below). Others appear to occur where there are + NSEC3-related changes (such as an operator changing the NSEC3 salt + used in the hash calculation). These are being investigated. [GL + #1685] + +New Features + + * A new option, nsdname-wait-recurse, has been added to the + response-policy clause in the configuration file. When set to no, RPZ + NSDNAME rules are only applied if the authoritative nameservers for + the query name have been looked up and are present in the cache. If + this information is not present, the RPZ NSDNAME rules are ignored, + but the information is looked up in the background and applied to + subsequent queries. The default is yes, meaning that RPZ NSDNAME rules + should always be applied, even if the information needs to be looked + up first. [GL #1138] + +Feature Changes + + * The previous DNSSEC sign statistics used lots of memory. The number of + keys to track is reduced to four per zone, which should be enough for + 99% of all signed zones. [GL #1179] + +Bug Fixes + + * When an RPZ policy zone was updated via zone transfer and a large + number of records was deleted, named could become nonresponsive for a + short period while deleted names were removed from the RPZ summary + database. This database cleanup is now done incrementally over a + longer period of time, reducing such delays. 
[GL #1447] + + * When trying to migrate an already-signed zone from auto-dnssec + maintain to one based on dnssec-policy, the existing keys were + immediately deleted and replaced with new ones. As the key rollover + timing constraints were not being followed, it was possible that some + clients would not have been able to validate responses until all old + DNSSEC information had timed out from caches. BIND now looks at the + time metadata of the existing keys and incorporates it into its DNSSEC + policy operation. [GL #1706] + Notes for BIND 9.17.0 Known Issues @@ -62,6 +115,14 @@ New Features percentage value representing the ratio of IXFR size to the size of a full zone transfer. The default is 100%. [GL #1515] + * A new RPZ option nsdname-wait-recurse controls whether RPZ-NSDNAME + rules should always be applied even if the names of authoritative name + servers for the query name need to be looked up recurively first. The + default is yes. Setting it to no speeds up initial responses by + skipping RPZ-NSDNAME rules when name server domain names are not yet + in the cache. The names will be looked up in the background and the + rule will be applied for subsequent queries. [GL #1138] + Feature Changes * The system-provided POSIX Threads read-write lock implementation is diff --git a/doc/misc/options b/doc/misc/options index da91545aca..2962f839ad 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -339,10 +339,11 @@ options { nsdname-enable ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ - nsip-wait-recurse ] [ qname-wait-recurse ] - [ recursive-only ] [ nsip-enable ] [ - nsdname-enable ] [ dnsrps-enable ] [ - dnsrps-options { } ]; + nsip-wait-recurse ] [ nsdname-wait-recurse + ] [ qname-wait-recurse ] [ recursive-only ] + [ nsip-enable ] [ nsdname-enable ] [ + dnsrps-enable ] [ dnsrps-options { + } ]; rfc2308-type1 ; // ancient root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; 
@@ -689,10 +690,11 @@ view [ ] { nsdname-enable ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ - nsip-wait-recurse ] [ qname-wait-recurse ] - [ recursive-only ] [ nsip-enable ] [ - nsdname-enable ] [ dnsrps-enable ] [ - dnsrps-options { } ]; + nsip-wait-recurse ] [ nsdname-wait-recurse + ] [ qname-wait-recurse ] [ recursive-only ] + [ nsip-enable ] [ nsdname-enable ] [ + dnsrps-enable ] [ dnsrps-options { + } ]; rfc2308-type1 ; // ancient root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; diff --git a/doc/misc/options.active b/doc/misc/options.active index a73efddc88..c44b0d4fb7 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -306,10 +306,11 @@ options { nsdname-enable ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ - nsip-wait-recurse ] [ qname-wait-recurse ] - [ recursive-only ] [ nsip-enable ] [ - nsdname-enable ] [ dnsrps-enable ] [ - dnsrps-options { } ]; + nsip-wait-recurse ] [ nsdname-wait-recurse + ] [ qname-wait-recurse ] [ recursive-only ] + [ nsip-enable ] [ nsdname-enable ] [ + dnsrps-enable ] [ dnsrps-options { + } ]; root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; rrset-order { [ class ] [ type ] [ name @@ -621,10 +622,11 @@ view [ ] { nsdname-enable ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ - nsip-wait-recurse ] [ qname-wait-recurse ] - [ recursive-only ] [ nsip-enable ] [ - nsdname-enable ] [ dnsrps-enable ] [ - dnsrps-options { } ]; + nsip-wait-recurse ] [ nsdname-wait-recurse + ] [ qname-wait-recurse ] [ recursive-only ] + [ nsip-enable ] [ nsdname-enable ] [ + dnsrps-enable ] [ dnsrps-options { + } ]; root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; rrset-order { [ class ] [ type ] [ name diff --git a/lib/dns/api b/lib/dns/api index fe671a43ac..88c9b9df52 100644 --- a/lib/dns/api +++ b/lib/dns/api 
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1700
+LIBINTERFACE = 1701
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index fe671a43ac..88c9b9df52 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1700
+LIBINTERFACE = 1701
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccc/api b/lib/isccc/api
index fe671a43ac..9a50ec3feb 100644
--- a/lib/isccc/api
+++ b/lib/isccc/api
@@ -12,5 +12,5 @@
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
 LIBINTERFACE = 1700
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/isccfg/api b/lib/isccfg/api
index fe671a43ac..9a50ec3feb 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -12,5 +12,5 @@
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
 LIBINTERFACE = 1700
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/ns/api b/lib/ns/api
index fe671a43ac..88c9b9df52 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1700
+LIBINTERFACE = 1701
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/version b/version
index f5f7dcda2c..66268e7f1a 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=17
-PATCHVER=0
+PATCHVER=1
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=