From 7911e6f9de303bca5a3d8b34f4330c8f7cecffae Mon Sep 17 00:00:00 2001 
From: Tinderbox User Date: Wed, 7 Dec 2016 01:09:50 +0000 Subject: [PATCH] regen v9_11 --- bin/check/named-checkconf.html | 118 +- bin/check/named-checkzone.html | 293 +- bin/confgen/ddns-confgen.html | 131 +- bin/confgen/rndc-confgen.html | 153 +- bin/delv/delv.html | 348 ++- bin/dig/dig.html | 660 ++-- bin/dig/host.html | 207 +- bin/dig/nslookup.html | 279 +- bin/dnssec/dnssec-dsfromkey.html | 204 +- bin/dnssec/dnssec-importkey.html | 161 +- bin/dnssec/dnssec-keyfromlabel.html | 301 +- bin/dnssec/dnssec-keygen.html | 340 ++- bin/dnssec/dnssec-revoke.html | 107 +- bin/dnssec/dnssec-settime.html | 206 +- bin/dnssec/dnssec-signzone.html | 411 ++- bin/dnssec/dnssec-verify.html | 116 +- bin/named/lwresd.html | 210 +- bin/named/named.conf.html | 160 +- bin/named/named.html | 312 +- bin/nsupdate/nsupdate.html | 400 ++- bin/pkcs11/pkcs11-destroy.html | 110 +- bin/pkcs11/pkcs11-keygen.html | 139 +- bin/pkcs11/pkcs11-list.html | 106 +- bin/pkcs11/pkcs11-tokens.html | 78 +- bin/python/dnssec-checkds.html | 97 +- bin/python/dnssec-coverage.html | 141 +- bin/python/dnssec-keymgr.html | 258 +- bin/rndc/rndc.conf.html | 106 +- bin/rndc/rndc.html | 426 ++- bin/tools/arpaname.html | 44 +- bin/tools/dnstap-read.html | 83 +- bin/tools/genrandom.html | 81 +- bin/tools/isc-hmac-fixup.html | 58 +- bin/tools/mdig.html | 371 ++- bin/tools/named-journalprint.html | 57 +- bin/tools/named-nzd2nzf.8 | 1 + bin/tools/named-nzd2nzf.html | 1 + bin/tools/named-rrchecker.html | 59 +- bin/tools/nsec3hash.html | 80 +- doc/arm/Bv9ARM.ch01.html | 187 +- doc/arm/Bv9ARM.ch02.html | 40 +- doc/arm/Bv9ARM.ch03.html | 248 +- doc/arm/Bv9ARM.ch04.html | 1132 ++++--- doc/arm/Bv9ARM.ch05.html | 34 +- doc/arm/Bv9ARM.ch06.html | 3649 ++++++++++++++--------- doc/arm/Bv9ARM.ch07.html | 98 +- doc/arm/Bv9ARM.ch08.html | 40 +- doc/arm/Bv9ARM.ch09.html | 589 ++-- doc/arm/Bv9ARM.ch10.html | 23 +- doc/arm/Bv9ARM.ch11.html | 913 ++++-- doc/arm/Bv9ARM.ch12.html | 232 +- doc/arm/Bv9ARM.ch13.html | 40 +- doc/arm/Bv9ARM.html 
| 29 +- doc/arm/man.arpaname.html | 44 +- doc/arm/man.ddns-confgen.html | 131 +- doc/arm/man.delv.html | 348 ++- doc/arm/man.dig.html | 660 ++-- doc/arm/man.dnssec-checkds.html | 97 +- doc/arm/man.dnssec-coverage.html | 141 +- doc/arm/man.dnssec-dsfromkey.html | 204 +- doc/arm/man.dnssec-importkey.html | 161 +- doc/arm/man.dnssec-keyfromlabel.html | 301 +- doc/arm/man.dnssec-keygen.html | 340 ++- doc/arm/man.dnssec-keymgr.html | 258 +- doc/arm/man.dnssec-revoke.html | 107 +- doc/arm/man.dnssec-settime.html | 206 +- doc/arm/man.dnssec-signzone.html | 411 ++- doc/arm/man.dnssec-verify.html | 116 +- doc/arm/man.dnstap-read.html | 83 +- doc/arm/man.genrandom.html | 81 +- doc/arm/man.host.html | 207 +- doc/arm/man.isc-hmac-fixup.html | 58 +- doc/arm/man.lwresd.html | 210 +- doc/arm/man.mdig.html | 371 ++- doc/arm/man.named-checkconf.html | 118 +- doc/arm/man.named-checkzone.html | 293 +- doc/arm/man.named-journalprint.html | 57 +- doc/arm/man.named-nzd2nzf.html | 70 +- doc/arm/man.named-rrchecker.html | 59 +- doc/arm/man.named.conf.html | 160 +- doc/arm/man.named.html | 312 +- doc/arm/man.nsec3hash.html | 80 +- doc/arm/man.nslookup.html | 279 +- doc/arm/man.nsupdate.html | 400 ++- doc/arm/man.pkcs11-destroy.html | 110 +- doc/arm/man.pkcs11-keygen.html | 139 +- doc/arm/man.pkcs11-list.html | 106 +- doc/arm/man.pkcs11-tokens.html | 78 +- doc/arm/man.rndc-confgen.html | 153 +- doc/arm/man.rndc.conf.html | 106 +- doc/arm/man.rndc.html | 426 ++- doc/arm/notes.html | 590 ++-- isc-config.sh.html | 89 +- lib/lwres/man/lwres.html | 139 +- lib/lwres/man/lwres_buffer.html | 91 +- lib/lwres/man/lwres_config.html | 75 +- lib/lwres/man/lwres_context.html | 93 +- lib/lwres/man/lwres_gabn.html | 69 +- lib/lwres/man/lwres_gai_strerror.html | 120 +- lib/lwres/man/lwres_getaddrinfo.html | 165 +- lib/lwres/man/lwres_gethostent.html | 161 +- lib/lwres/man/lwres_getipnode.html | 165 +- lib/lwres/man/lwres_getnameinfo.html | 119 +- lib/lwres/man/lwres_getrrsetbyname.html | 93 +- 
lib/lwres/man/lwres_gnba.html | 75 +- lib/lwres/man/lwres_hstrerror.html | 85 +- lib/lwres/man/lwres_inetntop.html | 59 +- lib/lwres/man/lwres_noop.html | 72 +- lib/lwres/man/lwres_packet.html | 126 +- lib/lwres/man/lwres_resutil.html | 85 +- 110 files changed, 16478 insertions(+), 8141 deletions(-)
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 3b41974ef4..f85080a540 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,26 +14,45 @@
-
+ + + + + + + +

Name

-

named-checkconf — named configuration file syntax checking tool

+

+ named-checkconf + — named configuration file syntax checking tool +

-
+ +

Synopsis

-

named-checkconf [-hjvz] [-p +

+ named-checkconf + [-hjvz] + [-p [-x - ]] [-t directory] (unknown)

-
-
+ ]] + [-t directory] + (unknown) +

+
+ +

DESCRIPTION

-

named-checkconf + +

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified, /etc/named.conf is read by default.

-

+

Note: files that named reads in separate parser contexts, such as rndc.key and bind.keys, are not automatically read @@ -43,37 +62,50 @@ successful. named-checkconf can be run on these files explicitly, however.

-
-
+
+ +

OPTIONS

-
+ +
-h
-

+

+

Print the usage summary and exit. -

+

+
-j
-

+

+

When loading a zonefile read the journal if it exists. -

+

+
-p
-

+

+

Print out the named.conf and included files in canonical form if no errors were detected. See also the -x option. -

+

+
-t directory
-

+

+

Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named. -

+

+
-v
-

+

+

Print the version of the named-checkconf program and exit. -

+

+
-x
-

+

+

When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks ('?'). This allows the @@ -81,32 +113,46 @@ files to be shared — for example, when submitting bug reports — without compromising private data. This option cannot be used without -p. -

+

+
-z
-

+

+

Perform a test load of all master zones found in named.conf. -

+

+
filename
-

+

+

The name of the configuration file to be checked. If not specified, it defaults to /etc/named.conf. -

+

+
-
-
+ +
+ +

RETURN VALUES

-

named-checkconf + +

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-
-
+
+ +

SEE ALSO

-

named(8), - named-checkzone(8), + +

+ named(8) + , + + named-checkzone(8) + , BIND 9 Administrator Reference Manual.

-
+
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 8abefe5788..491f0892c0 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,24 +14,94 @@
-
+ + + + + + + +

Name

-

named-checkzone, named-compilezone — zone file validity checking or converting tool

+

+ named-checkzone, + named-compilezone + — zone file validity checking or converting tool +

-
+ +

Synopsis

-

named-checkzone [-d] [-h] [-j] [-q] [-v] [-c class] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-M mode] [-n mode] [-l ttl] [-L serial] [-o filename] [-r mode] [-s style] [-S mode] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {zonename} (unknown)

-

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} (unknown)

-
-
+

+ named-checkzone + [-d] + [-h] + [-j] + [-q] + [-v] + [-c class] + [-f format] + [-F format] + [-J filename] + [-i mode] + [-k mode] + [-m mode] + [-M mode] + [-n mode] + [-l ttl] + [-L serial] + [-o filename] + [-r mode] + [-s style] + [-S mode] + [-t directory] + [-T mode] + [-w directory] + [-D] + [-W mode] + {zonename} + (unknown) +

+

+ named-compilezone + [-d] + [-j] + [-q] + [-v] + [-c class] + [-C mode] + [-f format] + [-F format] + [-J filename] + [-i mode] + [-k mode] + [-m mode] + [-n mode] + [-l ttl] + [-L serial] + [-r mode] + [-s style] + [-t directory] + [-T mode] + [-w directory] + [-D] + [-W mode] + {-o filename} + {zonename} + (unknown) +

+
+ +

DESCRIPTION

-

named-checkzone + +

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named-checkzone useful for checking zone files before configuring them into a name server.

-

+

named-compilezone is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format. @@ -42,45 +112,62 @@ least be as strict as those specified in the named configuration file.

-
-
+
+ +

OPTIONS

-
+ + +
-d
-

+

+

Enable debugging. -

+

+
-h
-

+

+

Print the usage summary and exit. -

+

+
-q
-

+

+

Quiet mode - exit code only. -

+

+
-v
-

+

+

Print the version of the named-checkzone program and exit. -

+

+
-j
-

+

+

When loading a zone file, read the journal if it exists. The journal file name is assumed to be the zone file name appended with the string .jnl. -

+

+
-J filename
-

+

+

When loading the zone file read the journal from the given file, if it exists. (Implies -j.) -

+

+
-c class
-

+

+

Specify the class of the zone. If not specified, "IN" is assumed. -

+

+
-i mode
-

+

Perform post-load zone integrity checks. Possible modes are "full" (default), "full-sibling", @@ -88,19 +175,19 @@ "local-sibling" and "none".

-

+

Mode "full" checks that MX records refer to A or AAAA record (both in-zone and out-of-zone hostnames). Mode "local" only checks MX records which refer to in-zone hostnames.

-

+

Mode "full" checks that SRV records refer to A or AAAA record (both in-zone and out-of-zone hostnames). Mode "local" only checks SRV records which refer to in-zone hostnames.

-

+

Mode "full" checks that delegation NS records refer to A or AAAA record (both in-zone and out-of-zone hostnames). It also checks that glue address records @@ -109,31 +196,33 @@ refer to in-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.

-

+

Mode "full-sibling" and "local-sibling" disable sibling glue checks but are otherwise the same as "full" and "local" respectively.

-

+

Mode "none" disables the checks.

-
+
-f format
-

+

+

Specify the format of the zone file. Possible formats are "text" (default), "raw", and "map". -

+

+
-F format
-

+

Specify the format of the output file specified. For named-checkzone, this does not cause any effects unless it dumps the zone contents.

-

+

Possible formats are "text" (default), which is the standard textual representation of the zone, and "map", "raw", @@ -144,9 +233,10 @@ any version of named; if N is 1, the file can be read by release 9.9.0 or higher; the default is 1.

-
+
-k mode
-

+

+

Perform "check-names" checks with the specified failure mode. Possible modes are "fail" @@ -154,38 +244,48 @@ "warn" (default for named-checkzone) and "ignore". -

+

+
-l ttl
-

+

+

Sets a maximum permissible TTL for the input file. Any record with a TTL higher than this value will cause the zone to be rejected. This is similar to using the max-zone-ttl option in named.conf. -

+

+
-L serial
-

+

+

When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) -

+

+
-m mode
-

+

+

Specify whether MX records should be checked to see if they are addresses. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-M mode
-

+

+

Check if a MX record refers to a CNAME. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-n mode
-

+

+

Specify whether NS records should be checked to see if they are addresses. Possible modes are "fail" @@ -193,24 +293,30 @@ "warn" (default for named-checkzone) and "ignore". -

+

+
-o filename
-

+

+

Write zone output to filename. If filename is - then write to standard out. This is mandatory for named-compilezone. -

+

+
-r mode
-

+

+

Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-s style
-

+

+

Specify the style of the dumped zone file. Possible styles are "full" (default) and "relative". @@ -223,74 +329,101 @@ contents. It also does not have any meaning if the output format is not text. -

+

+
-S mode
-

+

+

Check if a SRV record refers to a CNAME. Possible modes are "fail", "warn" (default) and "ignore". -

+

+
-t directory
-

+

+

Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named. -

+

+
-T mode
-

+

+

Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are "warn" (default), "ignore". -

+

+
-w directory
-

+

+

chdir to directory so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in named.conf. -

+

+
-D
-

+

+

Dump zone file in canonical format. This is always enabled for named-compilezone. -

+

+
-W mode
-

+

+

Specify whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are "warn" (default) and "ignore". -

+

+
zonename
-

+

+

The domain name of the zone being checked. -

+

+
filename
-

+

+

The name of the zone file. -

+

+
-
-
+ +
+ +

RETURN VALUES

-

named-checkzone + +

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-
-
+
+ +

SEE ALSO

-

named(8), - named-checkconf(8), + +

+ named(8) + , + + named-checkconf(8) + , RFC 1035, BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/confgen/ddns-confgen.html b/bin/confgen/ddns-confgen.html
index d67aa80b49..9fcc8bf910 100644
--- a/bin/confgen/ddns-confgen.html
+++ b/bin/confgen/ddns-confgen.html
@@ -14,31 +14,63 @@
-
+ + + + + +

Name

-

ddns-confgen — ddns key generation tool

-
-
-

Synopsis

-

tsig-keygen [-a algorithm] [-h] [-r randomfile] [name]

-

ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

-
-
-

DESCRIPTION

+ ddns-confgen + — ddns key generation tool +

+
+ + + +
+

Synopsis

+

+ tsig-keygen + [-a algorithm] + [-h] + [-r randomfile] + [name] +

+

+ ddns-confgen + [-a algorithm] + [-h] + [-k keyname] + [-q] + [-r randomfile] + [ + -s name + | -z zone + ] +

+
+ +
+

DESCRIPTION

+ +

tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use in TSIG signing. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the rndc command channel.

-

+ +

When run as tsig-keygen, a domain name can be specified on the command line which will be used as the name of the generated key. If no name is specified, the default is tsig-key.

-

+ +

When run as ddns-confgen, the generated key is accompanied by configuration text and instructions that can be used with nsupdate and @@ -48,7 +80,8 @@ rndc-confgen command for setting up command channel security.)

-

+ +

Note that named itself can configure a local DDNS key for use with nsupdate -l: it does this when a zone is configured with @@ -58,24 +91,32 @@ if nsupdate is to be used from a remote system.

-
-
+
+ +

OPTIONS

-
+ + +
-a algorithm
-

+

+

Specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The default is hmac-sha256. Options are case-insensitive, and the "hmac-" prefix may be omitted. -

+

+
-h
-

+

+

Prints a short summary of options and arguments. -

+

+
-k keyname
-

+

+

Specifies the key name of the DDNS authentication key. The default is ddns-key when neither the -s nor -z option is @@ -85,15 +126,19 @@ ddns-key.example.com. The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods. -

+

+
-q
-

+

+

(ddns-confgen only.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to tsig-keygen. -

+

+
-r randomfile
-

+

+

Specifies a source of random data for generating the authorization. If the operating system does not provide a /dev/random or equivalent device, the @@ -103,9 +148,11 @@ instead of the default. The special value keyboard indicates that keyboard input should be used. -

+

+
-s name
-

+

+

(ddns-confgen only.) Generate configuration example to allow dynamic updates of a single hostname. The example named.conf @@ -116,9 +163,11 @@ Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the -z option. -

+

+
-z zone
-

+

+

(ddns-confgen only.) Generate configuration example to allow dynamic updates of a zone: The example named.conf text @@ -128,16 +177,26 @@ all subdomain names within that zone. This option cannot be used with the -s option. -

+

+
-
-
+
+ +

SEE ALSO

-

nsupdate(1), - named.conf(5), - named(8), + +

+ nsupdate(1) + , + + named.conf(5) + , + + named(8) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/confgen/rndc-confgen.html b/bin/confgen/rndc-confgen.html
index 59c485b5c6..f7a0a8cda1 100644
--- a/bin/confgen/rndc-confgen.html
+++ b/bin/confgen/rndc-confgen.html
@@ -14,17 +14,43 @@
-
+ + + + + +

Name

-

rndc-confgen — rndc key generation tool

+

+ rndc-confgen + — rndc key generation tool +

-
+ + + +

Synopsis

-

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-
-
+

+ rndc-confgen + [-a] + [-A algorithm] + [-b keysize] + [-c keyfile] + [-h] + [-k keyname] + [-p port] + [-r randomfile] + [-s address] + [-t chrootdir] + [-u user] +

+
+ +

DESCRIPTION

-

rndc-confgen + +

rndc-confgen generates configuration files for rndc. It can be used as a convenient alternative to writing the @@ -37,13 +63,17 @@ avoid the need for a rndc.conf file and a controls statement altogether.

-
-
+ +
+ +

OPTIONS

-
+ + +
-a
-

+

Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever @@ -58,7 +88,7 @@ named on the local host with no further configuration.

-

+

Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in @@ -66,7 +96,7 @@ with no changes to the existing BIND 8 named.conf file.

-

+

If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, @@ -77,44 +107,57 @@ named.conf as directed.

-
+
-A algorithm
-

+

+

Specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The default is hmac-md5 or if MD5 was disabled hmac-sha256. -

+

+
-b keysize
-

+

+

Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is the hash size. -

+

+
-c keyfile
-

+

+

Used with the -a option to specify an alternate location for rndc.key. -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to rndc-confgen. -

+

+
-k keyname
-

+

+

Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key. -

+

+
-p port
-

+

+

Specifies the command channel port where named listens for connections from rndc. The default is 953. -

+

+
-r randomfile
-

+

+

Specifies a source of random data for generating the authorization. If the operating system does not provide a /dev/random @@ -125,24 +168,30 @@ data to be used instead of the default. The special value keyboard indicates that keyboard input should be used. -

+

+
-s address
-

+

+

Specifies the IP address where named listens for command channel connections from rndc. The default is the loopback address 127.0.0.1. -

+

+
-t chrootdir
-

+

+

Used with the -a option to specify a directory where named will run chrooted. An additional copy of the rndc.key will be written relative to this directory so that it will be found by the chrooted named. -

+

+
-u user
-

+

+

Used with the -a option to set the owner of the rndc.key file generated. @@ -150,33 +199,45 @@ -t is also specified only the file in the chroot area has its owner changed. -

+

+
-
-
+
+ +

EXAMPLES

-

+ +

To allow rndc to be used with no manual configuration, run

-

rndc-confgen -a +

rndc-confgen -a

-

+

To print a sample rndc.conf file and corresponding controls and key statements to be manually inserted into named.conf, run

-

rndc-confgen +

rndc-confgen

-
-
+
+ +

SEE ALSO

-

rndc(8), - rndc.conf(5), - named(8), + +

+ rndc(8) + , + + rndc.conf(5) + , + + named(8) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/delv/delv.html b/bin/delv/delv.html
index ac09c92015..776ec75877 100644
--- a/bin/delv/delv.html
+++ b/bin/delv/delv.html
@@ -14,25 +14,70 @@
-
+ + + + + +

Name

-

delv — DNS lookup and validation utility

+

+ delv + — DNS lookup and validation utility +

-
+ + + +

Synopsis

-

delv [@server] [-4] [-6] [-a anchor-file] [-b address] [-c class] [-d level] [-i] [-m] [-p port#] [-q name] [-t type] [-x addr] [name] [type] [class] [queryopt...]

-

delv [-h]

-

delv [-v]

-

delv [queryopt...] [query...]

-
-
+

+ delv + [@server] + [-4] + [-6] + [-a anchor-file] + [-b address] + [-c class] + [-d level] + [-i] + [-m] + [-p port#] + [-q name] + [-t type] + [-x addr] + [name] + [type] + [class] + [queryopt...] +

+ +

+ delv + [-h] +

+ +

+ delv + [-v] +

+ +

+ delv + [queryopt...] + [query...] +

+
+ +

DESCRIPTION

-

delv + +

delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as named.

-

+

delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow @@ -42,7 +87,7 @@ behavior of a name server configured for DNSSEC validating and forwarding.

-

+

By default, responses are validated using built-in DNSSEC trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org"). Records returned by @@ -54,7 +99,7 @@ be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.

-

+

Unless it is told to query a specific name server, delv will try each of the servers listed in /etc/resolv.conf. If no usable server @@ -62,15 +107,18 @@ queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).

-

+

When no command line arguments or options are given, delv will perform an NS query for "." (the root zone).

-
-
+
+ +

SIMPLE USAGE

-

+ + +

A typical invocation of delv looks like:

 delv @server name type 
@@ -81,7 +129,7 @@
server
-

+

is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied @@ -91,7 +139,7 @@ initial lookup is not validated by DNSSEC).

-

+

If no server argument is provided, delv consults /etc/resolv.conf; if an @@ -104,13 +152,16 @@ the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).

-
+
name
-

+

+

is the domain name to be looked up. -

+

+
type
-

+

+

indicates what type of query is required — ANY, A, MX, etc. type can be any valid query @@ -118,30 +169,34 @@ type argument is supplied, delv will perform a lookup for an A record. -

+

+

-
-
+ +
+ +

OPTIONS

-
+ +
-a anchor-file
-

+

Specifies a file from which to read DNSSEC trust anchors. The default is /etc/bind.keys, which is included with BIND 9 and contains trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org").

-

+

Keys that do not match the root or DLV trust-anchor names are ignored; these key names can be overridden using the +dlv=NAME or +root=NAME options.

-

+

Note: When reading the trust anchor file, delv treats managed-keys statements and trusted-keys statements @@ -155,23 +210,28 @@ /etc/bind.keys to use DNSSEC validation in delv.

-
+
-b address
-

+

+

Sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional source port may be specified by appending "#<port>" -

+

+
-c class
-

+

+

Sets the query class for the requested data. Currently, only class "IN" is supported in delv and any other value is ignored. -

+

+
-d level
-

+

+

Set the systemwide debug level to level. The allowed range is from 0 to 99. The default is 0 (no debugging). @@ -180,13 +240,17 @@ See the +mtrace, +rtrace, and +vtrace options below for additional debugging details. -

+

+
-h
-

+

+

Display the delv help usage output and exit. -

+

+
-i
-

+

+

Insecure mode. This disables internal DNSSEC validation. (Note, however, this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC @@ -194,30 +258,37 @@ can cause delv to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use dig +cd.) -

+

+
-m
-

+

+

Enables memory usage debugging. -

+

+
-p port#
-

+

+

Specifies a destination port to use for queries instead of the standard DNS port number 53. This option would be used with a name server that has been configured to listen for queries on a non-standard port number. -

+

+
-q name
-

+

+

Sets the query name to name. While the query name can be specified without using the -q, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH). -

+

+
-t type
-

+

Sets the query type to type, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR. As with @@ -225,18 +296,21 @@ query name type or class when they are ambiguous. it is sometimes necessary to disambiguate names from types.

-

+

The default query type is "A", unless the -x option is supplied to indicate a reverse lookup, in which case it is "PTR".

-
+
-v
-

+

+

Print the delv version and exit. -

+

+
-x addr
-

+

+

Performs a reverse lookup, mapping an addresses to a name. addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. @@ -246,24 +320,33 @@ lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type to PTR. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. -

+

+
-4
-

+

+

Forces delv to only use IPv4. -

+

+
-6
-

+

+

Forces delv to only use IPv6. -

+

+
-
-
+
+ +

QUERY OPTIONS

-

delv + + +

delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed.

-

+ +

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string @@ -275,7 +358,8 @@

+[no]cdflag
-

+

+

Controls whether to set the CD (checking disabled) bit in queries sent by delv. This may be useful when troubleshooting DNSSEC problems from behind a validating @@ -284,20 +368,25 @@ the CD flag on queries will cause the resolver to return invalid responses, which delv can then validate internally and report the errors in detail. -

+

+
+[no]class
-

+

+

Controls whether to display the CLASS when printing a record. The default is to display the CLASS. -

+

+
+[no]ttl
-

+

+

Controls whether to display the TTL when printing a record. The default is to display the TTL. -

+

+
+[no]rtrace
-

+

Toggle resolver fetch logging. This reports the name and type of each query sent by delv in the process of carrying out the resolution and validation @@ -305,62 +394,69 @@ all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation.

-

+

This is equivalent to setting the debug level to 1 in the "resolver" logging category. Setting the systemwide debug level to 1 using the -d option will product the same output (but will affect other logging categories as well).

-
+
+[no]mtrace
-

+

Toggle message logging. This produces a detailed dump of the responses received by delv in the process of carrying out the resolution and validation process.

-

+

This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category. Setting the systemwide debug level to 10 using the -d option will produce the same output (but will affect other logging categories as well).

-
+
+[no]vtrace
-

+

Toggle validation logging. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid.

-

+

This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category. Setting the systemwide debug level to 3 using the -d option will produce the same output (but will affect other logging categories as well).

-
+
+[no]short
-

+

+

Provide a terse answer. The default is to print the answer in a verbose form. -

+

+
+[no]comments
-

+

+

Toggle the display of comment lines in the output. The default is to print comments. -

+

+
+[no]rrcomments
-

+

+

Toggle the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). The default is to print per-record comments. -

+

+
+[no]crypto
-

+

+

Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see @@ -368,14 +464,18 @@ When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]". -

+

+
+[no]trust
-

+

+

Controls whether to display the trust level when printing a record. The default is to display the trust level. -

+

+
+[no]split[=W]
-

+

+

Split long hex- or base64-formatted fields in resource records into chunks of W characters (where W is rounded up to the nearest @@ -384,24 +484,30 @@ +split=0 causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -

+

+
+[no]all
-

+

+

Set or clear the display options +[no]comments, +[no]rrcomments, and +[no]trust as a group. -

+

+
+[no]multiline
-

+

+

Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the delv output. -

+

+
+[no]dnssec
-

+

+

Indicates whether to display RRSIG records in the delv output. The default is to do so. Note that (unlike in dig) @@ -411,9 +517,11 @@ will always occur unless suppressed by the use of -i or +noroot and +nodlv. -

+

+
+[no]root[=ROOT]
-

+

+

Indicates whether to perform conventional (non-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using @@ -421,9 +529,11 @@ a built-in key. If specifying a different trust anchor, then -a must be used to specify a file containing the key. -

+

+
+[no]dlv[=DLV]
-

+

+

Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor. The default is to perform lookaside validation using @@ -431,39 +541,53 @@ built-in key. If specifying a different name, then -a must be used to specify a file containing the DLV key. -

+

+
+[no]tcp
-

+

+

Controls whether to use TCP when sending queries. The default is to use UDP unless a truncated response has been received. -

+

+
+[no]unknownformat
-

+

+

Print all RDATA in unknown RR type presentation format (RFC 3597). The default is to print RDATA for known types in the type's presentation format. -

+

+

-
-
+
+ +

FILES

-

/etc/bind.keys

-

/etc/resolv.conf

-
-
+ +

/etc/bind.keys

+

/etc/resolv.conf

+
+ +

SEE ALSO

-

dig(1), - named(8), + +

+ dig(1) + , + + named(8) + , RFC4034, RFC4035, RFC4431, RFC5074, RFC5155.

-
+
+
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index ddddb5ddf5..606903e255 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,19 +14,61 @@
-
+ + + + + +

Name

-

dig — DNS lookup utility

+

+ dig + — DNS lookup utility +

-
+ + + +

Synopsis

-

dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]

-

dig [-h]

-

dig [global-queryopt...] [query...]

-
-
+

+ dig + [@server] + [-b address] + [-c class] + [-f filename] + [-k filename] + [-m] + [-p port#] + [-q name] + [-t type] + [-v] + [-x addr] + [-y [hmac:]name:key] + [-4] + [-6] + [name] + [type] + [class] + [queryopt...] +

+ +

+ dig + [-h] +

+ +

+ dig + [global-queryopt...] + [query...] +

+
+ +

DESCRIPTION

-

dig + +

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that @@ -35,7 +77,8 @@ clarity of output. Other lookup tools tend to have less functionality than dig.

-

+ +

Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup @@ -46,34 +89,42 @@ from the command line.

-

+ +

Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf. If no usable server addresses are found, dig will send the query to the local host.

-

+ +

When no command line arguments or options are given, dig will perform an NS query for "." (the root).

-

+ +

It is possible to set per-user defaults for dig via ${HOME}/.digrc. This file is read and any options in it are applied before the command line arguments.

-

+ +

The IN and CH class names overlap with the IN and CH top level domain names. Either use the -t and -c options to specify the type and class, use the -q the specify the domain name, or use "IN." and "CH." when looking up these top level domains.

-
-
+ +
+ +

SIMPLE USAGE

-

+ + +

A typical invocation of dig looks like:

 dig @server name type 
@@ -84,7 +135,7 @@
server
-

+

is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied
@@ -92,7 +143,7 @@ dig resolves that name before querying that name server.

-

+

If no server argument is provided, dig consults /etc/resolv.conf; if an
@@ -105,13 +156,16 @@ local host. The reply from the name server that responds is displayed.

-
+
name
-

+

+

is the name of the resource record that is to be looked up. -

+

+
type
-

+

+

indicates what type of query is required — ANY, A, MX, SIG, etc. type can be any valid query
@@ -119,81 +173,109 @@ type argument is supplied, dig will perform a lookup for an A record. -

+

+

-
-
+ +
+ +

OPTIONS

-
+ + +
-4
-

+

+

Use IPv4 only. -

+

+
-6
-

+

+

Use IPv6 only. -

+

+
-b address[#port]
-

+

+

Set the source IP address of the query. The address must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>" -

+

+
-c class
-

+

+

Set the query class. The default class is IN; other classes are HS for Hesiod records or CH for Chaosnet records. -

+

+
-f file
-

+

+

Batch mode: dig reads a list of lookup requests to process from the given file. Each line in the file should be organized in the same way they would be presented as queries to dig using the command-line interface. -

+

+
-i
-

+

+

Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT domain, which is no longer in use. Obsolete bit string label queries (RFC2874) are not attempted. -

+

+
-k keyfile
-

+

+

Sign queries using TSIG using a key read from the given file. Key files can be generated using - tsig-keygen(8). + + tsig-keygen(8) + . When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf. -

+

+
-m
-

+

+

Enable memory usage debugging. -

+

+
-p port
-

+

+

Send the query to a non-standard port on the server, instead of the default port 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number. -

+

+
-q name
-

+

+

The domain name to query. This is useful to distinguish the name from other arguments. -

+

+
-t type
-

+

+

The resource record type to query. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
@@ -205,13 +287,17 @@ made to the zone since the serial number in the zone's SOA record was N. -

+

+
-v
-

+

+

Print the version number and exit. -

+

+
-x addr
-

+

+

Simplified reverse lookups, for mapping addresses to names. The addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6
@@ -226,10 +312,11 @@ addresses are looked up using nibble format under the IP6.ARPA domain (but see also the -i option). -

+

+
-y [hmac:]keyname:secret
-

+

Sign queries using TSIG with the given authentication key. keyname is the name of the key, and secret is the base64 encoded shared secret.
@@ -241,28 +328,34 @@ is not specified, the default is hmac-md5 or if MD5 was disabled hmac-sha256.

-

+

NOTE: You should use the -k option and avoid the -y option, because with -y the shared secret is supplied as a command line argument in clear text. This may be visible in the output from - ps(1) + + ps(1) + or in a history file maintained by the user's shell.

-
+
-
-
+
+ +

QUERY OPTIONS

-

dig + + +

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.

-

+ +

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded
@@ -278,20 +371,27 @@

+[no]aaflag
-

+

+

A synonym for +[no]aaonly. -

+

+
+[no]aaonly
-

+

+

Sets the "aa" flag in the query. -

+

+
+[no]additional
-

+

+

Display [do not display] the additional section of a reply. The default is to display it. -

+

+
+[no]adflag
-

+

+

Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all
@@ -301,80 +401,102 @@ from a OPT-OUT range. AD=0 indicate that some part of the answer was insecure or not validated. This bit is set by default. -

+

+
+[no]all
-

+

+

Set or clear all display flags. -

+

+
+[no]answer
-

+

+

Display [do not display] the answer section of a reply. The default is to display it. -

+

+
+[no]authority
-

+

+

Display [do not display] the authority section of a reply. The default is to display it. -

+

+
+[no]badcookie
-

+

+

Retry lookup with the new server cookie if a BADCOOKIE response is received. -

+

+
+[no]besteffort
-

+

+

Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -

+

+
+bufsize=B
-

+

+

Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent. -

+

+
+[no]cdflag
-

+

+

Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -

+

+
+[no]class
-

+

+

Display [do not display] the CLASS when printing the record. -

+

+
+[no]cmd
-

+

+

Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default. -

+

+
+[no]comments
-

+

+

Toggle the display of comment lines in the output. The default is to print comments. -

+

+
+[no]cookie[=####]
-

+

Send a COOKIE EDNS option, with optional value. Replaying a COOKIE from a previous response will allow the server to identify a previous client. The default is +cookie.

-

+

+cookie is also set when +trace is set to better emulate the default queries from a nameserver.

-
+
+[no]crypto
-

+

+

Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing
@@ -383,117 +505,153 @@ are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]". -

+

+
+[no]defname
-

+

+

Deprecated, treated as a synonym for +[no]search -

+

+
+[no]dnssec
-

+

+

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -

+

+
+domain=somename
-

+

+

Set the search list to contain the single domain somename, as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if the +search option were given. -

+

+
+dscp=value
-

+

+

Set the DSCP code point to be used when sending the query. Valid DSCP code points are in the range [0..63]. By default no code point is explicitly set. -

+

+
+[no]edns[=#]
-

+

+

Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +noedns clears the remembered EDNS version. EDNS is set to 0 by default. -

+

+
+[no]ednsflags[=#]
-

+

+

Set the must-be-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set. -

+

+
+[no]ednsnegotiation
-

+

+

Enable / disable EDNS version negotiation. By default EDNS version negotiation is enabled. -

+

+
+[no]ednsopt[=code[:value]]
-

+

+

Specify EDNS option with code point code and optionally payload of value as a hexadecimal string. +noednsopt clears the EDNS options to be sent. -

+

+
+[no]expire
-

+

+

Send an EDNS Expire option. -

+

+
+[no]fail
-

+

+

Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior. -

+

+
+[no]header-only
-

+

+

Send a query with a DNS header without a question section. The default is to add a question section. The query type and query name are ignored when this is set. -

+

+
+[no]identify
-

+

+

Show [or do not show] the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. -

+

+
+[no]idnout
-

+

+

Convert [do not convert] puny code on output. This requires IDN SUPPORT to have been enabled at compile time. The default is to convert output. -

+

+
+[no]ignore
-

+

+

Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. -

+

+
+[no]keepopen
-

+

+

Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup. The default is +nokeepopen. -

+

+
+[no]mapped
-

+

+

Allow mapped IPv4 over IPv6 addresses to be used. The default is +mapped. -

+

+
+[no]multiline
-

+

+

Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the dig output. -

+

+
+ndots=D
-

+

+

Set the number of dots that have to appear in name to D for it to be considered absolute. The default value
@@ -505,102 +663,130 @@ or domain directive in /etc/resolv.conf if +search is set. -

+

+
+[no]nsid
-

+

+

Include an EDNS name server ID request when sending a query. -

+

+
+[no]nssearch
-

+

+

When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. -

+

+
+[no]onesoa
-

+

+

Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records. -

+

+
+[no]opcode=value
-

+

+

Set [restore] the DNS message opcode to the specified value. The default value is QUERY (0). -

+

+
+[no]qr
-

+

+

Print [do not print] the query as it is sent. By default, the query is not printed. -

+

+
+[no]question
-

+

+

Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. -

+

+
+[no]rdflag
-

+

+

A synonym for +[no]recurse. -

+

+
+[no]recurse
-

+

+

Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when the +nssearch or +trace query options are used. -

+

+
+retry=T
-

+

+

Sets the number of times to retry UDP queries to server to T instead of the default, 2. Unlike +tries, this does not include the initial query. -

+

+
+[no]rrcomments
-

+

+

Toggle the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). The default is not to print record comments unless multiline mode is active. -

+

+
+[no]search
-

+

Use [do not use] the search list defined by the searchlist or domain directive in resolv.conf (if any). The search list is not used by default.

-

+

'ndots' from resolv.conf (default 1) which may be overridden by +ndots determines if the name will be treated as relative or not and hence whether a search is eventually performed or not.

-
+
+[no]short
-

+

+

Provide a terse answer. The default is to print the answer in a verbose form. -

+

+
+[no]showsearch
-

+

+

Perform [do not perform] a search showing intermediate results. -

+

+
+[no]sigchase
-

+

+

Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE. -

+

+
+split=W
-

+

+

Split long hex- or base64-formatted fields in resource records into chunks of W characters (where W is rounded
@@ -609,21 +795,24 @@ +split=0 causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -

+

+
+[no]stats
-

+

+

This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics. -

+

+
+[no]subnet=addr[/prefix-length]
-

+

Send (don't send) an EDNS Client Subnet option with the specified IP address or network prefix.

-

+

dig +subnet=0.0.0.0/0, or simply dig +subnet=0 for short, sends an EDNS CLIENT-SUBNET option with an empty address and a source
@@ -632,17 +821,20 @@ not be used when resolving this query.

-
+
+[no]tcp
-

+

+

Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an ixfr=N query is requested, in which case the default is TCP. AXFR queries always use TCP. -

+

+
+timeout=T
-

+

+

Sets the timeout for a query to T seconds. The default
@@ -650,15 +842,18 @@ An attempt to set T to less than 1 will result in a query timeout of 1 second being applied. -

+

+
+[no]topdown
-

+

+

When chasing DNSSEC signature chains perform a top-down validation. Requires dig be compiled with -DDIG_SIGCHASE. -

+

+
+[no]trace
-

+

Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
@@ -666,79 +861,90 @@ resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. -

-

+

If @server is also specified, it affects only the initial query for the root zone name servers. -

-

+

+dnssec is also set when +trace is set to better emulate the default queries from a nameserver.

-
+
+tries=T
-

+

+

Sets the number of times to try UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of tries is silently rounded up to 1. -

+

+
+trusted-key=####
-

+

Specifies a file containing trusted keys to be used with +sigchase. Each DNSKEY record must be on its own line. -

-

+

If not specified, dig will look for /etc/trusted-key.key then trusted-key.key in the current directory. -

-

+

Requires dig be compiled with -DDIG_SIGCHASE.

-
+
+[no]ttlid
-

+

+

Display [do not display] the TTL when printing the record. -

+

+
+[no]ttlunits
-

+

+

Display [do not display] the TTL in friendly human-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks. Implies +ttlid. -

+

+
+[no]unknownformat
-

+

+

Print all RDATA in unknown RR type presentation format (RFC 3597). The default is to print RDATA for known types in the type's presentation format. -

+

+
+[no]vc
-

+

+

Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit". -

+

+
+[no]zflag
-

+

+

Set [do not set] the last unassigned DNS header flag in a DNS query. This flag is off by default. -

+

+

-
-
+
+ +

MULTIPLE QUERIES

-

+ + +

The BIND 9 implementation of dig supports specifying multiple queries on the command line (in addition to
@@ -746,7 +952,8 @@ queries can be supplied with its own set of flags, options and query options.

-

+ +

In this case, each query argument represent an individual query in the command-line syntax described above. Each
@@ -754,7 +961,8 @@ looked up, an optional query type and class and any query options that should be applied to that query.

-

+ +

A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options
@@ -781,10 +989,13 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr will not print the initial query when it looks up the NS records for isc.org.

-
-
+ +
+ +

IDN SUPPORT

-

+ +

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. dig appropriately converts character encoding of
@@ -795,27 +1006,40 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr The IDN support is disabled if the variable is set when dig runs.

-
-
+
+ +

FILES

-

/etc/resolv.conf + +

/etc/resolv.conf

-

${HOME}/.digrc +

${HOME}/.digrc

-
-
+
+ +

SEE ALSO

-

host(1), - named(8), - dnssec-keygen(8), + +

+ host(1) + , + + named(8) + , + + dnssec-keygen(8) + , RFC1035.

-
-
+
+ +

BUGS

-

+ +

There are probably too many query options.

-
+
+
diff --git a/bin/dig/host.html b/bin/dig/host.html
index 158712463a..a8cfb4ce77 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,24 +14,54 @@
-
+ + + + + +

Name

-

host — DNS lookup utility

+

+ host + — DNS lookup utility +

-
+ + + +

Synopsis

-

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

-
-
+

+ host + [-aCdlnrsTwv] + [-c class] + [-N ndots] + [-R number] + [-t type] + [-W wait] + [-m flag] + [-4] + [-6] + [-v] + [-V] + {name} + [server] +

+
+ +

DESCRIPTION

-

host + + +

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.

-

name is the domain name that is to be + +

name is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case host will by
@@ -43,68 +73,86 @@ should query instead of the server or servers listed in /etc/resolv.conf.

-
-
+ +
+ +

OPTIONS

-
+ +
-4
-

+

+

Use IPv4 only for query transport. See also the -6 option. -

+

+
-6
-

+

+

Use IPv6 only for query transport. See also the -4 option. -

+

+
-a
-

+

+

"All". The -a option is normally equivalent to -v -t ANY. It also affects the behaviour of the -l list zone option. -

+

+
-c class
-

+

+

Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records. The default class is IN (Internet). -

+

+
-C
-

+

+

Check consistency: host will query the SOA records for zone name from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone. -

+

+
-d
-

+

+

Print debugging traces. Equivalent to the -v verbose option. -

+

+
-i
-

+

+

Obsolete. Use the IP6.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159. The default is to use IP6.ARPA as specified in RFC3596. -

+

+
-l
-

+

List zone: The host command performs a zone transfer of zone name and prints out the NS, PTR and address records (A/AAAA).

-

+

Together, the -l -a options print all records in the zone.

-
+
-N ndots
-

+

+

The number of dots that have to be in name for it to be considered absolute. The default value is that defined using the
@@ -114,9 +162,11 @@ searched for in the domains listed in the search or domain directive in /etc/resolv.conf. -

+

+
-r
-

+

+

Non-recursive query: Setting this option clears the RD (recursion desired) bit in the query. This should mean that the name server
@@ -127,30 +177,35 @@ name server by making non-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers. -

+

+
-R number
-

+

+

Number of retries for UDP queries: If number is negative or zero, the number of retries will default to 1. The default value is 1, or the value of the attempts option in /etc/resolv.conf, if set. -

+

+
-s
-

+

+

Do not send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior. -

+

+
-t type
-

+

Query type: The type argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.

-

+

When no query type is specified, host automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records.
@@ -161,70 +216,83 @@ address, host will query for PTR records.

-

+

If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like -t IXFR=12345678).

-
+
-T
-

+

+

TCP: By default, host uses UDP when making queries. The -T option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests. -

+

+
-m flag
-

+

+

Memory usage debugging: the flag can be record, usage, or trace. You can specify the -m option more than once to set multiple flags. -

+

+
-v
-

+

+

Verbose output. Equivalent to the -d debug option. Verbose output can also be enabled by setting the debug option in /etc/resolv.conf. -

+

+
-V
-

+

+

Print the version number and exit. -

+

+
-w
-

+

+

Wait forever: The query timeout is set to the maximum possible. See also the -W option. -

+

+
-W wait
-

+

Timeout: Wait for up to wait seconds for a reply. If wait is less than one, the wait interval is set to one second.

-

+

By default, host will wait for 5 seconds for UDP responses and 10 seconds for TCP connections. These defaults can be overridden by the timeout option in /etc/resolv.conf.

-

+

See also the -w option.

-
+
-
-
+ +
+ +

IDN SUPPORT

-

+ +

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. host appropriately converts character encoding of
@@ -235,17 +303,26 @@ The IDN support is disabled if the variable is set when host runs.

-
-
+
+ +

FILES

-

/etc/resolv.conf + +

/etc/resolv.conf

-
-
+
+ +

SEE ALSO

-

dig(1), - named(8). + +

+ dig(1) + , + + named(8) + .

-
+
+
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index af193245c6..3677c27b6a 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -14,17 +14,35 @@
-
+ + + + + +

Name

-

nslookup — query Internet name servers interactively

+

+ nslookup + — query Internet name servers interactively +

-
+ + + +

Synopsis

-

nslookup [-option] [name | -] [server]

-
-
+

+ nslookup + [-option] + [name | -] + [server] +

+
+ +

DESCRIPTION

-

Nslookup + +

Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and
@@ -33,29 +51,37 @@ used to print just the name and requested information for a host or domain.

-
-
+
+ +

ARGUMENTS

-

+ +

Interactive mode is entered in the following cases:

    -
  1. +

  2. +

    when no arguments are given (the default name server will be used) -

  3. -
  4. +

    +
  5. +
  6. +

    when the first argument is a hyphen (-) and the second argument is the host name or Internet address of a name server. -

  7. +

    +

-

+ +

Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.

-

+ +

Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial
@@ -68,246 +94,299 @@ nslookup -query=hinfo -timeout=10

-

+

The -version option causes nslookup to print the version number and immediately exits.

-
-
+ +
+ +

INTERACTIVE COMMANDS

-
+ +
host [server]
-

+

Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.

-

+ +

To look up a host not in the current domain, append a period to the name.

-
+
server domain
-

+
+

+
lserver domain
-

+

+

Change the default server to domain; lserver uses the initial server to look up information about domain, while server uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. -

+

+
root
-

+

+

not implemented -

+

+
finger
-

+

+

not implemented -

+

+
ls
-

+

+

not implemented -

+

+
view
-

+

+

not implemented -

+

+
help
-

+

+

not implemented -

+

+
?
-

+

+

not implemented -

+

+
exit
-

+

+

Exits the program. -

+

+
set keyword[=value]
-

+

This command is used to change state information that affects the lookups. Valid keywords are:

all
-

+

+

Prints the current values of the frequently used options to set. Information about the current default server and host is also printed. -

+

+
class=value
-

+

Change the query class to one of:

IN
-

+

+

the Internet class -

+

+
CH
-

+

+

the Chaos class -

+

+
HS
-

+

+

the Hesiod class -

+

+
ANY
-

+

+

wildcard -

+

+

The class specifies the protocol group of the information.

-

+

(Default = IN; abbreviation = cl)

- +
[no]debug
-

+

Turn on or off the display of the full response packet and any intermediate response packets when searching.

-

+

(Default = nodebug; abbreviation = [no]deb)

-
+
[no]d2
-

+

Turn debugging mode on or off. This displays more about what nslookup is doing.

-

+

(Default = nod2)

-
+
domain=name
-

+

+

Sets the search list to name. -

+

+
[no]search
-

+

If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.

-

+

(Default = search)

-
+
port=value
-

+

Change the default TCP/UDP name server port to value.

-

+

(Default = 53; abbreviation = po)

-
+
querytype=value
-

+
+

+
type=value
-

+

Change the type of the information query.

-

+

(Default = A; abbreviations = q, ty)

-
+
[no]recurse
-

+

Tell the name server to query other servers if it does not have the information.

-

+

(Default = recurse; abbreviation = [no]rec)

-
+
ndots=number
-

+

+

Set the number of dots (label separators) in a domain that will disable searching. Absolute names always stop searching. -

+

+
retry=number
-

+

+

Set the number of retries to number. -

+

+
timeout=number
-

+

+

Change the initial timeout interval for waiting for a reply to number seconds. -

+

+
[no]vc
-

+

Always use a virtual circuit when sending requests to the server.

-

+

(Default = novc)

-
+
[no]fail
-

+

Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.

-

+

(Default = nofail)

-
+

- +
-
-
+
+ +

RETURN VALUES

-

+

nslookup returns with an exit status of 1 if any query failed, and 0 otherwise.

-
-
+
+ +

FILES

-

/etc/resolv.conf + +

/etc/resolv.conf

-
-
+
+ +

SEE ALSO

-

dig(1), - host(1), - named(8). + +

+ dig(1) + , + + host(1) + , + + named(8) + .

-
+
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index 24f49f38fc..d6ef854ab5 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -14,158 +14,242 @@
-
+ + + + + +

Name

-

dnssec-dsfromkey — DNSSEC DS RR generation tool

+

+ dnssec-dsfromkey + — DNSSEC DS RR generation tool +

-
+ + + +

Synopsis

-

dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] [-C] [-l domain] [-T TTL] {keyfile}

-

dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-T TTL] [-f file] [-A] [-v level] {dnsname}

-

dnssec-dsfromkey [-h] [-V]

-
-
+

+ dnssec-dsfromkey + [-v level] + [-1] + [-2] + [-a alg] + [-C] + [-l domain] + [-T TTL] + {keyfile} +

+

+ dnssec-dsfromkey + {-s} + [-1] + [-2] + [-a alg] + [-K directory] + [-l domain] + [-s] + [-c class] + [-T TTL] + [-f file] + [-A] + [-v level] + {dnsname} +

+

+ dnssec-dsfromkey + [-h] + [-V] +

+
+ +

DESCRIPTION

-

dnssec-dsfromkey + +

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-
-
+
+ +

OPTIONS

-
+ + +
-1
-

+

+

Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256). -

+

+
-2
-

+

+

Use SHA-256 as the digest algorithm. -

+

+
-a algorithm
-

+

+

Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1), SHA-256 (SHA256), GOST or SHA-384 (SHA384). These values are case insensitive. -

+

+
-C
-

+

+

Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records. -

+

+
-T TTL
-

+

+

Specifies the TTL of the DS records. -

+

+
-K directory
-

+

+

Look for key files (or, in keyset mode, keyset- files) in directory. -

+

+
-f file
-

+

Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from file. If the zone name is the same as file, then it may be omitted.

-

+

If file is set to "-", then the zone data is read from the standard input. This makes it possible to use the output of the dig command as input, as in:

-

+

dig dnskey example.com | dnssec-dsfromkey -f - example.com

-
+
-A
-

+

+

Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode. -

+

+
-l domain
-

+

+

Generate a DLV set instead of a DS set. The specified domain is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431. This is mutually exclusive with generating CDS records. -

+

+
-s
-

+

+

Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. -

+

+
-c class
-

+

+

Specifies the DNS class (default is IN). Useful only in keyset or zone file mode. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-h
-

+

+

Prints usage information. -

+

+
-V
-

+

+

Prints version information. -

+

+
-
-
+
+ +

EXAMPLE

-

+ +

To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, the following command would be issued:

-

dnssec-dsfromkey -2 Kexample.com.+003+26160 +

dnssec-dsfromkey -2 Kexample.com.+003+26160

-

+

The command would print something like:

-

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94 +

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94

-
-
+
+ +

FILES

-

+ +

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

-

+

The keyset file name is built from the directory, the string keyset- and the dnsname.

-
-
+
+ +

CAVEAT

-

+ +

A keyfile error can give a "file not found" even if the file exists.

-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 3658, RFC 4431. RFC 4509.

-
+
+
diff --git a/bin/dnssec/dnssec-importkey.html b/bin/dnssec/dnssec-importkey.html
index 199eb19d8d..4248295c55 100644
--- a/bin/dnssec/dnssec-importkey.html
+++ b/bin/dnssec/dnssec-importkey.html
@@ -14,18 +14,56 @@
-
+ + + + + +

Name

-

dnssec-importkey — import DNSKEY records from external systems so they can be managed

+

+ dnssec-importkey + — import DNSKEY records from external systems so they can be managed +

-
+ + + +

Synopsis

-

dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] {keyfile}

-

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

-
-
+

+ dnssec-importkey + [-K directory] + [-L ttl] + [-P date/offset] + [-P sync date/offset] + [-D date/offset] + [-D sync date/offset] + [-h] + [-v level] + [-V] + {keyfile} +

+

+ dnssec-importkey + {-f filename} + [-K directory] + [-L ttl] + [-P date/offset] + [-P sync date/offset] + [-D date/offset] + [-D sync date/offset] + [-h] + [-v level] + [-V] + [dnsname] +

+
+ +

DESCRIPTION

-

dnssec-importkey + +

dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an existing .key file, in which case a corresponding .private file @@ -33,7 +71,7 @@ from the standard input, in which case both .key and .private files will be generated.

-

+

The newly-created .private file does not contain private key data, and cannot be used for signing. However, having a .private file makes it possible to set @@ -42,53 +80,68 @@ public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline.

-
-
+
+ +

OPTIONS

-
+ + +
-f filename
-

+

Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from file. If the domain name is the same as file, then it may be omitted.

-

+

If file is set to "-", then the zone data is read from the standard input.

-
+
-K directory
-

+

+

Sets the directory in which the key files are to reside. -

+

+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to 0 or none removes it. -

+

+
-h
-

+

+

Emit usage message and exit. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-
-
+
+ +

TIMING OPTIONS

-

+ +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -99,47 +152,65 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. -

+

+
-P sync date/offset
-

+

+

Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. -

+

+
-
-
+
+ +

FILES

-

+ +

A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 5011.

-
+
+
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index d9f5d1a140..360df1934d 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -14,17 +14,58 @@
-
+ + + + + +

Name

-

dnssec-keyfromlabel — DNSSEC key generation tool

+

+ dnssec-keyfromlabel + — DNSSEC key generation tool +

-
+ + + +

Synopsis

-

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-
-
+

+ dnssec-keyfromlabel + {-l label} + [-3] + [-a algorithm] + [-A date/offset] + [-c class] + [-D date/offset] + [-D sync date/offset] + [-E engine] + [-f flag] + [-G] + [-I date/offset] + [-i interval] + [-k] + [-K directory] + [-L ttl] + [-n nametype] + [-P date/offset] + [-P sync date/offset] + [-p protocol] + [-R date/offset] + [-S key] + [-t type] + [-v level] + [-V] + [-y] + {name} +

+
+ +

DESCRIPTION

-

dnssec-keyfromlabel + +

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key file can be used for DNSSEC signing of zone data as if it were a @@ -32,52 +73,57 @@ but the key material is stored within the HSM, and the actual signing takes place there.

-

+

The name of the key is specified on the command line. This must match the name of the zone for which the key is being generated.

-
-
+
+ +

OPTIONS

-
+ + +
-a algorithm
-

+

Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.

-

+

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, in which case NSEC3RSASHA1 will be used instead. (If -3 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)

-

+

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.

-

+

Note 2: DH automatically sets the -k flag.

-
+
-3
-

+

+

Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -85,20 +131,20 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-l label
-

+

Specifies the label for a key pair in the crypto hardware.

-

+

When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is an arbitrary string that identifies a particular key. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:keylabel".

-

+

When BIND 9 is built with native PKCS#11 support, the label is a PKCS#11 URI string in the format "pkcs11:keyword=value[;keyword=value;...]" @@ -107,7 +153,7 @@ which the HSM's PIN code can be obtained. The label will be stored in the on-disk "private" file.

-

+

If the label contains a pin-source field, tools using the generated key files will be able to use the HSM for signing and other @@ -116,18 +162,21 @@ may reduce the security advantage of using an HSM; be sure this is what you want to do before making use of this feature.

-
+
-n nametype
-

+

+

Specifies the owner type of the key. The value of nametype must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. -

+

+
-C
-

+

+

Compatibility mode: generates an old-style key, without any metadata. By default, dnssec-keyfromlabel will include the key's creation date in the metadata stored @@ -135,53 +184,71 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

+
-c class
-

+

+

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -

+

+
-f flag
-

+

+

Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+

+
-G
-

+

+

Generate a key, but do not publish it or sign with it. This option is incompatible with -P and -A. -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to dnssec-keyfromlabel. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to be written. -

+

+
-k
-

+

+

Generate KEY records rather than DNSKEY records. -

+

+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to 0 or none removes it. -

+

+
-p protocol
-

+

+

Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. -

+

+
-S key
-

+

+

Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new @@ -189,35 +256,47 @@ one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

+
-t type
-

+

+

Indicates the use of the key. type must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-y
-

+

+

Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.) -

+

+
-
-
+
+ +

TIMING OPTIONS

-

+ + +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -228,52 +307,67 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the -G option has not been used, the default is "now". -

+

+
-P sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone. -

+

+
-A date/offset
-

+

+

Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the -G option has not been used, the default is "now". -

+

+
-R date/offset
-

+

+

Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it. -

+

+
-I date/offset
-

+

+

Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted. -

+

+
-i interval
-

+

Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the @@ -282,68 +376,83 @@ the publication date is specified but activation date isn't, then activation will be set to this much time after publication.

-

+

If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.

-

+

As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.

-
+
-
-
+
+ +

GENERATED KEY FILES

-

+ +

When dnssec-keyfromlabel completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to the standard output. This is an identification string for the key files it has generated.

-
    -
  • nnnn is the key name. -

  • -
  • aaa is the numeric representation +

      +
    • +

      nnnn is the key name. +

      +
    • +
    • +

      aaa is the numeric representation of the algorithm. -

    • -
    • iiiii is the key identifier (or +

      +
    • +
    • +

      iiiii is the key identifier (or footprint). -

    • +

      +
    -

    dnssec-keyfromlabel +

    dnssec-keyfromlabel creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and Knnnn.+aaa+iiiii.private contains the private key.

    -

    +

    The .key file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).

    -

    +

    The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.

    -
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 4034, The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13).

-
+
+
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 86e357e665..0df7d2bb80 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,34 +14,84 @@
-
+ + + + + +

Name

-

dnssec-keygen — DNSSEC key generation tool

+

+ dnssec-keygen + — DNSSEC key generation tool +

-
+ + + +

Synopsis

-

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-k] [-L ttl] [-P date/offset] [-P sync date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-V] [-v level] [-z] {name}

-
-
+

+ dnssec-keygen + [-a algorithm] + [-b keysize] + [-n nametype] + [-3] + [-A date/offset] + [-C] + [-c class] + [-D date/offset] + [-D sync date/offset] + [-E engine] + [-f flag] + [-G] + [-g generator] + [-h] + [-I date/offset] + [-i interval] + [-K directory] + [-k] + [-L ttl] + [-P date/offset] + [-P sync date/offset] + [-p protocol] + [-q] + [-R date/offset] + [-r randomdev] + [-S key] + [-s strength] + [-t type] + [-V] + [-v level] + [-z] + {name} +

+
+ +

DESCRIPTION

-

dnssec-keygen + +

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.

-

+

The name of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.

-
-
+
+ +

OPTIONS

-
+ + +
-a algorithm
-

+

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, @@ -51,26 +101,26 @@ HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are case insensitive.

-

+

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, in which case NSEC3RSASHA1 will be used instead. (If -3 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)

-

+

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.

-

+

Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 automatically set the -T KEY option.

-
+
-b keysize
-

+

Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between @@ -79,7 +129,7 @@ between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.

-

+

The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, @@ -88,9 +138,10 @@ then there is no default key size, and the -b must be used.

-
+
-n nametype
-

+

+

Specifies the owner type of the key. The value of nametype must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with @@ -98,18 +149,22 @@ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation. -

+

+
-3
-

+

+

Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. -

+

+
-C
-

+

+

Compatibility mode: generates an old-style key, without any metadata. By default, dnssec-keygen will include the key's creation date in the metadata stored @@ -117,18 +172,21 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

+
-c class
-

+

+

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -136,39 +194,52 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-f flag
-

+

+

Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+

+
-G
-

+

+

Generate a key, but do not publish it or sign with it. This option is incompatible with -P and -A. -

+

+
-g generator
-

+

+

If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to dnssec-keygen. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to be written. -

+

+
-k
-

+

+

Deprecated in favor of -T KEY. -

+

+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was @@ -177,16 +248,20 @@ is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to 0 or none is the same as leaving it unset. -

+

+
-p protocol
-

+

+

Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. -

+

+
-q
-

+

+

Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when dnssec-keygen is run interactively @@ -198,9 +273,11 @@ round of the Miller-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key. -

+

+
-r randomdev
-

+

+

Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness @@ -210,9 +287,11 @@ data to be used instead of the default. The special value keyboard indicates that keyboard input should be used. -

+

+
-S key
-

+

+

Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation @@ -220,16 +299,19 @@ the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

+
-s strength
-

+

+

Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -

+

+
-T rrtype
-

+

Specifies the resource record type to use for the key. rrtype must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be @@ -241,27 +323,36 @@ Using any TSIG algorithm (HMAC-* or DH) forces this option to KEY.

-
+
-t type
-

+

+

Indicates the use of the key. type must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-
-
+
+ +

TIMING OPTIONS

-

+ + +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -272,54 +363,69 @@ is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the -G option has not been used, the default is "now". -

+

+
-P sync date/offset
-

+

+

Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. -

+

+
-A date/offset
-

+

+

Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the -G option has not been used, the default is "now". If set, if and -P is not set, then the publication date will be set to the activation date minus the prepublication interval. -

+

+
-R date/offset
-

+

+

Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it. -

+

+
-I date/offset
-

+

+

Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. -

+

+
-i interval
-

+

Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the @@ -328,42 +434,51 @@ the publication date is specified but activation date isn't, then activation will be set to this much time after publication.

-

+

If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.

-

+

As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.

-
+
-
-
+
+ + +

GENERATED KEYS

-

+ +

When dnssec-keygen completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to the standard output. This is an identification string for the key it has generated.

-
    -
  • nnnn is the key name. -

  • -
  • aaa is the numeric representation +

      +
    • +

      nnnn is the key name. +

      +
    • +
    • +

      aaa is the numeric representation of the algorithm. -

    • -
    • iiiii is the key identifier (or +

      +
    • +
    • +

      iiiii is the key identifier (or footprint). -

    • +

      +
    -

    dnssec-keygen +

    dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and @@ -371,53 +486,60 @@ private key.

    -

    +

    The .key file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).

    -

    +

    The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.

    -

    +

    Both .key and .private files are generated for symmetric cryptography algorithms such as HMAC-MD5, even though the public and private key are equivalent.

    -
-
+
+ +

EXAMPLE

-

+ +

To generate a 768-bit DSA key for the domain example.com, the following command would be issued:

-

dnssec-keygen -a DSA -b 768 -n ZONE example.com +

dnssec-keygen -a DSA -b 768 -n ZONE example.com

-

+

The command would print a string of the form:

-

Kexample.com.+003+26160 +

Kexample.com.+003+26160

-

+

In this example, dnssec-keygen creates the files Kexample.com.+003+26160.key and Kexample.com.+003+26160.private.

-
-
+
+ +

SEE ALSO

-

dnssec-signzone(8), + +

+ dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, RFC 4034.

-
+
+
diff --git a/bin/dnssec/dnssec-revoke.html b/bin/dnssec/dnssec-revoke.html
index ee8f8be76b..c54f868858 100644
--- a/bin/dnssec/dnssec-revoke.html
+++ b/bin/dnssec/dnssec-revoke.html
@@ -14,52 +14,88 @@
-
+ + + + + +

Name

-

dnssec-revoke — set the REVOKED bit on a DNSSEC key

+

+ dnssec-revoke + — set the REVOKED bit on a DNSSEC key +

-
+ + + +

Synopsis

-

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-
-
+

+ dnssec-revoke + [-hr] + [-v level] + [-V] + [-K directory] + [-E engine] + [-f] + [-R] + {keyfile} +

+
+ +

DESCRIPTION

-

dnssec-revoke + +

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key.

-
-
+
+ +

OPTIONS

-
+ + +
-h
-

+

+

Emit usage message and exit. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to reside. -

+

+
-r
-

+

+

After writing the new keyset files remove the original keyset files. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -67,26 +103,35 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-f
-

+

+

Force overwrite: Causes dnssec-revoke to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key. -

+

+
-R
-

+

+

Print the key tag of the key with the REVOKE bit set but do not revoke the key. -

+

+
-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), + +

+ dnssec-keygen(8) + , BIND 9 Administrator Reference Manual, RFC 5011.

-
+
+
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index 6caea849cc..2684a0cf9f 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -14,17 +14,47 @@
-
+ + + + + +

Name

-

dnssec-settime — set the key timing metadata for a DNSSEC key

+

+ dnssec-settime + — set the key timing metadata for a DNSSEC key +

-
+ + + +

Synopsis

-

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-D sync date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

-
-
+

+ dnssec-settime + [-f] + [-K directory] + [-L ttl] + [-P date/offset] + [-P sync date/offset] + [-A date/offset] + [-R date/offset] + [-I date/offset] + [-D date/offset] + [-D sync date/offset] + [-h] + [-V] + [-v level] + [-E engine] + {keyfile} +

+
+ +

DESCRIPTION

-

dnssec-settime + +

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, -R, -I, and -D @@ -33,12 +63,12 @@ determine when a key is to be published, whether it should be used for signing a zone, etc.

-

+

If none of these options is set on the command line, then dnssec-settime simply prints the key timing metadata already stored in the key.

-

+

When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated. @@ -47,12 +77,16 @@ file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).

-
-
+
+ +

OPTIONS

-
+ + +
-f
-

+

+

Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail when attempting to update a legacy key. With this option, @@ -61,13 +95,17 @@ set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time. -

+

+
-K directory
-

+

+

Sets the directory in which the key files are to reside. -

+

+
-L ttl
-

+

+

Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was @@ -76,25 +114,32 @@ is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to 0 or none removes it from the key. -

+

+
-h
-

+

+

Emit usage message and exit. -

+

+
-V
-

+

+

Prints version information. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -102,12 +147,14 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-
-
+
+ +

TIMING OPTIONS

-

+ +

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset @@ -117,49 +164,65 @@ days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none' or 'never'.

-
+ +
-P date/offset
-

+

+

Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. -

+

+
-P sync date/offset
-

+

+

Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. -

+

+
-A date/offset
-

+

+

Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. -

+

+
-R date/offset
-

+

+

Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it. -

+

+
-I date/offset
-

+

+

Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it. -

+

+
-D date/offset
-

+

+

Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.) -

+

+
-D sync date/offset
-

+

+

Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. -

+

+
-S predecessor key
-

+

+

Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being @@ -167,10 +230,11 @@ to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

+
-i interval
-

+

Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the @@ -179,34 +243,40 @@ the publication date is specified but activation date isn't, then activation will be set to this much time after publication.

-

+

If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.

-

+

As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.

-
+
-
-
+
+ +

PRINTING OPTIONS

-

+ +

dnssec-settime can also be used to print the timing metadata associated with a key.

-
+ +
-u
-

+

+

Print times in UNIX epoch format. -

+

+
-p C/P/Psync/A/R/I/D/Dsync/all
-

+

+

Print a specific metadata value or set of metadata values. The -p option may be followed by one or more of the following letters or strings to indicate which value @@ -220,16 +290,24 @@ D for the deletion date, and Dsync for the CDS and CDNSKEY deletion date To print all of the metadata, use -p all. -

+

+
-
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-keygen(8) + , + + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 5011.

-
+
+
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index d43a829fe0..dc06356b12 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,17 +14,72 @@
-
+ + + + + +

Name

-

dnssec-signzone — DNSSEC zone signing tool

+

+ dnssec-signzone + — DNSSEC zone signing tool +

-
+ + + +

Synopsis

-

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-
-
+

+ dnssec-signzone + [-a] + [-c class] + [-d directory] + [-D] + [-E engine] + [-e end-time] + [-f output-file] + [-g] + [-h] + [-K directory] + [-k key] + [-L serial] + [-l domain] + [-M domain] + [-i interval] + [-I input-format] + [-j jitter] + [-N soa-serial-format] + [-o origin] + [-O output-format] + [-P] + [-p] + [-Q] + [-R] + [-r randomdev] + [-S] + [-s start-time] + [-T ttl] + [-t] + [-u] + [-v level] + [-V] + [-X extended end-time] + [-x] + [-z] + [-3 salt] + [-H iterations] + [-A] + {zonefile} + [key...] +

+
+ +

DESCRIPTION

-

dnssec-signzone + +

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone @@ -32,34 +87,46 @@ determined by the presence or absence of a keyset file for each child zone.

-
-
+
+ +

OPTIONS

-
+ + +
-a
-

+

+

Verify all generated signatures. -

+

+
-c class
-

+

+

Specifies the DNS class of the zone. -

+

+
-C
-

+

+

Compatibility mode: Generate a keyset-zonename file in addition to dsset-zonename when signing a zone, for use by older versions of dnssec-signzone. -

+

+
-d directory
-

+

+

Look for dsset- or keyset- files in directory. -

+

+
-D
-

+

+

Output only those record types automatically managed by dnssec-signzone, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing @@ -68,15 +135,16 @@ zone file with $INCLUDE. This option cannot be combined with -O raw, -O map, or serial number updating. -

+

+
-E engine
-

+

When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -84,30 +152,39 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-g
-

+

+

Generate DS records for child zones from dsset- or keyset- file. Existing DS records will be removed. -

+

+
-K directory
-

+

+

Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory. -

+

+
-k key
-

+

+

Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. -

+

+
-l domain
-

+

+

Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. -

+

+
-M maxttl
-

+

+

Sets the maximum TTL for the signed zone. Any TTL higher than maxttl in the input zone will be reduced to maxttl @@ -120,9 +197,11 @@ max-zone-ttl in named.conf. (Note: This option is incompatible with -D, because it modifies non-DNSSEC data in the output zone.) -

+

+
-s start-time
-

+

+

Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number @@ -131,9 +210,11 @@ indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time minus 1 hour (to allow for clock skew) is used. -

+

+
-e end-time
-

+

+

Specify the date and time when the generated RRSIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative @@ -143,10 +224,11 @@ specified, 30 days from the start time is used as a default. end-time must be later than start-time. -

+

+
-X extended end-time
-

+

Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire. This is to be used in cases when the DNSKEY signatures need to persist longer than @@ -154,7 +236,7 @@ of the KSK is kept offline and the KSK signature is to be refreshed manually.

-

+

As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from @@ -165,28 +247,34 @@ 30 days from the start time.) extended end-time must be later than start-time.

-
+
-f output-file
-

+

+

The name of the output file containing the signed zone. The default is to append .signed to the input filename. If output-file is set to "-", then the signed zone is written to the standard output, with a default output format of "full". -

+

+
-h
-

+

+

Prints a short summary of the options and arguments to dnssec-signzone. -

+

+
-V
-

+

+

Prints version information. -

+

+
-i interval
-

+

When a previously-signed zone is passed as input, records may be resigned. The interval option specifies the cycle interval as an offset from the current @@ -194,7 +282,7 @@ cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

-

+

The default cycle interval is one quarter of the difference between the signature end and start times. So if neither end-time or start-time @@ -205,9 +293,10 @@ are due to expire in less than 7.5 days, they would be replaced.

-
+
-I input-format
-

+

+

The format of the input zone file. Possible formats are "text" (default), "raw", and "map". @@ -216,10 +305,11 @@ format containing updates can be signed directly. The use of this option does not make much sense for non-dynamic zones. -

+

+
-j jitter
-

+

When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. @@ -230,55 +320,72 @@ expire time, thus spreading incremental signature regeneration over time.

-

+

Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.

-
+
-L serial
-

+

+

When writing a signed zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) -

+

+
-n ncpus
-

+

+

Specifies the number of threads to use. By default, one thread is started for each detected CPU. -

+

+
-N soa-serial-format
-

+

The SOA serial number format of the signed zone. Possible formats are "keep" (default), "increment", "unixtime", and "date".

-
+ +
"keep"
-

Do not modify the SOA serial number.

+
+

Do not modify the SOA serial number.

+
"increment"
-

Increment the SOA serial number using RFC 1982 - arithmetics.

+
+

Increment the SOA serial number using RFC 1982 + arithmetics.

+
"unixtime"
-

Set the SOA serial number to the number of seconds - since epoch.

+
+

Set the SOA serial number to the number of seconds + since epoch.

+
"date"
-

Set the SOA serial number to today's date in - YYYYMMDDNN format.

+
+

Set the SOA serial number to today's date in + YYYYMMDDNN format.

+
-
+ +
-o origin
-

+

+

The zone origin. If not specified, the name of the zone file is assumed to be the origin. -

+

+
-O output-format
-

+

+

The format of the output file containing the signed zone. Possible formats are "text" (default), which is the standard textual representation of the zone; @@ -291,33 +398,36 @@ the raw zone file: if N is 0, the raw file can be read by any version of named; if N is 1, the file can be read by release 9.9.0 or higher; the default is 1. -

+

+
-p
-

+

+

Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. -

+

+
-P
-

+

Disable post sign verification tests.

-

+

The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.

-
+
-Q
-

+

Remove signatures from keys that are no longer active.

-

+

Normally, when a previously-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key @@ -329,22 +439,23 @@ enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").

-
+
-R
-

+

Remove signatures from keys that are no longer published.

-

+

This option is similar to -Q, except it forces dnssec-signzone to signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.2 ("Double Signature Zone Signing Key Rollover").

-
+
-r randomdev
-

+

+

Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness @@ -354,53 +465,65 @@ data to be used instead of the default. The special value keyboard indicates that keyboard input should be used. -

+

+
-S
-

+

Smart signing: Instructs dnssec-signzone to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.

-

+

When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:

-
+
-

+

+

If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone. -

+

+
-

+

+

If the key's publication date is set and is in the past, the key is published in the zone. -

+

+
-

+

+

If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone. -

+

+
-

+

+

If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone. -

+

+
-

+

+

If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata. -

+

+
- +
-T ttl
-

+

+

Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the TTL value from the zone's SOA @@ -412,81 +535,102 @@ them, or if any of the imported DNSKEY records had a default TTL value. In the event of a a conflict between TTL values in imported keys, the shortest one is used. -

+

+
-t
-

+

+

Print statistics at completion. -

+

+
-u
-

+

+

Update NSEC/NSEC3 chain when re-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option, dnssec-signzone will retain the existing chain when re-signing. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-x
-

+

+

Only sign the DNSKEY RRset with key-signing keys, and omit signatures from zone-signing keys. (This is similar to the dnssec-dnskey-kskonly yes; zone option in named.) -

+

+
-z
-

+

+

Ignore KSK flag on key when determining what to sign. This causes KSK-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the update-check-ksk no; zone option in named.) -

+

+
-3 salt
-

+

+

Generate an NSEC3 chain with the given hex encoded salt. A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain. -

+

+
-H iterations
-

+

+

When generating an NSEC3 chain, use this many iterations. The default is 10. -

+

+
-A
-

+

When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.

-

+

Using this option twice (i.e., -AA) turns the OPTOUT flag off for all records. This is useful when using the -u option to modify an NSEC3 chain which previously had OPTOUT set.

-
+
zonefile
-

+

+

The file containing the zone to be signed. -

+

+
key
-

+

+

Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing. -

+

+
-
-
+
+ +

EXAMPLE

-

+ +

The following command signs the example.com zone with the DSA key generated by dnssec-keygen (Kexample.com.+003+17247). Because the -S option @@ -499,13 +643,13 @@ Kexample.com.+003+17247 db.example.com.signed % -

+

In the above example, dnssec-signzone creates the file db.example.com.signed. This file should be referenced in a zone statement in a named.conf file.

-

+

This example re-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.

@@ -513,13 +657,18 @@ db.example.com.signed % dnssec-signzone -o example.com db.example.com db.example.com.signed % -
-
+
+ +

SEE ALSO

-

dnssec-keygen(8), + +

+ dnssec-keygen(8) + , BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

-
+
+
diff --git a/bin/dnssec/dnssec-verify.html b/bin/dnssec/dnssec-verify.html
index 09138c989e..7a31186c85 100644
--- a/bin/dnssec/dnssec-verify.html
+++ b/bin/dnssec/dnssec-verify.html
@@ -14,35 +14,64 @@
-
+ + + + + +

Name

-

dnssec-verify — DNSSEC zone verification tool

+

+ dnssec-verify + — DNSSEC zone verification tool +

-
+ + + +

Synopsis

-

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

-
-
+

+ dnssec-verify + [-c class] + [-E engine] + [-I input-format] + [-o origin] + [-v level] + [-V] + [-x] + [-z] + {zonefile} +

+
+ +

DESCRIPTION

-

dnssec-verify + +

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.

-
-
+
+ +

OPTIONS

-
+ + +
-c class
-

+

+

Specifies the DNS class of the zone. -

+

+
-E engine
-

+

Specifies the cryptographic hardware to use, when applicable.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -50,9 +79,10 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-I input-format
-

+

+

The format of the input zone file. Possible formats are "text" (default) and "raw". @@ -61,32 +91,41 @@ format containing updates can be verified independently. The use of this option does not make much sense for non-dynamic zones. -

+

+
-o origin
-

+

+

The zone origin. If not specified, the name of the zone file is assumed to be the origin. -

+

+
-v level
-

+

+

Sets the debugging level. -

+

+
-V
-

+

+

Prints version information. -

+

+
-x
-

+

+

Only verify that the DNSKEY RRset is signed with key-signing keys. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone-signing keys. This corresponds to the -x option in dnssec-signzone. -

+

+
-z
-

+

Ignore the KSK flag on the keys when determining whether the zone if correctly signed. Without this flag it is assumed that there will be a non-revoked, self-signed @@ -94,7 +133,7 @@ that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set.

-

+

With this flag set, we only require that for each algorithm, there will be at least one non-revoked, self-signed DNSKEY, regardless of the KSK flag state, and that other RRsets @@ -103,20 +142,27 @@ for both purposes. This corresponds to the -z option in dnssec-signzone.

-
+
zonefile
-

+

+

The file containing the zone to be signed. -

+

+
-
-
+
+ +

SEE ALSO

-

- dnssec-signzone(8), + +

+ + dnssec-signzone(8) + , BIND 9 Administrator Reference Manual, RFC 4033.

-
+
+
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index 021f11fd08..85f61eeed1 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,24 +14,57 @@
-
+ + + + + +

Name

-

lwresd — lightweight resolver daemon

+

+ lwresd + — lightweight resolver daemon +

-
+ + + +

Synopsis

-

lwresd [-c config-file] [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-m flag] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v] [-4] [-6]

-
-
+

+ lwresd + [-c config-file] + [-C config-file] + [-d debug-level] + [-f] + [-g] + [-i pid-file] + [-m flag] + [-n #cpus] + [-P port] + [-p port] + [-s] + [-t directory] + [-u user] + [-v] + [-4] + [-6] +

+
+ +

DESCRIPTION

-

lwresd + + +

lwresd is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped-down, caching-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.

-

lwresd + +

lwresd listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that lwresd can only be used by @@ -39,14 +72,14 @@ number 921 is used for lightweight resolver requests and responses.

-

+

Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes, lwresd encodes the answers in the lightweight resolver format and returns them to the client that made the request.

-

+

If /etc/resolv.conf contains any nameserver entries, lwresd sends recursive DNS queries to those servers. This is similar @@ -56,60 +89,80 @@ queries autonomously starting at the root name servers, using a built-in list of root server hints.

-
-
+
+ +

OPTIONS

-
+ + +
-4
-

+

+

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive. -

+

+
-6
-

+

+

Use IPv6 only even if the host machine is capable of IPv4. -4 and -6 are mutually exclusive. -

+

+
-c config-file
-

+

+

Use config-file as the configuration file instead of the default, /etc/lwresd.conf. -c can not be used with -C. -

+

+
-C config-file
-

+

+

Use config-file as the configuration file instead of the default, /etc/resolv.conf. -C can not be used with -c. -

+

+
-d debug-level
-

+

+

Set the daemon's debug level to debug-level. Debugging traces from lwresd become more verbose as the debug level increases. -

+

+
-f
-

+

+

Run the server in the foreground (i.e. do not daemonize). -

+

+
-g
-

+

+

Run the server in the foreground and force all logging to stderr. -

+

+
-i pid-file
-

+

+

Use pid-file as the PID file instead of the default, /var/run/lwresd/lwresd.pid. -

+

+
-m flag
-

+

+

Turn on memory usage debugging flags. Possible flags are usage, trace, @@ -118,54 +171,61 @@ mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>. -

+

+
-n #cpus
-

+

+

Create #cpus worker threads to take advantage of multiple CPUs. If not specified, lwresd will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -

+

+
-P port
-

+

+

Listen for lightweight resolver queries on port port. If not specified, the default is port 921. -

+

+
-p port
-

+

+

Send DNS lookups to port port. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non-standard port number. -

+

+
-s
-

+

Write memory usage statistics to stdout on exit.

-
+

Note

-

+

This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.

-
-
+
+
-t directory
-

Chroot +

Chroot to directory after processing the command line arguments, but before reading the configuration file.

-
+

Warning

-

+

This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most @@ -173,39 +233,61 @@ defined allows a process with root privileges to escape a chroot jail.

-
-
+
+
-u user
-

Setuid +

+

Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports. -

+

+
-v
-

+

+

Report the version number and exit. -

+

+
-
-
+ +
+ +

FILES

-
+ + +
/etc/resolv.conf
-

+

+

The default configuration file. -

+

+
/var/run/lwresd.pid
-

+

+

The default process-id file. -

+

+
-
-
+ +
+ +

SEE ALSO

-

named(8), - lwres(3), - resolver(5). + +

+ named(8) + , + + lwres(3) + , + + resolver(5) + .

-
+
+
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index f22501a677..054d5d0c97 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -14,61 +14,84 @@
-
+ + + + + +

Name

-

named.conf — configuration file for named

+

+ named.conf + — configuration file for named +

-
+ + + +

Synopsis

-

named.conf

-
-
+

+ named.conf +

+
+ +

DESCRIPTION

-

named.conf is the configuration file + +

named.conf is the configuration file for named. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported:

-

+

C style: /* */

-

+

C++ style: // to end of line

-

+

Unix style: # to end of line

-
-
+
+ +

ACL

-


+ +


acl string { address_match_element; ... };

-
-
+
+ +

KEY

-


+ +


key domain_name {
algorithm string;
secret string;
};

-
-
+
+ +

MASTERS

-


+ +


masters string [ port integer ] {
masters | ipv4_address [port integer] |
ipv6_address [port integer] ) [ key string ]; ...
};

-
-
+
+ +

SERVER

-


+ +


server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
bogus boolean;
edns boolean;
@@ -88,26 +111,32 @@ server support-ixfr boolean; // obsolete
};

-
-
+
+ +

TRUSTED-KEYS

-


+ +


trusted-keys {
domain_name flags protocol algorithm key; ...
};

-
-
+
+ +

MANAGED-KEYS

-


+ +


managed-keys {
domain_name initial-key flags protocol algorithm key; ...
};

-
-
+
+ +

CONTROLS

-


+ +


controls {
inet ( ipv4_address | ipv6_address | * )
[ port ( integer | * ) ]
@@ -116,10 +145,12 @@ controls unix unsupported; // not implemented
};

-
-
+
+ +

LOGGING

-


+ +


logging {
channel string {
file log_file;
@@ -134,10 +165,12 @@ logging category string { string; ... };
};

-
-
+
+ +

LWRES

-


+ +


lwres {
listen-on [ port integer ] {
ipv4_address | ipv6_address ) [ port integer ]; ...
@@ -149,10 +182,12 @@ lwres lwres-clients integer;
};

-
-
+
+ +

OPTIONS

-


+ +


options {
avoid-v4-udp-ports { port; ... };
avoid-v6-udp-ports { port; ... };
@@ -388,10 +423,12 @@ options use-ixfr boolean; // obsolete
};

-
-
+
+ +

VIEW

-


+ +


view string optional_class {
match-clients { address_match_element; ... };
match-destinations { address_match_element; ... };
@@ -564,10 +601,12 @@ view max-ixfr-log-size size; // obsolete
};

-
-
+
+ +

ZONE

-


+ +


zone string optional_class {
type ( master | slave | stub | hint | redirect |
forward | delegation-only );
@@ -662,19 +701,30 @@ zone pubkey integer integer integer quoted_string; // obsolete
};

-
-
+
+ +

FILES

-

/etc/named.conf + +

/etc/named.conf

-
-
+
+ +

SEE ALSO

-

named(8), - named-checkconf(8), - rndc(8), + +

+ named(8) + , + + named-checkconf(8) + , + + rndc(8) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/named/named.html b/bin/named/named.html
index 61d3917e15..bc7a88ac70 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,46 +14,91 @@
-
+ + + + + +

Name

-

named — Internet domain name server

+

+ named + — Internet domain name server +

-
+ + + +

Synopsis

-

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]

-
-
+

+ named + [-4] + [-6] + [-c config-file] + [-d debug-level] + [-D string] + [-E engine-name] + [-f] + [-g] + [-L logfile] + [-M option] + [-m flag] + [-n #cpus] + [-p port] + [-s] + [-S #max-socks] + [-t directory] + [-U #listeners] + [-u user] + [-v] + [-V] + [-X lock-file] + [-x cache-file] +

+
+ +

DESCRIPTION

-

named + +

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035.

-

+

When invoked without arguments, named will read the default configuration file /etc/named.conf, read any initial data, and listen for queries.

-
-
+
+ +

OPTIONS

-
+ + +
-4
-

+

+

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive. -

+

+
-6
-

+

+

Use IPv6 only even if the host machine is capable of IPv4. -4 and -6 are mutually exclusive. -

+

+
-c config-file
-

+

+

Use config-file as the configuration file instead of the default, /etc/named.conf. To @@ -63,28 +108,33 @@ directory option in the configuration file, config-file should be an absolute pathname. -

+

+
-d debug-level
-

+

+

Set the daemon's debug level to debug-level. Debugging traces from named become more verbose as the debug level increases. -

+

+
-D string
-

+

+

Specifies a string that is used to identify a instance of named in a process listing. The contents of string are not examined. -

+

+
-E engine-name
-

+

When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.

-

+

When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service @@ -92,31 +142,40 @@ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".

-
+
-f
-

+

+

Run the server in the foreground (i.e. do not daemonize). -

+

+
-g
-

+

+

Run the server in the foreground and force all logging to stderr. -

+

+
-L logfile
-

+

+

Log to the file logfile by default instead of the system log. -

+

+
-M option
-

+

+

Sets the default memory context options. Currently the only supported option is external, which causes the internal memory manager to be bypassed in favor of system-provided memory allocation functions. -

+

+
-m flag
-

+

+

Turn on memory usage debugging flags. Possible flags are usage, trace, @@ -125,46 +184,51 @@ mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>. -

+

+
-n #cpus
-

+

+

Create #cpus worker threads to take advantage of multiple CPUs. If not specified, named will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -

+

+
-p port
-

+

+

Listen for queries on port port. If not specified, the default is port 53. -

+

+
-s
-

+

Write memory usage statistics to stdout on exit.

-
+

Note

-

+

This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.

-
-
+
+
-S #max-socks
-

+

Allow named to use up to #max-socks sockets. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure --with-tuning=large".

-
+

Warning

-

+

This option should be unnecessary for the vast majority of users. The use of this option could even be harmful because the @@ -179,18 +243,18 @@ named reserves some file descriptors for its internal use.

-
-
+
+
-t directory
-

Chroot +

Chroot to directory after processing the command line arguments, but before reading the configuration file.

-
+

Warning

-

+

This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most @@ -198,10 +262,11 @@ defined allows a process with root privileges to escape a chroot jail.

-
-
+
+
-U #listeners
-

+

+

Use #listeners worker threads to listen for incoming UDP packets on each address. If not specified, named will @@ -214,17 +279,18 @@ be increased as high as that value, but no higher. On Windows, the number of UDP listeners is hardwired to 1 and this option has no effect. -

+

+
-u user
-

Setuid +

Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports.

-
+

Note

-

+

On Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind(2) to @@ -237,18 +303,23 @@ later, since previous kernels did not allow privileges to be retained after setuid(2).

-
-
+
+
-v
-

+

+

Report the version number and exit. -

+

+
-V
-

+

+

Report the version number and build options, and exit. -

+

+
-X lock-file
-

+

+

Acquire a lock on the specified file at runtime; this helps to prevent duplicate named instances from running simultaneously. @@ -256,54 +327,68 @@ option in named.conf. If set to none, the lock file check is disabled. -

+

+
-x cache-file
-

+

Load data from cache-file into the cache of the default view.

-
+

Warning

-

+

This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.

-
-
+
+
-
-
+ +
+ +

SIGNALS

-

+ +

In routine operation, signals should not be used to control the nameserver; rndc should be used instead.

-
+ +
SIGHUP
-

+

+

Force a reload of the server. -

+

+
SIGINT, SIGTERM
-

+

+

Shut down the server. -

+

+
-

+ +

The result of sending any other signals to the server is undefined.

-
-
+ +
+ +

CONFIGURATION

-

+ +

The named configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual.

-

+ +

named inherits the umask (file creation mode mask) from the parent process. If files created by named, such as journal files,
@@ -311,32 +396,59 @@ should be set explicitly in the script used to start the named process.

-
-
+ +
+ +

FILES

-
+ + +
/etc/named.conf
-

+

+

The default configuration file. -

+

+
/var/run/named/named.pid
-

+

+

The default process-id file. -

+

+
-
-
+ +
+ +

SEE ALSO

-

RFC 1033, + +

RFC 1033, RFC 1034, RFC 1035, - named-checkconf(8), - named-checkzone(8), - rndc(8), - lwresd(8), - named.conf(5), + + named-checkconf + (8) + , + + named-checkzone + (8) + , + + rndc + (8) + , + + lwresd + (8) + , + + named.conf + (5) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index f77d054333..50463597b6 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,17 +14,50 @@
-
+ + + + +

Name

-

nsupdate — Dynamic DNS update utility

+

+ nsupdate + — Dynamic DNS update utility +

-
+ + + +

Synopsis

-

nsupdate [-d] [-D] [-L level] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

-
-
+

+ nsupdate + [-d] + [-D] + [-L level] + [ + [-g] + | [-o] + | [-l] + | [-y [hmac:]keyname:secret] + | [-k keyfile] + ] + [-t timeout] + [-u udptimeout] + [-r udpretries] + [-R randomdev] + [-v] + [-T] + [-P] + [-V] + [filename] +

+
+ +

DESCRIPTION

-

nsupdate + +

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. This allows resource records to be added or removed from a zone
@@ -33,27 +66,27 @@ one resource record.

-

+

Zones that are under dynamic control via nsupdate or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.

-

+

The resource records that are dynamically added or removed with nsupdate have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.

-

+

Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS-TSIG as described in RFC 3645.

-

+

TSIG relies on a shared secret that should only be known to nsupdate and the name server.
@@ -68,33 +101,41 @@ uses the -y or -k options to provide the TSIG shared secret. These options are mutually exclusive.

-

+

SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.

-

+

GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode is switched on with the -g flag. A non-standards-compliant variant of GSS-TSIG used by Windows 2000 can be switched on with the -o flag.

-
-
+
+ +

OPTIONS

-
+ + +
-d
-

+

+

Debug mode. This provides tracing information about the update requests that are made and the replies received from the name server. -

+

+
-D
-

+

+

Extra debug mode. -

+

+
-k keyfile
-

+

+

The file containing the TSIG authentication key. Keyfiles may be in two formats: a single file containing a named.conf-format key
@@ -106,9 +147,11 @@ The -k may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key. -

+

+
-l
-

+

+

Local-host only mode. This sets the server address to localhost (disabling the server so that the server address cannot be overridden). Connections to the local server will
@@ -117,30 +160,40 @@ local master zone has set update-policy to local. The location of this key file can be overridden with the -k option. -

+

+
-L level
-

+

+

Set the logging debug level. If zero, logging is disabled. -

+

+
-p port
-

+

+

Set the port to use for connections to a name server. The default is 53. -

+

+
-P
-

+

+

Print the list of private BIND-specific resource record types whose format is understood by nsupdate. See also the -T option. -

+

+
-r udpretries
-

+

+

The number of UDP retries. The default is 3. If zero, only one update request will be made. -

+

+
-R randomdev
-

+

+

Where to obtain randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard
@@ -149,51 +202,60 @@ instead of the default. The special value keyboard indicates that keyboard input should be used. This option may be specified multiple times. -

+

+
-t timeout
-

+

+

The maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. -

+

+
-T
-

+

Print the list of IANA standard resource record types whose format is understood by nsupdate. nsupdate will exit after the lists are printed. The -T option can be combined with the -P option.

-

+

Other types can be entered using "TYPEXXXXX" where "XXXXX" is the decimal value of the type with no leading zeros. The rdata, if present, will be parsed using the UNKNOWN rdata format, (<backslash> <hash> <space> <length> <space> <hexstring>).

-
+
-u udptimeout
-

+

+

The UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries. -

+

+
-v
-

+

+

Use TCP even for small update requests. By default, nsupdate uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. TCP may be preferable when a batch of update requests is made. -

+

+
-V
-

+

+

Print the version number and exit. -

+

+
-y [hmac:]keyname:secret
-

+

Literal TSIG authentication key. keyname is the name of the key, and secret is the base64 encoded shared secret.
@@ -205,19 +267,23 @@ is not specified, the default is hmac-md5 or if MD5 was disabled hmac-sha256.

-

+

NOTE: Use of the -y option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from - ps(1) + + ps(1) + or in a history file maintained by the user's shell.

-
+
-
-
+
+ +

INPUT FORMAT

-

nsupdate + +

nsupdate reads input from filename or standard input. @@ -231,7 +297,7 @@ Updates will be rejected if the tests for the prerequisite conditions fail.

-

+

Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some
@@ -241,7 +307,7 @@ accumulated commands to be sent as one Dynamic DNS update request to the name server.

-

+

The command formats and their meaning are as follows:

@@ -250,7 +316,8 @@ {servername} [port] -

+

+

Sends all dynamic update requests to the name server servername. When no server statement is provided,
@@ -266,13 +333,15 @@ If no port number is specified, the default DNS port number of 53 is used. -

+

+
local {address} [port]
-

+

+

Sends all dynamic update requests using the local address.
@@ -284,12 +353,14 @@ can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. -

+

+
zone {zonename}
-

+

+

Specifies that all updates are to be made to the zone zonename. If no
@@ -298,32 +369,38 @@ nsupdate will attempt determine the correct zone to update based on the rest of the input. -

+

+
class {classname}
-

+

+

Specify the default class. If no class is specified, the default class is IN. -

+

+
ttl {seconds}
-

+

+

Specify the default time to live for records to be added. The value none will clear the default ttl. -

+

+
key [hmac:] {keyname} {secret}
-

+

+

Specifies that all updates are to be TSIG-signed using the keyname secret pair. If hmac is specified, then it sets the
@@ -332,66 +409,80 @@ hmac-sha256. The key command overrides any key specified on the command line via -y or -k. -

+

+
gsstsig
-

+

+

Use GSS-TSIG to sign the updated. This is equivalent to specifying -g on the command line. -

+

+
oldgsstsig
-

+

+

Use the Windows 2000 version of GSS-TSIG to sign the updated. This is equivalent to specifying -o on the command line. -

+

+
realm {[realm_name]}
-

+

+

When using GSS-TSIG use realm_name rather than the default realm in krb5.conf. If no realm is specified the saved realm is cleared. -

+

+
check-names {[yes_or_no]}
-

+

+

Turn on or off check-names processing on records to be added. Check-names has no effect on prerequisites or records to be deleted. By default check-names processing is on. If check-names processing fails the record will not be added to the UPDATE message. -

+

+
[prereq] nxdomain {domain-name}
-

+

+

Requires that no resource record of any type exists with name domain-name. -

+

+
[prereq] yxdomain {domain-name}
-

+

+

Requires that domain-name exists (has as at least one resource record, of any type). -

+

+
[prereq] nxrrset {domain-name} [class] {type}
-

+

+

Requires that no resource record exists of the specified type, class
@@ -400,14 +491,16 @@ If class is omitted, IN (internet) is assumed. -

+

+
[prereq] yxrrset {domain-name} [class] {type}
-

+

+

This requires that a resource record of the specified type, class
@@ -417,7 +510,8 @@ If class is omitted, IN (internet) is assumed. -

+

+
[prereq] yxrrset {domain-name}
@@ -425,7 +519,8 @@ {type} {data...}
-

+

+

The data from each set of prerequisites of this form
@@ -446,7 +541,8 @@ are written in the standard text representation of the resource record's RDATA. -

+

+
[update] del[ete] {domain-name}
@@ -454,7 +550,8 @@ [class] [type [data...]]
-

+

+

Deletes any resource records named domain-name. If
@@ -467,7 +564,8 @@ is not supplied. The ttl is ignored, and is only allowed for compatibility. -

+

+
[update] add {domain-name}
@@ -476,62 +574,80 @@ {type} {data...}
-

+

+

Adds a new resource record with the specified ttl, class and data. -

+

+
show
-

+

+

Displays the current message, containing all of the prerequisites and updates specified since the last send. -

+

+
send
-

+

+

Sends the current message. This is equivalent to entering a blank line. -

+

+
answer
-

+

+

Displays the answer. -

+

+
debug
-

+

+

Turn on debugging. -

+

+
version
-

+

+

Print version number. -

+

+
help
-

+

+

Print a list of commands. -

+

+

-

+ +

Lines beginning with a semicolon are comments and are ignored.

-
-
+ +
+ +

EXAMPLES

-

+ +

The examples below show how nsupdate could be used to insert and delete resource records from the
@@ -552,7 +668,7 @@

-

+

Any A records for oldhost.example.com are deleted.
@@ -569,7 +685,7 @@

-

+

The prerequisite condition gets the name server to check that there are no resource records of any type for nickname.example.com.
@@ -582,33 +698,50 @@ (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)

-
-
+
+ +

FILES

-
+ + +
/etc/resolv.conf
-

+

+

used to identify default name server -

+

+
/var/run/named/session.key
-

+

+

sets the default TSIG key for use in local-only mode -

+

+
K{name}.+157.+{random}.key
-

+

+

base-64 encoding of HMAC-MD5 key created by - dnssec-keygen(8). -

+ + dnssec-keygen(8) + . +

+
K{name}.+157.+{random}.private
-

+

+

base-64 encoding of HMAC-MD5 key created by - dnssec-keygen(8). -

+ + dnssec-keygen(8) + . +

+
-
-
+
+ +

SEE ALSO

-

+ +

RFC 2136, RFC 3007, RFC 2104,
@@ -616,19 +749,28 @@ RFC 1034, RFC 2535, RFC 2931, - named(8), - ddns-confgen(8), - dnssec-keygen(8). + + named(8) + , + + ddns-confgen(8) + , + + dnssec-keygen(8) + .

-
-
+
+ +

BUGS

-

+ +

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.

-
+
+
diff --git a/bin/pkcs11/pkcs11-destroy.html b/bin/pkcs11/pkcs11-destroy.html
index 3d0044bc72..8f9f75af1c 100644
--- a/bin/pkcs11/pkcs11-destroy.html
+++ b/bin/pkcs11/pkcs11-destroy.html
@@ -14,69 +14,115 @@
-
+ + + + + +

Name

-

pkcs11-destroy — destroy PKCS#11 objects

-
-
-

Synopsis

-

pkcs11-destroy [-m module] [-s slot] { -i ID | -l label } [-p PIN] [-w seconds]

-
-
-

DESCRIPTION

+ pkcs11-destroy + — destroy PKCS#11 objects +

+
+ + + +
+

Synopsis

+

+ pkcs11-destroy + [-m module] + [-s slot] + { + -i ID + | -l label + } + [-p PIN] + [-w seconds] +

+
+ +
+

DESCRIPTION

+ +

pkcs11-destroy destroys keys stored in a PKCS#11 device, identified by their ID or label.

-

+

Matching keys are displayed before being destroyed. By default, there is a five second delay to allow the user to interrupt the process before the destruction takes place.

-
-
+
+ +

ARGUMENTS

-
+ +
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-s slot
-

+

+

Open the session with the given PKCS#11 slot. The default is slot 0. -

+

+
-i ID
-

+

+

Destroy keys with the given object ID. -

+

+
-l label
-

+

+

Destroy keys with the given label. -

+

+
-p PIN
-

+

+

Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-destroy will prompt for it. -

+

+
-w seconds
-

+

+

Specify how long to pause before carrying out key destruction. The default is five seconds. If set to 0, destruction will be immediate. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-keygen(8), - pkcs11-list(8), - pkcs11-tokens(8) + +

+ + pkcs11-keygen(8) + , + + pkcs11-list(8) + , + + pkcs11-tokens(8) +

-
+
+
diff --git a/bin/pkcs11/pkcs11-keygen.html b/bin/pkcs11/pkcs11-keygen.html
index 4d2283ca04..85b78a9316 100644
--- a/bin/pkcs11/pkcs11-keygen.html
+++ b/bin/pkcs11/pkcs11-keygen.html
@@ -14,93 +14,152 @@
-
+ + + + + +

Name

-

pkcs11-keygen — generate keys on a PKCS#11 device

-
-
-

Synopsis

-

pkcs11-keygen {-a algorithm} [-b keysize] [-e] [-i id] [-m module] [-P] [-p PIN] [-q] [-S] [-s slot] {label}

-
-
-

DESCRIPTION

+ pkcs11-keygen + — generate keys on a PKCS#11 device +

+
+ + + +
+

Synopsis

+

+ pkcs11-keygen + {-a algorithm} + [-b keysize] + [-e] + [-i id] + [-m module] + [-P] + [-p PIN] + [-q] + [-S] + [-s slot] + {label} +

+
+ +
+

DESCRIPTION

+ +

pkcs11-keygen causes a PKCS#11 device to generate a new key pair with the given label (which must be unique) and with keysize bits of prime.

-
-
+
+ +

ARGUMENTS

-
+ +
-a algorithm
-

+

+

Specify the key algorithm class: Supported classes are RSA, DSA, DH, and ECC. In addition to these strings, the algorithm can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC. The default class is "RSA". -

+

+
-b keysize
-

+

+

Create the key pair with keysize bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256. -

+

+
-e
-

+

+

For RSA keys only, use a large exponent. -

+

+
-i id
-

+

+

Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number. -

+

+
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-P
-

+

+

Set the new private key to be non-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non-extractable. -

+

+
-p PIN
-

+

+

Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-keygen will prompt for it. -

+

+
-q
-

+

+

Quiet mode: suppress unnecessary output. -

+

+
-S
-

+

+

For Diffie-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024. -

+

+
-s slot
-

+

+

Open the session with the given PKCS#11 slot. The default is slot 0. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-destroy(8), - pkcs11-list(8), - pkcs11-tokens(8), - dnssec-keyfromlabel(8) + +

+ + pkcs11-destroy(8) + , + + pkcs11-list(8) + , + + pkcs11-tokens(8) + , + + dnssec-keyfromlabel(8) +

-
+
+
diff --git a/bin/pkcs11/pkcs11-list.html b/bin/pkcs11/pkcs11-list.html
index 5e3eeee954..ae741ce943 100644
--- a/bin/pkcs11/pkcs11-list.html
+++ b/bin/pkcs11/pkcs11-list.html
@@ -14,17 +14,38 @@
-
+ + + + + +

Name

-

pkcs11-list — list PKCS#11 objects

-
-
-

Synopsis

-

pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]

-
-
-

DESCRIPTION

+ pkcs11-list + — list PKCS#11 objects +

+
+ + + +
+

Synopsis

+

+ pkcs11-list + [-P] + [-m module] + [-s slot] + [-i ID] + [-l label] + [-p PIN] +

+
+ +
+

DESCRIPTION

+ +

pkcs11-list lists the PKCS#11 objects with ID or label or by default all objects.
@@ -33,48 +54,71 @@ attribute is also displayed, as either true, false, or never.

-
-
+
+ +

ARGUMENTS

-
+ +
-P
-

+

+

List only the public objects. (Note that on some PKCS#11 devices, all objects are private.) -

+

+
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-s slot
-

+

+

Open the session with the given PKCS#11 slot. The default is slot 0. -

+

+
-i ID
-

+

+

List only key objects with the given object ID. -

+

+
-l label
-

+

+

List only key objects with the given label. -

+

+
-p PIN
-

+

+

Specify the PIN for the device. If no PIN is provided on the command line, pkcs11-list will prompt for it. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-destroy(8), - pkcs11-keygen(8), - pkcs11-tokens(8) + +

+ + pkcs11-destroy(8) + , + + pkcs11-keygen(8) + , + + pkcs11-tokens(8) +

-
+
+
diff --git a/bin/pkcs11/pkcs11-tokens.html b/bin/pkcs11/pkcs11-tokens.html
index 01c319a984..7bf89c0628 100644
--- a/bin/pkcs11/pkcs11-tokens.html
+++ b/bin/pkcs11/pkcs11-tokens.html
@@ -14,44 +14,76 @@
-
+ + + + + +

Name

-

pkcs11-tokens — list PKCS#11 available tokens

-
-
-

Synopsis

-

pkcs11-tokens [-m module] [-v]

-
-
-

DESCRIPTION

+ pkcs11-tokens + — list PKCS#11 available tokens +

+
+ + + +
+

Synopsis

+

+ pkcs11-tokens + [-m module] + [-v] +

+
+ +
+

DESCRIPTION

+ +

pkcs11-tokens lists the PKCS#11 available tokens with defaults from the slot/token scan performed at application initialization.

-
-
+
+ +

ARGUMENTS

-
+ +
-m module
-

+

+

Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -

+

+
-v
-

+

+

Make the PKCS#11 libisc initialization verbose. -

+

+
-
-
+
+ +

SEE ALSO

-

- pkcs11-destroy(8), - pkcs11-keygen(8), - pkcs11-list(8) + +

+ + pkcs11-destroy(8) + , + + pkcs11-keygen(8) + , + + pkcs11-list(8) +

-
+
+
diff --git a/bin/python/dnssec-checkds.html b/bin/python/dnssec-checkds.html
index 0b75e49e22..0283bcf171 100644
--- a/bin/python/dnssec-checkds.html
+++ b/bin/python/dnssec-checkds.html
@@ -14,58 +14,105 @@
-
+ + + + + +

Name

-

dnssec-checkds — DNSSEC delegation consistency checking tool

+

+ dnssec-checkds + — DNSSEC delegation consistency checking tool +

-
+ + + +

Synopsis

-

dnssec-checkds [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-
-
+

+ dnssec-checkds + [-l domain] + [-f file] + [-d dig path] + [-D dsfromkey path] + {zone} +

+

+ dnssec-dsfromkey + [-l domain] + [-f file] + [-d dig path] + [-D dsfromkey path] + {zone} +

+
+ +

DESCRIPTION

-

dnssec-checkds + +

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone.

-
-
+
+ +

OPTIONS

-
+ + +
-f file
-

+

+

If a file is specified, then the zone is read from that file to find the DNSKEY records. If not, then the DNSKEY records for the zone are looked up in the DNS. -

+

+
-l domain
-

+

+

Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone's parent. For example, to check for DLV records for "example.com" in ISC's DLV zone, use: dnssec-checkds -l dlv.isc.org example.com -

+

+
-d dig path
-

+

+

Specifies a path to a dig binary. Used for testing. -

+

+
-D dsfromkey path
-

+

+

Specifies a path to a dnssec-dsfromkey binary. Used for testing. -

+

+
-
-
+
+ +

SEE ALSO

-

dnssec-dsfromkey(8), - dnssec-keygen(8), - dnssec-signzone(8), + +

+ dnssec-dsfromkey(8) + , + + dnssec-keygen(8) + , + + dnssec-signzone(8) + ,

-
+
+
diff --git a/bin/python/dnssec-coverage.html b/bin/python/dnssec-coverage.html
index 280fddf2e2..cf323444f8 100644
--- a/bin/python/dnssec-coverage.html
+++ b/bin/python/dnssec-coverage.html
@@ -14,22 +14,47 @@
-
+ + + + + +

Name

-

dnssec-coverage — checks future DNSKEY coverage for a zone

+

+ dnssec-coverage + — checks future DNSKEY coverage for a zone +

-
+ + + +

Synopsis

-

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone...]

-
-
+

+ dnssec-coverage + [-K directory] + [-l length] + [-f file] + [-d DNSKEY TTL] + [-m max TTL] + [-r interval] + [-c compilezone path] + [-k] + [-z] + [zone...] +

+
+ +

DESCRIPTION

-

dnssec-coverage + +

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage.

-

+

If zone is specified, then keys found in the key repository matching that zone are scanned, and an ordered list is generated of the events scheduled for that key (i.e.,
@@ -42,47 +67,54 @@ key is rolled, and cached data signed by the prior key has not had time to expire from resolver caches.

-

+

If zone is not specified, then all keys in the key repository will be scanned, and all zones for which there are keys will be analyzed. (Note: This method of reporting is only accurate if all the zones that have keys in a given repository share the same TTL parameters.)

-
-
+
+ +

OPTIONS

-
+ + +
-K directory
-

+

+

Sets the directory in which keys can be found. Defaults to the current working directory. -

+

+
-f file
-

+

+

If a file is specified, then the zone is read from that file; the largest TTL and the DNSKEY TTL are determined directly from the zone data, and the -m and -d options do not need to be specified on the command line. -

+

+
-l duration
-

+

The length of time to check for DNSSEC coverage. Key events scheduled further into the future than duration will be ignored, and assumed to be correct.

-

+

The value of duration can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-
+
-m maximum TTL
-

+

Sets the value to be used as the maximum TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure. When a zone-signing key is
@@ -91,26 +123,26 @@ before that key can be purged from the DNSKEY RRset. If that condition does not apply, a warning will be generated.

-

+

The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-

+

This option is not necessary if the -f has been used to specify a zone file. If -f has been specified, this option may still be used; it will override the value found in the file.

-

+

If this option is not used and the maximum TTL cannot be retrieved from a zone file, a warning is generated and a default value of 1 week is used.

-
+
-d DNSKEY TTL
-

+

Sets the value to be used as the DNSKEY TTL for the zone or zones being analyzed when determining whether there is a possibility of validation failure. When a key is rolled (that
@@ -119,12 +151,12 @@ the new key is activated and begins generating signatures. If that condition does not apply, a warning will be generated.

-

+

The length of the TTL can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-

+

This option is not necessary if -f has been used to specify a zone file from which the TTL of the DNSKEY RRset can be read, or if a default key TTL was
@@ -133,15 +165,15 @@ this option may still be used; it will override the values found in the zone file or the key file.

-

+

If this option is not used and the key TTL cannot be retrieved from the zone file or the key file, then a warning is generated and a default value of 1 day is used.

-
+
-r resign interval
-

+

Sets the value to be used as the resign interval for the zone or zones being analyzed when determining whether there is a possibility of validation failure. This value defaults to
@@ -151,37 +183,54 @@ named.conf, then it should also be changed here.

-

+

The length of the interval can be set in seconds, or in larger units of time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

-
+
-k
-

+

+

Only check KSK coverage; ignore ZSK events. Cannot be used with -z. -

+

+
-z
-

+

+

Only check ZSK coverage; ignore KSK events. Cannot be used with -k. -

+

+
-c compilezone path
-

+

+

Specifies a path to a named-compilezone binary. Used for testing. -

+

+
-
-
+
+ +

SEE ALSO

-

- dnssec-checkds(8), - dnssec-dsfromkey(8), - dnssec-keygen(8), - dnssec-signzone(8) + +

+ + dnssec-checkds(8) + , + + dnssec-dsfromkey(8) + , + + dnssec-keygen(8) + , + + dnssec-signzone(8) +

-
+
+
diff --git a/bin/python/dnssec-keymgr.html b/bin/python/dnssec-keymgr.html
index 012d622330..c8409a8281 100644
--- a/bin/python/dnssec-keymgr.html
+++ b/bin/python/dnssec-keymgr.html
@@ -14,24 +14,49 @@
-
+ + + + + +

Name

-

dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy

-
-
-

Synopsis

-

dnssec-keymgr [-K directory] [-c file] [-f] [-k] [-q] [-v] [-z] [-g path] [-r path] [-s path] [zone...]

-
-
-

DESCRIPTION

+ dnssec-keymgr + — Ensures correct DNSKEY coverage for a zone based on a defined policy +

+
+ + + +
+

Synopsis

+

+ dnssec-keymgr + [-K directory] + [-c file] + [-f] + [-k] + [-q] + [-v] + [-z] + [-g path] + [-r path] + [-s path] + [zone...] +

+
+ +
+

DESCRIPTION

+

dnssec-keymgr is a high level Python wrapper to facilitate the key rollover process for zones handled by BIND. It uses the BIND commands for manipulating DNSSEC key metadata: dnssec-keygen and dnssec-settime.

-

+

DNSSEC policy can be read from a configuration file (default /etc/dnssec-policy.conf), from which the key parameters, publication and rollover schedule, and desired
@@ -39,14 +64,14 @@ file may be used to define individual DNSSEC policies on a per-zone basis, or to set a default policy used for all zones.

-

+

When dnssec-keymgr runs, it examines the DNSSEC keys for one or more zones, comparing their timing metadata against the policies for those zones. If key settings do not conform to the DNSSEC policy (for example, because the policy has been changed), they are automatically corrected.

-

+

A zone policy can specify a duration for which we want to ensure the key correctness (coverage). It can also specify a rollover period (roll-period).
@@ -54,37 +79,41 @@ coverage period ends, then a successor key will automatically be created and added to the end of the key series.

-

+

If zones are specified on the command line, dnssec-keymgr will examine only those zones. If a specified zone does not already have keys in place, then keys will be generated for it according to policy.

-

+

If zones are not specified on the command line, then dnssec-keymgr will search the key directory (either the current working directory or the directory set by the -K option), and check the keys for all the zones represented in the directory.

-

+

It is expected that this tool will be run automatically and unattended (for example, by cron).

-
-
+
+ +

OPTIONS

-
+
-c file
-

+

+

If -c is specified, then the DNSSEC policy is read from file. (If not specified, then the policy is read from /etc/dnssec-policy.conf; if that file doesn't exist, a built-in global default policy is used.) -

+

+
-f
-

+

+

Force: allow updating of key events even if they are already in the past. This is not recommended for use with zones in which keys have already been published. However,
@@ -93,65 +122,86 @@ keys have not been published in a zone as yet, then this option can be used to clean them up and turn them into a proper series of keys with appropriate rollover intervals. -

+

+
-g keygen-path
-

+

+

Specifies a path to a dnssec-keygen binary. Used for testing. See also the -s option. -

+

+
-h
-

+

+

Print the dnssec-keymgr help summary and exit. -

+

+
-K directory
-

+

+

Sets the directory in which keys can be found. Defaults to the current working directory. -

+

+
-k
-

+

+

Only apply policies to KSK keys. See also the -z option. -

+

+
-q
-

+

+

Quiet: suppress printing of dnssec-keygen and dnssec-settime. -

+

+
-r randomdev
-

+

+

Specifies a path to a file containing random data. This is passed to the dnssec-keygen binary using its -r option. -

+

+
-s settime-path
-

+

+

Specifies a path to a dnssec-settime binary. Used for testing. See also the -g option. -

+

+
-v
-

+

+

Print the dnssec-keymgr version and exit. -

+

+
-z
-

+

+

Only apply policies to ZSK keys. See also the -k option. -

+

+
-
-
+
+ +

POLICY CONFIGURATION

-

+

The dnssec-policy.conf file can specify three kinds of policies:

-
    -
  • +

      +
    • +

      Policy classes (policy name { ... };) can be inherited by zone policies or other policy classes; these
@@ -160,33 +210,41 @@ 1024-bit key sizes, but a class extra might specify 2048 bits instead; extra would be used for zones that had unusually high security needs. -

    • -
    • +

      +
    • +
    • +

      Algorithm policies: (algorithm-policy algorithm { ... }; ) override default per-algorithm settings. For example, by default, RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This can be modified using algorithm-policy, and the new key sizes would then be used for any key of type RSASHA256. -

    • -
    • +

      +
    • +
    • +

      Zone policies: (zone name { ... }; ) set policy for a single zone by name. A zone policy can inherit a policy class by including a policy option. -

    • +

      +
    -

    +

    Options that can be specified in policies:

    -
    +
    algorithm
    -

    +

    +

    The key algorithm. If no policy is defined, the default is RSASHA256. -

    +

    +
    coverage
    -

    +

    +

      The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. This can be represented as a number of seconds, or as a duration using
@@ -194,82 +252,112 @@ A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is six months. -

    +

    +
    directory
    -

    +

    +

    Specifies the directory in which keys should be stored. -

    +

    +
    key-size
    -

    +

    +

    Specifies the number of bits to use in creating keys. Takes two arguments: keytype (eihter "zsk" or "ksk") and size. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA. -

    +

    +
    keyttl
    -

    +

    +

    The key TTL. If no policy is defined, the default is one hour. -

    +

    +
    post-publish
    -

    +

    +

    How long after inactivation a key should be deleted from the zone. Note: If roll-period is not set, this value is ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month. -

    +

    +
    pre-publish
    -

    +

    +

    How long before activation a key should be published. Note: If roll-period is not set, this value is ignored. Takes two arguments: keytype (either "zsk" or "ksk") and a duration. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month. -

    +

    +
    roll-period
    -

    +

    +

    How frequently keys should be rolled over. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is one year for ZSK's. KSK's do not roll over by default. -

    +

    +
    standby
    -

    +

    +

    Not yet implemented. -

    +

    +
    -
    -
    +
    + +

    REMAINING WORK

    -
      -
    • +

        +
      • +

        Enable scheduling of KSK rollovers using the -P sync and -D sync options to dnssec-keygen and dnssec-settime. Check the parent zone (as in dnssec-checkds) to determine when it's safe for the key to roll. -

      • -
      • +

        +
      • +
      • +

        Allow configuration of standby keys and use of the REVOKE bit, for keys that use RFC 5011 semantics. -

      • +

        +
      -
    -
    +
    + +

    SEE ALSO

    -

    - dnssec-coverage(8), - dnssec-keygen(8), - dnssec-settime(8), - dnssec-checkds(8) +

    + + dnssec-coverage(8) + , + + dnssec-keygen(8) + , + + dnssec-settime(8) + , + + dnssec-checkds(8) +

    -
    +
    +
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index 208b507898..8c51be80ce 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,17 +14,32 @@
-
+ + + + + +

Name

-

rndc.conf — rndc configuration file

+

+ rndc.conf + — rndc configuration file +

-
+ + + +

Synopsis

-

rndc.conf

-
-
+

+ rndc.conf +

+
+ +

DESCRIPTION

-

rndc.conf is the configuration file + +

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to named.conf. Statements are enclosed @@ -32,21 +47,21 @@ the statements are also semi-colon terminated. The usual comment styles are supported:

-

+

C style: /* */

-

+

C++ style: // to end of line

-

+

Unix style: # to end of line

-

rndc.conf is much simpler than +

rndc.conf is much simpler than named.conf. The file uses three statements: an options statement, a server statement and a key statement.

-

+

The options statement contains five clauses. The default-server clause is followed by the name or address of a name server. This host will be used when @@ -69,7 +84,7 @@ can be used to set the IPv4 and IPv6 source addresses respectively.

-

+

After the server keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: @@ -83,7 +98,7 @@ of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.

-

+

The key statement begins with an identifying string, the name of the key. The statement has two clauses. algorithm identifies the authentication algorithm @@ -94,7 +109,7 @@ the base-64 encoding of the algorithm's authentication key. The base-64 string is enclosed in double quotes.

-

+

There are two common ways to generate the base-64 string for the secret. The BIND 9 program rndc-confgen can @@ -107,10 +122,13 @@ ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.

-
-
+
+ +

EXAMPLE

-
+
+
+    
       options {
         default-server  localhost;
         default-key     samplekey;
@@ -118,14 +136,14 @@
 

-
+    
       server localhost {
         key             samplekey;
       };
 

-
+    
       server testserver {
         key		testkey;
         addresses	{ localhost port 5353; };
@@ -133,7 +151,7 @@
 

-
+    
       key samplekey {
         algorithm       hmac-sha256;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
@@ -141,7 +159,7 @@
 

-
+    
       key testkey {
         algorithm	hmac-sha256;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
@@ -149,7 +167,8 @@
     

-

+ +

In the above example, rndc will by default use the server at localhost (127.0.0.1) and the key called samplekey. @@ -159,16 +178,16 @@ uses the HMAC-SHA256 algorithm and its secret clause contains the base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.

-

+

If rndc -s testserver is used then rndc will connect to server on localhost port 5353 using the key testkey.

-

+

To generate a random secret with rndc-confgen:

-

rndc-confgen +

rndc-confgen

-

+

A complete rndc.conf file, including the randomly generated key, will be written to the standard @@ -176,29 +195,40 @@ controls statements for named.conf are also printed.

-

+

To generate a base-64 secret with mmencode:

-

echo "known plaintext for a secret" | mmencode +

echo "known plaintext for a secret" | mmencode

-
-
+
+ +

NAME SERVER CONFIGURATION

-

+ +

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf file, using the controls statement in named.conf. See the sections on the controls statement in the BIND 9 Administrator Reference Manual for details.

-
-
+
+ +

SEE ALSO

-

rndc(8), - rndc-confgen(8), - mmencode(1), + +

+ rndc(8) + , + + rndc-confgen(8) + , + + mmencode(1) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index d4dd9c303b..63e02d326a 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,17 +14,42 @@
-
+ + + + + +

Name

-

rndc — name server control utility

+

+ rndc + — name server control utility +

-
+ + + +

Synopsis

-

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-r] [-V] [-y key_id] {command}

-
-
+

+ rndc + [-b source-address] + [-c config-file] + [-k key-file] + [-s server] + [-p port] + [-q] + [-r] + [-V] + [-y key_id] + {command} +

+
+ +

DESCRIPTION

-

rndc + +

rndc controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If @@ -33,7 +58,7 @@ supported commands and the available options and their arguments.

-

rndc +

rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of @@ -47,30 +72,38 @@ over the channel must be signed by a key_id known to the server.

-

rndc +

rndc reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.

-
-
+
+ +

OPTIONS

-
+ + +
-b source-address
-

+

+

Use source-address as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses. -

+

+
-c config-file
-

+

+

Use config-file as the configuration file instead of the default, /etc/rndc.conf. -

+

+
-k key-file
-

+

+

Use key-file as the key file instead of the default, /etc/rndc.key. The key in @@ -78,40 +111,52 @@ authenticate commands sent to the server if the config-file does not exist. -

+

+
-s server
-

server is +

+

server is the name or address of the server which matches a server statement in the configuration file for rndc. If no server is supplied on the command line, the host named by the default-server clause in the options statement of the rndc configuration file will be used. -

+

+
-p port
-

+

+

Send commands to TCP port port instead of BIND 9's default control channel port, 953. -

+

+
-q
-

+

+

Quiet mode: Message text returned by the server will not be printed except when there is an error. -

+

+
-r
-

+

+

Instructs rndc to print the result code returned by named after executing the requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc). -

+

+
-V
-

+

+

Enable verbose logging. -

+

+
-y key_id
-

+

+

Use the key key_id from the configuration file. key_id @@ -127,22 +172,26 @@ which are used to send authenticated control commands to name servers. It should therefore not have general read or write access. -

+

+
-
-
+
+ +

COMMANDS

-

+ +

A list of commands supported by rndc can be seen by running rndc without arguments.

-

+

Currently supported commands are:

-
+ +
addzone zone [class [view]] configuration
-

+

Add a zone while the server is running. This command requires the allow-new-zones option to be set @@ -152,7 +201,7 @@ configuration text that would ordinarily be placed in named.conf.

-

+

The configuration is saved in a file called name.nzf, where name is the @@ -165,28 +214,28 @@ configuration, so that zones that were added can persist after a restart.

-

+

This sample addzone command would add the zone example.com to the default view:

-

+

$ rndc addzone example.com '{ type master; file "example.com.db"; };'

-

+

(Note the brackets and semi-colon around the zone configuration text.)

-

+

See also rndc delzone and rndc modzone.

-
+
delzone [-clean] zone [class [view]]
-

+

Delete a zone while the server is running.

-

+

If the -clean argument is specified, the zone's master file (and journal file, if any) will be deleted along with the zone. Without the @@ -196,7 +245,7 @@ be cleaned up will be reported in the output of the rndc delzone command.)

-

+

If the zone was originally added via rndc addzone, then it will be removed permanently. However, if it was originally @@ -206,12 +255,13 @@ come back. To remove it permanently, it must also be removed from named.conf

-

+

See also rndc addzone and rndc modzone.

-
+
dnstap ( -reopen | -roll [number] )
-

+

+

Close and re-open DNSTAP output files. rndc dnstap -reopen allows the output file to be renamed externally, so @@ -222,9 +272,11 @@ previous most recent output file is moved to ".1", and so on. If number is specified, then the number of backup log files is limited to that number. -

+

+
dumpdb [-all|-cache|-zone|-adb|-bad|-fail] [view ...]
-

+

+

Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is @@ -232,26 +284,33 @@ views are dumped. (See the dump-file option in the BIND 9 Administrator Reference Manual.) -

+

+
flush
-

+

+

Flushes the server's cache. -

+

+
flushname name [view]
-

+

+

Flushes the given name from the view's DNS cache and, if applicable, from the view's nameserver address database, bad server cache and SERVFAIL cache. -

+

+
flushtree name [view]
-

+

+

Flushes the given name, and all of its subdomains, from the view's DNS cache, address database, bad server cache, and SERVFAIL cache. -

+

+
freeze [zone [class [view]]]
-

+

Suspend updates to a dynamic zone. If no zone is specified, then all zones are suspended. This allows manual edits to be made to a zone normally updated by @@ -260,13 +319,13 @@ All dynamic update attempts will be refused while the zone is frozen.

-

+

See also rndc thaw.

-
+
halt [-p]
-

+

Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the @@ -275,13 +334,13 @@ This allows an external process to determine when named had completed halting.

-

+

See also rndc stop.

-
+
loadkeys zone [class [view]]
-

+

Fetch all DNSSEC keys for the given zone from the key directory. If they are within their publication period, merge them into the @@ -290,7 +349,7 @@ immediately re-signed by the new keys, but is allowed to incrementally re-sign over time.

-

+

This command requires that the auto-dnssec zone option be set to maintain, @@ -299,9 +358,10 @@ (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)

-
+
managed-keys (status | refresh | sync) [class [view]]
-

+

+

When run with the "status" keyword, print the current status of the managed-keys database for the specified view, or for all views if none is specified. When run @@ -311,10 +371,11 @@ immediate dump of the managed-keys database to disk (in the file managed-keys.bind or (viewname.mkeys). -

+

+
modzone zone [class [view]] configuration
-

+

Modify the configuration of a zone while the server is running. This command requires the allow-new-zones option to be @@ -325,7 +386,7 @@ configuration text that would ordinarily be placed in named.conf.

-

+

If the zone was originally added via rndc addzone, the configuration changes will be recorded permanently and will still be @@ -338,30 +399,32 @@ permanent, it must also be modified in named.conf

-

+

See also rndc addzone and rndc delzone.

-
+
notify zone [class [view]]
-

+

+

Resend NOTIFY messages for the zone. -

+

+
notrace
-

+

Sets the server's debugging level to 0.

-

+

See also rndc trace.

-
+
nta [( -d | -f | -r | -l duration)] domain [view]
-

+

Sets a DNSSEC negative trust anchor (NTA) for domain, with a lifetime of duration. The default lifetime is @@ -369,7 +432,7 @@ nta-lifetime option, and defaults to one hour. The lifetime cannot exceed one week.

-

+

A negative trust anchor selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than @@ -380,7 +443,7 @@ insecure rather than bogus. This continues until the NTA's lifetime is elapsed.

-

+

NTAs persist across restarts of the named server. The NTAs for a view are saved in a file called name.nta, @@ -390,11 +453,11 @@ cryptographic hash generated from the name of the view.

-

+

An existing NTA can be removed by using the -remove option.

-

+

An NTA's lifetime can be specified with the -lifetime option. TTL-style suffixes can be used to specify the lifetime in @@ -403,13 +466,13 @@ new value. Setting lifetime to zero is equivalent to -remove.

-

+

If -dump is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up).

-

+

Normally, named will periodically test to see whether data below an NTA can now be validated (see the nta-recheck option @@ -421,20 +484,20 @@ lifetime, regardless of whether data could be validated if the NTA were not present.

-

+

All of these options can be shortened, i.e., to -l, -r, -d, and -f.

-
+
querylog [on|off]
-

+

Enable or disable query logging. (For backward compatibility, this command can also be used without an argument to toggle query logging on and off.)

-

+

Query logging can also be enabled by explicitly directing the queries category to a @@ -445,9 +508,10 @@ options section of named.conf.

-
+
reconfig
-

+

+

Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. @@ -455,34 +519,43 @@ is a large number of zones because it avoids the need to examine the modification times of the zones files. -

+

+
recursing
-

+

+

Dump the list of queries named is currently recursing on, and the list of domains to which iterative queries are currently being sent. (The second list includes the number of fetches currently active for the given domain, and how many have been passed or dropped because of the fetches-per-zone option.) -

+

+
refresh zone [class [view]]
-

+

+

Schedule zone maintenance for the given zone. -

+

+
reload
-

+

+

Reload configuration file and zones. -

+

+
reload zone [class [view]]
-

+

+

Reload the given zone. -

+

+
retransfer zone [class [view]]
-

+

Retransfer the given slave zone from the master server.

-

+

If the zone is configured to use inline-signing, the signed version of the zone is discarded; after the @@ -490,22 +563,24 @@ signed version will be regenerated with all new signatures.

-
+
scan
-

+

+

Scan the list of available network interfaces for changes, without performing a full reconfig or waiting for the interface-interval timer. -

+

+
secroots [-] [view ...]
-

+

Dump the server's security roots and negative trust anchors for the specified views. If no view is specified, all views are dumped.

-

+

If the first argument is "-", then the output is returned via the rndc response channel and printed to the standard output. @@ -514,22 +589,22 @@ overridden via the secroots-file option in named.conf.

-

+

See also rndc managed-keys.

-
+
showzone zone [class [view]]
-

+

Print the configuration of a running zone.

-

+

See also rndc zonestatus.

-
+
sign zone [class [view]]
-

+

Fetch all DNSSEC keys for the given zone from the key directory (see the key-directory option in @@ -539,7 +614,7 @@ is changed, then the zone is automatically re-signed with the new key set.

-

+

This command requires that the auto-dnssec zone option be set to allow or @@ -549,13 +624,13 @@ (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)

-

+

See also rndc loadkeys.

-
+
signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) | -serial value ) ] zone [class [view]]
-

+

List, edit, or remove the DNSSEC signing state records for the specified zone. The status of ongoing DNSSEC operations (such as signing or generating @@ -568,7 +643,7 @@ or have finished signing the zone, and which NSEC3 chains are being created or removed.

-

+

rndc signing -clear can remove a single key (specified in the same format that rndc signing -list uses to @@ -577,7 +652,7 @@ that a key has not yet finished signing the zone will be retained.

-

+

rndc signing -nsec3param sets the NSEC3 parameters for a zone. This is the only supported mechanism for using NSEC3 with @@ -586,7 +661,7 @@ an NSEC3PARAM resource record: hash algorithm, flags, iterations, and salt, in that order.

-

+

Currently, the only defined value for hash algorithm is 1, representing SHA-1. The flags may be set to @@ -601,7 +676,7 @@ which causes named to generate a random 64-bit salt.

-

+

So, for example, to create an NSEC3 chain using the SHA-1 hash algorithm, no opt-out flag, 10 iterations, and a salt value of "FFFF", use: @@ -610,36 +685,40 @@ salt, use: rndc signing -nsec3param 1 1 15 - zone.

-

+

rndc signing -nsec3param none removes an existing NSEC3 chain and replaces it with NSEC.

-

+

rndc signing -serial value sets the serial number of the zone to value. If the value would cause the serial number to go backwards it will be rejected. The primary use is to set the serial on inline signed zones.

-
+
stats
-

+

+

Write server statistics to the statistics file. (See the statistics-file option in the BIND 9 Administrator Reference Manual.) -

+

+
status
-

+

+

Display status of the server. Note that the number of zones includes the internal bind/CH zone and the default ./IN hint zone if there is not an explicit root zone configured. -

+

+
stop [-p]
-

+

Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. @@ -647,18 +726,20 @@ This allows an external process to determine when named had completed stopping.

-

See also rndc halt.

-
+

See also rndc halt.

+
sync [-clean] [zone [class [view]]]
-

+

+

Sync changes in the journal file for a dynamic zone to the master file. If the "-clean" option is specified, the journal file is also removed. If no zone is specified, then all zones are synced. -

+

+
thaw [zone [class [view]]]
-

+

Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone @@ -672,47 +753,55 @@ zone has changed, any existing journal file will be removed.

-

See also rndc freeze.

-
+

See also rndc freeze.

+
trace
-

+

+

Increment the servers debugging level by one. -

+

+
trace level
-

+

Sets the server's debugging level to an explicit value.

-

+

See also rndc notrace.

-
+
tsig-delete keyname [view]
-

+

+

Delete a given TKEY-negotiated key from the server. (This does not apply to statically configured TSIG keys.) -

+

+
tsig-list
-

+

+

List the names of all TSIG keys currently configured for use by named in each view. The list both statically configured keys and dynamic TKEY-negotiated keys. -

+

+
validation ( on | off | check ) [view ...]
-

+

+

Enable, disable, or check the current status of DNSSEC validation. Note dnssec-enable also needs to be set to yes or auto to be effective. It defaults to enabled. -

+

+
zonestatus zone [class [view]]
-

+

Displays the current status of the given zone, including the master file name and any include files from which it was loaded, when it was most @@ -723,31 +812,46 @@ management or inline signing, and the scheduled refresh or expiry times for the zone.

-

+

See also rndc showzone.

-
+
-
-
+
+ +

LIMITATIONS

-

+ +

There is currently no way to provide the shared secret for a key_id without using the configuration file.

-

+

Several error messages could be clearer.

-
-
+
+ +

SEE ALSO

-

rndc.conf(5), - rndc-confgen(8), - named(8), - named.conf(5), - ndc(8), + +

+ rndc.conf(5) + , + + rndc-confgen(8) + , + + named(8) + , + + named.conf(5) + , + + ndc(8) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/tools/arpaname.html b/bin/tools/arpaname.html
index 104b50c198..7024a126c5 100644
--- a/bin/tools/arpaname.html
+++ b/bin/tools/arpaname.html
@@ -14,26 +14,44 @@
-
+ + + + +

Name

-

arpaname — translate IP addresses to the corresponding ARPA names

-
-
-

Synopsis

-

arpaname {ipaddress ...}

-
-
-

DESCRIPTION

+ arpaname + — translate IP addresses to the corresponding ARPA names +

+
+ + + +
+

Synopsis

+

+ arpaname + {ipaddress ...} +

+
+ +
+

DESCRIPTION

+ +

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-
-
+
+ +

SEE ALSO

-

+ +

BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/tools/dnstap-read.html b/bin/tools/dnstap-read.html
index 1c7924a876..5e975c2561 100644
--- a/bin/tools/dnstap-read.html
+++ b/bin/tools/dnstap-read.html
@@ -14,17 +14,36 @@
-
+ + + + + +

Name

-

dnstap-read — print dnstap data in human-readable form

-
-
-

Synopsis

-

dnstap-read [-m] [-p] [-y] {file}

-
-
-

DESCRIPTION

+ dnstap-read + — print dnstap data in human-readable form +

+
+ + + +
+

Synopsis

+

+ dnstap-read + [-m] + [-p] + [-y] + {file} +

+
+ +
+

DESCRIPTION

+ +

dnstap-read reads dnstap data from a specified file and prints it in a human-readable format. By default, @@ -32,34 +51,50 @@ format, but if the -y option is specified, then a longer and more detailed YAML format is used instead.

-
-
+
+ +

OPTIONS

-
+ + +
-m
-

+

+

Trace memory allocations; used for debugging memory leaks. -

+

+
-p
-

+

+

After printing the dnstap data, print the text form of the DNS message that was encapsulated in the dnstap frame. -

+

+
-y
-

+

+

Print dnstap data in a detailed YAML format. Implies -p. -

+

+
-
-
+
+ +

SEE ALSO

-

- named(8), - rndc(8), + +

+ + named(8) + , + + rndc(8) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/tools/genrandom.html b/bin/tools/genrandom.html
index b47ea3385e..d2b64a7153 100644
--- a/bin/tools/genrandom.html
+++ b/bin/tools/genrandom.html
@@ -14,47 +14,80 @@
-
+ + + + + +

Name

-

genrandom — generate a file containing random data

-
-
-

Synopsis

-

genrandom [-n number] {size} (unknown)

-
-
-

DESCRIPTION

+ genrandom + — generate a file containing random data +

+
+ + + +
+

Synopsis

+

+ genrandom + [-n number] + {size} + (unknown) +

+
+ +
+

DESCRIPTION

+ +

genrandom generates a file or a set of files containing a specified quantity of pseudo-random data, which can be used as a source of entropy for other commands on systems with no random device.

-
-
+
+ +

ARGUMENTS

-
+ +
-n number
-

+

+

In place of generating one file, generates number (from 2 to 9) files, appending number to the name. -

+

+
size
-

+

+

The size of the file, in kilobytes, to generate. -

+

+
filename
-

+

+

The file name into which random data should be written. -

+

+
-
-
+
+ +

SEE ALSO

-

- rand(3), - arc4random(3) + +

+ + rand(3) + , + + arc4random(3) +

-
+
+
diff --git a/bin/tools/isc-hmac-fixup.html b/bin/tools/isc-hmac-fixup.html
index 4a9f17cb37..b95b0e0fc9 100644
--- a/bin/tools/isc-hmac-fixup.html
+++ b/bin/tools/isc-hmac-fixup.html
@@ -14,17 +14,34 @@
-
+ + + + + +

Name

-

isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND

-
-
-

Synopsis

-

isc-hmac-fixup {algorithm} {secret}

-
-
-

DESCRIPTION

+ isc-hmac-fixup + — fixes HMAC keys generated by older versions of BIND +

+
+ + + +
+

Synopsis

+

+ isc-hmac-fixup + {algorithm} + {secret} +

+
+ +
+

DESCRIPTION

+ +

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys @@ -32,13 +49,13 @@ message authentication code that was incompatible with other DNS implementations.

-

+

This bug has been fixed in BIND 9.7. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys. isc-hmac-fixup modifies those keys to restore compatibility.

-

+

To modify a key, run isc-hmac-fixup and specify the key's algorithm and secret on the command line. If the secret is longer than the digest length of the algorithm (64 bytes @@ -47,10 +64,12 @@ secret. (If the secret did not require conversion, then it will be printed without modification.)

-
-
+
+ +

SECURITY CONSIDERATIONS

-

+ +

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security. RFC 2104 notes, @@ -58,13 +77,16 @@ extra length would not significantly increase the function strength."

-
-
+
+ +

SEE ALSO

-

+ +

BIND 9 Administrator Reference Manual, RFC 2104.

-
+
+
diff --git a/bin/tools/mdig.html b/bin/tools/mdig.html
index dd63756a54..720a303a7a 100644
--- a/bin/tools/mdig.html
+++ b/bin/tools/mdig.html
@@ -14,29 +14,66 @@
-
+ + + +

Name

-

mdig — DNS pipelined lookup utility

+

+ mdig + — DNS pipelined lookup utility +

-
+ + + +

Synopsis

-

mdig {@server} [-f filename] [-h] [-v] [-4] [-6] [-b address] [-p port#] [-c class] [-t type] [-i] [-x addr] [plusopt...]

-

mdig {-h}

-

mdig [@server] {global-opt...} { +

+ mdig + {@server} + [-f filename] + [-h] + [-v] + [-4] + [-6] + [-b address] + [-p port#] + [-c class] + [-t type] + [-i] + [-x addr] + [plusopt...] +

+ +

+ mdig + {-h} +

+ +

+ mdig + [@server] + {global-opt...} + { {local-opt...} {query} - ...}

-
-
+ ...} +

+
+ +

DESCRIPTION

-

mdig + +

mdig is a multiple/pipelined query version of dig: instead of waiting for a response after sending each query, it begins by sending all queries. Responses are displayed in the order in which they are received, not in the order the corresponding queries were sent.

-

+ +

mdig options are a subset of the dig options, and are divided into "anywhere options" which can occur anywhere, "global options" which must @@ -44,7 +81,8 @@ and "local options" which apply to the next query on the command line.

-

+ +

The {@server} option is a mandatory global option. It is the name or IP address of the name server to query. (Unlike dig, this value is not retrieved from @@ -55,14 +93,16 @@ mdig resolves that name before querying the name server.

-

mdig + +

mdig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.

-

+ +

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string no @@ -70,10 +110,13 @@ values to options like the timeout interval. They have the form +keyword=value.

-
-
+
+ +

ANYWHERE OPTIONS

-

+ + +

The -f option makes mdig operate in batch mode by reading a list of lookup requests to process from the file filename. The file @@ -81,33 +124,41 @@ file should be organized in the same way they would be presented as queries to mdig using the command-line interface.

-

+ +

The -h causes mdig to print the detailed help with the full list of options and exit.

-

+ +

The -v causes mdig to print the version number and exit.

-
-
+
+ +

GLOBAL OPTIONS

-

+ + +

The -4 option forces mdig to only use IPv4 query transport.

-

+ +

The -6 option forces mdig to only use IPv6 query transport.

-

+ +

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

-

+ +

The -p option is used when a non-standard port number is to be queried. port# is the port number @@ -116,51 +167,69 @@ test a name server that has been configured to listen for queries on a non-standard port number.

-

+ +

The global query options are:

+[no]additional
-

+

+

Display [do not display] the additional section of a reply. The default is to display it. -

+

+
+[no]all
-

+

+

Set or clear all display flags. -

+

+
+[no]answer
-

+

+

Display [do not display] the answer section of a reply. The default is to display it. -

+

+
+[no]authority
-

+

+

Display [do not display] the authority section of a reply. The default is to display it. -

+

+
+[no]besteffort
-

+

+

Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -

+

+
+[no]cl
-

+

+

Display [do not display] the CLASS when printing the record. -

+

+
+[no]comments
-

+

+

Toggle the display of comment lines in the output. The default is to print comments. -

+

+
+[no]continue
-

+

+

Continue on errors (e.g. timeouts). -

+

+
+[no]crypto
-

+

+

Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing @@ -169,41 +238,53 @@ are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]". -

+

+
+dscp[=value]
-

+

+

Set the DSCP code point to be used when sending the query. Valid DSCP code points are in the range [0..63]. By default no code point is explicitly set. -

+

+
+[no]multiline
-

+

+

Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the mdig output. -

+

+
+[no]question
-

+

+

Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. -

+

+
+[no]rrcomments
-

+

+

Toggle the display of per-record comments in the output (for example, human-readable key information about DNSKEY records). The default is not to print record comments unless multiline mode is active. -

+

+
+[no]short
-

+

+

Provide a terse answer. The default is to print the answer in a verbose form. -

+

+
+split=W
-

+

+

Split long hex- or base64-formatted fields in resource records into chunks of W characters (where W is rounded @@ -212,54 +293,69 @@ +split=0 causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active. -

+

+
+[no]tcp
-

+

+

Use [do not use] TCP when querying name servers. The default behavior is to use UDP. -

+

+
+[no]ttlid
-

+

+

Display [do not display] the TTL when printing the record. -

+

+
+[no]ttlunits
-

+

+

Display [do not display] the TTL in friendly human-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks. Implies +ttlid. -

+

+
+[no]vc
-

+

+

Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit". -

+

+

-
-
+
+ +

LOCAL OPTIONS

-

+ + +

The -c option sets the query class to class. It can be any valid query class which is supported in BIND 9. The default query class is "IN".

-

+ +

The -t option sets the query type to type. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the -x option is supplied to indicate a reverse lookup with the "PTR" query type.

-

+ +

The -i option sets the reverse domain for IPv6 addresses to IP6.INT.

-

+ +

Reverse lookups — mapping addresses to names — are simplified by the -x option. addr is an IPv4
@@ -271,20 +367,26 @@ under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the -i option.

-

+ +

The local query options are:

+[no]aaflag
-

+

+

A synonym for +[no]aaonly. -

+

+
+[no]aaonly
-

+

+

Sets the "aa" flag in the query. -

+

+
+[no]adflag
-

+

+

Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all
@@ -294,87 +396,110 @@ from a OPT-OUT range. AD=0 indicate that some part of the answer was insecure or not validated. This bit is set by default. -

+

+
+bufsize=B
-

+

+

Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent. -

+

+
+[no]cdflag
-

+

+

Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -

+

+
+[no]cookie[=####]
-

+

+

Send a COOKIE EDNS option, with optional value. Replaying a COOKIE from a previous response will allow the server to identify a previous client. The default is +nocookie. -

+

+
+[no]dnssec
-

+

+

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -

+

+
+[no]edns[=#]
-

+

+

Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +noedns clears the remembered EDNS version. EDNS is set to 0 by default. -

+

+
+[no]ednsflags[=#]
-

+

+

Set the must-be-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set. -

+

+
+[no]ednsopt[=code[:value]]
-

+

+

Specify EDNS option with code point code and optionally payload of value as a hexadecimal string. +noednsopt clears the EDNS options to be sent. -

+

+
+[no]expire
-

+

+

Send an EDNS Expire option. -

+

+
+[no]nsid
-

+

+

Include an EDNS name server ID request when sending a query. -

+

+
+[no]recurse
-

+

+

Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means mdig normally sends recursive queries. -

+

+
+retry=T
-

+

+

Sets the number of times to retry UDP queries to server to T instead of the default, 2. Unlike +tries, this does not include the initial query. -

+

+
+[no]subnet=addr[/prefix-length]
-

+

Send (don't send) an EDNS Client Subnet option with the specified IP address or network prefix.

-

+

mdig +subnet=0.0.0.0/0, or simply mdig +subnet=0 for short, sends an EDNS client-subnet option with an empty address and a source
@@ -383,49 +508,63 @@ not be used when resolving this query.

-
+
+timeout=T
-

+

+

Sets the timeout for a query to T seconds. The default timeout is 5 seconds for UDP transport and 10 for TCP. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied. -

+

+
+tries=T
-

+

+

Sets the number of times to try UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of tries is silently rounded up to 1. -

+

+
+udptimeout=T
-

+

+

Sets the timeout between UDP query retries. -

+

+
+[no]unknownformat
-

+

+

Print all RDATA in unknown RR type presentation format (RFC 3597). The default is to print RDATA for known types in the type's presentation format. -

+

+
+[no]zflag
-

+

+

Set [do not set] the last unassigned DNS header flag in a DNS query. This flag is off by default. -

+

+

-
-
+
+ +

SEE ALSO

-

dig(1), + +

+ dig(1) + , RFC1035.

-
+
diff --git a/bin/tools/named-journalprint.html b/bin/tools/named-journalprint.html
index a515f393a0..89789a11ba 100644
--- a/bin/tools/named-journalprint.html
+++ b/bin/tools/named-journalprint.html
@@ -14,22 +14,38 @@
-
+ + + + + +

Name

-

named-journalprint — print zone journal in human-readable form

-
-
-

Synopsis

-

named-journalprint {journal}

-
-
-

DESCRIPTION

+ named-journalprint + — print zone journal in human-readable form +

+
+ + + +
+

Synopsis

+

+ named-journalprint + {journal} +

+
+ +
+

DESCRIPTION

+ +

named-journalprint prints the contents of a zone journal file in a human-readable form.

-

+

Journal files are automatically created by named when changes are made to dynamic zones (e.g., by nsupdate). They record each addition
@@ -40,21 +56,28 @@ .jnl to the name of the corresponding zone file.

-

+

named-journalprint converts the contents of a given journal file into a human-readable text format. Each line begins with "add" or "del", to indicate whether the record was added or deleted, and continues with the resource record in master-file format.

-
-
+
+ +

SEE ALSO

-

- named(8), - nsupdate(8), + +

+ + named(8) + , + + nsupdate(8) + , BIND 9 Administrator Reference Manual.

-
+
+
diff --git a/bin/tools/named-nzd2nzf.8 b/bin/tools/named-nzd2nzf.8
index a08b8fef64..c9ed0ba948 100644
--- a/bin/tools/named-nzd2nzf.8
+++ b/bin/tools/named-nzd2nzf.8
@@ -1,3 +1,4 @@
+.\" Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/bin/tools/named-nzd2nzf.html b/bin/tools/named-nzd2nzf.html
index 54a0139374..db37200853 100644
--- a/bin/tools/named-nzd2nzf.html
+++ b/bin/tools/named-nzd2nzf.html
@@ -1,5 +1,6 @@