upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-15 22:09:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Convert the documentation to Sphinx documentation format

Browse source 
The ARM and the manpages have been converted into Sphinx documentation
format.

Sphinx uses reStructuredText as its markup language, and many of its
strengths come from the power and straightforwardness of
reStructuredText and its parsing and translating suite, the Docutils.
This commit is contained in:
Ondřej Surý 2019-03-31 12:49:47 +02:00 committed by Ondřej Surý
parent 287f615ae8
commit 9fb6d11abb
405 changed files with 29589 additions and 104814 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
.gitlab-ci.yml
View file

@ -471,17 +471,29 @@ docs:
<<: *release_branch_triggering_rules
<<: *base_image
stage: docs
before_script:
- test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
- test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
- pip3 install pytest requests || pip install pytest requests || true
- pip3 install sphinx sphinx_rtd_theme || pip install sphinx sphinx_rtd_theme
- apt -yqqq update
- apt -yqqq dist-upgrade
- apt -yqqq install texlive-full texlive-xetex latexmk xindy
script:
- ./configure || cat config.log
- make -C doc/misc docbook
- make -C doc/arm Bv9ARM.html
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} -k maintainer-clean V=1
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
- make -j${BUILD_PARALLEL_JOBS:-1} -k doc V=1
needs:
- job: autoreconf
artifacts: true
allow_failure: true
allow_failure: false
artifacts:
paths:
- doc/arm/
- doc/man/
- doc/misc/
expire_in: "1 month"
push:docs:

4
Makefile.am
View file

@ -1,6 +1,6 @@
include $(top_srcdir)/Makefile.top
SUBDIRS = . libltdl lib bin # doc
SUBDIRS = . libltdl lib doc bin
BUILT_SOURCES = bind.keys.h
CLEANFILES = bind.keys.h
@ -9,3 +9,5 @@ bind.keys.h: bind.keys Makefile
${PERL} ${top_srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
dist_sysconf_DATA = bind.keys
.PHONY: doc

51
Makefile.docs Normal file
View file

@ -0,0 +1,51 @@
SPHINX_V = $(SPHINX_V_@AM_V@)
SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
SPHINX_V_0 = -q
SPHINX_V_1 = -n
AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
AM_V_SPHINX_0 = @echo " SPHINX $@";
SPHINXBUILDDIR = $(builddir)/_build
common_SPHINXOPTS = \
-c $(srcdir) \
-a \
$(SPHINX_V)
ALLSPHINXOPTS = \
$(common_SPHINXOPTS) \
-D version="$(PACKAGE_VERSION)" \
-D today="$(RELEASE_DATE)" \
-D release="$(PACKAGE_VERSION)" \
$(SPHINXOPTS) \
$(srcdir)
man_SPHINXOPTS = \
$(common_SPHINXOPTS) \
-D version="@""PACKAGE_VERSION@"\
-D today="@""RELEASE_DATE@" \
-D release="@""PACKAGE_VERSION@"\
$(SPHINXOPTS) \
$(srcdir)
AM_V_SED = $(AM_V_SED_@AM_V@)
AM_V_SED_ = $(AM_V_SED_@AM_DEFAULT_V@)
AM_V_SED_0 = @echo " SED $@";
AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
AM_V_CFG_TEST_0 = @echo " CFG_GEN $@";
AM_V_RST_OPTIONS = $(AM_V_CFG_TEST_@AM_V@)
AM_V_RST_OPTIONS_ = $(AM_V_RST_OPTIONS_@AM_DEFAULT_V@)
AM_V_RST_OPTIONS_0 = @echo " RST_OPTIONS $@";
AM_V_RST_ZONEOPT = $(AM_V_CFG_TEST_@AM_V@)
AM_V_RST_ZONEOPT_ = $(AM_V_RST_ZONEOPT_@AM_DEFAULT_V@)
AM_V_RST_ZONEOPT_0 = @echo " RST_ZONEOPT $@";
AM_V_RST_GRAMMARS = $(AM_V_CFG_TEST_@AM_V@)
AM_V_RST_GRAMMARS_ = $(AM_V_RST_GRAMMARS_@AM_DEFAULT_V@)
AM_V_RST_GRAMMARS_0 = @echo " RST_GRAMMARS $@";

152
bin/check/named-checkconf.8
View file

@ -1,152 +0,0 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: named-checkconf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-10
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\-CHECKCONF" "8" "2014\-01\-10" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
named-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkconf\fR\ 'u
\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a
\fBnamed\fR
configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
/etc/named\&.conf
is read by default\&.
.PP
Note: files that
\fBnamed\fR
reads in separate parser contexts, such as
rndc\&.key
and
bind\&.keys, are not automatically read by
\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
\fBnamed\fR
to fail to run, even if
\fBnamed\-checkconf\fR
was successful\&.
\fBnamed\-checkconf\fR
can be run on these files explicitly, however\&.
.SH "OPTIONS"
.PP
\-h
.RS 4
Print the usage summary and exit\&.
.RE
.PP
\-j
.RS 4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
\-l
.RS 4
List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
.RE
.PP
\-c
.RS 4
Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
\fBplugin\fR
statements to be ignored\&.
.RE
.PP
\-i
.RS 4
Ignore warnings on deprecated options\&.
.RE
.PP
\-p
.RS 4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&. See also the
\fB\-x\fR
option\&.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkconf\fR
program and exit\&.
.RE
.PP
\-x
.RS 4
When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
named\&.conf
and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
\fB\-p\fR\&.
.RE
.PP
\-z
.RS 4
Perform a test load of all master zones found in
named\&.conf\&.
.RE
.PP
filename
.RS 4
The name of the configuration file to be checked\&. If not specified, it defaults to
/etc/named\&.conf\&.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkconf\fR
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed-checkzone\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

229
bin/check/named-checkconf.docbook
View file

@ -1,229 +0,0 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
<info>
<date>2014-01-10</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkconf</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkconf</application></refname>
<refpurpose>named configuration file syntax checking tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named-checkconf</command>
<arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
<arg choice="opt" rep="norepeat"><option>-p</option>
<arg choice="opt" rep="norepeat"><option>-x</option>
</arg></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkconf</command>
checks the syntax, but not the semantics, of a
<command>named</command> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <filename>/etc/named.conf</filename> is read
by default.
</para>
<para>
Note: files that <command>named</command> reads in separate
parser contexts, such as <filename>rndc.key</filename> and
<filename>bind.keys</filename>, are not automatically read
by <command>named-checkconf</command>. Configuration
errors in these files may cause <command>named</command> to
fail to run, even if <command>named-checkconf</command> was
successful. <command>named-checkconf</command> can be run
on these files explicitly, however.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zonefile read the journal if it exists.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>
List all the configured zones. Each line of output
contains the zone name, class (e.g. IN), view, and type
(e.g. master or slave).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c</term>
<listitem>
<para>
Check "core" configuration only. This suppresses the loading
of plugin modules, and causes all parameters to
<command>plugin</command> statements to be ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Ignore warnings on deprecated options.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Print out the <filename>named.conf</filename> and included files
in canonical form if no errors were detected.
See also the <option>-x</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkconf</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
contents of <filename>named.conf</filename> and related
files to be shared &mdash; for example, when submitting
bug reports &mdash; without compromising private data.
This option cannot be used without <option>-p</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Perform a test load of all master zones found in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the configuration file to be checked. If not
specified, it defaults to <filename>/etc/named.conf</filename>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkconf</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

180
bin/check/named-checkconf.html
View file

@ -1,180 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkconf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkconf"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">named-checkconf</span>
&#8212; named configuration file syntax checking tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-checkconf</code>
[<code class="option">-chjlvz</code>]
[<code class="option">-p</code>
[<code class="option">-x</code>
]]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span class="command"><strong>named</strong></span> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <code class="filename">/etc/named.conf</code> is read
by default.
</p>
<p>
Note: files that <span class="command"><strong>named</strong></span> reads in separate
parser contexts, such as <code class="filename">rndc.key</code> and
<code class="filename">bind.keys</code>, are not automatically read
by <span class="command"><strong>named-checkconf</strong></span>. Configuration
errors in these files may cause <span class="command"><strong>named</strong></span> to
fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
successful. <span class="command"><strong>named-checkconf</strong></span> can be run
on these files explicitly, however.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the usage summary and exit.
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd>
<p>
When loading a zonefile read the journal if it exists.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
List all the configured zones. Each line of output
contains the zone name, class (e.g. IN), view, and type
(e.g. master or slave).
</p>
</dd>
<dt><span class="term">-c</span></dt>
<dd>
<p>
Check "core" configuration only. This suppresses the loading
of plugin modules, and causes all parameters to
<span class="command"><strong>plugin</strong></span> statements to be ignored.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Ignore warnings on deprecated options.
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
See also the <code class="option">-x</code> option.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkconf</strong></span>
program and exit.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
contents of <code class="filename">named.conf</code> and related
files to be shared &#8212; for example, when submitting
bug reports &#8212; without compromising private data.
This option cannot be used without <code class="option">-p</code>.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd>
<p>
The name of the configuration file to be checked. If not
specified, it defaults to <code class="filename">/etc/named.conf</code>.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

105
bin/check/named-checkconf.rst Normal file
View file

@ -0,0 +1,105 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_named-checkconf:
named-checkconf - named configuration file syntax checking tool
---------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
Description
~~~~~~~~~~~
``named-checkconf`` checks the syntax, but not the semantics, of a
``named`` configuration file. The file is parsed and checked for syntax
errors, along with all files included by it. If no file is specified,
``/etc/named.conf`` is read by default.
Note: files that ``named`` reads in separate parser contexts, such as
``rndc.key`` and ``bind.keys``, are not automatically read by
``named-checkconf``. Configuration errors in these files may cause
``named`` to fail to run, even if ``named-checkconf`` was successful.
``named-checkconf`` can be run on these files explicitly, however.
Options
~~~~~~~
**-h**
Print the usage summary and exit.
**-j**
When loading a zonefile read the journal if it exists.
**-l**
List all the configured zones. Each line of output contains the zone
name, class (e.g. IN), view, and type (e.g. master or slave).
**-c**
Check "core" configuration only. This suppresses the loading of
plugin modules, and causes all parameters to ``plugin`` statements to
be ignored.
**-i**
Ignore warnings on deprecated options.
**-p**
Print out the ``named.conf`` and included files in canonical form if
no errors were detected. See also the ``-x`` option.
**-t** directory
Chroot to ``directory`` so that include directives in the
configuration file are processed as if run by a similarly chrooted
``named``.
**-v**
Print the version of the ``named-checkconf`` program and exit.
**-x**
When printing the configuration files in canonical form, obscure
shared secrets by replacing them with strings of question marks
('?'). This allows the contents of ``named.conf`` and related files
to be shared MDASH for example, when submitting bug reports MDASH
without compromising private data. This option cannot be used without
``-p``.
**-z**
Perform a test load of all master zones found in ``named.conf``.
filename
The name of the configuration file to be checked. If not specified,
it defaults to ``/etc/named.conf``.
Return Values
~~~~~~~~~~~~~
``named-checkconf`` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.

329
bin/check/named-checkzone.8
View file

@ -1,329 +0,0 @@
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: named-checkzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-19
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\-CHECKZONE" "8" "2014\-02\-19" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
named-checkzone, named-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkzone\fR\ 'u
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP \w'\fBnamed\-compilezone\fR\ 'u
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
checks the syntax and integrity of a zone file\&. It performs the same checks as
\fBnamed\fR
does when loading a zone\&. This makes
\fBnamed\-checkzone\fR
useful for checking zone files before configuring them into a name server\&.
.PP
\fBnamed\-compilezone\fR
is similar to
\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\fR
configuration file\&.
.SH "OPTIONS"
.PP
\-d
.RS 4
Enable debugging\&.
.RE
.PP
\-h
.RS 4
Print the usage summary and exit\&.
.RE
.PP
\-q
.RS 4
Quiet mode \- exit code only\&.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkzone\fR
program and exit\&.
.RE
.PP
\-j
.RS 4
When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
\&.jnl\&.
.RE
.PP
\-J \fIfilename\fR
.RS 4
When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
.RE
.PP
\-c \fIclass\fR
.RS 4
Specify the class of the zone\&. If not specified, "IN" is assumed\&.
.RE
.PP
\-i \fImode\fR
.RS 4
Perform post\-load zone integrity checks\&. Possible modes are
\fB"full"\fR
(default),
\fB"full\-sibling"\fR,
\fB"local"\fR,
\fB"local\-sibling"\fR
and
\fB"none"\fR\&.
.sp
Mode
\fB"full"\fR
checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks MX records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks SRV records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
\fB"local"\fR
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
.sp
Mode
\fB"full\-sibling"\fR
and
\fB"local\-sibling"\fR
disable sibling glue checks but are otherwise the same as
\fB"full"\fR
and
\fB"local"\fR
respectively\&.
.sp
Mode
\fB"none"\fR
disables the checks\&.
.RE
.PP
\-f \fIformat\fR
.RS 4
Specify the format of the zone file\&. Possible formats are
\fB"text"\fR
(default),
\fB"raw"\fR, and
\fB"map"\fR\&.
.RE
.PP
\-F \fIformat\fR
.RS 4
Specify the format of the output file specified\&. For
\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
.sp
Possible formats are
\fB"text"\fR
(default), which is the standard textual representation of the zone, and
\fB"map"\fR,
\fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
\fBnamed\fR\&.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
.RE
.PP
\-k \fImode\fR
.RS 4
Perform
\fB"check\-names"\fR
checks with the specified failure mode\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR\&.
.RE
.PP
\-l \fIttl\fR
.RS 4
Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
\fBmax\-zone\-ttl\fR
option in
named\&.conf\&.
.RE
.PP
\-L \fIserial\fR
.RS 4
When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
.RE
.PP
\-m \fImode\fR
.RS 4
Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-M \fImode\fR
.RS 4
Check if a MX record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-n \fImode\fR
.RS 4
Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR\&.
.RE
.PP
\-o \fIfilename\fR
.RS 4
Write zone output to
filename\&. If
filename
is
\-
then write to standard out\&. This is mandatory for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-r \fImode\fR
.RS 4
Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-s \fIstyle\fR
.RS 4
Specify the style of the dumped zone file\&. Possible styles are
\fB"full"\fR
(default) and
\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
\fBnamed\-checkzone\fR
this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
.RE
.PP
\-S \fImode\fR
.RS 4
Check if a SRV record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-T \fImode\fR
.RS 4
Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR\&.
.RE
.PP
\-w \fIdirectory\fR
.RS 4
chdir to
directory
so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
named\&.conf\&.
.RE
.PP
\-D
.RS 4
Dump zone file in canonical format\&. This is always enabled for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-W \fImode\fR
.RS 4
Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
zonename
.RS 4
The domain name of the zone being checked\&.
.RE
.PP
filename
.RS 4
The name of the zone file\&.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkzone\fR
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed-checkconf\fR(8),
RFC 1035,
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

529
bin/check/named-checkzone.docbook
View file

@ -1,529 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
<info>
<date>2014-02-19</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkzone</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkzone</application></refname>
<refname><application>named-compilezone</application></refname>
<refpurpose>zone file validity checking or converting tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named-checkzone</command>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-compilezone</command>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkzone</command>
checks the syntax and integrity of a zone file. It performs the
same checks as <command>named</command> does when loading a
zone. This makes <command>named-checkzone</command> useful for
checking zone files before configuring them into a name server.
</para>
<para>
<command>named-compilezone</command> is similar to
<command>named-checkzone</command>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <command>named</command>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<command>named</command> configuration file.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Enable debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode - exit code only.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkzone</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <filename>.jnl</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-J <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specify the class of the zone. If not specified, "IN" is assumed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform post-load zone integrity checks. Possible modes are
<command>"full"</command> (default),
<command>"full-sibling"</command>,
<command>"local"</command>,
<command>"local-sibling"</command> and
<command>"none"</command>.
</para>
<para>
Mode <command>"full"</command> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks MX records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks SRV records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <command>"local"</command> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</para>
<para>
Mode <command>"full-sibling"</command> and
<command>"local-sibling"</command> disable sibling glue
checks but are otherwise the same as <command>"full"</command>
and <command>"local"</command> respectively.
</para>
<para>
Mode <command>"none"</command> disables the checks.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the zone file.
Possible formats are <command>"text"</command> (default),
<command>"raw"</command>, and <command>"map"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-F <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the output file specified.
For <command>named-checkzone</command>,
this does not cause any effects unless it dumps the zone
contents.
</para>
<para>
Possible formats are <command>"text"</command> (default),
which is the standard textual representation of the zone,
and <command>"map"</command>, <command>"raw"</command>,
and <command>"raw=N"</command>, which store the zone in a
binary format for rapid loading by <command>named</command>.
<command>"raw=N"</command> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <command>named</command>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform <command>"check-names"</command> checks with the
specified failure mode.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<command>max-zone-ttl</command> option in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">serial</replaceable></term>
<listitem>
<para>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a MX record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
Write zone output to <filename>filename</filename>.
If <filename>filename</filename> is <filename>-</filename> then
write to standard out.
This is mandatory for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">style</replaceable></term>
<listitem>
<para>
Specify the style of the dumped zone file.
Possible styles are <command>"full"</command> (default)
and <command>"relative"</command>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <command>named-checkzone</command>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a SRV record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <command>"warn"</command>
(default), <command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
chdir to <filename>directory</filename> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Dump zone file in canonical format.
This is always enabled for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <command>"warn"</command> (default)
and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonename</term>
<listitem>
<para>
The domain name of the zone being checked.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the zone file.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkzone</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

429
bin/check/named-checkzone.html
View file

@ -1,429 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">named-checkzone</span>,
<span class="application">named-compilezone</span>
&#8212; zone file validity checking or converting tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-checkzone</code>
[<code class="option">-d</code>]
[<code class="option">-h</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{zonename}
{filename}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">named-compilezone</code>
[<code class="option">-d</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
{zonename}
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span class="command"><strong>named</strong></span> does when loading a
zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for
checking zone files before configuring them into a name server.
</p>
<p>
<span class="command"><strong>named-compilezone</strong></span> is similar to
<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <span class="command"><strong>named</strong></span>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<span class="command"><strong>named</strong></span> configuration file.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-d</span></dt>
<dd>
<p>
Enable debugging.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the usage summary and exit.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode - exit code only.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkzone</strong></span>
program and exit.
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd>
<p>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <code class="filename">.jnl</code>.
</p>
</dd>
<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specify the class of the zone. If not specified, "IN" is assumed.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform post-load zone integrity checks. Possible modes are
<span class="command"><strong>"full"</strong></span> (default),
<span class="command"><strong>"full-sibling"</strong></span>,
<span class="command"><strong>"local"</strong></span>,
<span class="command"><strong>"local-sibling"</strong></span> and
<span class="command"><strong>"none"</strong></span>.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks MX records which refer to in-zone hostnames.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks SRV records which refer to in-zone hostnames.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</p>
<p>
Mode <span class="command"><strong>"full-sibling"</strong></span> and
<span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
and <span class="command"><strong>"local"</strong></span> respectively.
</p>
<p>
Mode <span class="command"><strong>"none"</strong></span> disables the checks.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
Specify the format of the zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
</p>
</dd>
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
Specify the format of the output file specified.
For <span class="command"><strong>named-checkzone</strong></span>,
this does not cause any effects unless it dumps the zone
contents.
</p>
<p>
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone,
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
binary format for rapid loading by <span class="command"><strong>named</strong></span>.
<span class="command"><strong>"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform <span class="command"><strong>"check-names"</strong></span> checks with the
specified failure mode.
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<span class="command"><strong>max-zone-ttl</strong></span> option in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd>
<p>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if a MX record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Write zone output to <code class="filename">filename</code>.
If <code class="filename">filename</code> is <code class="filename">-</code> then
write to standard out.
This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd>
<p>
Specify the style of the dumped zone file.
Possible styles are <span class="command"><strong>"full"</strong></span> (default)
and <span class="command"><strong>"relative"</strong></span>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <span class="command"><strong>named-checkzone</strong></span>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if a SRV record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <span class="command"><strong>"warn"</strong></span>
(default), <span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
chdir to <code class="filename">directory</code> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd>
<p>
Dump zone file in canonical format.
This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">zonename</span></dt>
<dd>
<p>
The domain name of the zone being checked.
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd>
<p>
The name of the zone file.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>(8)
</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

214
bin/check/named-checkzone.rst Normal file
View file

@ -0,0 +1,214 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_named-checkzone:
named-checkzone, named-compilezone - zone file validity checking or converting tool
-----------------------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
Description
~~~~~~~~~~~
``named-checkzone`` checks the syntax and integrity of a zone file. It
performs the same checks as ``named`` does when loading a zone. This
makes ``named-checkzone`` useful for checking zone files before
configuring them into a name server.
``named-compilezone`` is similar to ``named-checkzone``, but it always
dumps the zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default, since the
dump output will be used as an actual zone file loaded by ``named``.
When manually specified otherwise, the check levels must at least be as
strict as those specified in the ``named`` configuration file.
Options
~~~~~~~
**-d**
Enable debugging.
**-h**
Print the usage summary and exit.
**-q**
Quiet mode - exit code only.
**-v**
Print the version of the ``named-checkzone`` program and exit.
**-j**
When loading a zone file, read the journal if it exists. The journal
file name is assumed to be the zone file name appended with the
string ``.jnl``.
**-J** filename
When loading the zone file read the journal from the given file, if
it exists. (Implies -j.)
**-c** class
Specify the class of the zone. If not specified, "IN" is assumed.
**-i** mode
Perform post-load zone integrity checks. Possible modes are
``"full"`` (default), ``"full-sibling"``, ``"local"``,
``"local-sibling"`` and ``"none"``.
Mode ``"full"`` checks that MX records refer to A or AAAA record
(both in-zone and out-of-zone hostnames). Mode ``"local"`` only
checks MX records which refer to in-zone hostnames.
Mode ``"full"`` checks that SRV records refer to A or AAAA record
(both in-zone and out-of-zone hostnames). Mode ``"local"`` only
checks SRV records which refer to in-zone hostnames.
Mode ``"full"`` checks that delegation NS records refer to A or AAAA
record (both in-zone and out-of-zone hostnames). It also checks that
glue address records in the zone match those advertised by the child.
Mode ``"local"`` only checks NS records which refer to in-zone
hostnames or that some required glue exists, that is when the
nameserver is in a child zone.
Mode ``"full-sibling"`` and ``"local-sibling"`` disable sibling glue
checks but are otherwise the same as ``"full"`` and ``"local"``
respectively.
Mode ``"none"`` disables the checks.
**-f** format
Specify the format of the zone file. Possible formats are ``"text"``
(default), ``"raw"``, and ``"map"``.
**-F** format
Specify the format of the output file specified. For
``named-checkzone``, this does not cause any effects unless it dumps
the zone contents.
Possible formats are ``"text"`` (default), which is the standard
textual representation of the zone, and ``"map"``, ``"raw"``, and
``"raw=N"``, which store the zone in a binary format for rapid
loading by ``named``. ``"raw=N"`` specifies the format version of the
raw zone file: if N is 0, the raw file can be read by any version of
``named``; if N is 1, the file can be read by release 9.9.0 or
higher; the default is 1.
**-k** mode
Perform ``"check-names"`` checks with the specified failure mode.
Possible modes are ``"fail"`` (default for ``named-compilezone``),
``"warn"`` (default for ``named-checkzone``) and ``"ignore"``.
**-l** ttl
Sets a maximum permissible TTL for the input file. Any record with a
TTL higher than this value will cause the zone to be rejected. This
is similar to using the ``max-zone-ttl`` option in ``named.conf``.
**-L** serial
When compiling a zone to "raw" or "map" format, set the "source
serial" value in the header to the specified serial number. (This is
expected to be used primarily for testing purposes.)
**-m** mode
Specify whether MX records should be checked to see if they are
addresses. Possible modes are ``"fail"``, ``"warn"`` (default) and
``"ignore"``.
**-M** mode
Check if a MX record refers to a CNAME. Possible modes are
``"fail"``, ``"warn"`` (default) and ``"ignore"``.
**-n** mode
Specify whether NS records should be checked to see if they are
addresses. Possible modes are ``"fail"`` (default for
``named-compilezone``), ``"warn"`` (default for ``named-checkzone``)
and ``"ignore"``.
**-o** filename
Write zone output to ``filename``. If ``filename`` is ``-`` then
write to standard out. This is mandatory for ``named-compilezone``.
**-r** mode
Check for records that are treated as different by DNSSEC but are
semantically equal in plain DNS. Possible modes are ``"fail"``,
``"warn"`` (default) and ``"ignore"``.
**-s** style
Specify the style of the dumped zone file. Possible styles are
``"full"`` (default) and ``"relative"``. The full format is most
suitable for processing automatically by a separate script. On the
other hand, the relative format is more human-readable and is thus
suitable for editing by hand. For ``named-checkzone`` this does not
cause any effects unless it dumps the zone contents. It also does not
have any meaning if the output format is not text.
**-S** mode
Check if a SRV record refers to a CNAME. Possible modes are
``"fail"``, ``"warn"`` (default) and ``"ignore"``.
**-t** directory
Chroot to ``directory`` so that include directives in the
configuration file are processed as if run by a similarly chrooted
``named``.
**-T** mode
Check if Sender Policy Framework (SPF) records exist and issues a
warning if an SPF-formatted TXT record is not also present. Possible
modes are ``"warn"`` (default), ``"ignore"``.
**-w** directory
chdir to ``directory`` so that relative filenames in master file
$INCLUDE directives work. This is similar to the directory clause in
``named.conf``.
**-D**
Dump zone file in canonical format. This is always enabled for
``named-compilezone``.
**-W** mode
Specify whether to check for non-terminal wildcards. Non-terminal
wildcards are almost always the result of a failure to understand the
wildcard matching algorithm (:rfc:`1034`). Possible modes are ``"warn"``
(default) and ``"ignore"``.
zonename
The domain name of the zone being checked.
filename
The name of the zone file.
Return Values
~~~~~~~~~~~~~
``named-checkzone`` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference
Manual.

148
bin/confgen/ddns-confgen.8
View file

@ -1,148 +0,0 @@
.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: ddns-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-03-06
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DDNS\-CONFGEN" "8" "2014\-03\-06" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ddns-confgen \- ddns key generation tool
.SH "SYNOPSIS"
.HP \w'\fBtsig\-keygen\fR\ 'u
\fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [name]
.HP \w'\fBddns\-confgen\fR\ 'u
\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
.SH "DESCRIPTION"
.PP
\fBtsig\-keygen\fR
and
\fBddns\-confgen\fR
are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
\fBrndc\fR
command channel\&.
.PP
When run as
\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
\fBtsig\-key\fR\&.
.PP
When run as
\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
\fBnsupdate\fR
and
\fBnamed\fR
when setting up dynamic DNS, including an example
\fBupdate\-policy\fR
statement\&. (This usage similar to the
\fBrndc\-confgen\fR
command for setting up command channel security\&.)
.PP
Note that
\fBnamed\fR
itself can configure a local DDNS key for use with
\fBnsupdate \-l\fR: it does this when a zone is configured with
\fBupdate\-policy local;\fR\&.
\fBddns\-confgen\fR
is only needed when a more elaborate configuration is required: for instance, if
\fBnsupdate\fR
is to be used from a remote system\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of options and arguments\&.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the DDNS authentication key\&. The default is
\fBddns\-key\fR
when neither the
\fB\-s\fR
nor
\fB\-z\fR
option is specified; otherwise, the default is
\fBddns\-key\fR
as a separate label followed by the argument of the option, e\&.g\&.,
\fBddns\-key\&.example\&.com\&.\fR
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
.RE
.PP
\-q
.RS 4
(\fBddns\-confgen\fR
only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
\fBtsig\-keygen\fR\&.
.RE
.PP
\-s \fIname\fR
.RS 4
(\fBddns\-confgen\fR
only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIname\fR
using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
\fB\-z\fR
option\&.
.RE
.PP
\-z \fIzone\fR
.RS 4
(\fBddns\-confgen\fR
only\&.) Generate configuration example to allow dynamic updates of a zone: The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIzone\fR
using the "zonesub" nametype, allowing updates to all subdomain names within that
\fIzone\fR\&. This option cannot be used with the
\fB\-s\fR
option\&.
.RE
.SH "SEE ALSO"
.PP
\fBnsupdate\fR(1),
\fBnamed.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

213
bin/confgen/ddns-confgen.docbook
View file

@ -1,213 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
<info>
<date>2014-03-06</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>ddns-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>ddns-confgen</application></refname>
<refpurpose>ddns key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>tsig-keygen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat">name</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>ddns-confgen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
</group>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>tsig-keygen</command> and <command>ddns-confgen</command>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<command>rndc</command> command channel.
</para>
<para>
When run as <command>tsig-keygen</command>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <constant>tsig-key</constant>.
</para>
<para>
When run as <command>ddns-confgen</command>, the generated
key is accompanied by configuration text and instructions
that can be used with <command>nsupdate</command> and
<command>named</command> when setting up dynamic DNS,
including an example <command>update-policy</command>
statement. (This usage similar to the
<command>rndc-confgen</command> command for setting
up command channel security.)
</para>
<para>
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>:
it does this when a zone is configured with
<command>update-policy local;</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance,
if <command>nsupdate</command> is to be used from a remote
system.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of options and arguments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the DDNS authentication key.
The default is <constant>ddns-key</constant> when neither
the <option>-s</option> nor <option>-z</option> option is
specified; otherwise, the default
is <constant>ddns-key</constant> as a separate label
followed by the argument of the option, e.g.,
<constant>ddns-key.example.com.</constant>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
(<command>ddns-confgen</command> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <command>tsig-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <command>named.conf</command>
text shows how to set an update policy for the specified
<replaceable class="parameter">name</replaceable>
using the "name" nametype. The default key name is
ddns-key.<replaceable class="parameter">name</replaceable>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <option>-z</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z <replaceable class="parameter">zone</replaceable></term>
<listitem>
<para>
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">zone</replaceable>
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<replaceable class="parameter">zone</replaceable>.
This option cannot be used with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

187
bin/confgen/ddns-confgen.html
View file

@ -1,187 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">ddns-confgen</span>
&#8212; ddns key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">tsig-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[name]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">ddns-confgen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[
-s <em class="replaceable"><code>name</code></em>
| -z <em class="replaceable"><code>zone</code></em>
]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<span class="command"><strong>rndc</strong></span> command channel.
</p>
<p>
When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <code class="constant">tsig-key</code>.
</p>
<p>
When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
key is accompanied by configuration text and instructions
that can be used with <span class="command"><strong>nsupdate</strong></span> and
<span class="command"><strong>named</strong></span> when setting up dynamic DNS,
including an example <span class="command"><strong>update-policy</strong></span>
statement. (This usage similar to the
<span class="command"><strong>rndc-confgen</strong></span> command for setting
up command channel security.)
</p>
<p>
Note that <span class="command"><strong>named</strong></span> itself can configure a
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with
<span class="command"><strong>update-policy local;</strong></span>.
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance,
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of options and arguments.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd>
<p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code> when neither
the <code class="option">-s</code> nor <code class="option">-z</code> option is
specified; otherwise, the default
is <code class="constant">ddns-key</code> as a separate label
followed by the argument of the option, e.g.,
<code class="constant">ddns-key.example.com.</code>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <span class="command"><strong>named.conf</strong></span>
text shows how to set an update policy for the specified
<em class="replaceable"><code>name</code></em>
using the "name" nametype. The default key name is
ddns-key.<em class="replaceable"><code>name</code></em>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <code class="option">-z</code> option.
</p>
</dd>
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <span class="command"><strong>named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>zone</code></em>
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<em class="replaceable"><code>zone</code></em>.
This option cannot be used with the <code class="option">-s</code> option.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

103
bin/confgen/ddns-confgen.rst Normal file
View file

@ -0,0 +1,103 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_ddns-confgen:
ddns-confgen - ddns key generation tool
---------------------------------------
Synopsis
~~~~~~~~
:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [**-s** name]
:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
Description
~~~~~~~~~~~
``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
utility that generates keys for use in TSIG signing. The resulting keys
can be used, for example, to secure dynamic DNS updates to a zone or for
the ``rndc`` command channel.
When run as ``tsig-keygen``, a domain name can be specified on the
command line which will be used as the name of the generated key. If no
name is specified, the default is ``tsig-key``.
When run as ``ddns-confgen``, the generated key is accompanied by
configuration text and instructions that can be used with ``nsupdate``
and ``named`` when setting up dynamic DNS, including an example
``update-policy`` statement. (This usage similar to the ``rndc-confgen``
command for setting up command channel security.)
Note that ``named`` itself can configure a local DDNS key for use with
``nsupdate -l``: it does this when a zone is configured with
``update-policy local;``. ``ddns-confgen`` is only needed when a more
elaborate configuration is required: for instance, if ``nsupdate`` is to
be used from a remote system.
Options
~~~~~~~
**-a** algorithm
Specifies the algorithm to use for the TSIG key. Available choices
are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
hmac-sha512. The default is hmac-sha256. Options are
case-insensitive, and the "hmac-" prefix may be omitted.
**-h**
Prints a short summary of options and arguments.
**-k** keyname
Specifies the key name of the DDNS authentication key. The default is
``ddns-key`` when neither the ``-s`` nor ``-z`` option is specified;
otherwise, the default is ``ddns-key`` as a separate label followed
by the argument of the option, e.g., ``ddns-key.example.com.`` The
key name must have the format of a valid domain name, consisting of
letters, digits, hyphens and periods.
**-q**
(``ddns-confgen`` only.) Quiet mode: Print only the key, with no
explanatory text or usage examples; This is essentially identical to
``tsig-keygen``.
**-s** name
(``ddns-confgen`` only.) Generate configuration example to allow
dynamic updates of a single hostname. The example ``named.conf`` text
shows how to set an update policy for the specified name using the
"name" nametype. The default key name is ddns-key.name. Note that the
"self" nametype cannot be used, since the name to be updated may
differ from the key name. This option cannot be used with the ``-z``
option.
**-z** zone
(``ddns-confgen`` only.) Generate configuration example to allow
dynamic updates of a zone: The example ``named.conf`` text shows how
to set an update policy for the specified zone using the "zonesub"
nametype, allowing updates to all subdomain names within that zone.
This option cannot be used with the ``-s`` option.
See Also
~~~~~~~~
:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

210
bin/confgen/rndc-confgen.8
View file

@ -1,210 +0,0 @@
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: rndc-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2013-03-14
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "RNDC\-CONFGEN" "8" "2013\-03\-14" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
rndc-confgen \- rndc key generation tool
.SH "SYNOPSIS"
.HP \w'\fBrndc\-confgen\fR\ 'u
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-A\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
.SH "DESCRIPTION"
.PP
\fBrndc\-confgen\fR
generates configuration files for
\fBrndc\fR\&. It can be used as a convenient alternative to writing the
rndc\&.conf
file and the corresponding
\fBcontrols\fR
and
\fBkey\fR
statements in
named\&.conf
by hand\&. Alternatively, it can be run with the
\fB\-a\fR
option to set up a
rndc\&.key
file and avoid the need for a
rndc\&.conf
file and a
\fBcontrols\fR
statement altogether\&.
.SH "OPTIONS"
.PP
\-a
.RS 4
Do automatic
\fBrndc\fR
configuration\&. This creates a file
rndc\&.key
in
/etc
(or whatever
\fIsysconfdir\fR
was specified as when
BIND
was built) that is read by both
\fBrndc\fR
and
\fBnamed\fR
on startup\&. The
rndc\&.key
file defines a default command channel and authentication key allowing
\fBrndc\fR
to communicate with
\fBnamed\fR
on the local host with no further configuration\&.
.sp
Running
\fBrndc\-confgen \-a\fR
allows BIND 9 and
\fBrndc\fR
to be used as drop\-in replacements for BIND 8 and
\fBndc\fR, with no changes to the existing BIND 8
named\&.conf
file\&.
.sp
If a more elaborate configuration than that generated by
\fBrndc\-confgen \-a\fR
is required, for example if rndc is to be used remotely, you should run
\fBrndc\-confgen\fR
without the
\fB\-a\fR
option and set up a
rndc\&.conf
and
named\&.conf
as directed\&.
.RE
.PP
\-A \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is the hash size\&.
.RE
.PP
\-c \fIkeyfile\fR
.RS 4
Used with the
\fB\-a\fR
option to specify an alternate location for
rndc\&.key\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBrndc\-confgen\fR\&.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is
\fBrndc\-key\fR\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Specifies the command channel port where
\fBnamed\fR
listens for connections from
\fBrndc\fR\&. The default is 953\&.
.RE
.PP
\-s \fIaddress\fR
.RS 4
Specifies the IP address where
\fBnamed\fR
listens for command channel connections from
\fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
.RE
.PP
\-t \fIchrootdir\fR
.RS 4
Used with the
\fB\-a\fR
option to specify a directory where
\fBnamed\fR
will run chrooted\&. An additional copy of the
rndc\&.key
will be written relative to this directory so that it will be found by the chrooted
\fBnamed\fR\&.
.RE
.PP
\-u \fIuser\fR
.RS 4
Used with the
\fB\-a\fR
option to set the owner of the
rndc\&.key
file generated\&. If
\fB\-t\fR
is also specified only the file in the chroot area has its owner changed\&.
.RE
.SH "EXAMPLES"
.PP
To allow
\fBrndc\fR
to be used with no manual configuration, run
.PP
\fBrndc\-confgen \-a\fR
.PP
To print a sample
rndc\&.conf
file and corresponding
\fBcontrols\fR
and
\fBkey\fR
statements to be manually inserted into
named\&.conf, run
.PP
\fBrndc\-confgen\fR
.SH "SEE ALSO"
.PP
\fBrndc\fR(8),
\fBrndc.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

271
bin/confgen/rndc-confgen.docbook
View file

@ -1,271 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
<info>
<date>2013-03-14</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>rndc-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>rndc-confgen</application></refname>
<refpurpose>rndc key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2001</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>rndc-confgen</command>
<arg choice="opt" rep="norepeat"><option>-a</option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>rndc-confgen</command>
generates configuration files
for <command>rndc</command>. It can be used as a
convenient alternative to writing the
<filename>rndc.conf</filename> file
and the corresponding <command>controls</command>
and <command>key</command>
statements in <filename>named.conf</filename> by hand.
Alternatively, it can be run with the <command>-a</command>
option to set up a <filename>rndc.key</filename> file and
avoid the need for a <filename>rndc.conf</filename> file
and a <command>controls</command> statement altogether.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Do automatic <command>rndc</command> configuration.
This creates a file <filename>rndc.key</filename>
in <filename>/etc</filename> (or whatever
<varname>sysconfdir</varname>
was specified as when <acronym>BIND</acronym> was
built)
that is read by both <command>rndc</command>
and <command>named</command> on startup. The
<filename>rndc.key</filename> file defines a default
command channel and authentication key allowing
<command>rndc</command> to communicate with
<command>named</command> on the local host
with no further configuration.
</para>
<para>
Running <command>rndc-confgen -a</command> allows
BIND 9 and <command>rndc</command> to be used as
drop-in
replacements for BIND 8 and <command>ndc</command>,
with no changes to the existing BIND 8
<filename>named.conf</filename> file.
</para>
<para>
If a more elaborate configuration than that
generated by <command>rndc-confgen -a</command>
is required, for example if rndc is to be used remotely,
you should run <command>rndc-confgen</command> without
the
<command>-a</command> option and set up a
<filename>rndc.conf</filename> and
<filename>named.conf</filename>
as directed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">keyfile</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
an alternate location for <filename>rndc.key</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>rndc-confgen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <constant>rndc-key</constant>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Specifies the command channel port where <command>named</command>
listens for connections from <command>rndc</command>.
The default is 953.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">address</replaceable></term>
<listitem>
<para>
Specifies the IP address where <command>named</command>
listens for command channel connections from
<command>rndc</command>. The default is the loopback
address 127.0.0.1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">chrootdir</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
a directory where <command>named</command> will run
chrooted. An additional copy of the <filename>rndc.key</filename>
will be written relative to this directory so that
it will be found by the chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to set the
owner
of the <filename>rndc.key</filename> file generated.
If
<command>-t</command> is also specified only the file
in
the chroot area has its owner changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
<para>
To allow <command>rndc</command> to be used with
no manual configuration, run
</para>
<para><userinput>rndc-confgen -a</userinput>
</para>
<para>
To print a sample <filename>rndc.conf</filename> file and
corresponding <command>controls</command> and <command>key</command>
statements to be manually inserted into <filename>named.conf</filename>,
run
</para>
<para><userinput>rndc-confgen</userinput>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

226
bin/confgen/rndc-confgen.html
View file

@ -1,226 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">rndc-confgen</span>
&#8212; rndc key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">rndc-confgen</code>
[<code class="option">-a</code>]
[<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc-confgen</strong></span>
generates configuration files
for <span class="command"><strong>rndc</strong></span>. It can be used as a
convenient alternative to writing the
<code class="filename">rndc.conf</code> file
and the corresponding <span class="command"><strong>controls</strong></span>
and <span class="command"><strong>key</strong></span>
statements in <code class="filename">named.conf</code> by hand.
Alternatively, it can be run with the <span class="command"><strong>-a</strong></span>
option to set up a <code class="filename">rndc.key</code> file and
avoid the need for a <code class="filename">rndc.conf</code> file
and a <span class="command"><strong>controls</strong></span> statement altogether.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
<p>
Do automatic <span class="command"><strong>rndc</strong></span> configuration.
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
<code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was
built)
that is read by both <span class="command"><strong>rndc</strong></span>
and <span class="command"><strong>named</strong></span> on startup. The
<code class="filename">rndc.key</code> file defines a default
command channel and authentication key allowing
<span class="command"><strong>rndc</strong></span> to communicate with
<span class="command"><strong>named</strong></span> on the local host
with no further configuration.
</p>
<p>
Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
drop-in
replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>,
with no changes to the existing BIND 8
<code class="filename">named.conf</code> file.
</p>
<p>
If a more elaborate configuration than that
generated by <span class="command"><strong>rndc-confgen -a</strong></span>
is required, for example if rndc is to be used remotely,
you should run <span class="command"><strong>rndc-confgen</strong></span> without
the
<span class="command"><strong>-a</strong></span> option and set up a
<code class="filename">rndc.conf</code> and
<code class="filename">named.conf</code>
as directed.
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
an alternate location for <code class="filename">rndc.key</code>.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>rndc-confgen</strong></span>.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd>
<p>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <code class="constant">rndc-key</code>.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Specifies the command channel port where <span class="command"><strong>named</strong></span>
listens for connections from <span class="command"><strong>rndc</strong></span>.
The default is 953.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
<dd>
<p>
Specifies the IP address where <span class="command"><strong>named</strong></span>
listens for command channel connections from
<span class="command"><strong>rndc</strong></span>. The default is the loopback
address 127.0.0.1.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
a directory where <span class="command"><strong>named</strong></span> will run
chrooted. An additional copy of the <code class="filename">rndc.key</code>
will be written relative to this directory so that
it will be found by the chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to set the
owner
of the <code class="filename">rndc.key</code> file generated.
If
<span class="command"><strong>-t</strong></span> is also specified only the file
in
the chroot area has its owner changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLES</h2>
<p>
To allow <span class="command"><strong>rndc</strong></span> to be used with
no manual configuration, run
</p>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
</p>
<p>
To print a sample <code class="filename">rndc.conf</code> file and
corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
statements to be manually inserted into <code class="filename">named.conf</code>,
run
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

120
bin/confgen/rndc-confgen.rst Normal file
View file

@ -0,0 +1,120 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_rndc-confgen:
rndc-confgen - rndc key generation tool
---------------------------------------
Synopsis
~~~~~~~~
:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
Description
~~~~~~~~~~~
``rndc-confgen`` generates configuration files for ``rndc``. It can be
used as a convenient alternative to writing the ``rndc.conf`` file and
the corresponding ``controls`` and ``key`` statements in ``named.conf``
by hand. Alternatively, it can be run with the ``-a`` option to set up a
``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
``controls`` statement altogether.
Arguments
~~~~~~~~~
**-a**
Do automatic ``rndc`` configuration. This creates a file ``rndc.key``
in ``/etc`` (or whatever ``sysconfdir`` was specified as when BIND
was built) that is read by both ``rndc`` and ``named`` on startup.
The ``rndc.key`` file defines a default command channel and
authentication key allowing ``rndc`` to communicate with ``named`` on
the local host with no further configuration.
Running ``rndc-confgen -a`` allows BIND 9 and ``rndc`` to be used as
drop-in replacements for BIND 8 and ``ndc``, with no changes to the
existing BIND 8 ``named.conf`` file.
If a more elaborate configuration than that generated by
``rndc-confgen -a`` is required, for example if rndc is to be used
remotely, you should run ``rndc-confgen`` without the ``-a`` option
and set up a ``rndc.conf`` and ``named.conf`` as directed.
**-A** algorithm
Specifies the algorithm to use for the TSIG key. Available choices
are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
hmac-sha512. The default is hmac-sha256.
**-b** keysize
Specifies the size of the authentication key in bits. Must be between
1 and 512 bits; the default is the hash size.
**-c** keyfile
Used with the ``-a`` option to specify an alternate location for
``rndc.key``.
**-h**
Prints a short summary of the options and arguments to
``rndc-confgen``.
**-k** keyname
Specifies the key name of the rndc authentication key. This must be a
valid domain name. The default is ``rndc-key``.
**-p** port
Specifies the command channel port where ``named`` listens for
connections from ``rndc``. The default is 953.
**-s** address
Specifies the IP address where ``named`` listens for command channel
connections from ``rndc``. The default is the loopback address
127.0.0.1.
**-t** chrootdir
Used with the ``-a`` option to specify a directory where ``named``
will run chrooted. An additional copy of the ``rndc.key`` will be
written relative to this directory so that it will be found by the
chrooted ``named``.
**-u** user
Used with the ``-a`` option to set the owner of the ``rndc.key`` file
generated. If ``-t`` is also specified only the file in the chroot
area has its owner changed.
Examples
~~~~~~~~
To allow ``rndc`` to be used with no manual configuration, run
``rndc-confgen -a``
To print a sample ``rndc.conf`` file and corresponding ``controls`` and
``key`` statements to be manually inserted into ``named.conf``, run
``rndc-confgen``
See Also
~~~~~~~~
:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

437
bin/delv/delv.1
View file

@ -1,437 +0,0 @@
.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: delv
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-04-23
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DELV" "1" "2014\-04\-23" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
delv \- DNS lookup and validation utility
.SH "SYNOPSIS"
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [@server] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-h\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-v\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdelv\fR
is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy\&.
.PP
Unless it is told to query a specific name server,
\fBdelv\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.PP
When no command line arguments or options are given,
\fBdelv\fR
will perform an NS query for "\&." (the root zone)\&.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdelv\fR
looks like:
.sp
.if n \{\
.RS 4
.\}
.nf
delv @server name type
.fi
.if n \{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdelv\fR
resolves that name before querying that name server (note, however, that this initial lookup is
\fInot\fR
validated by DNSSEC)\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdelv\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.RE
.PP
\fBname\fR
.RS 4
is the domain name to be looked up\&.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdelv\fR
will perform a lookup for an A record\&.
.RE
.SH "OPTIONS"
.PP
\-a \fIanchor\-file\fR
.RS 4
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBtrust\-anchors\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
\fBdelv\fR
as if it had been configured as a
\fBstatic\-key\fR\&.
\fBdelv\fR
does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
/etc/bind\&.keys
to use DNSSEC validation in
\fBdelv\fR\&.
.RE
.PP
\-b \fIaddress\fR
.RS 4
Sets the source IP address of the query to
\fIaddress\fR\&. This must be a valid address on one of the host\*(Aqs network interfaces or "0\&.0\&.0\&.0" or "::"\&. An optional source port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS 4
Sets the query class for the requested data\&. Currently, only class "IN" is supported in
\fBdelv\fR
and any other value is ignored\&.
.RE
.PP
\-d \fIlevel\fR
.RS 4
Set the systemwide debug level to
\fBlevel\fR\&. The allowed range is from 0 to 99\&. The default is 0 (no debugging)\&. Debugging traces from
\fBdelv\fR
become more verbose as the debug level increases\&. See the
\fB+mtrace\fR,
\fB+rtrace\fR, and
\fB+vtrace\fR
options below for additional debugging details\&.
.RE
.PP
\-h
.RS 4
Display the
\fBdelv\fR
help usage output and exit\&.
.RE
.PP
\-i
.RS 4
Insecure mode\&. This disables internal DNSSEC validation\&. (Note, however, this does not set the CD bit on upstream queries\&. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
\fBdelv\fR
to time out\&. When it is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fR\&.)
.RE
.PP
\-m
.RS 4
Enables memory usage debugging\&.
.RE
.PP
\-p \fIport#\fR
.RS 4
Specifies a destination port to use for queries instead of the standard DNS port number 53\&. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS 4
Sets the query name to
\fIname\fR\&. While the query name can be specified without using the
\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH)\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Sets the query type to
\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR\&. As with
\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous\&. it is sometimes necessary to disambiguate names from types\&.
.sp
The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup, in which case it is "PTR"\&.
.RE
.PP
\-v
.RS 4
Print the
\fBdelv\fR
version and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS 4
Performs a reverse lookup, mapping an addresses to a name\&.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR
or
\fItype\fR
arguments\&.
\fBdelv\fR
automatically performs a lookup for a name like
11\&.12\&.13\&.10\&.in\-addr\&.arpa
and sets the query type to PTR\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-4
.RS 4
Forces
\fBdelv\fR
to only use IPv4\&.
.RE
.PP
\-6
.RS 4
Forces
\fBdelv\fR
to only use IPv6\&.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdelv\fR
provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. The query options are:
.PP
\fB+[no]cdflag\fR
.RS 4
Controls whether to set the CD (checking disabled) bit in queries sent by
\fBdelv\fR\&. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver\&. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis\&. Setting the CD flag on queries will cause the resolver to return invalid responses, which
\fBdelv\fR
can then validate internally and report the errors in detail\&.
.RE
.PP
\fB+[no]class\fR
.RS 4
Controls whether to display the CLASS when printing a record\&. The default is to display the CLASS\&.
.RE
.PP
\fB+[no]ttl\fR
.RS 4
Controls whether to display the TTL when printing a record\&. The default is to display the TTL\&.
.RE
.PP
\fB+[no]rtrace\fR
.RS 4
Toggle resolver fetch logging\&. This reports the name and type of each query sent by
\fBdelv\fR
in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation\&.
.sp
This is equivalent to setting the debug level to 1 in the "resolver" logging category\&. Setting the systemwide debug level to 1 using the
\fB\-d\fR
option will product the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]mtrace\fR
.RS 4
Toggle message logging\&. This produces a detailed dump of the responses received by
\fBdelv\fR
in the process of carrying out the resolution and validation process\&.
.sp
This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category\&. Setting the systemwide debug level to 10 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]vtrace\fR
.RS 4
Toggle validation logging\&. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid\&.
.sp
This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category\&. Setting the systemwide debug level to 3 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is to print per\-record comments\&.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]trust\fR
.RS 4
Controls whether to display the trust level when printing a record\&. The default is to display the trust level\&.
.RE
.PP
\fB+[no]split[=W]\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear the display options
\fB+[no]comments\fR,
\fB+[no]rrcomments\fR, and
\fB+[no]trust\fR
as a group\&.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdelv\fR
output\&.
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Indicates whether to display RRSIG records in the
\fBdelv\fR
output\&. The default is to do so\&. Note that (unlike in
\fBdig\fR) this does
\fInot\fR
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR\&.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS 4
Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS 4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
.PP
\fB+[no]yaml\fR
.RS 4
Print response data in YAML format\&.
.RE
.SH "FILES"
.PP
/etc/bind\&.keys
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8),
RFC4034,
RFC4035,
RFC4431,
RFC5074,
RFC5155\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

699
bin/delv/delv.docbook
View file

@ -1,699 +0,0 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
<info>
<date>2014-04-23</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>delv</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>delv</refname>
<refpurpose>DNS lookup and validation utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat">@server</arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option></arg>
<arg choice="opt" rep="norepeat"><option>-m</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">type</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="repeat">queryopt</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="repeat">queryopt</arg>
<arg choice="opt" rep="repeat">query</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>delv</command>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <command>named</command>.
</para>
<para>
<command>delv</command> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
anchor for the root zone ("."). Records returned by
<command>delv</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <command>delv</command> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</para>
<para>
Unless it is told to query a specific name server,
<command>delv</command> will try each of the servers listed in
<filename>/etc/resolv.conf</filename>. If no usable server
addresses are found, <command>delv</command> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</para>
<para>
When no command line arguments or options are given,
<command>delv</command> will perform an NS query for "."
(the root zone).
</para>
</refsection>
<refsection><info><title>SIMPLE USAGE</title></info>
<para>
A typical invocation of <command>delv</command> looks like:
<programlisting> delv @server name type </programlisting>
where:
<variablelist>
<varlistentry>
<term><constant>server</constant></term>
<listitem>
<para>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<parameter>server</parameter> argument is a hostname,
<command>delv</command> resolves that name before
querying that name server (note, however, that this
initial lookup is <emphasis>not</emphasis> validated
by DNSSEC).
</para>
<para>
If no <parameter>server</parameter> argument is
provided, <command>delv</command> consults
<filename>/etc/resolv.conf</filename>; if an
address is found there, it queries the name server at
that address. If either of the <option>-4</option> or
<option>-6</option> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<command>delv</command> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>name</constant></term>
<listitem>
<para>
is the domain name to be looked up.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type</constant></term>
<listitem>
<para>
indicates what type of query is required &mdash;
ANY, A, MX, etc.
<parameter>type</parameter> can be any valid query
type. If no
<parameter>type</parameter> argument is supplied,
<command>delv</command> will perform a lookup for an
A record.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">anchor-file</replaceable></term>
<listitem>
<para>
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
one or more trust anchors for the root zone (".").
</para>
<para>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options.
</para>
<para>
Note: When reading the trust anchor file,
<command>delv</command> treats <option>trust-anchors</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <command>delv</command>
as if it had been configured as a <command>static-key</command>.
<command>delv</command> does not consult the managed keys
database maintained by <command>named</command>. This means
that if either of the keys in
<filename>/etc/bind.keys</filename> is revoked
and rolled over, it will be necessary to update
<filename>/etc/bind.keys</filename> to use DNSSEC
validation in <command>delv</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">address</replaceable></term>
<listitem>
<para>
Sets the source IP address of the query to
<parameter>address</parameter>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <command>delv</command>
and any other value is ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Set the systemwide debug level to <option>level</option>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <command>delv</command> become
more verbose as the debug level increases.
See the <option>+mtrace</option>, <option>+rtrace</option>,
and <option>+vtrace</option> options below for additional
debugging details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Display the <command>delv</command> help usage output and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <command>delv</command> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <command>dig +cd</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m</term>
<listitem>
<para>
Enables memory usage debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port#</replaceable></term>
<listitem>
<para>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
Sets the query name to <parameter>name</parameter>.
While the query name can be specified without using the
<option>-q</option>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Sets the query type to <parameter>type</parameter>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<option>-q</option>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</para>
<para>
The default query type is "A", unless the <option>-x</option>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the <command>delv</command> version and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x <replaceable class="parameter">addr</replaceable></term>
<listitem>
<para>
Performs a reverse lookup, mapping an addresses to
a name. <parameter>addr</parameter> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <option>-x</option> is used, there is no need to provide
the <parameter>name</parameter> or <parameter>type</parameter>
arguments. <command>delv</command> automatically performs a
lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Forces <command>delv</command> to only use IPv4.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Forces <command>delv</command> to only use IPv6.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>QUERY OPTIONS</title></info>
<para><command>delv</command>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</para>
<para>
Each query option is identified by a keyword preceded by a plus sign
(<literal>+</literal>). Some keywords set or reset an
option. These may be preceded by the string
<literal>no</literal> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <option>+keyword=value</option>.
The query options are:
<variablelist>
<varlistentry>
<term><option>+[no]cdflag</option></term>
<listitem>
<para>
Controls whether to set the CD (checking disabled) bit in
queries sent by <command>delv</command>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <command>delv</command> can then
validate internally and report the errors in detail.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]class</option></term>
<listitem>
<para>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]ttl</option></term>
<listitem>
<para>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rtrace</option></term>
<listitem>
<para>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <command>delv</command>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</para>
<para>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <option>-d</option> option will
product the same output (but will affect other logging
categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]mtrace</option></term>
<listitem>
<para>
Toggle message logging. This produces a detailed dump of
the responses received by <command>delv</command> in the
process of carrying out the resolution and validation process.
</para>
<para>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]vtrace</option></term>
<listitem>
<para>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</para>
<para>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]short</option></term>
<listitem>
<para>
Provide a terse answer. The default is to print the answer in a
verbose form.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]comments</option></term>
<listitem>
<para>
Toggle the display of comment lines in the output. The default
is to print comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rrcomments</option></term>
<listitem>
<para>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]crypto</option></term>
<listitem>
<para>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]trust</option></term>
<listitem>
<para>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]split[=W]</option></term>
<listitem>
<para>
Split long hex- or base64-formatted fields in resource
records into chunks of <parameter>W</parameter> characters
(where <parameter>W</parameter> is rounded up to the nearest
multiple of 4).
<parameter>+nosplit</parameter> or
<parameter>+split=0</parameter> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]all</option></term>
<listitem>
<para>
Set or clear the display options
<option>+[no]comments</option>,
<option>+[no]rrcomments</option>, and
<option>+[no]trust</option> as a group.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]multiline</option></term>
<listitem>
<para>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <command>delv</command>
output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]dnssec</option></term>
<listitem>
<para>
Indicates whether to display RRSIG records in the
<command>delv</command> output. The default is to
do so. Note that (unlike in <command>dig</command>)
this does <emphasis>not</emphasis> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<option>-i</option> or <option>+noroot</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]root[=ROOT]</option></term>
<listitem>
<para>
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <option>-a</option> must be used to specify a file
containing the key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]tcp</option></term>
<listitem>
<para>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]unknownformat</option></term>
<listitem>
<para>
Print all RDATA in unknown RR type presentation format
(RFC 3597). The default is to print RDATA for known types
in the type's presentation format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]yaml</option></term>
<listitem>
<para>
Print response data in YAML format.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/bind.keys</filename></para>
<para><filename>/etc/resolv.conf</filename></para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC4034</citetitle>,
<citetitle>RFC4035</citetitle>,
<citetitle>RFC4431</citetitle>,
<citetitle>RFC5074</citetitle>,
<citetitle>RFC5155</citetitle>.
</para>
</refsection>
</refentry>

588
bin/delv/delv.html
View file

@ -1,588 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.delv"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
delv
&#8212; DNS lookup and validation utility
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[@server]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-i</code>]
[<code class="option">-m</code>]
[<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
[<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
[name]
[type]
[class]
[queryopt...]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-h</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-v</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[queryopt...]
[query...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>delv</strong></span>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <span class="command"><strong>named</strong></span>.
</p>
<p>
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchor for the root zone ("."). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span class="command"><strong>delv</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</p>
<p>
Unless it is told to query a specific name server,
<span class="command"><strong>delv</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span class="command"><strong>delv</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</p>
<p>
When no command line arguments or options are given,
<span class="command"><strong>delv</strong></span> will perform an NS query for "."
(the root zone).
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
</p>
<pre class="programlisting"> delv @server name type </pre>
<p>
where:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span class="command"><strong>delv</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span class="command"><strong>delv</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span class="command"><strong>delv</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd>
<p>
is the domain name to be looked up.
</p>
</dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd>
<p>
indicates what type of query is required &#8212;
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span class="command"><strong>delv</strong></span> will perform a lookup for an
A record.
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
<p>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
one or more trust anchors for the root zone (".").
</p>
<p>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<code class="option">+root=NAME</code> options.
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
<span class="command"><strong>delv</strong></span> does not consult the managed keys
database maintained by <span class="command"><strong>named</strong></span>. This means
that if either of the keys in
<code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
<dd>
<p>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span class="command"><strong>delv</strong></span>
and any other value is ignored.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Set the systemwide debug level to <code class="option">level</code>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <span class="command"><strong>delv</strong></span> become
more verbose as the debug level increases.
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
and <code class="option">+vtrace</code> options below for additional
debugging details.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <span class="command"><strong>delv</strong></span> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <span class="command"><strong>dig +cd</strong></span>.)
</p>
</dd>
<dt><span class="term">-m</span></dt>
<dd>
<p>
Enables memory usage debugging.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd>
<p>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</p>
</dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
Sets the query name to <em class="parameter"><code>name</code></em>.
While the query name can be specified without using the
<code class="option">-q</code>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Sets the query type to <em class="parameter"><code>type</code></em>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<code class="option">-q</code>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</p>
<p>
The default query type is "A", unless the <code class="option">-x</code>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the <span class="command"><strong>delv</strong></span> version and exit.
</p>
</dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd>
<p>
Performs a reverse lookup, mapping an addresses to
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <code class="option">-x</code> is used, there is no need to provide
the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
arguments. <span class="command"><strong>delv</strong></span> automatically performs a
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</p>
</dd>
<dt><span class="term">-4</span></dt>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
<p><span class="command"><strong>delv</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded by the string
<code class="literal">no</code> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <code class="option">+keyword=value</code>.
The query options are:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd>
<p>
Controls whether to set the CD (checking disabled) bit in
queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <span class="command"><strong>delv</strong></span> can then
validate internally and report the errors in detail.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd>
<p>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd>
<p>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <span class="command"><strong>delv</strong></span>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</p>
<p>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <code class="option">-d</code> option will
product the same output (but will affect other logging
categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
Toggle message logging. This produces a detailed dump of
the responses received by <span class="command"><strong>delv</strong></span> in the
process of carrying out the resolution and validation process.
</p>
<p>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</p>
<p>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd>
<p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
<p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd>
<p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd>
<p>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</p>
</dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd>
<p>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd>
<p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
multiple of 4).
<em class="parameter"><code>+nosplit</code></em> or
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd>
<p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd>
<p>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
output.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd>
<p>
Indicates whether to display RRSIG records in the
<span class="command"><strong>delv</strong></span> output. The default is to
do so. Note that (unlike in <span class="command"><strong>dig</strong></span>)
this does <span class="emphasis"><em>not</em></span> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd>
<p>
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <code class="option">-a</code> must be used to specify a file
containing the key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd>
<p>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
<dd>
<p>
Print all RDATA in unknown RR type presentation format
(RFC 3597). The default is to print RDATA for known types
in the type's presentation format.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
<dd>
<p>
Print response data in YAML format.
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">RFC4034</em>,
<em class="citetitle">RFC4035</em>,
<em class="citetitle">RFC4431</em>,
<em class="citetitle">RFC5074</em>,
<em class="citetitle">RFC5155</em>.
</p>
</div>
</div></body>
</html>

336
bin/delv/delv.rst Normal file
View file

@ -0,0 +1,336 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_delv:
delv - DNS lookup and validation utility
----------------------------------------
Synopsis
~~~~~~~~
:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
:program:`delv` [**-h**]
:program:`delv` [**-v**]
:program:`delv` [queryopt...] [query...]
Description
~~~~~~~~~~~
``delv`` is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as ``named``.
``delv`` will send to a specified name server all queries needed to
fetch and validate the requested data; this includes the original
requested query, subsequent queries to follow CNAME or DNAME chains, and
queries for DNSKEY, and DS records to establish a chain of trust for
DNSSEC validation. It does not perform iterative resolution, but
simulates the behavior of a name server configured for DNSSEC validating
and forwarding.
By default, responses are validated using built-in DNSSEC trust anchor
for the root zone ("."). Records returned by ``delv`` are either fully
validated or were not signed. If validation fails, an explanation of the
failure is included in the output; the validation process can be traced
in detail. Because ``delv`` does not rely on an external server to carry
out validation, it can be used to check the validity of DNS responses in
environments where local name servers may not be trustworthy.
Unless it is told to query a specific name server, ``delv`` will try
each of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, ``delv`` will send queries to the localhost
addresses (127.0.0.1 for IPv4, ::1 for IPv6).
When no command line arguments or options are given, ``delv`` will
perform an NS query for "." (the root zone).
Simple Usage
~~~~~~~~~~~~
A typical invocation of ``delv`` looks like:
::
delv @server name type
where:
``server``
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, ``delv`` resolves that name before querying that name
server (note, however, that this initial lookup is *not* validated by
DNSSEC).
If no ``server`` argument is provided, ``delv`` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the ``-4`` or ``-6``
options are in use, then only addresses for the corresponding
transport will be tried. If no usable addresses are found, ``delv``
will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
``name``
is the domain name to be looked up.
``type``
indicates what type of query is required MDASH ANY, A, MX, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, ``delv`` will perform a lookup for an A record.
Options
~~~~~~~
**-a** anchor-file
Specifies a file from which to read DNSSEC trust anchors. The default
is ``/etc/bind.keys``, which is included with BIND 9 and contains one
or more trust anchors for the root zone (".").
Keys that do not match the root zone name are ignored. An alternate
key name can be specified using the ``+root=NAME`` options.
Note: When reading the trust anchor file, ``delv`` treat ``trust-anchors``
``initial-key`` and ``static-key`` identically. That is, for a managed key,
it is the *initial* key that is trusted; :rfc:`5011` key management is not
supported. ``delv`` will not consult the managed-keys database maintained by
``named``. This means that if either of the keys in ``/etc/bind.keys`` is
revoked and rolled over, it will be necessary to update ``/etc/bind.keys`` to
use DNSSEC validation in ``delv``.
**-b** address
Sets the source IP address of the query to ``address``. This must be
a valid address on one of the host's network interfaces or "0.0.0.0"
or "::". An optional source port may be specified by appending
"#<port>"
**-c** class
Sets the query class for the requested data. Currently, only class
"IN" is supported in ``delv`` and any other value is ignored.
**-d** level
Set the systemwide debug level to ``level``. The allowed range is
from 0 to 99. The default is 0 (no debugging). Debugging traces from
``delv`` become more verbose as the debug level increases. See the
``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
additional debugging details.
**-h**
Display the ``delv`` help usage output and exit.
**-i**
Insecure mode. This disables internal DNSSEC validation. (Note,
however, this does not set the CD bit on upstream queries. If the
server being queried is performing DNSSEC validation, then it will
not return invalid data; this can cause ``delv`` to time out. When it
is necessary to examine invalid data to debug a DNSSEC problem, use
``dig +cd``.)
**-m**
Enables memory usage debugging.
**-p** port#
Specifies a destination port to use for queries instead of the
standard DNS port number 53. This option would be used with a name
server that has been configured to listen for queries on a
non-standard port number.
**-q** name
Sets the query name to ``name``. While the query name can be
specified without using the ``-q``, it is sometimes necessary to
disambiguate names from types or classes (for example, when looking
up the name "ns", which could be misinterpreted as the type NS, or
"ch", which could be misinterpreted as class CH).
**-t** type
Sets the query type to ``type``, which can be any valid query type
supported in BIND 9 except for zone transfer types AXFR and IXFR. As
with ``-q``, this is useful to distinguish query name type or class
when they are ambiguous. it is sometimes necessary to disambiguate
names from types.
The default query type is "A", unless the ``-x`` option is supplied
to indicate a reverse lookup, in which case it is "PTR".
**-v**
Print the ``delv`` version and exit.
**-x** addr
Performs a reverse lookup, mapping an addresses to a name. ``addr``
is an IPv4 address in dotted-decimal notation, or a colon-delimited
IPv6 address. When ``-x`` is used, there is no need to provide the
``name`` or ``type`` arguments. ``delv`` automatically performs a
lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
query type to PTR. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
**-4**
Forces ``delv`` to only use IPv4.
**-6**
Forces ``delv`` to only use IPv6.
Query Options
~~~~~~~~~~~~~
``delv`` provides a number of query options which affect the way results
are displayed, and in some cases the way lookups are performed.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option. These may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options like the timeout interval. They have the form
``+keyword=value``. The query options are:
``+[no]cdflag``
Controls whether to set the CD (checking disabled) bit in queries
sent by ``delv``. This may be useful when troubleshooting DNSSEC
problems from behind a validating resolver. A validating resolver
will block invalid responses, making it difficult to retrieve them
for analysis. Setting the CD flag on queries will cause the resolver
to return invalid responses, which ``delv`` can then validate
internally and report the errors in detail.
``+[no]class``
Controls whether to display the CLASS when printing a record. The
default is to display the CLASS.
``+[no]ttl``
Controls whether to display the TTL when printing a record. The
default is to display the TTL.
``+[no]rtrace``
Toggle resolver fetch logging. This reports the name and type of each
query sent by ``delv`` in the process of carrying out the resolution
and validation process: this includes including the original query
and all subsequent queries to follow CNAMEs and to establish a chain
of trust for DNSSEC validation.
This is equivalent to setting the debug level to 1 in the "resolver"
logging category. Setting the systemwide debug level to 1 using the
``-d`` option will product the same output (but will affect other
logging categories as well).
``+[no]mtrace``
Toggle message logging. This produces a detailed dump of the
responses received by ``delv`` in the process of carrying out the
resolution and validation process.
This is equivalent to setting the debug level to 10 for the "packets"
module of the "resolver" logging category. Setting the systemwide
debug level to 10 using the ``-d`` option will produce the same
output (but will affect other logging categories as well).
``+[no]vtrace``
Toggle validation logging. This shows the internal process of the
validator as it determines whether an answer is validly signed,
unsigned, or invalid.
This is equivalent to setting the debug level to 3 for the
"validator" module of the "dnssec" logging category. Setting the
systemwide debug level to 3 using the ``-d`` option will produce the
same output (but will affect other logging categories as well).
``+[no]short``
Provide a terse answer. The default is to print the answer in a
verbose form.
``+[no]comments``
Toggle the display of comment lines in the output. The default is to
print comments.
``+[no]rrcomments``
Toggle the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
to print per-record comments.
``+[no]crypto``
Toggle the display of cryptographic fields in DNSSEC records. The
contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted
they are replaced by the string "[omitted]" or in the DNSKEY case the
key id is displayed as the replacement, e.g. "[ key id = value ]".
``+[no]trust``
Controls whether to display the trust level when printing a record.
The default is to display the trust level.
``+[no]split[=W]``
Split long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
``+[no]all``
Set or clear the display options ``+[no]comments``,
``+[no]rrcomments``, and ``+[no]trust`` as a group.
``+[no]multiline``
Print long records (such as RRSIG, DNSKEY, and SOA records) in a
verbose multi-line format with human-readable comments. The default
is to print each record on a single line, to facilitate machine
parsing of the ``delv`` output.
``+[no]dnssec``
Indicates whether to display RRSIG records in the ``delv`` output.
The default is to do so. Note that (unlike in ``dig``) this does
*not* control whether to request DNSSEC records or whether to
validate them. DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of ``-i`` or
``+noroot``.
``+[no]root[=ROOT]``
Indicates whether to perform conventional DNSSEC validation, and if so,
specifies the name of a trust anchor. The default is to validate using a
trust anchor of "." (the root zone), for which there is a built-in key. If
specifying a different trust anchor, then ``-a`` must be used to specify a
file containing the key.
``+[no]tcp``
Controls whether to use TCP when sending queries. The default is to
use UDP unless a truncated response has been received.
``+[no]unknownformat``
Print all RDATA in unknown RR type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
``+[no]yaml``
Print response data in YAML format.
Files
~~~~~
``/etc/bind.keys``
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.

853
bin/dig/dig.1
View file

@ -1,853 +0,0 @@
.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dig
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-19
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DIG" "1" "2014\-02\-19" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dig \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [\fB\-h\fR]
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [global\-queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdig\fR
is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
\fBdig\fR
to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
\fBdig\fR\&.
.PP
Although
\fBdig\fR
is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file\&. A brief summary of its command\-line arguments and options is printed when the
\fB\-h\fR
option is given\&. Unlike earlier versions, the BIND 9 implementation of
\fBdig\fR
allows multiple lookups to be issued from the command line\&.
.PP
Unless it is told to query a specific name server,
\fBdig\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdig\fR
will send the query to the local host\&.
.PP
When no command line arguments or options are given,
\fBdig\fR
will perform an NS query for "\&." (the root)\&.
.PP
It is possible to set per\-user defaults for
\fBdig\fR
via
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
\fB\-r\fR
option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
and
\fB\-c\fR
options to specify the type and class, use the
\fB\-q\fR
the specify the domain name, or use "IN\&." and "CH\&." when looking up these top level domains\&.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdig\fR
looks like:
.sp
.if n \{\
.RS 4
.\}
.nf
dig @server name type
.fi
.if n \{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdig\fR
resolves that name before querying that name server\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdig\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdig\fR
will send the query to the local host\&. The reply from the name server that responds is displayed\&.
.RE
.PP
\fBname\fR
.RS 4
is the name of the resource record that is to be looked up\&.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, SIG, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdig\fR
will perform a lookup for an A record\&.
.RE
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only\&.
.RE
.PP
\-b \fIaddress\fR\fI[#port]\fR
.RS 4
Set the source IP address of the query\&. The
\fIaddress\fR
must be a valid address on one of the host\*(Aqs network interfaces, or "0\&.0\&.0\&.0" or "::"\&. An optional port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS 4
Set the query class\&. The default
\fIclass\fR
is IN; other classes are HS for Hesiod records or CH for Chaosnet records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Batch mode:
\fBdig\fR
reads a list of lookup requests to process from the given
\fIfile\fR\&. Each line in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface\&.
.RE
.PP
\-k \fIkeyfile\fR
.RS 4
Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
\fBtsig-keygen\fR(8)\&. When using TSIG authentication with
\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used\&. In BIND, this is done by providing appropriate
\fBkey\fR
and
\fBserver\fR
statements in
named\&.conf\&.
.RE
.PP
\-m
.RS 4
Enable memory usage debugging\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Send the query to a non\-standard port on the server, instead of the default port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS 4
The domain name to query\&. This is useful to distinguish the
\fIname\fR
from other arguments\&.
.RE
.PP
\-r
.RS 4
Do not read options from
${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
.RE
.PP
\-t \fItype\fR
.RS 4
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
\fItype\fR
to
ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
\fIN\fR\&.
.sp
All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
.RE
.PP
\-u
.RS 4
Print query times in microseconds instead of milliseconds\&.
.RE
.PP
\-v
.RS 4
Print the version number and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS 4
Simplified reverse lookups, for mapping addresses to names\&. The
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When the
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR,
\fIclass\fR
and
\fItype\fR
arguments\&.
\fBdig\fR
automatically performs a lookup for a name like
94\&.2\&.0\&.192\&.in\-addr\&.arpa
and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-y \fI[hmac:]\fR\fIkeyname:secret\fR
.RS 4
Sign queries using TSIG with the given authentication key\&.
\fIkeyname\fR
is the name of the key, and
\fIsecret\fR
is the base64 encoded shared secret\&.
\fIhmac\fR
is the name of the key algorithm; valid choices are
hmac\-md5,
hmac\-sha1,
hmac\-sha224,
hmac\-sha256,
hmac\-sha384, or
hmac\-sha512\&. If
\fIhmac\fR
is not specified, the default is
hmac\-md5
or if MD5 was disabled
hmac\-sha256\&.
.sp
NOTE: You should use the
\fB\-k\fR
option and avoid the
\fB\-y\fR
option, because with
\fB\-y\fR
the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
\fBps\fR(1)
or in a history file maintained by the user\*(Aqs shell\&.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdig\fR
provides a number of query options which affect the way in which lookups are made and the results displayed\&. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
+cd
is equivalent to
+cdflag\&. The query options are:
.PP
\fB+[no]aaflag\fR
.RS 4
A synonym for
\fI+[no]aaonly\fR\&.
.RE
.PP
\fB+[no]aaonly\fR
.RS 4
Sets the "aa" flag in the query\&.
.RE
.PP
\fB+[no]additional\fR
.RS 4
Display [do not display] the additional section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]adflag\fR
.RS 4
Set [do not set] the AD (authentic data) bit in the query\&. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server\&. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range\&. AD=0 indicate that some part of the answer was insecure or not validated\&. This bit is set by default\&.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear all display flags\&.
.RE
.PP
\fB+[no]answer\fR
.RS 4
Display [do not display] the answer section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]authority\fR
.RS 4
Display [do not display] the authority section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]badcookie\fR
.RS 4
Retry lookup with the new server cookie if a BADCOOKIE response is received\&.
.RE
.PP
\fB+[no]besteffort\fR
.RS 4
Attempt to display the contents of messages which are malformed\&. The default is to not display malformed answers\&.
.RE
.PP
\fB+bufsize=B\fR
.RS 4
Set the UDP message buffer size advertised using EDNS0 to
\fIB\fR
bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0 respectively\&. Values outside this range are rounded up or down appropriately\&. Values other than zero will cause a EDNS query to be sent\&.
.RE
.PP
\fB+[no]cdflag\fR
.RS 4
Set [do not set] the CD (checking disabled) bit in the query\&. This requests the server to not perform DNSSEC validation of responses\&.
.RE
.PP
\fB+[no]class\fR
.RS 4
Display [do not display] the CLASS when printing the record\&.
.RE
.PP
\fB+[no]cmd\fR
.RS 4
Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR
and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
.sp
Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
\fB+[no]cmd\fR,
\fB+[no]question\fR,
\fB+[no]stats\fR, and
\fB+[no]rrcomments\fR\&.
.RE
.PP
\fB+[no]cookie\fR\fB[=####]\fR
.RS 4
Send a COOKIE EDNS option, with optional value\&. Replaying a COOKIE from a previous response will allow the server to identify a previous client\&. The default is
\fB+cookie\fR\&.
.sp
\fB+cookie\fR
is also set when +trace is set to better emulate the default queries from a nameserver\&.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]defname\fR
.RS 4
Deprecated, treated as a synonym for
\fI+[no]search\fR
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query\&.
.RE
.PP
\fB+domain=somename\fR
.RS 4
Set the search list to contain the single domain
\fIsomename\fR, as if specified in a
\fBdomain\fR
directive in
/etc/resolv\&.conf, and enable search list processing as if the
\fI+search\fR
option were given\&.
.RE
.PP
\fB+dscp=value\fR
.RS 4
Set the DSCP code point to be used when sending the query\&. Valid DSCP code points are in the range [0\&.\&.63]\&. By default no code point is explicitly set\&.
.RE
.PP
\fB+[no]edns[=#]\fR
.RS 4
Specify the EDNS version to query with\&. Valid values are 0 to 255\&. Setting the EDNS version will cause a EDNS query to be sent\&.
\fB+noedns\fR
clears the remembered EDNS version\&. EDNS is set to 0 by default\&.
.RE
.PP
\fB+[no]ednsflags[=#]\fR
.RS 4
Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value\&. Decimal, hex and octal encodings are accepted\&. Setting a named flag (e\&.g\&. DO) will silently be ignored\&. By default, no Z bits are set\&.
.RE
.PP
\fB+[no]ednsnegotiation\fR
.RS 4
Enable / disable EDNS version negotiation\&. By default EDNS version negotiation is enabled\&.
.RE
.PP
\fB+[no]ednsopt[=code[:value]]\fR
.RS 4
Specify EDNS option with code point
\fBcode\fR
and optionally payload of
\fBvalue\fR
as a hexadecimal string\&.
\fBcode\fR
can be either an EDNS option name (for example,
NSID
or
ECS), or an arbitrary numeric value\&.
\fB+noednsopt\fR
clears the EDNS options to be sent\&.
.RE
.PP
\fB+[no]expire\fR
.RS 4
Send an EDNS Expire option\&.
.RE
.PP
\fB+[no]expandaaaa\fR
.RS 4
When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
.RE
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
.RE
.PP
\fB+[no]header\-only\fR
.RS 4
Send a query with a DNS header without a question section\&. The default is to add a question section\&. The query type and query name are ignored when this is set\&.
.RE
.PP
\fB+[no]identify\fR
.RS 4
Show [or do not show] the IP address and port number that supplied the answer when the
\fI+short\fR
option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
.RE
.PP
\fB+[no]idnin\fR
.RS 4
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
.RS 4
Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
.RE
.PP
\fB+[no]keepalive\fR
.RS 4
Send [or do not send] an EDNS Keepalive option\&.
.RE
.PP
\fB+[no]keepopen\fR
.RS 4
Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup\&. The default is
\fB+nokeepopen\fR\&.
.RE
.PP
\fB+[no]mapped\fR
.RS 4
Allow mapped IPv4 over IPv6 addresses to be used\&. The default is
\fB+mapped\fR\&.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print records like the SOA records in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdig\fR
output\&.
.RE
.PP
\fB+ndots=D\fR
.RS 4
Set the number of dots that have to appear in
\fIname\fR
to
\fID\fR
for it to be considered absolute\&. The default value is that defined using the ndots statement in
/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
/etc/resolv\&.conf
if
\fB+search\fR
is set\&.
.RE
.PP
\fB+[no]nsid\fR
.RS 4
Include an EDNS name server ID request when sending a query\&.
.RE
.PP
\fB+[no]nssearch\fR
.RS 4
When this option is set,
\fBdig\fR
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&. Addresses of servers that that did not respond are also printed\&.
.RE
.PP
\fB+[no]onesoa\fR
.RS 4
Print only one (starting) SOA record when performing an AXFR\&. The default is to print both the starting and ending SOA records\&.
.RE
.PP
\fB+[no]opcode=value\fR
.RS 4
Set [restore] the DNS message opcode to the specified value\&. The default value is QUERY (0)\&.
.RE
.PP
\fB+padding=value\fR
.RS 4
Pad the size of the query packet using the EDNS Padding option to blocks of
\fIvalue\fR
bytes\&. For example,
\fB+padding=32\fR
would cause a 48\-byte query to be padded to 64 bytes\&. The default block size is 0, which disables padding\&. The maximum is 512\&. Values are ordinarily expected to be powers of two, such as 128; however, this is not mandatory\&. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE\&.
.RE
.PP
\fB+[no]qr\fR
.RS 4
Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE
.PP
\fB+[no]question\fR
.RS 4
Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE
.PP
\fB+[no]raflag\fR
.RS 4
Set [do not set] the RA (Recursion Available) bit in the query\&. The default is +noraflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]rdflag\fR
.RS 4
A synonym for
\fI+[no]recurse\fR\&.
.RE
.PP
\fB+[no]recurse\fR
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
option, and when using
\fI+trace\fR
except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR
.RS 4
Sets the number of times to retry UDP queries to server to
\fIT\fR
instead of the default, 2\&. Unlike
\fI+tries\fR, this does not include the initial query\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is not to print record comments unless multiline mode is active\&.
.RE
.PP
\fB+[no]search\fR
.RS 4
Use [do not use] the search list defined by the searchlist or domain directive in
resolv\&.conf
(if any)\&. The search list is not used by default\&.
.sp
\*(Aqndots\*(Aq from
resolv\&.conf
(default 1) which may be overridden by
\fI+ndots\fR
determines if the name will be treated as relative or not and hence whether a search is eventually performed or not\&.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE
.PP
\fB+[no]showsearch\fR
.RS 4
Perform [do not perform] a search showing intermediate results\&.
.RE
.PP
\fB+[no]sigchase\fR
.RS 4
This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+split=W\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]stats\fR
.RS 4
Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE
.PP
\fB+[no]subnet=addr[/prefix\-length]\fR
.RS 4
Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address or network prefix\&.
.sp
\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
\fBdig +subnet=0\fR
for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
\fInot\fR
be used when resolving this query\&.
.RE
.PP
\fB+[no]tcflag\fR
.RS 4
Set [do not set] the TC (TrunCation) bit in the query\&. The default is +notcflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless a type
any
or
ixfr=N
query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
.RE
.PP
\fB+timeout=T\fR
.RS 4
Sets the timeout for a query to
\fIT\fR
seconds\&. The default timeout is 5 seconds\&. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied\&.
.RE
.PP
\fB+[no]topdown\fR
.RS 4
This feature is related to
\fBdig +sigchase\fR, which is obsolete and has been removed\&. Use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]trace\fR
.RS 4
Toggle tracing of the delegation path from the root name servers for the name being looked up\&. Tracing is disabled by default\&. When tracing is enabled,
\fBdig\fR
makes iterative queries to resolve the name being looked up\&. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup\&.
.sp
If @server is also specified, it affects only the initial query for the root zone name servers\&.
.sp
\fB+dnssec\fR
is also set when +trace is set to better emulate the default queries from a nameserver\&.
.RE
.PP
\fB+tries=T\fR
.RS 4
Sets the number of times to try UDP queries to server to
\fIT\fR
instead of the default, 3\&. If
\fIT\fR
is less than or equal to zero, the number of tries is silently rounded up to 1\&.
.RE
.PP
\fB+trusted\-key=####\fR
.RS 4
Formerly specified trusted keys for use with
\fBdig +sigchase\fR\&. This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]ttlid\fR
.RS 4
Display [do not display] the TTL when printing the record\&.
.RE
.PP
\fB+[no]ttlunits\fR
.RS 4
Display [do not display] the TTL in friendly human\-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks\&. Implies +ttlid\&.
.RE
.PP
\fB+[no]unexpected\fR
.RS 4
Accept [do not accept] answers from unexpected sources\&. By default,
\fBdig\fR
won\*(Aqt accept a reply from a source other than the one to which it sent the query\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS 4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
.PP
\fB+[no]vc\fR
.RS 4
Use [do not use] TCP when querying name servers\&. This alternate syntax to
\fI+[no]tcp\fR
is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
.RE
.PP
\fB+[no]yaml\fR
.RS 4
Print the responses (and, if
\fB+qr\fR
is in use, also the outgoing queries) in a detailed YAML format\&.
.RE
.PP
\fB+[no]zflag\fR
.RS 4
Set [do not set] the last unassigned DNS header flag in a DNS query\&. This flag is off by default\&.
.RE
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of
\fBdig \fR
supports specifying multiple queries on the command line (in addition to supporting the
\fB\-f\fR
batch file option)\&. Each of those queries can be supplied with its own set of flags, options and query options\&.
.PP
In this case, each
\fIquery\fR
argument represent an individual query in the command\-line syntax described above\&. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query\&.
.PP
A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except
\fB+[no]cmd\fR
and
\fB+[no]short\fR
options) can be overridden by a query\-specific set of query options\&. For example:
.sp
.if n \{\
.RS 4
.\}
.nf
dig +qr www\&.isc\&.org any \-x 127\&.0\&.0\&.1 isc\&.org ns +noqr
.fi
.if n \{\
.RE
.\}
.sp
shows how
\fBdig\fR
could be used from the command line to make three lookups: an ANY query for
www\&.isc\&.org, a reverse lookup of 127\&.0\&.0\&.1 and a query for the NS records of
isc\&.org\&. A global query option of
\fI+qr\fR
is applied, so that
\fBdig\fR
shows the initial query it made for each lookup\&. The final query has a local query option of
\fI+noqr\fR
which means that
\fBdig\fR
will not print the initial query when it looks up the NS records for
isc\&.org\&.
.SH "IDN SUPPORT"
.PP
If
\fBdig\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBdig\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
\fI+noidnin\fR
and
\fI+noidnout\fR
or define the
\fBIDN_DISABLE\fR
environment variable\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.PP
${HOME}/\&.digrc
.SH "SEE ALSO"
.PP
\fBdelv\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8),
\fBdnssec-keygen\fR(8),
RFC 1035\&.
.SH "BUGS"
.PP
There are probably too many query options\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

1431
bin/dig/dig.docbook
View file

File diff suppressed because it is too large Load diff

1155
bin/dig/dig.html
View file

File diff suppressed because it is too large Load diff

634
bin/dig/dig.rst Normal file
View file

@ -0,0 +1,634 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dig:
dig - DNS lookup utility
----------------------------------
Synopsis
~~~~~~~~
:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
:program:`dig` [**-h**]
:program:`dig` [global-queryopt...] [query...]
Description
~~~~~~~~~~~
``dig`` is a flexible tool for interrogating DNS name servers. It
performs DNS lookups and displays the answers that are returned from the
name server(s) that were queried. Most DNS administrators use ``dig`` to
troubleshoot DNS problems because of its flexibility, ease of use and
clarity of output. Other lookup tools tend to have less functionality
than ``dig``.
Although ``dig`` is normally used with command-line arguments, it also
has a batch mode of operation for reading lookup requests from a file. A
brief summary of its command-line arguments and options is printed when
the ``-h`` option is given. Unlike earlier versions, the BIND 9
implementation of ``dig`` allows multiple lookups to be issued from the
command line.
Unless it is told to query a specific name server, ``dig`` will try each
of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, ``dig`` will send the query to the local host.
When no command line arguments or options are given, ``dig`` will
perform an NS query for "." (the root).
It is possible to set per-user defaults for ``dig`` via
``${HOME}/.digrc``. This file is read and any options in it are applied
before the command line arguments. The ``-r`` option disables this
feature, for scripts that need predictable behaviour.
The IN and CH class names overlap with the IN and CH top level domain
names. Either use the ``-t`` and ``-c`` options to specify the type and
class, use the ``-q`` the specify the domain name, or use "IN." and
"CH." when looking up these top level domains.
Simple Usage
~~~~~~~~~~~~
A typical invocation of ``dig`` looks like:
::
dig @server name type
where:
``server``
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, ``dig`` resolves that name before querying that name
server.
If no ``server`` argument is provided, ``dig`` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the ``-4`` or ``-6``
options are in use, then only addresses for the corresponding
transport will be tried. If no usable addresses are found, ``dig``
will send the query to the local host. The reply from the name server
that responds is displayed.
``name``
is the name of the resource record that is to be looked up.
``type``
indicates what type of query is required MDASH ANY, A, MX, SIG, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, ``dig`` will perform a lookup for an A record.
Options
~~~~~~~
**-4**
Use IPv4 only.
**-6**
Use IPv6 only.
**-b** address[#port]
Set the source IP address of the query. The ``address`` must be a
valid address on one of the host's network interfaces, or "0.0.0.0"
or "::". An optional port may be specified by appending "#<port>"
**-c** class
Set the query class. The default ``class`` is IN; other classes are
HS for Hesiod records or CH for Chaosnet records.
**-f** file
Batch mode: ``dig`` reads a list of lookup requests to process from
the given ``file``. Each line in the file should be organized in the
same way they would be presented as queries to ``dig`` using the
command-line interface.
**-k** keyfile
Sign queries using TSIG using a key read from the given file. Key
files can be generated using tsig-keygen8. When using TSIG
authentication with ``dig``, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is done
by providing appropriate ``key`` and ``server`` statements in
``named.conf``.
**-m**
Enable memory usage debugging.
**-p** port
Send the query to a non-standard port on the server, instead of the
default port 53. This option would be used to test a name server that
has been configured to listen for queries on a non-standard port
number.
**-q** name
The domain name to query. This is useful to distinguish the ``name``
from other arguments.
**-r**
Do not read options from ``${HOME}/.digrc``. This is useful for
scripts that need predictable behaviour.
**-t** type
The resource record type to query. It can be any valid query type. If
it is a resource record type supported in BIND 9, it can be given by
the type mnemonic (such as "NS" or "AAAA"). The default query type is
"A", unless the ``-x`` option is supplied to indicate a reverse
lookup. A zone transfer can be requested by specifying a type of
AXFR. When an incremental zone transfer (IXFR) is required, set the
``type`` to ``ixfr=N``. The incremental zone transfer will contain
the changes made to the zone since the serial number in the zone's
SOA record was ``N``.
All resource record types can be expressed as "TYPEnn", where "nn" is
the number of the type. If the resource record type is not supported
in BIND 9, the result will be displayed as described in :rfc:`3597`.
**-u**
Print query times in microseconds instead of milliseconds.
**-v**
Print the version number and exit.
**-x** addr
Simplified reverse lookups, for mapping addresses to names. The
``addr`` is an IPv4 address in dotted-decimal notation, or a
colon-delimited IPv6 address. When the ``-x`` is used, there is no
need to provide the ``name``, ``class`` and ``type`` arguments.
``dig`` automatically performs a lookup for a name like
``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
and IN respectively. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
**-y** [hmac:]keyname:secret
Sign queries using TSIG with the given authentication key.
``keyname`` is the name of the key, and ``secret`` is the base64
encoded shared secret. ``hmac`` is the name of the key algorithm;
valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
not specified, the default is ``hmac-md5`` or if MD5 was disabled
``hmac-sha256``.
.. note:: You should use the ``-k`` option and avoid the ``-y`` option,
because with ``-y`` the shared secret is supplied as a command line
argument in clear text. This may be visible in the output from ps1 or
in a history file maintained by the user's shell.
Query Options
~~~~~~~~~~~~~
``dig`` provides a number of query options which affect the way in which
lookups are made and the results displayed. Some of these set or reset
flag bits in the query header, some determine which sections of the
answer get printed, and others determine the timeout and retry
strategies.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option. These may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options like the timeout interval. They have the form
``+keyword=value``. Keywords may be abbreviated, provided the
abbreviation is unambiguous; for example, ``+cd`` is equivalent to
``+cdflag``. The query options are:
``+[no]aaflag``
A synonym for ``+[no]aaonly``.
``+[no]aaonly``
Sets the "aa" flag in the query.
``+[no]additional``
Display [do not display] the additional section of a reply. The
default is to display it.
``+[no]adflag``
Set [do not set] the AD (authentic data) bit in the query. This
requests the server to return whether all of the answer and authority
sections have all been validated as secure according to the security
policy of the server. AD=1 indicates that all records have been
validated as secure and the answer is not from a OPT-OUT range. AD=0
indicate that some part of the answer was insecure or not validated.
This bit is set by default.
``+[no]all``
Set or clear all display flags.
``+[no]answer``
Display [do not display] the answer section of a reply. The default
is to display it.
``+[no]authority``
Display [do not display] the authority section of a reply. The
default is to display it.
``+[no]badcookie``
Retry lookup with the new server cookie if a BADCOOKIE response is
received.
``+[no]besteffort``
Attempt to display the contents of messages which are malformed. The
default is to not display malformed answers.
``+bufsize=B``
Set the UDP message buffer size advertised using EDNS0 to ``B``
bytes. The maximum and minimum sizes of this buffer are 65535 and 0
respectively. Values outside this range are rounded up or down
appropriately. Values other than zero will cause a EDNS query to be
sent.
``+[no]cdflag``
Set [do not set] the CD (checking disabled) bit in the query. This
requests the server to not perform DNSSEC validation of responses.
``+[no]class``
Display [do not display] the CLASS when printing the record.
``+[no]cmd``
Toggles the printing of the initial comment in the output, identifying the
version of ``dig`` and the query options that have been applied. This option
always has global effect; it cannot be set globally and then overridden on a
per-lookup basis. The default is to print this comment.
``+[no]comments``
Toggles the display of some comment lines in the output, containing
information about the packet header and OPT pseudosection, and the names of
the response section. The default is to print these comments.
Other types of comments in the output are not affected by this option, but
can be controlled using other command line switches. These include
``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
``+[no]cookie=####``
Send a COOKIE EDNS option, with optional value. Replaying a COOKIE
from a previous response will allow the server to identify a previous
client. The default is ``+cookie``.
``+cookie`` is also set when +trace is set to better emulate the
default queries from a nameserver.
``+[no]crypto``
Toggle the display of cryptographic fields in DNSSEC records. The
contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted
they are replaced by the string "[omitted]" or in the DNSKEY case the
key id is displayed as the replacement, e.g. "[ key id = value ]".
``+[no]defname``
Deprecated, treated as a synonym for ``+[no]search``
``+[no]dnssec``
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in
the OPT record in the additional section of the query.
``+domain=somename``
Set the search list to contain the single domain ``somename``, as if
specified in a ``domain`` directive in ``/etc/resolv.conf``, and
enable search list processing as if the ``+search`` option were
given.
``+dscp=value``
Set the DSCP code point to be used when sending the query. Valid DSCP
code points are in the range [0..63]. By default no code point is
explicitly set.
``+[no]edns[=#]``
Specify the EDNS version to query with. Valid values are 0 to 255.
Setting the EDNS version will cause a EDNS query to be sent.
``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
default.
``+[no]ednsflags[=#]``
Set the must-be-zero EDNS flags bits (Z bits) to the specified value.
Decimal, hex and octal encodings are accepted. Setting a named flag
(e.g. DO) will silently be ignored. By default, no Z bits are set.
``+[no]ednsnegotiation``
Enable / disable EDNS version negotiation. By default EDNS version
negotiation is enabled.
``+[no]ednsopt[=code[:value]]``
Specify EDNS option with code point ``code`` and optionally payload
of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
option name (for example, ``NSID`` or ``ECS``), or an arbitrary
numeric value. ``+noednsopt`` clears the EDNS options to be sent.
``+[no]expire``
Send an EDNS Expire option.
``+[no]fail``
Do not try the next server if you receive a SERVFAIL. The default is
to not try the next server which is the reverse of normal stub
resolver behavior.
``+[no]header-only``
Send a query with a DNS header without a question section. The
default is to add a question section. The query type and query name
are ignored when this is set.
``+[no]identify``
Show [or do not show] the IP address and port number that supplied
the answer when the ``+short`` option is enabled. If short form
answers are requested, the default is not to show the source address
and port number of the server that provided the answer.
``+[no]idnin``
Process [do not process] IDN domain names on input. This requires IDN
SUPPORT to have been enabled at compile time.
The default is to process IDN input when standard output is a tty.
The IDN processing on input is disabled when dig output is redirected
to files, pipes, and other non-tty file descriptors.
``+[no]idnout``
Convert [do not convert] puny code on output. This requires IDN
SUPPORT to have been enabled at compile time.
The default is to process puny code on output when standard output is
a tty. The puny code processing on output is disabled when dig output
is redirected to files, pipes, and other non-tty file descriptors.
``+[no]ignore``
Ignore truncation in UDP responses instead of retrying with TCP. By
default, TCP retries are performed.
``+[no]keepalive``
Send [or do not send] an EDNS Keepalive option.
``+[no]keepopen``
Keep the TCP socket open between queries and reuse it rather than
creating a new TCP socket for each lookup. The default is
``+nokeepopen``.
``+[no]mapped``
Allow mapped IPv4 over IPv6 addresses to be used. The default is
``+mapped``.
``+[no]multiline``
Print records like the SOA records in a verbose multi-line format
with human-readable comments. The default is to print each record on
a single line, to facilitate machine parsing of the ``dig`` output.
``+ndots=D``
Set the number of dots that have to appear in ``name`` to ``D`` for
it to be considered absolute. The default value is that defined using
the ndots statement in ``/etc/resolv.conf``, or 1 if no ndots
statement is present. Names with fewer dots are interpreted as
relative names and will be searched for in the domains listed in the
``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
``+search`` is set.
``+[no]nsid``
Include an EDNS name server ID request when sending a query.
``+[no]nssearch``
When this option is set, ``dig`` attempts to find the authoritative
name servers for the zone containing the name being looked up and
display the SOA record that each name server has for the zone.
Addresses of servers that that did not respond are also printed.
``+[no]onesoa``
Print only one (starting) SOA record when performing an AXFR. The
default is to print both the starting and ending SOA records.
``+[no]opcode=value``
Set [restore] the DNS message opcode to the specified value. The
default value is QUERY (0).
``+padding=value``
Pad the size of the query packet using the EDNS Padding option to
blocks of ``value`` bytes. For example, ``+padding=32`` would cause a
48-byte query to be padded to 64 bytes. The default block size is 0,
which disables padding. The maximum is 512. Values are ordinarily
expected to be powers of two, such as 128; however, this is not
mandatory. Responses to padded queries may also be padded, but only
if the query uses TCP or DNS COOKIE.
``+[no]qr``
Toggles the display of the query message as it is sent. By default, the query
is not printed.
``+[no]question``
Toggles the display of the question section of a query when an answer is
returned. The default is to print the question section as a comment.
``+[no]raflag``
Set [do not set] the RA (Recursion Available) bit in the query. The
default is +noraflag. This bit should be ignored by the server for
QUERY.
``+[no]rdflag``
A synonym for ``+[no]recurse``.
``+[no]recurse``
Toggle the setting of the RD (recursion desired) bit in the query.
This bit is set by default, which means ``dig`` normally sends
recursive queries. Recursion is automatically disabled when the
``+nssearch`` or ``+trace`` query options are used.
``+retry=T``
Sets the number of times to retry UDP queries to server to ``T``
instead of the default, 2. Unlike ``+tries``, this does not include
the initial query.
``+[no]rrcomments``
Toggle the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
not to print record comments unless multiline mode is active.
``+[no]search``
Use [do not use] the search list defined by the searchlist or domain
directive in ``resolv.conf`` (if any). The search list is not used by
default.
'ndots' from ``resolv.conf`` (default 1) which may be overridden by
``+ndots`` determines if the name will be treated as relative or not
and hence whether a search is eventually performed or not.
``+[no]short``
Provide a terse answer. The default is to print the answer in a verbose
form. This option always has global effect; it cannot be set globally and
then overridden on a per-lookup basis.
``+[no]showsearch``
Perform [do not perform] a search showing intermediate results.
``+[no]sigchase``
This feature is now obsolete and has been removed; use ``delv``
instead.
``+split=W``
Split long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
``+[no]stats``
Toggles the printing of statistics: when the query was made, the size of the
reply and so on. The default behavior is to print the query statistics as a
comment after each lookup.
``+[no]subnet=addr[/prefix-length]``
Send (don't send) an EDNS Client Subnet option with the specified IP
address or network prefix.
``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
sends an EDNS CLIENT-SUBNET option with an empty address and a source
prefix-length of zero, which signals a resolver that the client's
address information must *not* be used when resolving this query.
``+[no]tcflag``
Set [do not set] the TC (TrunCation) bit in the query. The default is
+notcflag. This bit should be ignored by the server for QUERY.
``+[no]tcp``
Use [do not use] TCP when querying name servers. The default behavior
is to use UDP unless a type ``any`` or ``ixfr=N`` query is requested,
in which case the default is TCP. AXFR queries always use TCP.
``+timeout=T``
Sets the timeout for a query to ``T`` seconds. The default timeout is
5 seconds. An attempt to set ``T`` to less than 1 will result in a
query timeout of 1 second being applied.
``+[no]topdown``
This feature is related to ``dig +sigchase``, which is obsolete and
has been removed. Use ``delv`` instead.
``+[no]trace``
Toggle tracing of the delegation path from the root name servers for
the name being looked up. Tracing is disabled by default. When
tracing is enabled, ``dig`` makes iterative queries to resolve the
name being looked up. It will follow referrals from the root servers,
showing the answer from each server that was used to resolve the
lookup.
If @server is also specified, it affects only the initial query for
the root zone name servers.
``+dnssec`` is also set when +trace is set to better emulate the
default queries from a nameserver.
``+tries=T``
Sets the number of times to try UDP queries to server to ``T``
instead of the default, 3. If ``T`` is less than or equal to zero,
the number of tries is silently rounded up to 1.
``+trusted-key=####``
Formerly specified trusted keys for use with ``dig +sigchase``. This
feature is now obsolete and has been removed; use ``delv`` instead.
``+[no]ttlid``
Display [do not display] the TTL when printing the record.
``+[no]ttlunits``
Display [do not display] the TTL in friendly human-readable time
units of "s", "m", "h", "d", and "w", representing seconds, minutes,
hours, days and weeks. Implies +ttlid.
``+[no]unexpected``
Accept [do not accept] answers from unexpected sources. By default, ``dig``
won't accept a reply from a source other than the one to which it sent the
query.
``+[no]unknownformat``
Print all RDATA in unknown RR type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
``+[no]vc``
Use [do not use] TCP when querying name servers. This alternate
syntax to ``+[no]tcp`` is provided for backwards compatibility. The
"vc" stands for "virtual circuit".
``+[no]yaml``
Print the responses (and, if <option>+qr</option> is in use, also the
outgoing queries) in a detailed YAML format.
``+[no]zflag``
Set [do not set] the last unassigned DNS header flag in a DNS query.
This flag is off by default.
Multiple Queries
~~~~~~~~~~~~~~~~
The BIND 9 implementation of ``dig`` supports specifying multiple
queries on the command line (in addition to supporting the ``-f`` batch
file option). Each of those queries can be supplied with its own set of
flags, options and query options.
In this case, each ``query`` argument represent an individual query in
the command-line syntax described above. Each consists of any of the
standard options and flags, the name to be looked up, an optional query
type and class and any query options that should be applied to that
query.
A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the first
tuple of name, class, type, options, flags, and query options supplied
on the command line. Any global query options (except ``+[no]cmd`` and
``+[no]short`` options) can be overridden by a query-specific set of
query options. For example:
::
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
shows how ``dig`` could be used from the command line to make three
lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1
and a query for the NS records of ``isc.org``. A global query option of
``+qr`` is applied, so that ``dig`` shows the initial query it made for
each lookup. The final query has a local query option of ``+noqr`` which
means that ``dig`` will not print the initial query when it looks up the
NS records for ``isc.org``.
IDN Support
~~~~~~~~~~~
If ``dig`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``dig``
appropriately converts character encoding of domain name before sending
a request to DNS server or displaying a reply from the server. If you'd
like to turn off the IDN support for some reason, use parameters
``+noidnin`` and ``+noidnout`` or define the IDN_DISABLE environment
variable.
Files
~~~~~
``/etc/resolv.conf``
``${HOME}/.digrc``
See Also
~~~~~~~~
:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
Bugs
~~~~
There are probably too many query options.

278
bin/dig/host.1
View file

@ -1,278 +0,0 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: host
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2009-01-20
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "HOST" "1" "2009\-01\-20" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
host \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBhost\fR\ 'u
\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
.SH "DESCRIPTION"
.PP
\fBhost\fR
is a simple utility for performing DNS lookups\&. It is normally used to convert names to IP addresses and vice versa\&. When no arguments or options are given,
\fBhost\fR
prints a short summary of its command line arguments and options\&.
.PP
\fIname\fR
is the domain name that is to be looked up\&. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
\fBhost\fR
will by default perform a reverse lookup for that address\&.
\fIserver\fR
is an optional argument which is either the name or IP address of the name server that
\fBhost\fR
should query instead of the server or servers listed in
/etc/resolv\&.conf\&.
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only for query transport\&. See also the
\fB\-6\fR
option\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only for query transport\&. See also the
\fB\-4\fR
option\&.
.RE
.PP
\-a
.RS 4
"All"\&. The
\fB\-a\fR
option is normally equivalent to
\fB\-v \-t \fR\fBANY\fR\&. It also affects the behaviour of the
\fB\-l\fR
list zone option\&.
.RE
.PP
\-A
.RS 4
"Almost all"\&. The
\fB\-A\fR
option is equivalent to
\fB\-a\fR
except RRSIG, NSEC, and NSEC3 records are omitted from the output\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records\&. The default class is IN (Internet)\&.
.RE
.PP
\-C
.RS 4
Check consistency:
\fBhost\fR
will query the SOA records for zone
\fIname\fR
from all the listed authoritative name servers for that zone\&. The list of name servers is defined by the NS records that are found for the zone\&.
.RE
.PP
\-d
.RS 4
Print debugging traces\&. Equivalent to the
\fB\-v\fR
verbose option\&.
.RE
.PP
\-l
.RS 4
List zone: The
\fBhost\fR
command performs a zone transfer of zone
\fIname\fR
and prints out the NS, PTR and address records (A/AAAA)\&.
.sp
Together, the
\fB\-l \-a\fR
options print all records in the zone\&.
.RE
.PP
\-N \fIndots\fR
.RS 4
The number of dots that have to be in
\fIname\fR
for it to be considered absolute\&. The default value is that defined using the ndots statement in
/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
/etc/resolv\&.conf\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Specify the port on the server to query\&. The default is 53\&.
.RE
.PP
\-r
.RS 4
Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
\fIname\fR\&. The
\fB\-r\fR
option enables
\fBhost\fR
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers\&.
.RE
.PP
\-R \fInumber\fR
.RS 4
Number of retries for UDP queries: If
\fInumber\fR
is negative or zero, the number of retries will default to 1\&. The default value is 1, or the value of the
\fIattempts\fR
option in
/etc/resolv\&.conf, if set\&.
.RE
.PP
\-s
.RS 4
Do
\fInot\fR
send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Query type: The
\fItype\fR
argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc\&.
.sp
When no query type is specified,
\fBhost\fR
automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records\&. If the
\fB\-C\fR
option is given, queries will be made for SOA records\&. If
\fIname\fR
is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
\fBhost\fR
will query for PTR records\&.
.sp
If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like
\fB\-t \fR\fBIXFR=12345678\fR)\&.
.RE
.PP
\-T, \-U
.RS 4
TCP/UDP: By default,
\fBhost\fR
uses UDP when making queries\&. The
\fB\-T\fR
option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&. Type ANY queries default to TCP but can be forced to UDP initially using
\fB\-U\fR\&.
.RE
.PP
\-m \fIflag\fR
.RS 4
Memory usage debugging: the flag can be
\fIrecord\fR,
\fIusage\fR, or
\fItrace\fR\&. You can specify the
\fB\-m\fR
option more than once to set multiple flags\&.
.RE
.PP
\-v
.RS 4
Verbose output\&. Equivalent to the
\fB\-d\fR
debug option\&. Verbose output can also be enabled by setting the
\fIdebug\fR
option in
/etc/resolv\&.conf\&.
.RE
.PP
\-V
.RS 4
Print the version number and exit\&.
.RE
.PP
\-w
.RS 4
Wait forever: The query timeout is set to the maximum possible\&. See also the
\fB\-W\fR
option\&.
.RE
.PP
\-W \fIwait\fR
.RS 4
Timeout: Wait for up to
\fIwait\fR
seconds for a reply\&. If
\fIwait\fR
is less than one, the wait interval is set to one second\&.
.sp
By default,
\fBhost\fR
will wait for 5 seconds for UDP responses and 10 seconds for TCP connections\&. These defaults can be overridden by the
\fItimeout\fR
option in
/etc/resolv\&.conf\&.
.sp
See also the
\fB\-w\fR
option\&.
.RE
.SH "IDN SUPPORT"
.PP
If
\fBhost\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBhost\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBhost\fR
runs\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

416
bin/dig/host.docbook
View file

@ -1,416 +0,0 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
<info>
<date>2009-01-20</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>host</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>host</refname>
<refpurpose>DNS lookup utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>host</command>
<arg choice="opt" rep="norepeat"><option>-aACdlnrsTUwv</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="port">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>host</command>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<command>host</command>
prints a short summary of its command line arguments and options.
</para>
<para><parameter>name</parameter> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <command>host</command> will by
default
perform a reverse lookup for that address.
<parameter>server</parameter> is an optional argument which
is either
the name or IP address of the name server that <command>host</command>
should query instead of the server or servers listed in
<filename>/etc/resolv.conf</filename>.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Use IPv4 only for query transport.
See also the <option>-6</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Use IPv6 only for query transport.
See also the <option>-4</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
<listitem>
<para>
"All". The <option>-a</option> option is normally equivalent
to <option>-v -t <literal>ANY</literal></option>.
It also affects the behaviour of the <option>-l</option>
list zone option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
"Almost all". The <option>-A</option> option is equivalent
to <option>-a</option> except RRSIG, NSEC, and NSEC3
records are omitted from the output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Query class: This can be used to lookup HS (Hesiod) or CH
(Chaosnet) class resource records. The default class is IN
(Internet).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Check consistency: <command>host</command> will query the
SOA records for zone <parameter>name</parameter> from all
the listed authoritative name servers for that zone. The
list of name servers is defined by the NS records that are
found for the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Print debugging traces.
Equivalent to the <option>-v</option> verbose option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>
List zone:
The <command>host</command> command performs a zone transfer of
zone <parameter>name</parameter> and prints out the NS,
PTR and address records (A/AAAA).
</para>
<para>
Together, the <option>-l -a</option>
options print all records in the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-N <replaceable class="parameter">ndots</replaceable></term>
<listitem>
<para>
The number of dots that have to be
in <parameter>name</parameter> for it to be considered
absolute. The default value is that defined using the
ndots statement in <filename>/etc/resolv.conf</filename>,
or 1 if no ndots statement is present. Names with fewer
dots are interpreted as relative names and will be
searched for in the domains listed in
the <type>search</type> or <type>domain</type> directive
in <filename>/etc/resolv.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Specify the port on the server to query. The default is 53.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Non-recursive query:
Setting this option clears the RD (recursion desired) bit
in the query. This should mean that the name server
receiving the query will not attempt to
resolve <parameter>name</parameter>.
The <option>-r</option> option
enables <command>host</command> to mimic the behavior of a
name server by making non-recursive queries and expecting
to receive answers to those queries that can be
referrals to other name servers.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">number</replaceable></term>
<listitem>
<para>
Number of retries for UDP queries:
If <parameter>number</parameter> is negative or zero, the
number of retries will default to 1. The default value is
1, or the value of the <parameter>attempts</parameter>
option in <filename>/etc/resolv.conf</filename>, if set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Do <emphasis>not</emphasis> send the query to the next
nameserver if any server responds with a SERVFAIL
response, which is the reverse of normal stub resolver
behavior.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Query type:
The <parameter>type</parameter> argument can be any
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
</para>
<para>
When no query type is specified, <command>host</command>
automatically selects an appropriate query type. By default, it
looks for A, AAAA, and MX records.
If the <option>-C</option> option is given, queries will
be made for SOA records.
If <parameter>name</parameter> is a dotted-decimal IPv4
address or colon-delimited IPv6
address, <command>host</command> will query for PTR
records.
</para>
<para>
If a query type of IXFR is chosen the starting serial
number can be specified by appending an equal followed by
the starting serial number
(like <option>-t <literal>IXFR=12345678</literal></option>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T</term>
<term>-U</term>
<listitem>
<para>
TCP/UDP:
By default, <command>host</command> uses UDP when making
queries. The <option>-T</option> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <option>-U</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Memory usage debugging: the flag can
be <parameter>record</parameter>, <parameter>usage</parameter>,
or <parameter>trace</parameter>. You can specify
the <option>-m</option> option more than once to set
multiple flags.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Verbose output.
Equivalent to the <option>-d</option> debug option.
Verbose output can also be enabled by setting
the <parameter>debug</parameter> option
in <filename>/etc/resolv.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Print the version number and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>
Wait forever: The query timeout is set to the maximum possible.
See also the <option>-W</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W <replaceable class="parameter">wait</replaceable></term>
<listitem>
<para>
Timeout: Wait for up to <parameter>wait</parameter>
seconds for a reply. If <parameter>wait</parameter> is
less than one, the wait interval is set to one second.
</para>
<para>
By default, <command>host</command> will wait for 5
seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by
the <parameter>timeout</parameter> option
in <filename>/etc/resolv.conf</filename>.
</para>
<para>
See also the <option>-w</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>host</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
</refentry>

339
bin/dig/host.html
View file

@ -1,339 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.host"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
host
&#8212; DNS lookup utility
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">host</code>
[<code class="option">-aACdlnrsTUwv</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-v</code>]
[<code class="option">-V</code>]
{name}
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<span class="command"><strong>host</strong></span>
prints a short summary of its command line arguments and options.
</p>
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
default
perform a reverse lookup for that address.
<em class="parameter"><code>server</code></em> is an optional argument which
is either
the name or IP address of the name server that <span class="command"><strong>host</strong></span>
should query instead of the server or servers listed in
<code class="filename">/etc/resolv.conf</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd>
<p>
Use IPv4 only for query transport.
See also the <code class="option">-6</code> option.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Use IPv6 only for query transport.
See also the <code class="option">-4</code> option.
</p>
</dd>
<dt><span class="term">-a</span></dt>
<dd>
<p>
"All". The <code class="option">-a</code> option is normally equivalent
to <code class="option">-v -t <code class="literal">ANY</code></code>.
It also affects the behaviour of the <code class="option">-l</code>
list zone option.
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
"Almost all". The <code class="option">-A</code> option is equivalent
to <code class="option">-a</code> except RRSIG, NSEC, and NSEC3
records are omitted from the output.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Query class: This can be used to lookup HS (Hesiod) or CH
(Chaosnet) class resource records. The default class is IN
(Internet).
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Check consistency: <span class="command"><strong>host</strong></span> will query the
SOA records for zone <em class="parameter"><code>name</code></em> from all
the listed authoritative name servers for that zone. The
list of name servers is defined by the NS records that are
found for the zone.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Print debugging traces.
Equivalent to the <code class="option">-v</code> verbose option.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
List zone:
The <span class="command"><strong>host</strong></span> command performs a zone transfer of
zone <em class="parameter"><code>name</code></em> and prints out the NS,
PTR and address records (A/AAAA).
</p>
<p>
Together, the <code class="option">-l -a</code>
options print all records in the zone.
</p>
</dd>
<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
<dd>
<p>
The number of dots that have to be
in <em class="parameter"><code>name</code></em> for it to be considered
absolute. The default value is that defined using the
ndots statement in <code class="filename">/etc/resolv.conf</code>,
or 1 if no ndots statement is present. Names with fewer
dots are interpreted as relative names and will be
searched for in the domains listed in
the <span class="type">search</span> or <span class="type">domain</span> directive
in <code class="filename">/etc/resolv.conf</code>.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Specify the port on the server to query. The default is 53.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Non-recursive query:
Setting this option clears the RD (recursion desired) bit
in the query. This should mean that the name server
receiving the query will not attempt to
resolve <em class="parameter"><code>name</code></em>.
The <code class="option">-r</code> option
enables <span class="command"><strong>host</strong></span> to mimic the behavior of a
name server by making non-recursive queries and expecting
to receive answers to those queries that can be
referrals to other name servers.
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Number of retries for UDP queries:
If <em class="parameter"><code>number</code></em> is negative or zero, the
number of retries will default to 1. The default value is
1, or the value of the <em class="parameter"><code>attempts</code></em>
option in <code class="filename">/etc/resolv.conf</code>, if set.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Do <span class="emphasis"><em>not</em></span> send the query to the next
nameserver if any server responds with a SERVFAIL
response, which is the reverse of normal stub resolver
behavior.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Query type:
The <em class="parameter"><code>type</code></em> argument can be any
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
</p>
<p>
When no query type is specified, <span class="command"><strong>host</strong></span>
automatically selects an appropriate query type. By default, it
looks for A, AAAA, and MX records.
If the <code class="option">-C</code> option is given, queries will
be made for SOA records.
If <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
address or colon-delimited IPv6
address, <span class="command"><strong>host</strong></span> will query for PTR
records.
</p>
<p>
If a query type of IXFR is chosen the starting serial
number can be specified by appending an equal followed by
the starting serial number
(like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
</p>
</dd>
<dt>
<span class="term">-T, </span><span class="term">-U</span>
</dt>
<dd>
<p>
TCP/UDP:
By default, <span class="command"><strong>host</strong></span> uses UDP when making
queries. The <code class="option">-T</code> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <code class="option">-U</code>.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
<p>
Memory usage debugging: the flag can
be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
or <em class="parameter"><code>trace</code></em>. You can specify
the <code class="option">-m</code> option more than once to set
multiple flags.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Verbose output.
Equivalent to the <code class="option">-d</code> debug option.
Verbose output can also be enabled by setting
the <em class="parameter"><code>debug</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Print the version number and exit.
</p>
</dd>
<dt><span class="term">-w</span></dt>
<dd>
<p>
Wait forever: The query timeout is set to the maximum possible.
See also the <code class="option">-W</code> option.
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
<dd>
<p>
Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
seconds for a reply. If <em class="parameter"><code>wait</code></em> is
less than one, the wait interval is set to one second.
</p>
<p>
By default, <span class="command"><strong>host</strong></span> will wait for 5
seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by
the <em class="parameter"><code>timeout</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p>
<p>
See also the <code class="option">-w</code> option.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>host</strong></span> runs.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div></body>
</html>

181
bin/dig/host.rst Normal file
View file

@ -0,0 +1,181 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_host:
host - DNS lookup utility
-------------------------
Synopsis
~~~~~~~~
:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
Description
~~~~~~~~~~~
``host`` is a simple utility for performing DNS lookups. It is normally
used to convert names to IP addresses and vice versa. When no arguments
or options are given, ``host`` prints a short summary of its command
line arguments and options.
``name`` is the domain name that is to be looked up. It can also be a
dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
case ``host`` will by default perform a reverse lookup for that address.
``server`` is an optional argument which is either the name or IP
address of the name server that ``host`` should query instead of the
server or servers listed in ``/etc/resolv.conf``.
Options
~~~~~~~
**-4**
Use IPv4 only for query transport. See also the ``-6`` option.
**-6**
Use IPv6 only for query transport. See also the ``-4`` option.
**-a**
"All". The ``-a`` option is normally equivalent to ``-v -t ANY``. It
also affects the behaviour of the ``-l`` list zone option.
**-A**
"Almost all". The ``-A`` option is equivalent to ``-a`` except RRSIG,
NSEC, and NSEC3 records are omitted from the output.
**-c** class
Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet)
class resource records. The default class is IN (Internet).
**-C**
Check consistency: ``host`` will query the SOA records for zone
``name`` from all the listed authoritative name servers for that
zone. The list of name servers is defined by the NS records that are
found for the zone.
**-d**
Print debugging traces. Equivalent to the ``-v`` verbose option.
**-l**
List zone: The ``host`` command performs a zone transfer of zone
``name`` and prints out the NS, PTR and address records (A/AAAA).
Together, the ``-l -a`` options print all records in the zone.
**-N** ndots
The number of dots that have to be in ``name`` for it to be
considered absolute. The default value is that defined using the
ndots statement in ``/etc/resolv.conf``, or 1 if no ndots statement
is present. Names with fewer dots are interpreted as relative names
and will be searched for in the domains listed in the ``search`` or
``domain`` directive in ``/etc/resolv.conf``.
**-p** port
Specify the port on the server to query. The default is 53.
**-r**
Non-recursive query: Setting this option clears the RD (recursion
desired) bit in the query. This should mean that the name server
receiving the query will not attempt to resolve ``name``. The ``-r``
option enables ``host`` to mimic the behavior of a name server by
making non-recursive queries and expecting to receive answers to
those queries that can be referrals to other name servers.
**-R** number
Number of retries for UDP queries: If ``number`` is negative or zero,
the number of retries will default to 1. The default value is 1, or
the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
**-s**
Do *not* send the query to the next nameserver if any server responds
with a SERVFAIL response, which is the reverse of normal stub
resolver behavior.
**-t** type
Query type: The ``type`` argument can be any recognized query type:
CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
When no query type is specified, ``host`` automatically selects an
appropriate query type. By default, it looks for A, AAAA, and MX
records. If the ``-C`` option is given, queries will be made for SOA
records. If ``name`` is a dotted-decimal IPv4 address or
colon-delimited IPv6 address, ``host`` will query for PTR records.
If a query type of IXFR is chosen the starting serial number can be
specified by appending an equal followed by the starting serial
number (like ``-t IXFR=12345678``).
**-T**; **-U**
TCP/UDP: By default, ``host`` uses UDP when making queries. The
``-T`` option makes it use a TCP connection when querying the name
server. TCP will be automatically selected for queries that require
it, such as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using ``-U``.
**-m** flag
Memory usage debugging: the flag can be ``record``, ``usage``, or
``trace``. You can specify the ``-m`` option more than once to set
multiple flags.
**-v**
Verbose output. Equivalent to the ``-d`` debug option. Verbose output
can also be enabled by setting the ``debug`` option in
``/etc/resolv.conf``.
**-V**
Print the version number and exit.
**-w**
Wait forever: The query timeout is set to the maximum possible. See
also the ``-W`` option.
**-W** wait
Timeout: Wait for up to ``wait`` seconds for a reply. If ``wait`` is
less than one, the wait interval is set to one second.
By default, ``host`` will wait for 5 seconds for UDP responses and 10
seconds for TCP connections. These defaults can be overridden by the
``timeout`` option in ``/etc/resolv.conf``.
See also the ``-w`` option.
IDN Support
~~~~~~~~~~~
If ``host`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``host``
appropriately converts character encoding of domain name before sending
a request to DNS server or displaying a reply from the server. If you'd
like to turn off the IDN support for some reason, define the IDN_DISABLE
environment variable. The IDN support is disabled if the variable is set
when ``host`` runs.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`named(8)`.

308
bin/dig/nslookup.1
View file

@ -1,308 +0,0 @@
.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: nslookup
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-24
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NSLOOKUP" "1" "2014\-01\-24" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
nslookup \- query Internet name servers interactively
.SH "SYNOPSIS"
.HP \w'\fBnslookup\fR\ 'u
\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
.SH "DESCRIPTION"
.PP
\fBNslookup\fR
is a program to query Internet domain name servers\&.
\fBNslookup\fR
has two modes: interactive and non\-interactive\&. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain\&. Non\-interactive mode is used to print just the name and requested information for a host or domain\&.
.SH "ARGUMENTS"
.PP
Interactive mode is entered in the following cases:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
when no arguments are given (the default name server will be used)
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server\&.
.RE
.PP
Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument\&. The optional second argument specifies the host name or address of a name server\&.
.PP
Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen\&. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
.sp
.if n \{\
.RS 4
.\}
.nf
nslookup \-query=hinfo \-timeout=10
.fi
.if n \{\
.RE
.\}
.PP
The
\fB\-version\fR
option causes
\fBnslookup\fR
to print the version number and immediately exits\&.
.SH "INTERACTIVE COMMANDS"
.PP
\fBhost\fR [server]
.RS 4
Look up information for host using the current default server or using server, if specified\&. If host is an Internet address and the query type is A or PTR, the name of the host is returned\&. If host is a name and does not have a trailing period, the search list is used to qualify the name\&.
.sp
To look up a host not in the current domain, append a period to the name\&.
.RE
.PP
\fBserver\fR \fIdomain\fR
.RS 4
.RE
.PP
\fBlserver\fR \fIdomain\fR
.RS 4
Change the default server to
\fIdomain\fR;
\fBlserver\fR
uses the initial server to look up information about
\fIdomain\fR, while
\fBserver\fR
uses the current default server\&. If an authoritative answer can\*(Aqt be found, the names of servers that might have the answer are returned\&.
.RE
.PP
\fBroot\fR
.RS 4
not implemented
.RE
.PP
\fBfinger\fR
.RS 4
not implemented
.RE
.PP
\fBls\fR
.RS 4
not implemented
.RE
.PP
\fBview\fR
.RS 4
not implemented
.RE
.PP
\fBhelp\fR
.RS 4
not implemented
.RE
.PP
\fB?\fR
.RS 4
not implemented
.RE
.PP
\fBexit\fR
.RS 4
Exits the program\&.
.RE
.PP
\fBset\fR \fIkeyword\fR\fI[=value]\fR
.RS 4
This command is used to change state information that affects the lookups\&. Valid keywords are:
.PP
\fBall\fR
.RS 4
Prints the current values of the frequently used options to
\fBset\fR\&. Information about the current default server and host is also printed\&.
.RE
.PP
\fBclass=\fR\fIvalue\fR
.RS 4
Change the query class to one of:
.PP
\fBIN\fR
.RS 4
the Internet class
.RE
.PP
\fBCH\fR
.RS 4
the Chaos class
.RE
.PP
\fBHS\fR
.RS 4
the Hesiod class
.RE
.PP
\fBANY\fR
.RS 4
wildcard
.RE
.sp
The class specifies the protocol group of the information\&.
.sp
(Default = IN; abbreviation = cl)
.RE
.PP
\fB\fI[no]\fR\fR\fBdebug\fR
.RS 4
Turn on or off the display of the full response packet and any intermediate response packets when searching\&.
.sp
(Default = nodebug; abbreviation =
[no]deb)
.RE
.PP
\fB\fI[no]\fR\fR\fBd2\fR
.RS 4
Turn debugging mode on or off\&. This displays more about what nslookup is doing\&.
.sp
(Default = nod2)
.RE
.PP
\fBdomain=\fR\fIname\fR
.RS 4
Sets the search list to
\fIname\fR\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBsearch\fR
.RS 4
If the lookup request contains at least one period but doesn\*(Aqt end with a trailing period, append the domain names in the domain search list to the request until an answer is received\&.
.sp
(Default = search)
.RE
.PP
\fBport=\fR\fIvalue\fR
.RS 4
Change the default TCP/UDP name server port to
\fIvalue\fR\&.
.sp
(Default = 53; abbreviation = po)
.RE
.PP
\fBquerytype=\fR\fIvalue\fR
.RS 4
.RE
.PP
\fBtype=\fR\fIvalue\fR
.RS 4
Change the type of the information query\&.
.sp
(Default = A and then AAAA; abbreviations = q, ty)
.sp
\fBNote:\fR
It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBrecurse\fR
.RS 4
Tell the name server to query other servers if it does not have the information\&.
.sp
(Default = recurse; abbreviation = [no]rec)
.RE
.PP
\fBndots=\fR\fInumber\fR
.RS 4
Set the number of dots (label separators) in a domain that will disable searching\&. Absolute names always stop searching\&.
.RE
.PP
\fBretry=\fR\fInumber\fR
.RS 4
Set the number of retries to number\&.
.RE
.PP
\fBtimeout=\fR\fInumber\fR
.RS 4
Change the initial timeout interval for waiting for a reply to number seconds\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBvc\fR
.RS 4
Always use a virtual circuit when sending requests to the server\&.
.sp
(Default = novc)
.RE
.PP
\fB\fI[no]\fR\fR\fBfail\fR
.RS 4
Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response\&.
.sp
(Default = nofail)
.RE
.sp
.RE
.SH "RETURN VALUES"
.PP
\fBnslookup\fR
returns with an exit status of 1 if any query failed, and 0 otherwise\&.
.SH "IDN SUPPORT"
.PP
If
\fBnslookup\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBnslookup\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBnslookup\fR
runs or when the standard output is not a tty\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

524
bin/dig/nslookup.docbook
View file

@ -1,524 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. Neither the name of the University nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
<info>
<date>2014-01-24</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>nslookup</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>nslookup</refname>
<refpurpose>query Internet name servers interactively</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2010</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>nslookup</command>
<arg choice="opt" rep="norepeat"><option>-option</option></arg>
<arg choice="opt" rep="norepeat">name | -</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>Nslookup</command>
is a program to query Internet domain name servers. <command>Nslookup</command>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</para>
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
<para>
Interactive mode is entered in the following cases:
<orderedlist numeration="loweralpha" inheritnum="ignore" continuation="restarts">
<listitem>
<para>
when no arguments are given (the default name server will be used)
</para>
</listitem>
<listitem>
<para>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</para>
</listitem>
</orderedlist>
</para>
<para>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</para>
<para>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
<!-- <informalexample> produces bad nroff. -->
<programlisting>
nslookup -query=hinfo -timeout=10
</programlisting>
<!-- </informalexample> -->
</para>
<para>
The <option>-version</option> option causes
<command>nslookup</command> to print the version
number and immediately exits.
</para>
</refsection>
<refsection><info><title>INTERACTIVE COMMANDS</title></info>
<variablelist>
<varlistentry>
<term><constant>host</constant> <optional>server</optional></term>
<listitem>
<para>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</para>
<para>
To look up a host not in the current domain, append a period to
the name.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>root</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>finger</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ls</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>view</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>help</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>?</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>exit</constant></term>
<listitem>
<para>
Exits the program.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>set</constant>
<replaceable>keyword<optional>=value</optional></replaceable></term>
<listitem>
<para>
This command is used to change state information that affects
the lookups. Valid keywords are:
<variablelist>
<varlistentry>
<term><constant>all</constant></term>
<listitem>
<para>
Prints the current values of the frequently used
options to <command>set</command>.
Information about the current default
server and host is also printed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>class=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the query class to one of:
<variablelist>
<varlistentry>
<term><constant>IN</constant></term>
<listitem>
<para>
the Internet class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>CH</constant></term>
<listitem>
<para>
the Chaos class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>HS</constant></term>
<listitem>
<para>
the Hesiod class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ANY</constant></term>
<listitem>
<para>
wildcard
</para>
</listitem>
</varlistentry>
</variablelist>
The class specifies the protocol group of the information.
</para>
<para>
(Default = IN; abbreviation = cl)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</para>
<para>
(Default = nodebug; abbreviation = <optional>no</optional>deb)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
<listitem>
<para>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</para>
<para>
(Default = nod2)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>domain=</constant><replaceable>name</replaceable></term>
<listitem>
<para>
Sets the search list to <replaceable>name</replaceable>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
<listitem>
<para>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</para>
<para>
(Default = search)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>port=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
</para>
<para>
(Default = 53; abbreviation = po)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>querytype=</constant><replaceable>value</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the type of the information query.
</para>
<para>
(Default = A and then AAAA; abbreviations = q, ty)
</para>
<para>
<emphasis role="bold">Note:</emphasis> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
<listitem>
<para>
Tell the name server to query other servers if it does not
have the
information.
</para>
<para>
(Default = recurse; abbreviation = [no]rec)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ndots=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>retry=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of retries to number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>timeout=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Change the initial timeout interval for waiting for a
reply to number seconds.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
<listitem>
<para>
Always use a virtual circuit when sending requests to the
server.
</para>
<para>
(Default = novc)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
<listitem>
<para>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</para>
<para>
(Default = nofail)
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para>
<command>nslookup</command> returns with an exit status of 1
if any query failed, and 0 otherwise.
</para>
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>nslookup</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>nslookup</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>nslookup</command> runs or when the standard output is not
a tty.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
</refentry>

409
bin/dig/nslookup.html
View file

@ -1,409 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nslookup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.nslookup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
nslookup
&#8212; query Internet name servers interactively
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">nslookup</code>
[<code class="option">-option</code>]
[name | -]
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>Nslookup</strong></span>
is a program to query Internet domain name servers. <span class="command"><strong>Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</p>
<div class="orderedlist"><ol class="orderedlist" type="a">
<li class="listitem">
<p>
when no arguments are given (the default name server will be used)
</p>
</li>
<li class="listitem">
<p>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</p>
</li>
</ol></div>
<p>
</p>
<p>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</p>
<p>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
</p>
<pre class="programlisting">
nslookup -query=hinfo -timeout=10
</pre>
<p>
</p>
<p>
The <code class="option">-version</code> option causes
<span class="command"><strong>nslookup</strong></span> to print the version
number and immediately exits.
</p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
<p>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</p>
<p>
To look up a host not in the current domain, append a period to
the name.
</p>
</dd>
<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</p>
</dd>
<dt><span class="term"><code class="constant">root</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">finger</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">ls</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">view</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">help</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">?</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">exit</code></span></dt>
<dd>
<p>
Exits the program.
</p>
</dd>
<dt><span class="term"><code class="constant">set</code>
<em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
<dd>
<p>
This command is used to change state information that affects
the lookups. Valid keywords are:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">all</code></span></dt>
<dd>
<p>
Prints the current values of the frequently used
options to <span class="command"><strong>set</strong></span>.
Information about the current default
server and host is also printed.
</p>
</dd>
<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the query class to one of:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">IN</code></span></dt>
<dd>
<p>
the Internet class
</p>
</dd>
<dt><span class="term"><code class="constant">CH</code></span></dt>
<dd>
<p>
the Chaos class
</p>
</dd>
<dt><span class="term"><code class="constant">HS</code></span></dt>
<dd>
<p>
the Hesiod class
</p>
</dd>
<dt><span class="term"><code class="constant">ANY</code></span></dt>
<dd>
<p>
wildcard
</p>
</dd>
</dl></div>
<p>
The class specifies the protocol group of the information.
</p>
<p>
(Default = IN; abbreviation = cl)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
<dd>
<p>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</p>
<p>
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
<dd>
<p>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</p>
<p>
(Default = nod2)
</p>
</dd>
<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
Sets the search list to <em class="replaceable"><code>name</code></em>.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
<dd>
<p>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</p>
<p>
(Default = search)
</p>
</dd>
<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
</p>
<p>
(Default = 53; abbreviation = po)
</p>
</dd>
<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the type of the information query.
</p>
<p>
(Default = A and then AAAA; abbreviations = q, ty)
</p>
<p>
<span class="bold"><strong>Note:</strong></span> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
<dd>
<p>
Tell the name server to query other servers if it does not
have the
information.
</p>
<p>
(Default = recurse; abbreviation = [no]rec)
</p>
</dd>
<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</p>
</dd>
<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Set the number of retries to number.
</p>
</dd>
<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Change the initial timeout interval for waiting for a
reply to number seconds.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
<dd>
<p>
Always use a virtual circuit when sending requests to the
server.
</p>
<p>
(Default = novc)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
<dd>
<p>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</p>
<p>
(Default = nofail)
</p>
</dd>
</dl></div>
<p>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>RETURN VALUES</h2>
<p>
<span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
if any query failed, and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
a tty.
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">host</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div></body>
</html>

226
bin/dig/nslookup.rst Normal file
View file

@ -0,0 +1,226 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_nslookup:
nslookup - query Internet name servers interactively
----------------------------------------------------
Synopsis
~~~~~~~~
:program:`nslookup` [-option] [name | -] [server]
Description
~~~~~~~~~~~
``Nslookup`` is a program to query Internet domain name servers.
``Nslookup`` has two modes: interactive and non-interactive. Interactive
mode allows the user to query name servers for information about various
hosts and domains or to print a list of hosts in a domain.
Non-interactive mode is used to print just the name and requested
information for a host or domain.
Arguments
~~~~~~~~~
Interactive mode is entered in the following cases:
a. when no arguments are given (the default name server will be used)
b. when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to change the
default query type to host information, and the initial timeout to 10
seconds, type:
::
nslookup -query=hinfo -timeout=10
The ``-version`` option causes ``nslookup`` to print the version number
and immediately exits.
Interactive Commands
~~~~~~~~~~~~~~~~~~~~
``host`` [server]
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and the
query type is A or PTR, the name of the host is returned. If host is
a name and does not have a trailing period, the search list is used
to qualify the name.
To look up a host not in the current domain, append a period to the
name.
``server`` domain | ``lserver`` domain
Change the default server to domain; ``lserver`` uses the initial
server to look up information about domain, while ``server`` uses the
current default server. If an authoritative answer can't be found,
the names of servers that might have the answer are returned.
``root``
not implemented
``finger``
not implemented
``ls``
not implemented
``view``
not implemented
``help``
not implemented
``?``
not implemented
``exit``
Exits the program.
``set`` keyword[=value]
This command is used to change state information that affects the
lookups. Valid keywords are:
``all``
Prints the current values of the frequently used options to
``set``. Information about the current default server and host is
also printed.
``class=``\ value
Change the query class to one of:
``IN``
the Internet class
``CH``
the Chaos class
``HS``
the Hesiod class
``ANY``
wildcard
The class specifies the protocol group of the information.
(Default = IN; abbreviation = cl)
``nodebug``
Turn on or off the display of the full response packet and any
intermediate response packets when searching.
(Default = nodebug; abbreviation = [no]deb)
``nod2``
Turn debugging mode on or off. This displays more about what
nslookup is doing.
(Default = nod2)
``domain=``\ name
Sets the search list to name.
``nosearch``
If the lookup request contains at least one period but doesn't end
with a trailing period, append the domain names in the domain
search list to the request until an answer is received.
(Default = search)
``port=``\ value
Change the default TCP/UDP name server port to value.
(Default = 53; abbreviation = po)
``querytype=``\ value | ``type=``\ value
Change the type of the information query.
(Default = A and then AAAA; abbreviations = q, ty)
**Note:** It is only possible to specify one query type, only the default
behavior looks up both when an alternative is not specified.
``norecurse``
Tell the name server to query other servers if it does not have
the information.
(Default = recurse; abbreviation = [no]rec)
``ndots=``\ number
Set the number of dots (label separators) in a domain that will
disable searching. Absolute names always stop searching.
``retry=``\ number
Set the number of retries to number.
``timeout=``\ number
Change the initial timeout interval for waiting for a reply to
number seconds.
``novc``
Always use a virtual circuit when sending requests to the server.
(Default = novc)
``nofail``
Try the next nameserver if a nameserver responds with SERVFAIL or
a referral (nofail) or terminate query (fail) on such a response.
(Default = nofail)
Return Values
~~~~~~~~~~~~~
``nslookup`` returns with an exit status of 1 if any query failed, and 0
otherwise.
IDN Support
~~~~~~~~~~~
If ``nslookup`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``nslookup``
appropriately converts character encoding of domain name before sending
a request to DNS server or displaying a reply from the server. If you'd
like to turn off the IDN support for some reason, define the IDN_DISABLE
environment variable. The IDN support is disabled if the variable is set
when ``nslookup`` runs or when the standard output is not a tty.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.

297
bin/dnssec/dnssec-cds.8
View file

@ -1,297 +0,0 @@
.\" Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-cds
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2017-10-02
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-CDS" "8" "2017\-10\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-cds\fR\ 'u
\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-cds\fR
command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. This enables a child zone to inform its parent of upcoming changes to its key\-signing keys; by polling periodically with
\fBdnssec\-cds\fR, the parent can keep the DS records up to date and enable automatic rolling of KSKs\&.
.PP
Two input files are required\&. The
\fB\-f \fR\fB\fIchild\-file\fR\fR
option specifies a file containing the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The
\fB\-d \fR\fB\fIpath\fR\fR
option specifies the location of a file containing the current DS records\&. For example, this could be a
dsset\-
file generated by
\fBdnssec\-signzone\fR, or the output of
\fBdnssec\-dsfromkey\fR, or the output of a previous run of
\fBdnssec\-cds\fR\&.
.PP
The
\fBdnssec\-cds\fR
command uses special DNSSEC validation logic specified by RFC 7344\&. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records\&. This will typically be the pre\-existing key\-signing key (KSK)\&.
.PP
For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
dsset\-
file, or from the
\fB\-s\fR
option\&.
.PP
To protect against breaking the delegation,
\fBdnssec\-cds\fR
ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&.
.PP
By default, replacement DS records are written to the standard output; with the
\fB\-i\fR
option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&.
.PP
Warning: Be careful not to delete the DS records when
\fBdnssec\-cds\fR
fails!
.PP
Alternatively,
\fBdnssec\-cds \-u\fR
writes an
\fBnsupdate\fR
script to the standard output\&. You can use the
\fB\-u\fR
and
\fB\-i\fR
options together to maintain a
dsset\-
file as well as emit an
\fBnsupdate\fR
script\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zones\&.
.RE
.PP
\-D
.RS 4
Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&.
.RE
.PP
\-d \fIpath\fR
.RS 4
Location of the parent DS records\&. The
\fIpath\fR
can be the name of a file containing the DS records, or if it is a directory,
\fBdnssec\-cds\fR
looks for a
dsset\-
file for the
\fIdomain\fR
inside the directory\&.
.sp
To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the
dsset\-
file\&. This can be adjusted with the
\fB\-s\fR
option\&.
.RE
.PP
\-f \fIchild\-file\fR
.RS 4
File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&.
.sp
The EXAMPLES below describe how to generate this file\&.
.RE
.PP
\-i [\fIextension\fR]
.RS 4
Update the
dsset\-
file in place, instead of writing DS records to the standard output\&.
.sp
There must be no space between the
\fB\-i\fR
and the
\fIextension\fR\&. If you provide no
\fIextension\fR
then the old
dsset\-
is discarded\&. If an
\fIextension\fR
is present, a backup of the old
dsset\-
file is kept with the
\fIextension\fR
appended to its filename\&.
.sp
To protect against replay attacks, the modification time of the
dsset\-
file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&.
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the
dsset\-
file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&.
.sp
If no
\fIstart\-time\fR
is specified, the modification time of the
dsset\-
file is used\&.
.RE
.PP
\-T \fIttl\fR
.RS 4
Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&.
.RE
.PP
\-u
.RS 4
Write an
\fBnsupdate\fR
script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&.
.sp
Note: The TTL of new records needs to be specified, either in the original
dsset\-
file, or with the
\fB\-T\fR
option, or using the
\fBnsupdate\fR\fBttl\fR
command\&.
.RE
.PP
\-V
.RS 4
Print version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&.
.RE
.PP
\fIdomain\fR
.RS 4
The name of the delegation point / child zone apex\&.
.RE
.SH "EXIT STATUS"
.PP
The
\fBdnssec\-cds\fR
command exits 0 on success, or non\-zero if an error occurred\&.
.PP
In the success case, the DS records might or might not need to be changed\&.
.SH "EXAMPLES"
.PP
Before running
\fBdnssec\-signzone\fR, you can ensure that the delegations are up\-to\-date by running
\fBdnssec\-cds\fR
on every
dsset\-
file\&.
.PP
To fetch the child records required by
\fBdnssec\-cds\fR
you can invoke
\fBdig\fR
as in the script below\&. It\*(Aqs okay if the
\fBdig\fR
fails since
\fBdnssec\-cds\fR
performs all the necessary checking\&.
.sp
.if n \{\
.RS 4
.\}
.nf
for f in dsset\-*
do
d=${f#dsset\-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-i \-f /dev/stdin \-d $f $d
done
.fi
.if n \{\
.RE
.\}
.PP
When the parent zone is automatically signed by
\fBnamed\fR, you can use
\fBdnssec\-cds\fR
with
\fBnsupdate\fR
to maintain a delegation as follows\&. The
dsset\-
file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&.
.sp
.if n \{\
.RS 4
.\}
.nf
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
nsupdate \-l
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBdnssec-settime\fR(8),
\fBdnssec-signzone\fR(8),
\fBnsupdate\fR(1),
BIND 9 Administrator Reference Manual,
RFC 7344\&.
.SH "AUTHORS"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.PP
\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&>
.br
.RS 4
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2017-2020 Internet Systems Consortium, Inc. ("ISC")
.br

390
bin/dnssec/dnssec-cds.docbook
View file

@ -1,390 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-cds">
<info>
<date>2017-10-02</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
<author>
<personname>Tony Finch</personname>
<email>dot@dotat.at</email>
<email>fanf2@cam.ac.uk</email>
<affiliation>Cambridge University Information Services</affiliation>
<personblurb></personblurb>
</author>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-cds</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-cds</application></refname>
<refpurpose>change DS records for a child zone based on CDS/CDNSKEY</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-cds</command>
<arg choice="opt" rep="repeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="req" rep="norepeat"><option>-d <replaceable class="parameter">dsset-file</replaceable></option></arg>
<arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">child-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option><arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">domain</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
The <command>dnssec-cds</command> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred. This enables a child zone
to inform its parent of upcoming changes to its key-signing keys;
by polling periodically with <command>dnssec-cds</command>, the
parent can keep the DS records up to date and enable automatic
rolling of KSKs.
</para>
<para>
Two input files are required. The
<option>-f <replaceable class="parameter">child-file</replaceable></option>
option specifies a file containing the child's CDS and/or CDNSKEY
records, plus RRSIG and DNSKEY records so that they can be
authenticated. The
<option>-d <replaceable class="parameter">path</replaceable></option>
option specifies the location of a file containing the current DS
records. For example, this could be a <filename>dsset-</filename>
file generated by <command>dnssec-signzone</command>, or the output of
<command>dnssec-dsfromkey</command>, or the output of a previous
run of <command>dnssec-cds</command>.
</para>
<para>
The <command>dnssec-cds</command> command uses special DNSSEC
validation logic specified by RFC 7344. It requires that the CDS
and/or CDNSKEY records are validly signed by a key represented in the
existing DS records. This will typically be the pre-existing
key-signing key (KSK).
</para>
<para>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <command>dnssec-cds</command>. This time is obtained from the
modification time of the <filename>dsset-</filename> file, or
from the <option>-s</option> option.
</para>
<para>
To protect against breaking the delegation,
<command>dnssec-cds</command> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</para>
<para>
By default, replacement DS records are written to the standard
output; with the <option>-i</option> option the input file is
overwritten in place. The replacement DS records will be the
same as the existing records when no change is required. The
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</para>
<para>
Warning: Be careful not to delete the DS records
when <command>dnssec-cds</command> fails!
</para>
<para>
Alternatively, <command>dnssec-cds -u</command> writes
an <command>nsupdate</command> script to the standard output.
You can use the <option>-u</option> and <option>-i</option>
options together to maintain a <filename>dsset-</filename> file
as well as emit an <command>nsupdate</command> script.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">path</replaceable></term>
<listitem>
<para>
Location of the parent DS records.
The <replaceable>path</replaceable> can be the name of a file
containing the DS records, or if it is a
directory, <command>dnssec-cds</command> looks for
a <filename>dsset-</filename> file for
the <replaceable>domain</replaceable> inside the directory.
</para>
<para>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <filename>dsset-</filename> file. This can be
adjusted with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">child-file</replaceable></term>
<listitem>
<para>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</para>
<para>
The EXAMPLES below describe how to generate this file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i<arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></term>
<listitem>
<para>
Update the <filename>dsset-</filename> file in place,
instead of writing DS records to the standard output.
</para>
<para>
There must be no space between the <option>-i</option> and
the <replaceable>extension</replaceable>. If you provide
no <replaceable>extension</replaceable> then the
old <filename>dsset-</filename> is discarded. If
an <replaceable>extension</replaceable> is present, a
backup of the old <filename>dsset-</filename> file is kept
with the <replaceable>extension</replaceable> appended to
its filename.
</para>
<para>
To protect against replay attacks, the modification time
of the <filename>dsset-</filename> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
UTC on August 27th, 2017. A time relative to
the <filename>dsset-</filename> file is indicated with -N,
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</para>
<para>
If no <replaceable>start-time</replaceable> is specified, the
modification time of the <filename>dsset-</filename> file
is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Write an <command>nsupdate</command> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</para>
<para>
Note: The TTL of new records needs to be specified, either
in the original <filename>dsset-</filename> file, or with
the <option>-T</option> option, or using
the <command>nsupdate</command> <command>ttl</command>
command.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Print version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>domain</replaceable></term>
<listitem>
<para>
The name of the delegation point / child zone apex.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXIT STATUS</title></info>
<para>
The <command>dnssec-cds</command> command exits 0 on success, or
non-zero if an error occurred.
</para>
<para>
In the success case, the DS records might or might not need
to be changed.
</para>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
<para>
Before running <command>dnssec-signzone</command>, you can ensure
that the delegations are up-to-date by running
<command>dnssec-cds</command> on every <filename>dsset-</filename> file.
</para>
<para>
To fetch the child records required by <command>dnssec-cds</command>
you can invoke <command>dig</command> as in the script below. It's
okay if the <command>dig</command> fails since
<command>dnssec-cds</command> performs all the necessary checking.
</para>
<programlisting>for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
</programlisting>
<para>
When the parent zone is automatically signed by
<command>named</command>, you can use <command>dnssec-cds</command>
with <command>nsupdate</command> to maintain a delegation as follows.
The <filename>dsset-</filename> file allows the script to avoid
having to fetch and validate the parent DS records, and it keeps the
replay attack protection time.
</para>
<programlisting>
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</programlisting>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 7344</citetitle>.
</para>
</refsection>
</refentry>

343
bin/dnssec/dnssec-cds.html
View file

@ -1,343 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-cds</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-cds"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-cds</span>
&#8212; change DS records for a child zone based on CDS/CDNSKEY
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-cds</code>
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D</code>]
{<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>}
{<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>}
[<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-u</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
{domain}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred. This enables a child zone
to inform its parent of upcoming changes to its key-signing keys;
by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
parent can keep the DS records up to date and enable automatic
rolling of KSKs.
</p>
<p>
Two input files are required. The
<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
option specifies a file containing the child's CDS and/or CDNSKEY
records, plus RRSIG and DNSKEY records so that they can be
authenticated. The
<code class="option">-d <em class="replaceable"><code>path</code></em></code>
option specifies the location of a file containing the current DS
records. For example, this could be a <code class="filename">dsset-</code>
file generated by <span class="command"><strong>dnssec-signzone</strong></span>, or the output of
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
run of <span class="command"><strong>dnssec-cds</strong></span>.
</p>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
validation logic specified by RFC 7344. It requires that the CDS
and/or CDNSKEY records are validly signed by a key represented in the
existing DS records. This will typically be the pre-existing
key-signing key (KSK).
</p>
<p>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
modification time of the <code class="filename">dsset-</code> file, or
from the <code class="option">-s</code> option.
</p>
<p>
To protect against breaking the delegation,
<span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</p>
<p>
By default, replacement DS records are written to the standard
output; with the <code class="option">-i</code> option the input file is
overwritten in place. The replacement DS records will be the
same as the existing records when no change is required. The
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</p>
<p>
Warning: Be careful not to delete the DS records
when <span class="command"><strong>dnssec-cds</strong></span> fails!
</p>
<p>
Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
You can use the <code class="option">-u</code> and <code class="option">-i</code>
options together to maintain a <code class="filename">dsset-</code> file
as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class of the zones.
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd>
<p>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
<dd>
<p>
Location of the parent DS records.
The <em class="replaceable"><code>path</code></em> can be the name of a file
containing the DS records, or if it is a
directory, <span class="command"><strong>dnssec-cds</strong></span> looks for
a <code class="filename">dsset-</code> file for
the <em class="replaceable"><code>domain</code></em> inside the directory.
</p>
<p>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <code class="filename">dsset-</code> file. This can be
adjusted with the <code class="option">-s</code> option.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
<dd>
<p>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</p>
<p>
The EXAMPLES below describe how to generate this file.
</p>
</dd>
<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
<dd>
<p>
Update the <code class="filename">dsset-</code> file in place,
instead of writing DS records to the standard output.
</p>
<p>
There must be no space between the <code class="option">-i</code> and
the <em class="replaceable"><code>extension</code></em>. If you provide
no <em class="replaceable"><code>extension</code></em> then the
old <code class="filename">dsset-</code> is discarded. If
an <em class="replaceable"><code>extension</code></em> is present, a
backup of the old <code class="filename">dsset-</code> file is kept
with the <em class="replaceable"><code>extension</code></em> appended to
its filename.
</p>
<p>
To protect against replay attacks, the modification time
of the <code class="filename">dsset-</code> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
<p>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
UTC on August 27th, 2017. A time relative to
the <code class="filename">dsset-</code> file is indicated with -N,
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</p>
<p>
If no <em class="replaceable"><code>start-time</code></em> is specified, the
modification time of the <code class="filename">dsset-</code> file
is used.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
</p>
</dd>
<dt><span class="term">-u</span></dt>
<dd>
<p>
Write an <span class="command"><strong>nsupdate</strong></span> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</p>
<p>
Note: The TTL of new records needs to be specified, either
in the original <code class="filename">dsset-</code> file, or with
the <code class="option">-T</code> option, or using
the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
command.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Print version information.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
</p>
</dd>
<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
The name of the delegation point / child zone apex.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXIT STATUS</h2>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
non-zero if an error occurred.
</p>
<p>
In the success case, the DS records might or might not need
to be changed.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>EXAMPLES</h2>
<p>
Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
that the delegations are up-to-date by running
<span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
</p>
<p>
To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
you can invoke <span class="command"><strong>dig</strong></span> as in the script below. It's
okay if the <span class="command"><strong>dig</strong></span> fails since
<span class="command"><strong>dnssec-cds</strong></span> performs all the necessary checking.
</p>
<pre class="programlisting">for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
</pre>
<p>
When the parent zone is automatically signed by
<span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
The <code class="filename">dsset-</code> file allows the script to avoid
having to fetch and validate the parent DS records, and it keeps the
replay attack protection time.
</p>
<pre class="programlisting">
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</pre>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-settime</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 7344</em>.
</p>
</div>
</div></body>
</html>

212
bin/dnssec/dnssec-cds.rst Normal file
View file

@ -0,0 +1,212 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-cds:
dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
--------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i** [extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
Description
~~~~~~~~~~~
The ``dnssec-cds`` command changes DS records at a delegation point
based on CDS or CDNSKEY records published in the child zone. If both CDS
and CDNSKEY records are present in the child zone, the CDS is preferred.
This enables a child zone to inform its parent of upcoming changes to
its key-signing keys; by polling periodically with ``dnssec-cds``, the
parent can keep the DS records up to date and enable automatic rolling
of KSKs.
Two input files are required. The ``-f child-file`` option specifies a
file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
DNSKEY records so that they can be authenticated. The ``-d path`` option
specifies the location of a file containing the current DS records. For
example, this could be a ``dsset-`` file generated by
``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the
output of a previous run of ``dnssec-cds``.
The ``dnssec-cds`` command uses special DNSSEC validation logic
specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
are validly signed by a key represented in the existing DS records. This
will typically be the pre-existing key-signing key (KSK).
For protection against replay attacks, the signatures on the child
records must not be older than they were on a previous run of
``dnssec-cds``. This time is obtained from the modification time of the
``dsset-`` file, or from the ``-s`` option.
To protect against breaking the delegation, ``dnssec-cds`` ensures that
the DNSKEY RRset can be verified by every key algorithm in the new DS
RRset, and that the same set of keys are covered by every DS digest
type.
By default, replacement DS records are written to the standard output;
with the ``-i`` option the input file is overwritten in place. The
replacement DS records will be the same as the existing records when no
change is required. The output can be empty if the CDS / CDNSKEY records
specify that the child zone wants to go insecure.
Warning: Be careful not to delete the DS records when ``dnssec-cds``
fails!
Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
standard output. You can use the ``-u`` and ``-i`` options together to
maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
Options
~~~~~~~
**-a** algorithm
Specify a digest algorithm to use when converting CDNSKEY records to
DS records. This option can be repeated, so that multiple DS records
are created for each CDNSKEY record. This option has no effect when
using CDS records.
The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
are case insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA-256.
**-c** class
Specifies the DNS class of the zones.
**-D**
Generate DS records from CDNSKEY records if both CDS and CDNSKEY
records are present in the child zone. By default CDS records are
preferred.
**-d** path
Location of the parent DS records. The path can be the name of a file
containing the DS records, or if it is a directory, ``dnssec-cds``
looks for a ``dsset-`` file for the domain inside the directory.
To protect against replay attacks, child records are rejected if they
were signed earlier than the modification time of the ``dsset-``
file. This can be adjusted with the ``-s`` option.
**-f** child-file
File containing the child's CDS and/or CDNSKEY records, plus its
DNSKEY records and the covering RRSIG records so that they can be
authenticated.
The EXAMPLES below describe how to generate this file.
**-iextension**
Update the ``dsset-`` file in place, instead of writing DS records to
the standard output.
There must be no space between the ``-i`` and the extension. If you
provide no extension then the old ``dsset-`` is discarded. If an
extension is present, a backup of the old ``dsset-`` file is kept
with the extension appended to its filename.
To protect against replay attacks, the modification time of the
``dsset-`` file is set to match the signature inception time of the
child records, provided that is later than the file's current
modification time.
**-s** start-time
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative time. An
absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
time relative to the ``dsset-`` file is indicated with -N, which is N
seconds before the file modification time. A time relative to the
current time is indicated with now+N.
If no start-time is specified, the modification time of the
``dsset-`` file is used.
**-T** ttl
Specifies a TTL to be used for new DS records. If not specified, the
default is the TTL of the old DS records. If they had no explicit TTL
then the new DS records also have no explicit TTL.
**-u**
Write an ``nsupdate`` script to the standard output, instead of
printing the new DS reords. The output will be empty if no change is
needed.
Note: The TTL of new records needs to be specified, either in the
original ``dsset-`` file, or with the ``-T`` option, or using the
``nsupdate`` ``ttl`` command.
**-V**
Print version information.
**-v** level
Sets the debugging level. Level 1 is intended to be usefully verbose
for general users; higher levels are intended for developers.
domain
The name of the delegation point / child zone apex.
Exit Status
~~~~~~~~~~~
The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
occurred.
In the success case, the DS records might or might not need to be
changed.
Examples
~~~~~~~~
Before running ``dnssec-signzone``, you can ensure that the delegations
are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
To fetch the child records required by ``dnssec-cds`` you can invoke
``dig`` as in the script below. It's okay if the ``dig`` fails since
``dnssec-cds`` performs all the necessary checking.
::
for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
When the parent zone is automatically signed by ``named``, you can use
``dnssec-cds`` with ``nsupdate`` to maintain a delegation as follows.
The ``dsset-`` file allows the script to avoid having to fetch and
validate the parent DS records, and it keeps the replay attack
protection time.
::
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator
Reference Manual, :rfc:`7344`.

226
bin/dnssec/dnssec-dsfromkey.8
View file

@ -1,226 +0,0 @@
.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-05-08
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
\fB\-C\fR
option\&.
.PP
The input keys can be specified in a number of ways:
.PP
By default,
\fBdnssec\-dsfromkey\fR
reads a key file named like
Knnnn\&.+aaa+iiiii\&.key, as generated by
\fBdnssec\-keygen\fR\&.
.PP
With the
\fB\-f \fR\fB\fIfile\fR\fR
option,
\fBdnssec\-dsfromkey\fR
reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
.PP
With the
\fB\-s\fR
option,
\fBdnssec\-dsfromkey\fR
reads a
keyset\-
file, as generated by
\fBdnssec\-keygen\fR\fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
An abbreviation for
\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-A
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in
\fB\-s\fR
keyset or
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fIfile\fR
is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-s
.RS 4
Keyset mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name used to locate a
keyset\-
file\&.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
.SH "FILES"
.PP
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
keyset\-
and the
\fBdnsname\fR\&.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658
(DS RRs),
RFC 4509
(SHA\-256 for DS RRs),
RFC 6605
(SHA\-384 for DS RRs),
RFC 7344
(CDS and CDNSKEY RRs)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

355
bin/dnssec/dnssec-dsfromkey.docbook
View file

@ -1,355 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
<info>
<date>2019-05-08</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-dsfromkey</application></refname>
<refpurpose>DNSSEC DS RR generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain"><option>-1</option></arg>
<arg choice="plain"><option>-2</option></arg>
<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
</group>
<group>
<arg choice="plain" rep="norepeat"><option>-C</option></arg>
<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain"><option>-1</option></arg>
<arg choice="plain"><option>-2</option></arg>
<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
</group>
<group>
<arg choice="plain" rep="norepeat"><option>-C</option></arg>
<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A</option></arg>
<arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat">dnsname</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain"><option>-1</option></arg>
<arg choice="plain"><option>-2</option></arg>
<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
</group>
<group>
<arg choice="plain" rep="norepeat"><option>-C</option></arg>
<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">-s</arg>
<arg choice="req" rep="norepeat">dnsname</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain" rep="norepeat"><option>-h</option></arg>
<arg choice="plain" rep="norepeat"><option>-V</option></arg>
</group>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<option>-C</option> option.
</para>
<para>
The input keys can be specified in a number of ways:
</para>
<para>
By default, <command>dnssec-dsfromkey</command> reads a key file
named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
by <command>dnssec-keygen</command>.
</para>
<para>
With the <option>-f <replaceable>file</replaceable></option>
option, <command>dnssec-dsfromkey</command> reads keys from a zone file
or partial zone file (which can contain just the DNSKEY records).
</para>
<para>
With the <option>-s</option>
option, <command>dnssec-dsfromkey</command> reads
a <filename>keyset-</filename> file, as generated
by <command>dnssec-keygen</command> <option>-C</option>.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-1</term>
<listitem>
<para>
An abbreviation for <option>-a SHA-1</option>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-2</term>
<listitem>
<para>
An abbreviation for <option>-a SHA-256</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specify a digest algorithm to use when converting DNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each DNSKEY
record.
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
Include ZSKs when generating DS records. Without this option, only
keys which have the KSK flag set will be converted to DS records
and printed. Useful only in <option>-f</option> zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in <option>-s</option> keyset or <option>-f</option>
zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: <command>dnssec-dsfromkey</command>'s
final <replaceable>dnsname</replaceable> argument is
the DNS domain name of a zone whose master file can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <replaceable>file</replaceable> is <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints usage information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files or <filename>keyset-</filename> files in
<option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: <command>dnssec-dsfromkey</command>'s
final <replaceable>dnsname</replaceable> argument is the DNS
domain name used to locate a <filename>keyset-</filename> file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records. By default the TTL is omitted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
<para>
To build the SHA-256 DS RR from the
<userinput>Kexample.com.+003+26160</userinput>
keyfile name, you can issue the following command:
</para>
<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print something like:
</para>
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para>
The keyfile can be designated by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
</para>
<para>
The keyset file name is built from the <option>directory</option>,
the string <filename>keyset-</filename> and the
<option>dnsname</option>.
</para>
</refsection>
<refsection><info><title>CAVEAT</title></info>
<para>
A keyfile error can give a "file not found" even if the file exists.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle> (DS RRs),
<citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
<citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
<citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
</para>
</refsection>
</refentry>

307
bin/dnssec/dnssec-dsfromkey.html
View file

@ -1,307 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-dsfromkey</span>
&#8212; DNSSEC DS RR generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-A</code>]
{<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
[dnsname]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{-s}
{dnsname}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-h</code>
| <code class="option">-V</code>
]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<code class="option">-C</code> option.
</p>
<p>
The input keys can be specified in a number of ways:
</p>
<p>
By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
by <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
<p>
With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
or partial zone file (which can contain just the DNSKEY records).
</p>
<p>
With the <code class="option">-s</code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
a <code class="filename">keyset-</code> file, as generated
by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-1</code>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting DNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each DNSKEY
record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
Include ZSKs when generating DS records. Without this option, only
keys which have the KSK flag set will be converted to DS records
and printed. Useful only in <code class="option">-f</code> zone file mode.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class (default is IN). Useful only
in <code class="option">-s</code> keyset or <code class="option">-f</code>
zone file mode.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Generate CDS records rather than DS records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is
the DNS domain name of a zone whose master file can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints usage information.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Look for key files or <code class="filename">keyset-</code> files in
<code class="option">directory</code>.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
domain name used to locate a <code class="filename">keyset-</code> file.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
<p>
Specifies the TTL of the DS records. By default the TTL is omitted.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, you can issue the following command:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<code class="option">dnsname</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em> (DS RRs),
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
</p>
</div>
</div></body>
</html>

150
bin/dnssec/dnssec-dsfromkey.rst Normal file
View file

@ -0,0 +1,150 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-dsfromkey:
dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
Description
~~~~~~~~~~~
The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the ``-C`` option.
The input keys can be specified in a number of ways:
By default, ``dnssec-dsfromkey`` reads a key file named like
``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).
With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
as generated by ``dnssec-keygen`` ``-C``.
Options
~~~~~~~
**-1**
An abbreviation for ``-a SHA1``
**-2**
An abbreviation for ``-a SHA-256``
**-a** algorithm
Specify a digest algorithm to use when converting DNSKEY records to
DS records. This option can be repeated, so that multiple DS records
are created for each DNSKEY record.
The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
are case insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA-256.
**-A**
Include ZSKs when generating DS records. Without this option, only
keys which have the KSK flag set will be converted to DS records and
printed. Useful only in ``-f`` zone file mode.
**-c** class
Specifies the DNS class (default is IN). Useful only in ``-s`` keyset
or ``-f`` zone file mode.
**-C**
Generate CDS records rather than DS records.
**-f** file
Zone file mode: ``dnssec-dsfromkey``'s final dnsname argument is the
DNS domain name of a zone whose master file can be read from
``file``. If the zone name is the same as ``file``, then it may be
omitted.
If file is ``"-"``, then the zone data is read from the standard
input. This makes it possible to use the output of the ``dig``
command as input, as in:
``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
**-h**
Prints usage information.
**-K** directory
Look for key files or ``keyset-`` files in ``directory``.
**-s**
Keyset mode: ``dnssec-dsfromkey``'s final dnsname argument is the DNS
domain name used to locate a ``keyset-`` file.
**-T** TTL
Specifies the TTL of the DS records. By default the TTL is omitted.
**-v** level
Sets the debugging level.
**-V**
Prints version information.
Example
~~~~~~~
To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile
name, you can issue the following command:
``dnssec-dsfromkey -2 Kexample.com.+003+26160``
The command would print something like:
``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
Files
~~~~~
The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key`` as
generated by dnssec-keygen8.
The keyset file name is built from the ``directory``, the string
``keyset-`` and the ``dnsname``.
Caveat
~~~~~~
A keyfile error can give a "file not found" even if the file exists.
See Also
~~~~~~~~
:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).

138
bin/dnssec/dnssec-importkey.8
View file

@ -1,138 +0,0 @@
.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-importkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-IMPORTKEY" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-importkey \- import DNSKEY records from external systems so they can be managed
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP
\fBdnssec\-importkey\fR
reads a public DNSKEY record and generates a pair of \&.key/\&.private files\&. The DNSKEY record may be read from an existing \&.key file, in which case a corresponding \&.private file will be generated, or it may be read from any other file or from the standard input, in which case both \&.key and \&.private files will be generated\&.
.PP
The newly\-created \&.private file does
\fInot\fR
contain private key data, and cannot be used for signing\&. However, having a \&.private file makes it possible to set publication (\fB\-P\fR) and deletion (\fB\-D\fR) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline\&.
.SH "OPTIONS"
.PP
\-f \fIfilename\fR
.RS 4
Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
\fBfile\fR\&. If the domain name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fBfile\fR
is set to
"\-", then the zone data is read from the standard input\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to reside\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. Setting the default TTL to
0
or
none
removes it\&.
.RE
.PP
\-h
.RS 4
Emit usage message and exit\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.SH "FILES"
.PP
A keyfile can be designed by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 5011\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

254
bin/dnssec/dnssec-importkey.docbook
View file

@ -1,254 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
<info>
<date>2014-02-20</date>
</info>
<refentryinfo>
<date>August 21, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-importkey</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-importkey</application></refname>
<refpurpose>import DNSKEY records from external systems so they can be managed</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-importkey</command>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat"><option>keyfile</option></arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-importkey</command>
<arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>dnsname</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-importkey</command>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file
will be generated, or it may be read from any other file or
from the standard input, in which case both .key and .private
files will be generated.
</para>
<para>
The newly-created .private file does <emphasis>not</emphasis>
contain private key data, and cannot be used for signing.
However, having a .private file makes it possible to set
publication (<option>-P</option>) and deletion
(<option>-D</option>) times for the key, which means the
public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-f <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the domain name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>FILES</title></info>
<para>
A keyfile can be designed by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsection>
</refentry>

216
bin/dnssec/dnssec-importkey.html
View file

@ -1,216 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-importkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-importkey</span>
&#8212; import DNSKEY records from external systems so they can be managed
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
{<code class="option">keyfile</code>}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
{<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">dnsname</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-importkey</strong></span>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file
will be generated, or it may be read from any other file or
from the standard input, in which case both .key and .private
files will be generated.
</p>
<p>
The newly-created .private file does <span class="emphasis"><em>not</em></span>
contain private key data, and cannot be used for signing.
However, having a .private file makes it possible to set
publication (<code class="option">-P</code>) and deletion
(<code class="option">-D</code>) times for the key, which means the
public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Emit usage message and exit.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
A keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
</div></body>
</html>

123
bin/dnssec/dnssec-importkey.rst Normal file
View file

@ -0,0 +1,123 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-importkey:
dnssec-importkey - import DNSKEY records from external systems so they can be managed
-------------------------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-importkey` [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] {keyfile}
:program:`dnssec-importkey` {**-f** filename} [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] [dnsname]
Description
~~~~~~~~~~~
``dnssec-importkey`` reads a public DNSKEY record and generates a pair
of .key/.private files. The DNSKEY record may be read from an existing
.key file, in which case a corresponding .private file will be
generated, or it may be read from any other file or from the standard
input, in which case both .key and .private files will be generated.
The newly-created .private file does *not* contain private key data, and
cannot be used for signing. However, having a .private file makes it
possible to set publication (``-P``) and deletion (``-D``) times for the
key, which means the public key can be added to and removed from the
DNSKEY RRset on schedule even if the true private key is stored offline.
Options
~~~~~~~
**-f** filename
Zone file mode: instead of a public keyfile name, the argument is the
DNS domain name of a zone master file, which can be read from
``file``. If the domain name is the same as ``file``, then it may be
omitted.
If ``file`` is set to ``"-"``, then the zone data is read from the
standard input.
**-K** directory
Sets the directory in which the key files are to reside.
**-L** ttl
Sets the default TTL to use for this key when it is converted into a
DNSKEY RR. If the key is imported into a zone, this is the TTL that
will be used for it, unless there was already a DNSKEY RRset in
place, in which case the existing TTL would take precedence. Setting
the default TTL to ``0`` or ``none`` removes it.
**-h**
Emit usage message and exit.
**-v** level
Sets the debugging level.
**-V**
Prints version information.
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
argument begins with a '+' or '-', it is interpreted as an offset from
the present time. For convenience, if such an offset is followed by one
of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
computed in years (defined as 365 24-hour days, ignoring leap years),
months (defined as 30 24-hour days), weeks, days, hours, or minutes,
respectively. Without a suffix, the offset is computed in seconds. To
explicitly prevent a date from being set, use 'none' or 'never'.
**-P** date/offset
Sets the date on which a key is to be published to the zone. After
that date, the key will be included in the zone but will not be used
to sign it.
**-P** sync date/offset
Sets the date on which CDS and CDNSKEY records that match this key
are to be published to the zone.
**-D** date/offset
Sets the date on which the key is to be deleted. After that date, the
key will no longer be included in the zone. (It may remain in the key
repository, however.)
**-D** sync date/offset
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
Files
~~~~~
A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii``
or the full file name ``Knnnn.+aaa+iiiii.key`` as generated by
dnssec-keygen8.
See Also
--------
:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`5011`.

311
bin/dnssec/dnssec-keyfromlabel.8
View file

@ -1,311 +0,0 @@
.\" Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-keyfromlabel
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: August 27, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-KEYFROMLABEL" "8" "August 27, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keyfromlabel\fR\ 'u
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM)\&. The private key file can be used for DNSSEC signing of zone data as if it were a conventional signing key created by
\fBdnssec\-keygen\fR, but the key material is stored within the HSM, and the actual signing takes place there\&.
.PP
The
\fBname\fR
of the key is specified on the command line\&. This must match the name of the zone for which the key is being generated\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
.sp
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
\fB\-3\fR
option, then NSEC3RSASHA1 will be used instead\&.
.sp
As of BIND 9\&.12\&.0, this option is mandatory except when using the
\fB\-S\fR
option (which copies the algorithm from the predecessory key)\&. Previously, the default for newly generated keys was RSASHA1\&.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-l \fIlabel\fR
.RS 4
Specifies the label for a key pair in the crypto hardware\&.
.sp
When
BIND
9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
.sp
When
BIND
9 is built with native PKCS#11 support, the label is a PKCS#11 URI string in the format "pkcs11:\fBkeyword\fR=\fIvalue\fR[;\fBkeyword\fR=\fIvalue\fR;\&.\&.\&.]" Keywords include "token", which identifies the HSM; "object", which identifies the key; and "pin\-source", which identifies a file from which the HSM\*(Aqs PIN code can be obtained\&. The label will be stored in the on\-disk "private" file\&.
.sp
If the label contains a
\fBpin\-source\fR
field, tools using the generated key files will be able to use the HSM for signing and other operations without any need for an operator to manually enter a PIN\&. Note: Making the HSM\*(Aqs PIN accessible in this manner may reduce the security advantage of using an HSM; be sure this is what you want to do before making use of this feature\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata\&. By default,
\fBdnssec\-keyfromlabel\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-keyfromlabel\fR\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k
.RS 4
Generate KEY records rather than DNSKEY records\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. Setting the default TTL to
0
or
none
removes it\&.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-S \fIkey\fR
.RS 4
Generate a key as an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the predecessor\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-y
.RS 4
Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked\&. (This is only safe to use if you are sure you won\*(Aqt be using RFC 5011 trust anchor maintenance with either of the keys involved\&.)
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
.sp
If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
.SH "GENERATED KEY FILES"
.PP
When
\fBdnssec\-keyfromlabel\fR
completes successfully, it prints a string of the form
Knnnn\&.+aaa+iiiii
to the standard output\&. This is an identification string for the key files it has generated\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
nnnn
is the key name\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
aaa
is the numeric representation of the algorithm\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
iiiii
is the key identifier (or footprint)\&.
.RE
.PP
\fBdnssec\-keyfromlabel\fR
creates two files, with names based on the printed string\&.
Knnnn\&.+aaa+iiiii\&.key
contains the public key, and
Knnnn\&.+aaa+iiiii\&.private
contains the private key\&.
.PP
The
\&.key
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4034,
The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

556
bin/dnssec/dnssec-keyfromlabel.docbook
View file

@ -1,556 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
<info>
<date>2014-02-27</date>
</info>
<refentryinfo>
<date>August 27, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-keyfromlabel</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-keyfromlabel</command>
<arg choice="req" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-y</option></arg>
<arg choice="req" rep="norepeat">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-keyfromlabel</command>
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
file can be used for DNSSEC signing of zone data as if it were a
conventional signing key created by <command>dnssec-keygen</command>,
but the key material is stored within the HSM, and the actual signing
takes place there.
</para>
<para>
The <option>name</option> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
will be used instead.
</para>
<para>
As of BIND 9.12.0, this option is mandatory except when using
the <option>-S</option> option (which copies the algorithm from
the predecessory key). Previously, the default for newly
generated keys was RSASHA1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
specifies the NSEC3RSASHA1 algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label for a key pair in the crypto hardware.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</para>
<para>
If the label contains a
<option>pin-source</option> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keyfromlabel</command>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keyfromlabel</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-y</term>
<listitem>
<para>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>GENERATED KEY FILES</title></info>
<para>
When <command>dnssec-keyfromlabel</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key files it has generated.
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keyfromlabel</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</para>
<para>
The <filename>.private</filename> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4034</citetitle>,
<citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</citetitle>.
</para>
</refsection>
</refentry>

462
bin/dnssec/dnssec-keyfromlabel.html
View file

@ -1,462 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-keyfromlabel</span>
&#8212; DNSSEC key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keyfromlabel</code>
{-l <em class="replaceable"><code>label</code></em>}
[<code class="option">-3</code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-y</code>]
{name}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
file can be used for DNSSEC signing of zone data as if it were a
conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
but the key material is stored within the HSM, and the actual signing
takes place there.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
will be used instead.
</p>
<p>
As of BIND 9.12.0, this option is mandatory except when using
the <code class="option">-S</code> option (which copies the algorithm from
the predecessory key). Previously, the default for newly
generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
Specifies the label for a key pair in the crypto hardware.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
<p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
<p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p>
</dd>
<dt><span class="term">-G</span></dt>
<dd>
<p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Generate KEY records rather than DNSKEY records.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd>
<p>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
<dt><span class="term">-y</span></dt>
<dd>
<p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p><code class="filename">nnnn</code> is the key name.
</p>
</li>
<li class="listitem">
<p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p>
</li>
<li class="listitem">
<p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p>
</li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
</p>
</div>
</div></body>
</html>

276
bin/dnssec/dnssec-keyfromlabel.rst Normal file
View file

@ -0,0 +1,276 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-keyfromlabel:
dnssec-keyfromlabel - DNSSEC key generation tool
------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
Description
~~~~~~~~~~~
``dnssec-keyfromlabel`` generates a key pair of files that referencing a
key object stored in a cryptographic hardware service module (HSM). The
private key file can be used for DNSSEC signing of zone data as if it
were a conventional signing key created by ``dnssec-keygen``, but the
key material is stored within the HSM, and the actual signing takes
place there.
The ``name`` of the key is specified on the command line. This must
match the name of the zone for which the key is being generated.
Options
~~~~~~~
**-a** algorithm
Selects the cryptographic algorithm. The value of ``algorithm`` must
be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
If no algorithm is specified, then RSASHA1 will be used by default,
unless the ``-3`` option is specified, in which case NSEC3RSASHA1
will be used instead. (If ``-3`` is used and an algorithm is
specified, that algorithm will be checked for compatibility with
NSEC3.)
These values are case insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
option, then NSEC3RSASHA1 will be used instead.
As of BIND 9.12.0, this option is mandatory except when using the
``-S`` option (which copies the algorithm from the predecessory key).
Previously, the default for newly generated keys was RSASHA1.
**-3**
Use an NSEC3-capable algorithm to generate a DNSSEC key. If this
option is used with an algorithm that has both NSEC and NSEC3
versions, then the NSEC3 version will be used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
**-E** engine
Specifies the cryptographic hardware to use.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
string "pkcs11", which identifies an OpenSSL engine that can drive a
cryptographic accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography (--enable-native-pkcs11), it
defaults to the path of the PKCS#11 provider library specified via
"--with-pkcs11".
**-l** label
Specifies the label for a key pair in the crypto hardware.
When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
an arbitrary string that identifies a particular key. It may be
preceded by an optional OpenSSL engine name, followed by a colon, as
in "pkcs11:keylabel".
When BIND 9 is built with native PKCS#11 support, the label is a
PKCS#11 URI string in the format
"pkcs11:``keyword``\ =value[;\ ``keyword``\ =value;...]" Keywords
include "token", which identifies the HSM; "object", which identifies
the key; and "pin-source", which identifies a file from which the
HSM's PIN code can be obtained. The label will be stored in the
on-disk "private" file.
If the label contains a ``pin-source`` field, tools using the
generated key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter a PIN.
Note: Making the HSM's PIN accessible in this manner may reduce the
security advantage of using an HSM; be sure this is what you want to
do before making use of this feature.
**-n** nametype
Specifies the owner type of the key. The value of ``nametype`` must
either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
(for a key associated with a host (KEY)), USER (for a key associated
with a user(KEY)) or OTHER (DNSKEY). These values are case
insensitive.
**-C**
Compatibility mode: generates an old-style key, without any metadata.
By default, ``dnssec-keyfromlabel`` will include the key's creation
date in the metadata stored with the private key, and other dates may
be set there as well (publication date, activation date, etc). Keys
that include this data may be incompatible with older versions of
BIND; the ``-C`` option suppresses them.
**-c** class
Indicates that the DNS record containing the key should have the
specified class. If not specified, class IN is used.
**-f** flag
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
**-G**
Generate a key, but do not publish it or sign with it. This option is
incompatible with -P and -A.
**-h**
Prints a short summary of the options and arguments to
``dnssec-keyfromlabel``.
**-K** directory
Sets the directory in which the key files are to be written.
**-k**
Generate KEY records rather than DNSKEY records.
**-L** ttl
Sets the default TTL to use for this key when it is converted into a
DNSKEY RR. If the key is imported into a zone, this is the TTL that
will be used for it, unless there was already a DNSKEY RRset in
place, in which case the existing TTL would take precedence. Setting
the default TTL to ``0`` or ``none`` removes it.
**-p** protocol
Sets the protocol value for the key. The protocol is a number between
0 and 255. The default is 3 (DNSSEC). Other possible values for this
argument are listed in :rfc:`2535` and its successors.
**-S** key
Generate a key as an explicit successor to an existing key. The name,
algorithm, size, and type of the key will be set to match the
predecessor. The activation date of the new key will be set to the
inactivation date of the existing one. The publication date will be
set to the activation date minus the prepublication interval, which
defaults to 30 days.
**-t** type
Indicates the use of the key. ``type`` must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
to the ability to authenticate data, and CONF the ability to encrypt
data.
**-v** level
Sets the debugging level.
**-V**
Prints version information.
**-y**
Allows DNSSEC key files to be generated even if the key ID would
collide with that of an existing key, in the event of either key
being revoked. (This is only safe to use if you are sure you won't be
using :rfc:`5011` trust anchor maintenance with either of the keys
involved.)
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
argument begins with a '+' or '-', it is interpreted as an offset from
the present time. For convenience, if such an offset is followed by one
of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
computed in years (defined as 365 24-hour days, ignoring leap years),
months (defined as 30 24-hour days), weeks, days, hours, or minutes,
respectively. Without a suffix, the offset is computed in seconds. To
explicitly prevent a date from being set, use 'none' or 'never'.
**-P** date/offset
Sets the date on which a key is to be published to the zone. After
that date, the key will be included in the zone but will not be used
to sign it. If not set, and if the -G option has not been used, the
default is "now".
**-P** sync date/offset
Sets the date on which the CDS and CDNSKEY records which match this
key are to be published to the zone.
**-A** date/offset
Sets the date on which the key is to be activated. After that date,
the key will be included in the zone and used to sign it. If not set,
and if the -G option has not been used, the default is "now".
**-R** date/offset
Sets the date on which the key is to be revoked. After that date, the
key will be flagged as revoked. It will be included in the zone and
will be used to sign it.
**-I** date/offset
Sets the date on which the key is to be retired. After that date, the
key will still be included in the zone, but it will not be used to
sign it.
**-D** date/offset
Sets the date on which the key is to be deleted. After that date, the
key will no longer be included in the zone. (It may remain in the key
repository, however.)
**-D** sync date/offset
Sets the date on which the CDS and CDNSKEY records which match this
key are to be deleted.
**-i** interval
Sets the prepublication interval for a key. If set, then the
publication and activation dates must be separated by at least this
much time. If the activation date is specified but the publication
date isn't, then the publication date will default to this much time
before the activation date; conversely, if the publication date is
specified but activation date isn't, then activation will be set to
this much time after publication.
If the key is being created as an explicit successor to another key,
then the default prepublication interval is 30 days; otherwise it is
zero.
As with date offsets, if the argument is followed by one of the
suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is
measured in years, months, weeks, days, hours, or minutes,
respectively. Without a suffix, the interval is measured in seconds.
Generated Key Files
~~~~~~~~~~~~~~~~~~~
When ``dnssec-keyfromlabel`` completes successfully, it prints a string
of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
identification string for the key files it has generated.
- ``nnnn`` is the key name.
- ``aaa`` is the numeric representation of the algorithm.
- ``iiiii`` is the key identifier (or footprint).
``dnssec-keyfromlabel`` creates two files, with names based on the
printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
``Knnnn.+aaa+iiiii.private`` contains the private key.
The ``.key`` file contains a DNS KEY record that can be inserted into a
zone file (directly or with a $INCLUDE statement).
The ``.private`` file contains algorithm-specific fields. For obvious
security reasons, this file does not have general read permission.
See Also
~~~~~~~~
:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`4034`, The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13).

378
bin/dnssec/dnssec-keygen.8
View file

@ -1,378 +0,0 @@
.\" Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-keygen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034\&. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930\&.
.PP
The
\fBname\fR
of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
.PP
The
\fBdnssec\-keymgr\fR
command acts as a wrapper around
\fBdnssec\-keygen\fR, generating and updating keys as needed to enforce defined security policies such as key rollover scheduling\&. Using
\fBdnssec\-keymgr\fR
may be preferable to direct use of
\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
\fB\-T KEY\fR
option as well\&.
.sp
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
\fB\-3\fR
option, then NSEC3RSASHA1 will be used instead\&.
.sp
This parameter
\fImust\fR
be specified except when using the
\fB\-S\fR
option, which copies the algorithm from the predecessor key\&.
.sp
In prior releases, HMAC algorithms could be generated for use as TSIG keys, but that feature has been removed as of BIND 9\&.13\&.0\&. Use
\fBtsig\-keygen\fR
to generate TSIG keys\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
If the key size is not specified, some algorithms have pre\-defined defaults\&. For instance, RSA keys have a default size of 2048 bits\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
\fBdnssec\-keygen\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE
.PP
\-d \fIbits\fR
.RS 4
Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
.RE
.PP
\-g \fIgenerator\fR
.RS 4
If generating a Diffie Hellman key, use this generator\&. Allowed values are 2 and 5\&. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k \fIpolicy\fR
.RS 4
Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys,
\fBdnssec\-keygen\fR
will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&.
.sp
This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that
\fBdnssec\-keygen\fR
provides\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
0
or
none
is the same as leaving it unset\&.
.RE
.PP
\-l \fIfile\fR
.RS 4
Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with
\fB\-k\fR)\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key, for use with
\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output, including progress indication\&. Without this option, when
\fBdnssec\-keygen\fR
is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
stderr
indicating the progress of the key generation\&. A \*(Aq\&.\*(Aq indicates that a random number has been found which passed an initial sieve test; \*(Aq+\*(Aq means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key\&.
.RE
.PP
\-S \fIkey\fR
.RS 4
Create a new key which is an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the existing key\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
.RE
.PP
\-s \fIstrength\fR
.RS 4
Specifies the strength value of the key\&. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC\&.
.RE
.PP
\-T \fIrrtype\fR
.RS 4
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key, for use with
\fB\-T KEY\fR\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
.sp
If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
.SH "GENERATED KEYS"
.PP
When
\fBdnssec\-keygen\fR
completes successfully, it prints a string of the form
Knnnn\&.+aaa+iiiii
to the standard output\&. This is an identification string for the key it has generated\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
nnnn
is the key name\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
aaa
is the numeric representation of the algorithm\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
iiiii
is the key identifier (or footprint)\&.
.RE
.PP
\fBdnssec\-keygen\fR
creates two files, with names based on the printed string\&.
Knnnn\&.+aaa+iiiii\&.key
contains the public key, and
Knnnn\&.+aaa+iiiii\&.private
contains the private key\&.
.PP
The
\&.key
file contains a DNSKEY or KEY record\&. When a zone is being signed by
\fBnamed\fR
or
\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
\&.key
file can be inserted into a zone file manually or with a
\fB$INCLUDE\fR
statement\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.SH "EXAMPLE"
.PP
To generate an ECDSAP256SHA256 zone\-signing key for the zone
\fBexample\&.com\fR, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
.PP
The command would print a string of the form:
.PP
\fBKexample\&.com\&.+013+26160\fR
.PP
In this example,
\fBdnssec\-keygen\fR
creates the files
Kexample\&.com\&.+013+26160\&.key
and
Kexample\&.com\&.+013+26160\&.private\&.
.PP
To generate a matching key\-signing key, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
RFC 2845,
RFC 4034\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

664
bin/dnssec/dnssec-keygen.docbook
View file

@ -1,664 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
<info>
<date>2014-02-06</date>
</info>
<refentryinfo>
<date>August 21, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-keygen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-keygen</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-keygen</command>
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">bits</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">policy</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">rrtype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req" rep="norepeat">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</para>
<para>
The <option>name</option> of the key is specified on the command
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
specifies the NSEC3RSASHA1 algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <option>-T KEY</option>
option as well.
</para>
<para>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
will be used instead.
</para>
<para>
This parameter <emphasis>must</emphasis> be specified except
when using the <option>-S</option> option, which copies the
algorithm from the predecessor key.
</para>
<para>
In prior releases, HMAC algorithms could be generated for
use as TSIG keys, but that feature has been removed as of
BIND 9.13.0. Use <command>tsig-keygen</command> to generate
TSIG keys.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 1024 and 4096 bits. Diffie Hellman keys must be between
128 and 4096 bits. Elliptic curve algorithms don't need this
parameter.
</para>
<para>
If the key size is not specified, some algorithms have
pre-defined defaults. For instance, RSA keys have a default
size of 2048 bits.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without any
timing metadata. By default, <command>dnssec-keygen</command>
will include the key's creation date in the metadata stored with
the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include this
data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">bits</replaceable></term>
<listitem>
<para>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">policy</replaceable></term>
<listitem>
<para>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <command>dnssec-keygen</command> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</para>
<para>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <command>dnssec-keygen</command>
provides.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <literal>0</literal>
or <literal>none</literal> is the same as leaving it unset.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <command>-k</command>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key, for use
with <option>-T KEY</option>. The protocol is a number between 0
and 255. The default is 3 (DNSSEC). Other possible values for
this argument are listed in RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<command>dnssec-keygen</command> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <filename>stderr</filename> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
<listitem>
<para>
Specifies the resource record type to use for the key.
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key, for use with <option>-T
KEY</option>. <option>type</option> must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the ability
to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>GENERATED KEYS</title></info>
<para>
When <command>dnssec-keygen</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key it has generated.
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keygen</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private
key.
</para>
<para>
The <filename>.key</filename> file contains a DNSKEY or KEY record.
When a zone is being signed by <command>named</command>
or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
records are included automatically. In other cases,
the <filename>.key</filename> file can be inserted into a zone file
manually or with a <userinput>$INCLUDE</userinput> statement.
</para>
<para>
The <filename>.private</filename> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
<para>
To generate an ECDSAP256SHA256 zone-signing key for the zone
<userinput>example.com</userinput>, issue the command:
</para>
<para>
<userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para><userinput>Kexample.com.+013+26160</userinput>
</para>
<para>
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+013+26160.key</filename>
and
<filename>Kexample.com.+013+26160.private</filename>.
</para>
<para>
To generate a matching key-signing key, issue the command:
</para>
<para>
<userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4034</citetitle>.
</para>
</refsection>
</refentry>

555
bin/dnssec/dnssec-keygen.html
View file

@ -1,555 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-keygen</span>
&#8212; DNSSEC key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
{name}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
<p>
The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
as needed to enforce defined security policies such as key rollover
scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code>
option as well.
</p>
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
will be used instead.
</p>
<p>
This parameter <span class="emphasis"><em>must</em></span> be specified except
when using the <code class="option">-S</code> option, which copies the
algorithm from the predecessor key.
</p>
<p>
In prior releases, HMAC algorithms could be generated for
use as TSIG keys, but that feature has been removed as of
BIND 9.13.0. Use <span class="command"><strong>tsig-keygen</strong></span> to generate
TSIG keys.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 1024 and 4096 bits. Diffie Hellman keys must be between
128 and 4096 bits. Elliptic curve algorithms don't need this
parameter.
</p>
<p>
If the key size is not specified, some algorithms have
pre-defined defaults. For instance, RSA keys have a default
size of 2048 bits.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Compatibility mode: generates an old-style key, without any
timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored with
the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include this
data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
<dd>
<p>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
<p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p>
</dd>
<dt><span class="term">-G</span></dt>
<dd>
<p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p>
</dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd>
<p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
<dd>
<p>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</p>
<p>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <span class="command"><strong>dnssec-keygen</strong></span>
provides.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
Sets the protocol value for the generated key, for use
with <code class="option">-T KEY</code>. The protocol is a number between 0
and 255. The default is 3 (DNSSEC). Other possible values for
this argument are listed in RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd>
<p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd>
<p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Indicates the use of the key, for use with <code class="option">-T
KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the ability
to encrypt data.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEYS</h2>
<p>
When <span class="command"><strong>dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p><code class="filename">nnnn</code> is the key name.
</p>
</li>
<li class="listitem">
<p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p>
</li>
<li class="listitem">
<p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p>
</li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
When a zone is being signed by <span class="command"><strong>named</strong></span>
or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
records are included automatically. In other cases,
the <code class="filename">.key</code> file can be inserted into a zone file
manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
To generate an ECDSAP256SHA256 zone-signing key for the zone
<strong class="userinput"><code>example.com</code></strong>, issue the command:
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
</p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
</p>
<p>
In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+013+26160.key</code>
and
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
<p>
To generate a matching key-signing key, issue the command:
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 4034</em>.
</p>
</div>
</div></body>
</html>

322
bin/dnssec/dnssec-keygen.rst Normal file
View file

@ -0,0 +1,322 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-keygen:
dnssec-keygen: DNSSEC key generation tool
-----------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-g** generator] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
``dnssec-keygen`` generates keys for DNSSEC (Secure DNS), as defined in
:rfc:`2535` and :rfc:`4034`. It can also generate keys for use with TSIG
(Transaction Signatures) as defined in :rfc:`2845`, or TKEY (Transaction
Key) as defined in :rfc:`2930`.
The ``name`` of the key is specified on the command line. For DNSSEC
keys, this must match the name of the zone for which the key is being
generated.
Options
~~~~~~~
**-3**
Use an NSEC3-capable algorithm to generate a DNSSEC key. If this
option is used with an algorithm that has both NSEC and NSEC3
versions, then the NSEC3 version will be used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
**-a** algorithm
Selects the cryptographic algorithm. For DNSSEC keys, the value of
``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying his value
will automatically set the ``-T KEY`` option as well.
These values are case insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
option, then NSEC3RSASHA1 will be used instead.
This parameter *must* be specified except when using the ``-S``
option, which copies the algorithm from the predecessor key.
In prior releases, HMAC algorithms could be generated for use as TSIG
keys, but that feature has been removed as of BIND 9.13.0. Use
``tsig-keygen`` to generate TSIG keys.
**-b** keysize
Specifies the number of bits in the key. The choice of key size
depends on the algorithm used. RSA keys must be between 1024 and 4096
bits. Diffie Hellman keys must be between 128 and 4096 bits. Elliptic
curve algorithms don't need this parameter.
If the key size is not specified, some algorithms have pre-defined
defaults. For example, RSA keys for use as DNSSEC zone signing keys
have a default size of 1024 bits; RSA keys for use as key signing
keys (KSKs, generated with ``-f KSK``) default to 2048 bits.
**-C**
Compatibility mode: generates an old-style key, without any timing
metadata. By default, ``dnssec-keygen`` will include the key's
creation date in the metadata stored with the private key, and other
dates may be set there as well (publication date, activation date,
etc). Keys that include this data may be incompatible with older
versions of BIND; the ``-C`` option suppresses them.
**-c** class
Indicates that the DNS record containing the key should have the
specified class. If not specified, class IN is used.
**-d** bits
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and
RSASHA512 the key size must be in range 1024-4096. DH size is between 128
and 4096. This option is ignored for algorithms ECDSAP256SHA256,
ECDSAP384SHA384, ED25519 and ED448.
**-E** engine
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
string "pkcs11", which identifies an OpenSSL engine that can drive a
cryptographic accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography (--enable-native-pkcs11), it
defaults to the path of the PKCS#11 provider library specified via
"--with-pkcs11".
**-f** flag
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
**-G**
Generate a key, but do not publish it or sign with it. This option is
incompatible with -P and -A.
**-g** generator
If generating a Diffie Hellman key, use this generator. Allowed
values are 2 and 5. If no generator is specified, a known prime from
:rfc:`2539` will be used if possible; otherwise the default is 2.
**-h**
Prints a short summary of the options and arguments to
``dnssec-keygen``.
**-K** directory
Sets the directory in which the key files are to be written.
**-k** policy
Create keys for a specific dnssec-policy. If a policy uses multiple keys,
``dnssec-keygen`` will generate multiple keys. This will also
create a ".state" file to keep track of the key state.
This option creates keys according to the dnssec-policy configuration, hence
it cannot be used together with many of the other options that
``dnssec-keygen`` provides.
**-L** ttl
Sets the default TTL to use for this key when it is converted into a
DNSKEY RR. If the key is imported into a zone, this is the TTL that
will be used for it, unless there was already a DNSKEY RRset in
place, in which case the existing TTL would take precedence. If this
value is not set and there is no existing DNSKEY RRset, the TTL will
default to the SOA TTL. Setting the default TTL to ``0`` or ``none``
is the same as leaving it unset.
**-l** file
Provide a configuration file that contains a dnssec-policy statement
(matching the policy set with ``-k``).
**-n** nametype
Specifies the owner type of the key. The value of ``nametype`` must
either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
(for a key associated with a host (KEY)), USER (for a key associated
with a user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
**-p** protocol
Sets the protocol value for the generated key, for use with
``-T KEY``. The protocol is a number between 0 and 255. The default
is 3 (DNSSEC). Other possible values for this argument are listed in
:rfc:`2535` and its successors.
**-q**
Quiet mode: Suppresses unnecessary output, including progress
indication. Without this option, when ``dnssec-keygen`` is run
interactively to generate an RSA or DSA key pair, it will print a
string of symbols to ``stderr`` indicating the progress of the key
generation. A '.' indicates that a random number has been found which
passed an initial sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space means that the
number has passed all the tests and is a satisfactory key.
**-S** key
Create a new key which is an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set to match
the existing key. The activation date of the new key will be set to
the inactivation date of the existing one. The publication date will
be set to the activation date minus the prepublication interval,
which defaults to 30 days.
**-s** strength
Specifies the strength value of the key. The strength is a number
between 0 and 15, and currently has no defined purpose in DNSSEC.
**-T** rrtype
Specifies the resource record type to use for the key. ``rrtype``
must be either DNSKEY or KEY. The default is DNSKEY when using a
DNSSEC algorithm, but it can be overridden to KEY for use with
SIG(0).
**-t** type
Indicates the use of the key, for use with ``-T KEY``. ``type``
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate data, and
CONF the ability to encrypt data.
**-V**
Prints version information.
**-v** level
Sets the debugging level.
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
argument begins with a '+' or '-', it is interpreted as an offset from
the present time. For convenience, if such an offset is followed by one
of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
computed in years (defined as 365 24-hour days, ignoring leap years),
months (defined as 30 24-hour days), weeks, days, hours, or minutes,
respectively. Without a suffix, the offset is computed in seconds. To
explicitly prevent a date from being set, use 'none' or 'never'.
**-P** date/offset
Sets the date on which a key is to be published to the zone. After
that date, the key will be included in the zone but will not be used
to sign it. If not set, and if the -G option has not been used, the
default is "now".
**-P** sync date/offset
Sets the date on which CDS and CDNSKEY records that match this key
are to be published to the zone.
**-A** date/offset
Sets the date on which the key is to be activated. After that date,
the key will be included in the zone and used to sign it. If not set,
and if the -G option has not been used, the default is "now". If set,
if and -P is not set, then the publication date will be set to the
activation date minus the prepublication interval.
**-R** date/offset
Sets the date on which the key is to be revoked. After that date, the
key will be flagged as revoked. It will be included in the zone and
will be used to sign it.
**-I** date/offset
Sets the date on which the key is to be retired. After that date, the
key will still be included in the zone, but it will not be used to
sign it.
**-D** date/offset
Sets the date on which the key is to be deleted. After that date, the
key will no longer be included in the zone. (It may remain in the key
repository, however.)
**-D** sync date/offset
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
**-i** interval
Sets the prepublication interval for a key. If set, then the
publication and activation dates must be separated by at least this
much time. If the activation date is specified but the publication
date isn't, then the publication date will default to this much time
before the activation date; conversely, if the publication date is
specified but activation date isn't, then activation will be set to
this much time after publication.
If the key is being created as an explicit successor to another key,
then the default prepublication interval is 30 days; otherwise it is
zero.
As with date offsets, if the argument is followed by one of the
suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is
measured in years, months, weeks, days, hours, or minutes,
respectively. Without a suffix, the interval is measured in seconds.
Generated Keys
~~~~~~~~~~~~~~
When ``dnssec-keygen`` completes successfully, it prints a string of the
form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
identification string for the key it has generated.
- ``nnnn`` is the key name.
- ``aaa`` is the numeric representation of the algorithm.
- ``iiiii`` is the key identifier (or footprint).
``dnssec-keygen`` creates two files, with names based on the printed
string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
``Knnnn.+aaa+iiiii.private`` contains the private key.
The ``.key`` file contains a DNSKEY or KEY record. When a zone is being
signed by ``named`` or ``dnssec-signzone`` ``-S``, DNSKEY records are
included automatically. In other cases, the ``.key`` file can be
inserted into a zone file manually or with a ``$INCLUDE`` statement.
The ``.private`` file contains algorithm-specific fields. For obvious
security reasons, this file does not have general read permission.
Example
~~~~~~~
To generate an ECDSAP256SHA256 zone-signing key for the zone
``example.com``, issue the command:
``dnssec-keygen -a ECDSAP256SHA256 example.com``
The command would print a string of the form:
``Kexample.com.+013+26160``
In this example, ``dnssec-keygen`` creates the files
``Kexample.com.+013+26160.key`` and ``Kexample.com.+013+26160.private``.
To generate a matching key-signing key, issue the command:
``dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com``
See Also
~~~~~~~~
:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`2539`,
:rfc:`2845`, :rfc:`4034`.

103
bin/dnssec/dnssec-revoke.8
View file

@ -1,103 +0,0 @@
.\" Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-revoke
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-15
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-REVOKE" "8" "2014\-01\-15" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-revoke \- set the REVOKED bit on a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-revoke\fR\ 'u
\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-revoke\fR
reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key\&.
.SH "OPTIONS"
.PP
\-h
.RS 4
Emit usage message and exit\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to reside\&.
.RE
.PP
\-r
.RS 4
After writing the new keyset files remove the original keyset files\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-f
.RS 4
Force overwrite: Causes
\fBdnssec\-revoke\fR
to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key\&.
.RE
.PP
\-R
.RS 4
Print the key tag of the key with the REVOKE bit set but do not revoke the key\&.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
BIND 9 Administrator Reference Manual,
RFC 5011\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

170
bin/dnssec/dnssec-revoke.docbook
View file

@ -1,170 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-revoke</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-revoke</application></refname>
<refpurpose>set the REVOKED bit on a DNSSEC key</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2011</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-revoke</command>
<arg choice="opt" rep="norepeat"><option>-hr</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-R</option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-revoke</command>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
After writing the new keyset files remove the original keyset
files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Force overwrite: Causes <command>dnssec-revoke</command> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R</term>
<listitem>
<para>
Print the key tag of the key with the REVOKE bit set but do
not revoke the key.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsection>
</refentry>

137
bin/dnssec/dnssec-revoke.html
View file

@ -1,137 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-revoke</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-revoke</span>
&#8212; set the REVOKED bit on a DNSSEC key
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-revoke</code>
[<code class="option">-hr</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f</code>]
[<code class="option">-R</code>]
{keyfile}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd>
<p>
Emit usage message and exit.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
After writing the new keyset files remove the original keyset
files.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-f</span></dt>
<dd>
<p>
Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
Print the key tag of the key with the REVOKE bit set but do
not revoke the key.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
</div></body>
</html>

81
bin/dnssec/dnssec-revoke.rst Normal file
View file

@ -0,0 +1,81 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-revoke:
dnssec-revoke - set the REVOKED bit on a DNSSEC key
---------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}
Description
~~~~~~~~~~~
``dnssec-revoke`` reads a DNSSEC key file, sets the REVOKED bit on the
key as defined in :rfc:`5011`, and creates a new pair of key files
containing the now-revoked key.
Options
~~~~~~~
**-h**
Emit usage message and exit.
**-K** directory
Sets the directory in which the key files are to reside.
**-r**
After writing the new keyset files remove the original keyset files.
**-v** level
Sets the debugging level.
**-V**
Prints version information.
**-E** engine
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
string "pkcs11", which identifies an OpenSSL engine that can drive a
cryptographic accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography (--enable-native-pkcs11), it
defaults to the path of the PKCS#11 provider library specified via
"--with-pkcs11".
**-f**
Force overwrite: Causes ``dnssec-revoke`` to write the new key pair
even if a file already exists matching the algorithm and key ID of
the revoked key.
**-R**
Print the key tag of the key with the REVOKE bit set but do not
revoke the key.
See Also
~~~~~~~~
:manpage:`dnssec-keygen(8)`, BIND 9 Administrator Reference Manual, :rfc:`5011`.

255
bin/dnssec/dnssec-settime.8
View file

@ -1,255 +0,0 @@
.\" Copyright (C) 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-SETTIME" "8" "2015\-08\-21" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-s\fR] [\fB\-g\ \fR\fB\fIstate\fR\fR] [\fB\-d\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-z\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
reads a DNSSEC private key file and sets the key timing metadata as specified by the
\fB\-P\fR,
\fB\-A\fR,
\fB\-R\fR,
\fB\-I\fR, and
\fB\-D\fR
options\&. The metadata can then be used by
\fBdnssec\-signzone\fR
or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc\&.
.PP
If none of these options is set on the command line, then
\fBdnssec\-settime\fR
simply prints the key timing metadata already stored in the key\&.
.PP
When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key
and
Knnnn\&.+aaa+iiiii\&.private) are regenerated\&.
.PP
Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
.PP
When working with state files, it is possible to update the timing metadata in those files as well with
\fB\-s\fR\&. If this option is used you can also update key states with
\fB\-d\fR
(DS),
\fB\-k\fR
(DNSKEY),
\fB\-r\fR
(RRSIG of KSK), or
\fB\-z\fR
(RRSIG of ZSK)\&. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE\&.
.PP
You can also set the goal state of the key with
\fB\-g\fR\&. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published)\&.
.PP
It is NOT RECOMMENDED to manipulate state files manually except for testing purposes\&.
.SH "OPTIONS"
.PP
\-f
.RS 4
Force an update of an old\-format key with no metadata fields\&. Without this option,
\fBdnssec\-settime\fR
will fail when attempting to update a legacy key\&. With this option, the key will be recreated in the new format, but with the original key data retained\&. The key\*(Aqs creation date will be set to the present time\&. If no other values are specified, then the key\*(Aqs publication and activation dates will also be set to the present time\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to reside\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
0
or
none
removes it from the key\&.
.RE
.PP
\-h
.RS 4
Emit usage message and exit\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To unset a date, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-S \fIpredecessor key\fR
.RS 4
Select a key for which the key being modified will be an explicit successor\&. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified\&. The activation date of the successor key will be set to the inactivation date of the predecessor\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
.sp
If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
.SH "KEY STATE OPTIONS"
.PP
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE\&. These should not be set manually except for testing purposes\&.
.PP
\-s
.RS 4
When setting key timing data, also update the state file\&.
.RE
.PP
\-g
.RS 4
Set the goal state for this key\&. Must be HIDDEN or OMNIPRESENT\&.
.RE
.PP
\-d
.RS 4
Set the DS state for this key, and when it was last changed\&.
.RE
.PP
\-k
.RS 4
Set the DNSKEY state for this key, and when it was last changed\&.
.RE
.PP
\-r
.RS 4
Set the RRSIG (KSK) state for this key, and when it was last changed\&.
.RE
.PP
\-z
.RS 4
Set the RRSIG (ZSK) state for this key, and when it was last changed\&.
.RE
.SH "PRINTING OPTIONS"
.PP
\fBdnssec\-settime\fR
can also be used to print the timing metadata associated with a key\&.
.PP
\-u
.RS 4
Print times in UNIX epoch format\&.
.RE
.PP
\-p \fIC/P/Psync/A/R/I/D/Dsync/all\fR
.RS 4
Print a specific metadata value or set of metadata values\&. The
\fB\-p\fR
option may be followed by one or more of the following letters or strings to indicate which value or values to print:
\fBC\fR
for the creation date,
\fBP\fR
for the publication date,
\fBPsync\fR
for the CDS and CDNSKEY publication date,
\fBA\fR
for the activation date,
\fBR\fR
for the revocation date,
\fBI\fR
for the inactivation date,
\fBD\fR
for the deletion date, and
\fBDsync\fR
for the CDS and CDNSKEY deletion date To print all of the metadata, use
\fB\-p all\fR\&.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 5011\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

470
bin/dnssec/dnssec-settime.docbook
View file

@ -1,470 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
<info>
<date>2015-08-21</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-settime</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-settime</application></refname>
<refpurpose>set the key timing metadata for a DNSSEC key</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-settime</command>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">state</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
<option>-R</option>, <option>-I</option>, and <option>-D</option>
options. The metadata can then be used by
<command>dnssec-signzone</command> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
</para>
<para>
If none of these options is set on the command line,
then <command>dnssec-settime</command> simply prints the key timing
metadata already stored in the key.
</para>
<para>
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
</para>
<para>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</para>
<para>
When working with state files, it is possible to update the timing
metadata in those files as well with <option>-s</option>. If this
option is used you can also update key states with <option>-d</option>
(DS), <option>-k</option> (DNSKEY), <option>-r</option> (RRSIG of KSK),
or <option>-z</option> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</para>
<para>
You can also set the goal state of the key with <option>-g</option>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</para>
<para>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Force an update of an old-format key with no metadata fields.
Without this option, <command>dnssec-settime</command> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <literal>0</literal>
or <literal>none</literal> removes it from the key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none' or 'never'.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">predecessor key</replaceable></term>
<listitem>
<para>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>KEY STATE OPTIONS</title></info>
<para>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</para>
<variablelist>
<varlistentry>
<term>-s</term>
<listitem>
<para>
When setting key timing data, also update the state file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Set the DS state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Set the DNSKEY state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>PRINTING OPTIONS</title></info>
<para>
<command>dnssec-settime</command> can also be used to print the
timing metadata associated with a key.
</para>
<variablelist>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Print times in UNIX epoch format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">C/P/Psync/A/R/I/D/Dsync/all</replaceable></term>
<listitem>
<para>
Print a specific metadata value or set of metadata values.
The <option>-p</option> option may be followed by one or more
of the following letters or strings to indicate which value
or values to print:
<option>C</option> for the creation date,
<option>P</option> for the publication date,
<option>Psync</option> for the CDS and CDNSKEY publication date,
<option>A</option> for the activation date,
<option>R</option> for the revocation date,
<option>I</option> for the inactivation date,
<option>D</option> for the deletion date, and
<option>Dsync</option> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <option>-p all</option>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsection>
</refentry>

390
bin/dnssec/dnssec-settime.html
View file

@ -1,390 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-settime</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-settime</span>
&#8212; set the key timing metadata for a DNSSEC key
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-settime</code>
[<code class="option">-f</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
{keyfile}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
options. The metadata can then be used by
<span class="command"><strong>dnssec-signzone</strong></span> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
</p>
<p>
If none of these options is set on the command line,
then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
metadata already stored in the key.
</p>
<p>
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
</p>
<p>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
<p>
When working with state files, it is possible to update the timing
metadata in those files as well with <code class="option">-s</code>. If this
option is used you can also update key states with <code class="option">-d</code>
(DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</p>
<p>
You can also set the goal state of the key with <code class="option">-g</code>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</p>
<p>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd>
<p>
Force an update of an old-format key with no metadata fields.
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> removes it from the key.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Emit usage message and exit.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd>
<p>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>KEY STATE OPTIONS</h2>
<p>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-s</span></dt>
<dd>
<p>
When setting key timing data, also update the state file.
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd>
<p>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Set the DS state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Set the DNSKEY state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>PRINTING OPTIONS</h2>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd>
<p>
Print times in UNIX epoch format.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
<dd>
<p>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters or strings to indicate which value
or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">Psync</code> for the CDS and CDNSKEY publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date,
<code class="option">D</code> for the deletion date, and
<code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <code class="option">-p all</code>.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
</div></body>
</html>

230
bin/dnssec/dnssec-settime.rst Normal file
View file

@ -0,0 +1,230 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-settime:
dnssec-settime: set the key timing metadata for a DNSSEC key
------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
Description
~~~~~~~~~~~
``dnssec-settime`` reads a DNSSEC private key file and sets the key
timing metadata as specified by the ``-P``, ``-A``, ``-R``, ``-I``, and
``-D`` options. The metadata can then be used by ``dnssec-signzone`` or
other signing software to determine when a key is to be published,
whether it should be used for signing a zone, etc.
If none of these options is set on the command line, then
``dnssec-settime`` simply prints the key timing metadata already stored
in the key.
When key metadata fields are changed, both files of a key pair
(``Knnnn.+aaa+iiiii.key`` and ``Knnnn.+aaa+iiiii.private``) are
regenerated.
Metadata fields are stored in the private file. A
human-readable description of the metadata is also placed in comments in
the key file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
When working with state files, it is possible to update the timing metadata in
those files as well with ``-s``. If this option is used you can also update key
states with ``-d`` (DS), ``-k`` (DNSKEY), ``-r`` (RRSIG of KSK), or ``-z``
(RRSIG of ZSK). Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and
UNRETENTIVE.
You can also set the goal state of the key with ``-g``. This should be either
HIDDEN or OMNIPRESENT (representing whether the key should be removed from the
zone, or published).
It is NOT RECOMMENDED to manipulate state files manually except for testing
purposes.
Options
~~~~~~~
**-f**
Force an update of an old-format key with no metadata fields. Without
this option, ``dnssec-settime`` will fail when attempting to update a
legacy key. With this option, the key will be recreated in the new
format, but with the original key data retained. The key's creation
date will be set to the present time. If no other values are
specified, then the key's publication and activation dates will also
be set to the present time.
**-K** directory
Sets the directory in which the key files are to reside.
**-L** ttl
Sets the default TTL to use for this key when it is converted into a
DNSKEY RR. If the key is imported into a zone, this is the TTL that
will be used for it, unless there was already a DNSKEY RRset in
place, in which case the existing TTL would take precedence. If this
value is not set and there is no existing DNSKEY RRset, the TTL will
default to the SOA TTL. Setting the default TTL to ``0`` or ``none``
removes it from the key.
**-h**
Emit usage message and exit.
**-V**
Prints version information.
**-v** level
Sets the debugging level.
**-E** engine
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
string "pkcs11", which identifies an OpenSSL engine that can drive a
cryptographic accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography (--enable-native-pkcs11), it
defaults to the path of the PKCS#11 provider library specified via
"--with-pkcs11".
Timing Options
~~~~~~~~~~~~~~
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
argument begins with a '+' or '-', it is interpreted as an offset from
the present time. For convenience, if such an offset is followed by one
of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
computed in years (defined as 365 24-hour days, ignoring leap years),
months (defined as 30 24-hour days), weeks, days, hours, or minutes,
respectively. Without a suffix, the offset is computed in seconds. To
unset a date, use 'none' or 'never'.
**-P** date/offset
Sets the date on which a key is to be published to the zone. After
that date, the key will be included in the zone but will not be used
to sign it.
**-P** sync date/offset
Sets the date on which CDS and CDNSKEY records that match this key
are to be published to the zone.
**-A** date/offset
Sets the date on which the key is to be activated. After that date,
the key will be included in the zone and used to sign it.
**-R** date/offset
Sets the date on which the key is to be revoked. After that date, the
key will be flagged as revoked. It will be included in the zone and
will be used to sign it.
**-I** date/offset
Sets the date on which the key is to be retired. After that date, the
key will still be included in the zone, but it will not be used to
sign it.
**-D** date/offset
Sets the date on which the key is to be deleted. After that date, the
key will no longer be included in the zone. (It may remain in the key
repository, however.)
**-D** sync date/offset
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
**-S** predecessor key
Select a key for which the key being modified will be an explicit
successor. The name, algorithm, size, and type of the predecessor key
must exactly match those of the key being modified. The activation
date of the successor key will be set to the inactivation date of the
predecessor. The publication date will be set to the activation date
minus the prepublication interval, which defaults to 30 days.
**-i** interval
Sets the prepublication interval for a key. If set, then the
publication and activation dates must be separated by at least this
much time. If the activation date is specified but the publication
date isn't, then the publication date will default to this much time
before the activation date; conversely, if the publication date is
specified but activation date isn't, then activation will be set to
this much time after publication.
If the key is being set to be an explicit successor to another key,
then the default prepublication interval is 30 days; otherwise it is
zero.
As with date offsets, if the argument is followed by one of the
suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is
measured in years, months, weeks, days, hours, or minutes,
respectively. Without a suffix, the interval is measured in seconds.
Key State Options
~~~~~~~~~~~~~~~~~
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE. These should
not be set manually except for testing purposes.
``-s``
When setting key timing data, also update the state file.
``-g``
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
``-d``
Set the DS state for this key, and when it was last changed.
``-k``
Set the DNSKEY state for this key, and when it was last changed.
``-r``
Set the RRSIG (KSK) state for this key, and when it was last changed.
``-z``
Set the RRSIG (ZSK) state for this key, and when it was last changed.
Printing Options
~~~~~~~~~~~~~~~~
``dnssec-settime`` can also be used to print the timing metadata
associated with a key.
**-u**
Print times in UNIX epoch format.
**-p** C/P/Psync/A/R/I/D/Dsync/all
Print a specific metadata value or set of metadata values. The ``-p``
option may be followed by one or more of the following letters or
strings to indicate which value or values to print: ``C`` for the
creation date, ``P`` for the publication date, ``Psync`` for the CDS
and CDNSKEY publication date, ``A`` for the activation date, ``R``
for the revocation date, ``I`` for the inactivation date, ``D`` for
the deletion date, and ``Dsync`` for the CDS and CDNSKEY deletion
date To print all of the metadata, use ``-p all``.
See Also
~~~~~~~~
:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`5011`.

474
bin/dnssec/dnssec-signzone.8
View file

@ -1,474 +0,0 @@
.\" Copyright (C) 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-signzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-18
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-SIGNZONE" "8" "2014\-02\-18" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-signzone\fR\ 'u
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
signs a zone\&. It generates NSEC and RRSIG records and produces a signed version of the zone\&. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
keyset
file for each child zone\&.
.SH "OPTIONS"
.PP
\-a
.RS 4
Verify all generated signatures\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zone\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: Generate a
keyset\-\fIzonename\fR
file in addition to
dsset\-\fIzonename\fR
when signing a zone, for use by older versions of
\fBdnssec\-signzone\fR\&.
.RE
.PP
\-d \fIdirectory\fR
.RS 4
Look for
dsset\-
or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-D
.RS 4
Output only those record types automatically managed by
\fBdnssec\-signzone\fR, i\&.e\&. RRSIG, NSEC, NSEC3 and NSEC3PARAM records\&. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included\&. The resulting file can be included in the original zone file with
\fB$INCLUDE\fR\&. This option cannot be combined with
\fB\-O raw\fR,
\fB\-O map\fR, or serial number updating\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-g
.RS 4
Generate DS records for child zones from
dsset\-
or
keyset\-
file\&. Existing DS records will be removed\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Key repository: Specify a directory to search for DNSSEC keys\&. If not specified, defaults to the current directory\&.
.RE
.PP
\-k \fIkey\fR
.RS 4
Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
.RE
.PP
\-M \fImaxttl\fR
.RS 4
Sets the maximum TTL for the signed zone\&. Any TTL higher than
\fImaxttl\fR
in the input zone will be reduced to
\fImaxttl\fR
in the output\&. This provides certainty as to the largest possible TTL in the signed zone, which is useful to know when rolling keys because it is the longest possible time before signatures that have been retrieved by resolvers will expire from resolver caches\&. Zones that are signed with this option should be configured to use a matching
\fBmax\-zone\-ttl\fR
in
named\&.conf\&. (Note: This option is incompatible with
\fB\-D\fR, because it modifies non\-DNSSEC data in the output zone\&.)
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records become valid\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000\&. A relative start time is indicated by +N, which is N seconds from the current time\&. If no
\fBstart\-time\fR
is specified, the current time minus 1 hour (to allow for clock skew) is used\&.
.RE
.PP
\-e \fIend\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records expire\&. As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no
\fBend\-time\fR
is specified, 30 days from the start time is used as a default\&.
\fBend\-time\fR
must be later than
\fBstart\-time\fR\&.
.RE
.PP
\-X \fIextended end\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire\&. This is to be used in cases when the DNSKEY signatures need to persist longer than signatures on other records; e\&.g\&., when the private component of the KSK is kept offline and the KSK signature is to be refreshed manually\&.
.sp
As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no
\fBextended end\-time\fR
is specified, the value of
\fBend\-time\fR
is used as the default\&. (\fBend\-time\fR, in turn, defaults to 30 days from the start time\&.)
\fBextended end\-time\fR
must be later than
\fBstart\-time\fR\&.
.RE
.PP
\-f \fIoutput\-file\fR
.RS 4
The name of the output file containing the signed zone\&. The default is to append
\&.signed
to the input filename\&. If
\fBoutput\-file\fR
is set to
"\-", then the signed zone is written to the standard output, with a default output format of "full"\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-signzone\fR\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
When a previously\-signed zone is passed as input, records may be resigned\&. The
\fBinterval\fR
option specifies the cycle interval as an offset from the current time (in seconds)\&. If a RRSIG record expires after the cycle interval, it is retained\&. Otherwise, it is considered to be expiring soon, and it will be replaced\&.
.sp
The default cycle interval is one quarter of the difference between the signature end and start times\&. So if neither
\fBend\-time\fR
or
\fBstart\-time\fR
are specified,
\fBdnssec\-signzone\fR
generates signatures that are valid for 30 days, with a cycle interval of 7\&.5 days\&. Therefore, if any existing RRSIG records are due to expire in less than 7\&.5 days, they would be replaced\&.
.RE
.PP
\-I \fIinput\-format\fR
.RS 4
The format of the input zone file\&. Possible formats are
\fB"text"\fR
(default),
\fB"raw"\fR, and
\fB"map"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly\&. The use of this option does not make much sense for non\-dynamic zones\&.
.RE
.PP
\-j \fIjitter\fR
.RS 4
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously\&. If the zone is incrementally signed, i\&.e\&. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time\&. The
\fBjitter\fR
option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time\&.
.sp
Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i\&.e\&. if large numbers of RRSIGs don\*(Aqt expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time\&.
.RE
.PP
\-L \fIserial\fR
.RS 4
When writing a signed zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
.RE
.PP
\-n \fIncpus\fR
.RS 4
Specifies the number of threads to use\&. By default, one thread is started for each detected CPU\&.
.RE
.PP
\-N \fIsoa\-serial\-format\fR
.RS 4
The SOA serial number format of the signed zone\&. Possible formats are
\fB"keep"\fR
(default),
\fB"increment"\fR,
\fB"unixtime"\fR, and
\fB"date"\fR\&.
.PP
\fB"keep"\fR
.RS 4
Do not modify the SOA serial number\&.
.RE
.PP
\fB"increment"\fR
.RS 4
Increment the SOA serial number using RFC 1982 arithmetic\&.
.RE
.PP
\fB"unixtime"\fR
.RS 4
Set the SOA serial number to the number of seconds since epoch\&.
.RE
.PP
\fB"date"\fR
.RS 4
Set the SOA serial number to today\*(Aqs date in YYYYMMDDNN format\&.
.RE
.RE
.PP
\-o \fIorigin\fR
.RS 4
The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
.RE
.PP
\-O \fIoutput\-format\fR
.RS 4
The format of the output file containing the signed zone\&. Possible formats are
\fB"text"\fR
(default), which is the standard textual representation of the zone;
\fB"full"\fR, which is text output in a format suitable for processing by external scripts; and
\fB"map"\fR,
\fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in binary formats for rapid loading by
\fBnamed\fR\&.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
.RE
.PP
\-P
.RS 4
Disable post sign verification tests\&.
.sp
The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm\&. This option skips these tests\&.
.RE
.PP
\-Q
.RS 4
Remove signatures from keys that are no longer active\&.
.sp
Normally, when a previously\-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key that are still within their validity period are retained\&. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset\&. The
\fB\-Q\fR
forces
\fBdnssec\-signzone\fR
to remove signatures from keys that are no longer active\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.1 ("Pre\-Publish Key Rollover")\&.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output\&. Without this option, when
\fBdnssec\-signzone\fR
is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information, and finally the filename containing the signed zone\&. With it, that output is suppressed, leaving only the filename\&.
.RE
.PP
\-R
.RS 4
Remove signatures from keys that are no longer published\&.
.sp
This option is similar to
\fB\-Q\fR, except it forces
\fBdnssec\-signzone\fR
to signatures from keys that are no longer published\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.2 ("Double Signature Zone Signing Key Rollover")\&.
.RE
.PP
\-S
.RS 4
Smart signing: Instructs
\fBdnssec\-signzone\fR
to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate\&.
.sp
When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules\&. Each successive rule takes priority over the prior ones:
.PP
.RS 4
If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone\&.
.RE
.PP
.RS 4
If the key\*(Aqs publication date is set and is in the past, the key is published in the zone\&.
.RE
.PP
.RS 4
If the key\*(Aqs activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone\&.
.RE
.PP
.RS 4
If the key\*(Aqs revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone\&.
.RE
.PP
.RS 4
If either of the key\*(Aqs unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata\&.
.RE
.PP
.RS 4
If key\*(Aqs sync publication date is set and in the past, synchronization records (type CDS and/or CDNSKEY) are created\&.
.RE
.PP
.RS 4
If key\*(Aqs sync deletion date is set and in the past, synchronization records (type CDS and/or CDNSKEY) are removed\&.
.RE
.RE
.PP
\-T \fIttl\fR
.RS 4
Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository\&. If not specified, the default is the TTL value from the zone\*(Aqs SOA record\&. This option is ignored when signing without
\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case\&. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records\*(Aq TTL values will be set to match them, or if any of the imported DNSKEY records had a default TTL value\&. In the event of a a conflict between TTL values in imported keys, the shortest one is used\&.
.RE
.PP
\-t
.RS 4
Print statistics at completion\&.
.RE
.PP
\-u
.RS 4
Update NSEC/NSEC3 chain when re\-signing a previously signed zone\&. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters\&. Without this option,
\fBdnssec\-signzone\fR
will retain the existing chain when re\-signing\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-x
.RS 4
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with key\-signing keys, and omit signatures from zone\-signing keys\&. (This is similar to the
\fBdnssec\-dnskey\-kskonly yes;\fR
zone option in
\fBnamed\fR\&.)
.RE
.PP
\-z
.RS 4
Ignore KSK flag on key when determining what to sign\&. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset\&. (This is similar to the
\fBupdate\-check\-ksk no;\fR
zone option in
\fBnamed\fR\&.)
.RE
.PP
\-3 \fIsalt\fR
.RS 4
Generate an NSEC3 chain with the given hex encoded salt\&. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain\&.
.RE
.PP
\-H \fIiterations\fR
.RS 4
When generating an NSEC3 chain, use this many iterations\&. The default is 10\&.
.RE
.PP
\-A
.RS 4
When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations\&.
.sp
Using this option twice (i\&.e\&.,
\fB\-AA\fR) turns the OPTOUT flag off for all records\&. This is useful when using the
\fB\-u\fR
option to modify an NSEC3 chain which previously had OPTOUT set\&.
.RE
.PP
zonefile
.RS 4
The file containing the zone to be signed\&.
.RE
.PP
key
.RS 4
Specify which keys should be used to sign the zone\&. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex\&. If these are found and there are matching private keys, in the current directory, then these will be used for signing\&.
.RE
.SH "EXAMPLE"
.PP
The following command signs the
\fBexample\&.com\fR
zone with the ECDSAP256SHA256 key generated by key generated by
\fBdnssec\-keygen\fR
(Kexample\&.com\&.+013+17247)\&. Because the
\fB\-S\fR
option is not being used, the zone\*(Aqs keys must be in the master file (db\&.example\&.com)\&. This invocation looks for
dsset
files, in the current directory, so that DS records can be imported from them (\fB\-g\fR)\&.
.sp
.if n \{\
.RS 4
.\}
.nf
% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \e
Kexample\&.com\&.+013+17247
db\&.example\&.com\&.signed
%
.fi
.if n \{\
.RE
.\}
.PP
In the above example,
\fBdnssec\-signzone\fR
creates the file
db\&.example\&.com\&.signed\&. This file should be referenced in a zone statement in a
named\&.conf
file\&.
.PP
This example re\-signs a previously signed zone with default parameters\&. The private keys are assumed to be in the current directory\&.
.sp
.if n \{\
.RS 4
.\}
.nf
% cp db\&.example\&.com\&.signed db\&.example\&.com
% dnssec\-signzone \-o example\&.com db\&.example\&.com
db\&.example\&.com\&.signed
%
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4033,
RFC 4641\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
.br

837
bin/dnssec/dnssec-signzone.docbook
View file

@ -1,837 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
<info>
<date>2014-02-18</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-signzone</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-signzone</application></refname>
<refpurpose>DNSSEC zone signing tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2011</year>
<year>2012</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-signzone</command>
<arg choice="opt" rep="norepeat"><option>-a</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-g</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">maxttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-Q</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-R</option></arg>
<arg choice="opt" rep="norepeat"><option>-S</option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t</option></arg>
<arg choice="opt" rep="norepeat"><option>-u</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="opt" rep="norepeat"><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A</option></arg>
<arg choice="req" rep="norepeat">zonefile</arg>
<arg rep="repeat" choice="opt">key</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-signzone</command>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<filename>keyset</filename> file for each child zone.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Verify all generated signatures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: Generate a
<filename>keyset-<replaceable>zonename</replaceable></filename>
file in addition to
<filename>dsset-<replaceable>zonename</replaceable></filename>
when signing a zone, for use by older versions of
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>dsset-</filename> or
<filename>keyset-</filename> files in <option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Output only those record types automatically managed by
<command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<option>-S</option>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <command>$INCLUDE</command>. This option
cannot be combined with <option>-O raw</option>,
<option>-O map</option>, or serial number updating.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Generate DS records for child zones from
<filename>dsset-</filename> or <filename>keyset-</filename>
file. Existing DS records will be removed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">maxttl</replaceable></term>
<listitem>
<para>
Sets the maximum TTL for the signed zone.
Any TTL higher than <replaceable>maxttl</replaceable> in the
input zone will be reduced to <replaceable>maxttl</replaceable>
in the output. This provides certainty as to the largest
possible TTL in the signed zone, which is useful to know when
rolling keys because it is the longest possible time before
signatures that have been retrieved by resolvers will expire
from resolver caches. Zones that are signed with this
option should be configured to use a matching
<option>max-zone-ttl</option> in <filename>named.conf</filename>.
(Note: This option is incompatible with <option>-D</option>,
because it modifies non-DNSSEC data in the output zone.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
<option>end-time</option> must be later than
<option>start-time</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-X <replaceable class="parameter">extended end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</para>
<para>
As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>extended end-time</option> is
specified, the value of <option>end-time</option> is used as
the default. (<option>end-time</option>, in turn, defaults to
30 days from the start time.) <option>extended end-time</option>
must be later than <option>start-time</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term>
<listitem>
<para>
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to
the input filename. If <option>output-file</option> is
set to <literal>"-"</literal>, then the signed zone is
written to the standard output, with a default output
format of "full".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
When a previously-signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</para>
<para>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<option>end-time</option> or <option>start-time</option>
are specified, <command>dnssec-signzone</command>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">input-format</replaceable></term>
<listitem>
<para>
The format of the input zone file.
Possible formats are <command>"text"</command> (default),
<command>"raw"</command>, and <command>"map"</command>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j <replaceable class="parameter">jitter</replaceable></term>
<listitem>
<para>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <option>jitter</option> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</para>
<para>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">serial</replaceable></term>
<listitem>
<para>
When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">ncpus</replaceable></term>
<listitem>
<para>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
<listitem>
<para>
The SOA serial number format of the signed zone.
Possible formats are <command>"keep"</command> (default),
<command>"increment"</command>, <command>"unixtime"</command>,
and <command>"date"</command>.
</para>
<variablelist>
<varlistentry>
<term><command>"keep"</command></term>
<listitem>
<para>Do not modify the SOA serial number.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>"increment"</command></term>
<listitem>
<para>Increment the SOA serial number using RFC 1982
arithmetic.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>"unixtime"</command></term>
<listitem>
<para>Set the SOA serial number to the number of seconds
since epoch.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>"date"</command></term>
<listitem>
<para>Set the SOA serial number to today's date in
YYYYMMDDNN format.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
<listitem>
<para>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-O <replaceable class="parameter">output-format</replaceable></term>
<listitem>
<para>
The format of the output file containing the signed zone.
Possible formats are <command>"text"</command> (default),
which is the standard textual representation of the zone;
<command>"full"</command>, which is text output in a
format suitable for processing by external scripts;
and <command>"map"</command>, <command>"raw"</command>,
and <command>"raw=N"</command>, which store the zone in
binary formats for rapid loading by <command>named</command>.
<command>"raw=N"</command> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <command>named</command>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P</term>
<listitem>
<para>
Disable post sign verification tests.
</para>
<para>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key,
that all revoked KSK keys are self signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-Q</term>
<listitem>
<para>
Remove signatures from keys that are no longer active.
</para>
<para>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <option>-Q</option>
forces <command>dnssec-signzone</command> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output. Without this
option, when <command>dnssec-signzone</command> is run it
will print to standard output the number of keys in use,
the algorithms used to verify the zone was signed correctly
and other status information, and finally the filename
containing the signed zone. With it, that output is
suppressed, leaving only the filename.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R</term>
<listitem>
<para>
Remove signatures from keys that are no longer published.
</para>
<para>
This option is similar to <option>-Q</option>, except it
forces <command>dnssec-signzone</command> to signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S</term>
<listitem>
<para>
Smart signing: Instructs <command>dnssec-signzone</command> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</para>
<para>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</para>
<variablelist>
<varlistentry>
<listitem>
<para>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's publication date is set and is in the past, the
key is published in the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If key's sync publication date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are
created.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If key's sync deletion date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are
removed.
</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<option>-S</option>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a a conflict between TTL values in
imported keys, the shortest one is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t</term>
<listitem>
<para>
Print statistics at completion.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <command>dnssec-signzone</command> will
retain the existing chain when re-signing.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with
key-signing keys, and omit signatures from zone-signing
keys. (This is similar to the
<command>dnssec-dnskey-kskonly yes;</command> zone option in
<command>named</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<command>update-check-ksk no;</command> zone option in
<command>named</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3 <replaceable class="parameter">salt</replaceable></term>
<listitem>
<para>
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<replaceable class="parameter">salt</replaceable>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-H <replaceable class="parameter">iterations</replaceable></term>
<listitem>
<para>
When generating an NSEC3 chain, use this many iterations. The
default is 10.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</para>
<para>
Using this option twice (i.e., <option>-AA</option>)
turns the OPTOUT flag off for all records. This is useful
when using the <option>-u</option> option to modify an NSEC3
chain which previously had OPTOUT set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the ECDSAP256SHA256 key generated by key generated by
<command>dnssec-keygen</command> (Kexample.com.+013+17247).
Because the <command>-S</command> option is not being used,
the zone's keys must be in the master file
(<filename>db.example.com</filename>). This invocation looks
for <filename>dsset</filename> files, in the current directory,
so that DS records can be imported from them (<command>-g</command>).
</para>
<programlisting>% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+013+17247
db.example.com.signed
%</programlisting>
<para>
In the above example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This
file should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
<para>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</para>
<programlisting>% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</programlisting>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>, <citetitle>RFC 4641</citetitle>.
</para>
</refsection>
</refentry>

673
bin/dnssec/dnssec-signzone.html
View file

@ -1,673 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-signzone</span>
&#8212; DNSSEC zone signing tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-signzone</code>
[<code class="option">-a</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
[<code class="option">-g</code>]
[<code class="option">-h</code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
[<code class="option">-P</code>]
[<code class="option">-Q</code>]
[<code class="option">-q</code>]
[<code class="option">-R</code>]
[<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-t</code>]
[<code class="option">-u</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
[<code class="option">-x</code>]
[<code class="option">-z</code>]
[<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
[<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
[<code class="option">-A</code>]
{zonefile}
[key...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
<p>
Verify all generated signatures.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class of the zone.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Look for <code class="filename">dsset-</code> or
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd>
<p>
Output only those record types automatically managed by
<span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd>
<p>
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
file. Existing DS records will be removed.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd>
<p>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd>
<p>
Sets the maximum TTL for the signed zone.
Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
in the output. This provides certainty as to the largest
possible TTL in the signed zone, which is useful to know when
rolling keys because it is the longest possible time before
signatures that have been retrieved by resolvers will expire
from resolver caches. Zones that are signed with this
option should be configured to use a matching
<code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
(Note: This option is incompatible with <code class="option">-D</code>,
because it modifies non-DNSSEC data in the output zone.)
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
<p>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</p>
</dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd>
<p>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<code class="option">start-time</code>.
</p>
</dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</p>
<p>
As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">extended end-time</code> is
specified, the value of <code class="option">end-time</code> is used as
the default. (<code class="option">end-time</code>, in turn, defaults to
30 days from the start time.) <code class="option">extended end-time</code>
must be later than <code class="option">start-time</code>.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd>
<p>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename. If <code class="option">output-file</code> is
set to <code class="literal">"-"</code>, then the signed zone is
written to the standard output, with a default output
format of "full".
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</p>
<p>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> or <code class="option">start-time</code>
are specified, <span class="command"><strong>dnssec-signzone</strong></span>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd>
<p>
The format of the input zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</p>
</dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</p>
<p>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd>
<p>
When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd>
<p>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</p>
</dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
The SOA serial number format of the signed zone.
Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
<span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
and <span class="command"><strong>"date"</strong></span>.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd>
<p>Do not modify the SOA serial number.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd>
<p>Increment the SOA serial number using RFC 1982
arithmetic.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd>
<p>Set the SOA serial number to the number of seconds
since epoch.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd>
<p>Set the SOA serial number to today's date in
YYYYMMDDNN format.</p>
</dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd>
<p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p>
</dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd>
<p>
The format of the output file containing the signed zone.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone;
<span class="command"><strong>"full"</strong></span>, which is text output in a
format suitable for processing by external scripts;
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
<span class="command"><strong>"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</p>
</dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
Disable post sign verification tests.
</p>
<p>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key,
that all revoked KSK keys are self signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
</p>
</dd>
<dt><span class="term">-Q</span></dt>
<dd>
<p>
Remove signatures from keys that are no longer active.
</p>
<p>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code>
forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses unnecessary output. Without this
option, when <span class="command"><strong>dnssec-signzone</strong></span> is run it
will print to standard output the number of keys in use,
the algorithms used to verify the zone was signed correctly
and other status information, and finally the filename
containing the signed zone. With it, that output is
suppressed, leaving only the filename.
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
Remove signatures from keys that are no longer published.
</p>
<p>
This option is similar to <code class="option">-Q</code>, except it
forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
</p>
</dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</p>
<p>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</p>
<div class="variablelist"><dl class="variablelist">
<dt></dt>
<dd>
<p>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</p>
</dd>
<dt></dt>
<dd>
<p>
If the key's publication date is set and is in the past, the
key is published in the zone.
</p>
</dd>
<dt></dt>
<dd>
<p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</p>
</dd>
<dt></dt>
<dd>
<p>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</p>
</dd>
<dt></dt>
<dd>
<p>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</p>
</dd>
<dt></dt>
<dd>
<p>
If key's sync publication date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are
created.
</p>
</dd>
<dt></dt>
<dd>
<p>
If key's sync deletion date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are
removed.
</p>
</dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<code class="option">-S</code>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a a conflict between TTL values in
imported keys, the shortest one is used.
</p>
</dd>
<dt><span class="term">-t</span></dt>
<dd>
<p>
Print statistics at completion.
</p>
</dd>
<dt><span class="term">-u</span></dt>
<dd>
<p>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with
key-signing keys, and omit signatures from zone-signing
keys. (This is similar to the
<span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<span class="command"><strong>update-check-ksk no;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
</p>
</dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd>
<p>
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<em class="replaceable"><code>salt</code></em>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p>
</dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd>
<p>
When generating an NSEC3 chain, use this many iterations. The
default is 10.
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</p>
<p>
Using this option twice (i.e., <code class="option">-AA</code>)
turns the OPTOUT flag off for all records. This is useful
when using the <code class="option">-u</code> option to modify an NSEC3
chain which previously had OPTOUT set.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd>
<p>
The file containing the zone to be signed.
</p>
</dd>
<dt><span class="term">key</span></dt>
<dd>
<p>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the ECDSAP256SHA256 key generated by key generated by
<span class="command"><strong>dnssec-keygen</strong></span> (Kexample.com.+013+17247).
Because the <span class="command"><strong>-S</strong></span> option is not being used,
the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files, in the current directory,
so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+013+17247
db.example.com.signed
%</pre>
<p>
In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
</p>
</div>
</div></body>
</html>

392
bin/dnssec/dnssec-signzone.rst Normal file
View file

@ -0,0 +1,392 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-signzone:
dnssec-signzone - DNSSEC zone signing tool
------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description
~~~~~~~~~~~
``dnssec-signzone`` signs a zone. It generates NSEC and RRSIG records
and produces a signed version of the zone. The security status of
delegations from the signed zone (that is, whether the child zones are
secure or not) is determined by the presence or absence of a ``keyset``
file for each child zone.
Options
~~~~~~~
**-a**
Verify all generated signatures.
**-c** class
Specifies the DNS class of the zone.
**-C**
Compatibility mode: Generate a ``keyset-zonename`` file in addition
to ``dsset-zonename`` when signing a zone, for use by older versions
of ``dnssec-signzone``.
**-d** directory
Look for ``dsset-`` or ``keyset-`` files in ``directory``.
**-D**
Output only those record types automatically managed by
``dnssec-signzone``, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records.
If smart signing (``-S``) is used, DNSKEY records are also included.
The resulting file can be included in the original zone file with
``$INCLUDE``. This option cannot be combined with ``-O raw``,
``-O map``, or serial number updating.
**-E** engine
When applicable, specifies the hardware to use for cryptographic
operations, such as a secure key store used for signing.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
string "pkcs11", which identifies an OpenSSL engine that can drive a
cryptographic accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography (--enable-native-pkcs11), it
defaults to the path of the PKCS#11 provider library specified via
"--with-pkcs11".
**-g**
Generate DS records for child zones from ``dsset-`` or ``keyset-``
file. Existing DS records will be removed.
**-K** directory
Key repository: Specify a directory to search for DNSSEC keys. If not
specified, defaults to the current directory.
**-k** key
Treat specified key as a key signing key ignoring any key flags. This
option may be specified multiple times.
**-M** maxttl
Sets the maximum TTL for the signed zone. Any TTL higher than maxttl
in the input zone will be reduced to maxttl in the output. This
provides certainty as to the largest possible TTL in the signed zone,
which is useful to know when rolling keys because it is the longest
possible time before signatures that have been retrieved by resolvers
will expire from resolver caches. Zones that are signed with this
option should be configured to use a matching ``max-zone-ttl`` in
``named.conf``. (Note: This option is incompatible with ``-D``,
because it modifies non-DNSSEC data in the output zone.)
**-s** start-time
Specify the date and time when the generated RRSIG records become
valid. This can be either an absolute or relative time. An absolute
start time is indicated by a number in YYYYMMDDHHMMSS notation;
20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
start time is indicated by +N, which is N seconds from the current
time. If no ``start-time`` is specified, the current time minus 1
hour (to allow for clock skew) is used.
**-e** end-time
Specify the date and time when the generated RRSIG records expire. As
with ``start-time``, an absolute time is indicated in YYYYMMDDHHMMSS
notation. A time relative to the start time is indicated with +N,
which is N seconds from the start time. A time relative to the
current time is indicated with now+N. If no ``end-time`` is
specified, 30 days from the start time is used as a default.
``end-time`` must be later than ``start-time``.
**-X** extended end-time
Specify the date and time when the generated RRSIG records for the
DNSKEY RRset will expire. This is to be used in cases when the DNSKEY
signatures need to persist longer than signatures on other records;
e.g., when the private component of the KSK is kept offline and the
KSK signature is to be refreshed manually.
As with ``start-time``, an absolute time is indicated in
YYYYMMDDHHMMSS notation. A time relative to the start time is
indicated with +N, which is N seconds from the start time. A time
relative to the current time is indicated with now+N. If no
``extended end-time`` is specified, the value of ``end-time`` is used
as the default. (``end-time``, in turn, defaults to 30 days from the
start time.) ``extended end-time`` must be later than ``start-time``.
**-f** output-file
The name of the output file containing the signed zone. The default
is to append ``.signed`` to the input filename. If ``output-file`` is
set to ``"-"``, then the signed zone is written to the standard
output, with a default output format of "full".
**-h**
Prints a short summary of the options and arguments to
``dnssec-signzone``.
**-V**
Prints version information.
**-i** interval
When a previously-signed zone is passed as input, records may be
resigned. The ``interval`` option specifies the cycle interval as an
offset from the current time (in seconds). If a RRSIG record expires
after the cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
The default cycle interval is one quarter of the difference between
the signature end and start times. So if neither ``end-time`` or
``start-time`` are specified, ``dnssec-signzone`` generates
signatures that are valid for 30 days, with a cycle interval of 7.5
days. Therefore, if any existing RRSIG records are due to expire in
less than 7.5 days, they would be replaced.
**-I** input-format
The format of the input zone file. Possible formats are ``"text"``
(default), ``"raw"``, and ``"map"``. This option is primarily
intended to be used for dynamic signed zones so that the dumped zone
file in a non-text format containing updates can be signed directly.
The use of this option does not make much sense for non-dynamic
zones.
**-j** jitter
When signing a zone with a fixed signature lifetime, all RRSIG
records issued at the time of signing expires simultaneously. If the
zone is incrementally signed, i.e. a previously-signed zone is passed
as input to the signer, all expired signatures have to be regenerated
at about the same time. The ``jitter`` option specifies a jitter
window that will be used to randomize the signature expire time, thus
spreading incremental signature regeneration over time.
Signature lifetime jitter also to some extent benefits validators and
servers by spreading out cache expiration, i.e. if large numbers of
RRSIGs don't expire at the same time from all caches there will be
less congestion than if all validators need to refetch at mostly the
same time.
**-L** serial
When writing a signed zone to "raw" or "map" format, set the "source
serial" value in the header to the specified serial number. (This is
expected to be used primarily for testing purposes.)
**-n** ncpus
Specifies the number of threads to use. By default, one thread is
started for each detected CPU.
**-N** soa-serial-format
The SOA serial number format of the signed zone. Possible formats are
``"keep"`` (default), ``"increment"``, ``"unixtime"``, and
``"date"``.
``"keep"``
Do not modify the SOA serial number.
``"increment"``
Increment the SOA serial number using :rfc:`1982` arithmetic.
``"unixtime"``
Set the SOA serial number to the number of seconds since epoch.
``"date"``
Set the SOA serial number to today's date in YYYYMMDDNN format.
**-o** origin
The zone origin. If not specified, the name of the zone file is
assumed to be the origin.
**-O** output-format
The format of the output file containing the signed zone. Possible
formats are ``"text"`` (default), which is the standard textual
representation of the zone; ``"full"``, which is text output in a
format suitable for processing by external scripts; and ``"map"``,
``"raw"``, and ``"raw=N"``, which store the zone in binary formats
for rapid loading by ``named``. ``"raw=N"`` specifies the format
version of the raw zone file: if N is 0, the raw file can be read by
any version of ``named``; if N is 1, the file can be read by release
9.9.0 or higher; the default is 1.
**-P**
Disable post sign verification tests.
The post sign verification test ensures that for each algorithm in
use there is at least one non revoked self signed KSK key, that all
revoked KSK keys are self signed, and that all records in the zone
are signed by the algorithm. This option skips these tests.
**-Q**
Remove signatures from keys that are no longer active.
Normally, when a previously-signed zone is passed as input to the
signer, and a DNSKEY record has been removed and replaced with a new
one, signatures from the old key that are still within their validity
period are retained. This allows the zone to continue to validate
with cached copies of the old DNSKEY RRset. The ``-Q`` forces
``dnssec-signzone`` to remove signatures from keys that are no longer
active. This enables ZSK rollover using the procedure described in
:rfc:`4641#4.2.1.1` ("Pre-Publish Key Rollover").
``-q``
Quiet mode: Suppresses unnecessary output. Without this option, when
``dnssec-signzone`` is run it will print to standard output the number of
keys in use, the algorithms used to verify the zone was signed correctly and
other status information, and finally the filename containing the signed
zone. With it, that output is suppressed, leaving only the filename.
**-R**
Remove signatures from keys that are no longer published.
This option is similar to ``-Q``, except it forces
``dnssec-signzone`` to signatures from keys that are no longer
published. This enables ZSK rollover using the procedure described in
:rfc:`4641#4.2.1.2` ("Double Signature Zone Signing Key
Rollover").
**-S**
Smart signing: Instructs ``dnssec-signzone`` to search the key
repository for keys that match the zone being signed, and to include
them in the zone if appropriate.
When a key is found, its timing metadata is examined to determine how
it should be used, according to the following rules. Each successive
rule takes priority over the prior ones:
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
If the key's publication date is set and is in the past, the key
is published in the zone.
If the key's activation date is set and in the past, the key is
published (regardless of publication date) and used to sign the
zone.
If the key's revocation date is set and in the past, and the key
is published, then the key is revoked, and the revoked key is used
to sign the zone.
If either of the key's unpublication or deletion dates are set and
in the past, the key is NOT published or used to sign the zone,
regardless of any other metadata.
If key's sync publication date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are created.
If key's sync deletion date is set and in the past,
synchronization records (type CDS and/or CDNSKEY) are removed.
**-T** ttl
Specifies a TTL to be used for new DNSKEY records imported into the
zone from the key repository. If not specified, the default is the
TTL value from the zone's SOA record. This option is ignored when
signing without ``-S``, since DNSKEY records are not imported from
the key repository in that case. It is also ignored if there are any
pre-existing DNSKEY records at the zone apex, in which case new
records' TTL values will be set to match them, or if any of the
imported DNSKEY records had a default TTL value. In the event of a a
conflict between TTL values in imported keys, the shortest one is
used.
**-t**
Print statistics at completion.
**-u**
Update NSEC/NSEC3 chain when re-signing a previously signed zone.
With this option, a zone signed with NSEC can be switched to NSEC3,
or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with
different parameters. Without this option, ``dnssec-signzone`` will
retain the existing chain when re-signing.
**-v** level
Sets the debugging level.
**-x**
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys,
and omit signatures from zone-signing keys. (This is similar to the
``dnssec-dnskey-kskonly yes;`` zone option in ``named``.)
**-z**
Ignore KSK flag on key when determining what to sign. This causes
KSK-flagged keys to sign all records, not just the DNSKEY RRset.
(This is similar to the ``update-check-ksk no;`` zone option in
``named``.)
**-3** salt
Generate an NSEC3 chain with the given hex encoded salt. A dash
(salt) can be used to indicate that no salt is to be used when
generating the NSEC3 chain.
**-H** iterations
When generating an NSEC3 chain, use this many iterations. The default
is 10.
**-A**
When generating an NSEC3 chain set the OPTOUT flag on all NSEC3
records and do not generate NSEC3 records for insecure delegations.
Using this option twice (i.e., ``-AA``) turns the OPTOUT flag off for
all records. This is useful when using the ``-u`` option to modify an
NSEC3 chain which previously had OPTOUT set.
**zonefile**
The file containing the zone to be signed.
**key**
Specify which keys should be used to sign the zone. If no keys are
specified, then the zone will be examined for DNSKEY records at the
zone apex. If these are found and there are matching private keys, in
the current directory, then these will be used for signing.
Example
~~~~~~~
The following command signs the ``example.com`` zone with the
ECDSAP256SHA256 key generated by key generated by ``dnssec-keygen``
(Kexample.com.+013+17247). Because the ``-S`` option is not being used,
the zone's keys must be in the master file (``db.example.com``). This
invocation looks for ``dsset`` files, in the current directory, so that
DS records can be imported from them (``-g``).
::
% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+013+17247
db.example.com.signed
%
In the above example, ``dnssec-signzone`` creates the file
``db.example.com.signed``. This file should be referenced in a zone
statement in a ``named.conf`` file.
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
::
% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%
See Also
~~~~~~~~
:manpage:`dnssec-keygen(8)`, BIND 9 Administrator Reference Manual, :rfc:`4033`,
:rfc:`4641`.

124
bin/dnssec/dnssec-verify.8
View file

@ -1,124 +0,0 @@
.\" Copyright (C) 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-verify
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-15
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-VERIFY" "8" "2014\-01\-15" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-verify \- DNSSEC zone verification tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-verify\fR\ 'u
\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-q\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-verify\fR
verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete\&.
.SH "OPTIONS"
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zone\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-I \fIinput\-format\fR
.RS 4
The format of the input zone file\&. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently\&. The use of this option does not make much sense for non\-dynamic zones\&.
.RE
.PP
\-o \fIorigin\fR
.RS 4
The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses output\&. Without this option, when
\fBdnssec\-verify\fR
is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information\&. With it, all non\-error output is suppressed, and only the exit code will indicate success\&.
.RE
.PP
\-x
.RS 4
Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the
\fB\-x\fR
option in
\fBdnssec\-signzone\fR\&.
.RE
.PP
\-z
.RS 4
Ignore the KSK flag on the keys when determining whether the zone if correctly signed\&. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set\&.
.sp
With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes\&. This corresponds to the
\fB\-z\fR
option in
\fBdnssec\-signzone\fR\&.
.RE
.PP
zonefile
.RS 4
The file containing the zone to be signed\&.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4033\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

219
bin/dnssec/dnssec-verify.docbook
View file

@ -1,219 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-verify</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-verify</application></refname>
<refpurpose>DNSSEC zone verification tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2012</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-verify</command>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-x</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="req" rep="norepeat">zonefile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-verify</command>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">input-format</replaceable></term>
<listitem>
<para>
The format of the input zone file.
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently.
The use of this option does not make much sense for
non-dynamic zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
<listitem>
<para>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses output. Without this option, when
<command>dnssec-verify</command> is run it will print to
standard output the number of keys in use, the algorithms
used to verify the zone was signed correctly and other
status information. With it, all non-error output is
suppressed, and only the exit code will indicate success.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <option>-x</option>
option in <command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore the KSK flag on the keys when determining whether
the zone if correctly signed. Without this flag it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
</para>
<para>
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <option>-z</option>
option in <command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>.
</para>
</refsection>
</refentry>

180
bin/dnssec/dnssec-verify.html
View file

@ -1,180 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-verify</span>
&#8212; DNSSEC zone verification tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-verify</code>
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-x</code>]
[<code class="option">-z</code>]
{zonefile}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-verify</strong></span>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class of the zone.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd>
<p>
The format of the input zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default)
and <span class="command"><strong>"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently.
The use of this option does not make much sense for
non-dynamic zones.
</p>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd>
<p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses output. Without this option, when
<span class="command"><strong>dnssec-verify</strong></span> is run it will print to
standard output the number of keys in use, the algorithms
used to verify the zone was signed correctly and other
status information. With it, all non-error output is
suppressed, and only the exit code will indicate success.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <code class="option">-x</code>
option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Ignore the KSK flag on the keys when determining whether
the zone if correctly signed. Without this flag it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
</p>
<p>
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <code class="option">-z</code>
option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd>
<p>
The file containing the zone to be signed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
</div></body>
</html>

108
bin/dnssec/dnssec-verify.rst Normal file
View file

@ -0,0 +1,108 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-verify:
dnssec-verify - DNSSEC zone verification tool
---------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
Description
~~~~~~~~~~~
``dnssec-verify`` verifies that a zone is fully signed for each
algorithm found in the DNSKEY RRset for the zone, and that the NSEC /
NSEC3 chains are complete.
Options
~~~~~~~
**-c** class
Specifies the DNS class of the zone.
**-E** engine
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
string "pkcs11", which identifies an OpenSSL engine that can drive a
cryptographic accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography (--enable-native-pkcs11), it
defaults to the path of the PKCS#11 provider library specified via
"--with-pkcs11".
**-I** input-format
The format of the input zone file. Possible formats are ``"text"``
(default) and ``"raw"``. This option is primarily intended to be used
for dynamic signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently. The use of
this option does not make much sense for non-dynamic zones.
**-o** origin
The zone origin. If not specified, the name of the zone file is
assumed to be the origin.
**-v** level
Sets the debugging level.
**-V**
Prints version information.
``-q``
Quiet mode: Suppresses output. Without this option, when ``dnssec-verify``
is run it will print to standard output the number of keys in use, the
algorithms used to verify the zone was signed correctly and other status
information. With it, all non-error output is suppressed, and only the exit
code will indicate success.
**-x**
Only verify that the DNSKEY RRset is signed with key-signing keys.
Without this flag, it is assumed that the DNSKEY RRset will be signed
by all active keys. When this flag is set, it will not be an error if
the DNSKEY RRset is not signed by zone-signing keys. This corresponds
to the ``-x`` option in ``dnssec-signzone``.
**-z**
Ignore the KSK flag on the keys when determining whether the zone if
correctly signed. Without this flag it is assumed that there will be
a non-revoked, self-signed DNSKEY with the KSK flag set for each
algorithm and that RRsets other than DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
With this flag set, we only require that for each algorithm, there
will be at least one non-revoked, self-signed DNSKEY, regardless of
the KSK flag state, and that other RRsets will be signed by a
non-revoked key for the same algorithm that includes the self-signed
key; the same key may be used for both purposes. This corresponds to
the ``-z`` option in ``dnssec-signzone``.
**zonefile**
The file containing the zone to be signed.
See Also
~~~~~~~~
:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`4033`.

3
bin/named/Makefile.am
View file

@ -106,3 +106,6 @@ if HAVE_JSON_C
named_LDADD += \
$(JSON_C_LIBS)
endif HAVE_JSON_C
MAINTAINERCLEANFILES = \
named.conf.rst

382
bin/named/named.8
View file

@ -1,382 +0,0 @@
.\" Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: named
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-19
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED" "8" "2014\-02\-19" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
named \- Internet domain name server
.SH "SYNOPSIS"
.HP \w'\fBnamed\fR\ 'u
\fBnamed\fR [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-D\ \fR\fB\fIstring\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-L\ \fR\fB\fIlogfile\fR\fR] [\fB\-M\ \fR\fB\fIoption\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIlock\-file\fR\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\fR
is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC\&. For more information on the DNS, see RFCs 1033, 1034, and 1035\&.
.PP
When invoked without arguments,
\fBnamed\fR
will read the default configuration file
/etc/named\&.conf, read any initial data, and listen for queries\&.
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only even if the host machine is capable of IPv6\&.
\fB\-4\fR
and
\fB\-6\fR
are mutually exclusive\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only even if the host machine is capable of IPv4\&.
\fB\-4\fR
and
\fB\-6\fR
are mutually exclusive\&.
.RE
.PP
\-c \fIconfig\-file\fR
.RS 4
Use
\fIconfig\-file\fR
as the configuration file instead of the default,
/etc/named\&.conf\&. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible
\fBdirectory\fR
option in the configuration file,
\fIconfig\-file\fR
should be an absolute pathname\&.
.RE
.PP
\-d \fIdebug\-level\fR
.RS 4
Set the daemon\*(Aqs debug level to
\fIdebug\-level\fR\&. Debugging traces from
\fBnamed\fR
become more verbose as the debug level increases\&.
.RE
.PP
\-D \fIstring\fR
.RS 4
Specifies a string that is used to identify a instance of
\fBnamed\fR
in a process listing\&. The contents of
\fIstring\fR
are not examined\&.
.RE
.PP
\-E \fIengine\-name\fR
.RS 4
When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-f
.RS 4
Run the server in the foreground (i\&.e\&. do not daemonize)\&.
.RE
.PP
\-g
.RS 4
Run the server in the foreground and force all logging to
stderr\&.
.RE
.PP
\-L \fIlogfile\fR
.RS 4
Log to the file
\fBlogfile\fR
by default instead of the system log\&.
.RE
.PP
\-M \fIoption\fR
.RS 4
Sets the default memory context options\&. If set to
\fIexternal\fR, this causes the internal memory manager to be bypassed in favor of system\-provided memory allocation functions\&. If set to
\fIfill\fR, blocks of memory will be filled with tag values when allocated or freed, to assist debugging of memory problems\&. (\fInofill\fR
disables this behavior, and is the default unless
\fBnamed\fR
has been compiled with developer options\&.)
.RE
.PP
\-m \fIflag\fR
.RS 4
Turn on memory usage debugging flags\&. Possible flags are
\fIusage\fR,
\fItrace\fR,
\fIrecord\fR,
\fIsize\fR, and
\fImctx\fR\&. These correspond to the ISC_MEM_DEBUGXXXX flags described in
<isc/mem\&.h>\&.
.RE
.PP
\-n \fI#cpus\fR
.RS 4
Create
\fI#cpus\fR
worker threads to take advantage of multiple CPUs\&. If not specified,
\fBnamed\fR
will try to determine the number of CPUs present and create one thread per CPU\&. If it is unable to determine the number of CPUs, a single worker thread will be created\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Listen for queries on port
\fIport\fR\&. If not specified, the default is port 53\&.
.RE
.PP
\-s
.RS 4
Write memory usage statistics to
stdout
on exit\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release\&.
.sp .5v
.RE
.RE
.PP
\-S \fI#max\-socks\fR
.RS 4
Allow
\fBnamed\fR
to use up to
\fI#max\-socks\fR
sockets\&. The default value is 21000 on systems built with default configuration options, and 4096 on systems built with "configure \-\-with\-tuning=small"\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
This option should be unnecessary for the vast majority of users\&. The use of this option could even be harmful because the specified value may exceed the limitation of the underlying system API\&. It is therefore set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets\&. Note also that the actual maximum number is normally a little fewer than the specified value because
\fBnamed\fR
reserves some file descriptors for its internal use\&.
.sp .5v
.RE
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
\fIdirectory\fR
after processing the command line arguments, but before reading the configuration file\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
This option should be used in conjunction with the
\fB\-u\fR
option, as chrooting a process running as root doesn\*(Aqt enhance security on most systems; the way
\fBchroot(2)\fR
is defined allows a process with root privileges to escape a chroot jail\&.
.sp .5v
.RE
.RE
.PP
\-U \fI#listeners\fR
.RS 4
Use
\fI#listeners\fR
worker threads to listen for incoming UDP packets on each address\&. If not specified,
\fBnamed\fR
will calculate a default value based on the number of detected CPUs: 1 for 1 CPU, and the number of detected CPUs minus one for machines with more than 1 CPU\&. This cannot be increased to a value higher than the number of CPUs\&. If
\fB\-n\fR
has been set to a higher value than the number of detected CPUs, then
\fB\-U\fR
may be increased as high as that value, but no higher\&. On Windows, the number of UDP listeners is hardwired to 1 and this option has no effect\&.
.RE
.PP
\-u \fIuser\fR
.RS 4
Setuid to
\fIuser\fR
after completing privileged operations, such as creating sockets that listen on privileged ports\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
On Linux,
\fBnamed\fR
uses the kernel\*(Aqs capability mechanism to drop all root privileges except the ability to
\fBbind(2)\fR
to a privileged port and set process resource limits\&. Unfortunately, this means that the
\fB\-u\fR
option only works when
\fBnamed\fR
is run on kernel 2\&.2\&.18 or later, or kernel 2\&.3\&.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
\fBsetuid(2)\fR\&.
.sp .5v
.RE
.RE
.PP
\-v
.RS 4
Report the version number and exit\&.
.RE
.PP
\-V
.RS 4
Report the version number and build options, and exit\&.
.RE
.PP
\-X \fIlock\-file\fR
.RS 4
Acquire a lock on the specified file at runtime; this helps to prevent duplicate
\fBnamed\fR
instances from running simultaneously\&. Use of this option overrides the
\fBlock\-file\fR
option in
named\&.conf\&. If set to
none, the lock file check is disabled\&.
.RE
.PP
\-x \fIcache\-file\fR
.RS 4
Load data from
\fIcache\-file\fR
into the cache of the default view\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
This option must not be used\&. It is only of interest to BIND 9 developers and may be removed or changed in a future release\&.
.sp .5v
.RE
.RE
.SH "SIGNALS"
.PP
In routine operation, signals should not be used to control the nameserver;
\fBrndc\fR
should be used instead\&.
.PP
SIGHUP
.RS 4
Force a reload of the server\&.
.RE
.PP
SIGINT, SIGTERM
.RS 4
Shut down the server\&.
.RE
.PP
The result of sending any other signals to the server is undefined\&.
.SH "CONFIGURATION"
.PP
The
\fBnamed\fR
configuration file is too complex to describe in detail here\&. A complete description is provided in the
BIND 9 Administrator Reference Manual\&.
.PP
\fBnamed\fR
inherits the
\fBumask\fR
(file creation mode mask) from the parent process\&. If files created by
\fBnamed\fR, such as journal files, need to have custom permissions, the
\fBumask\fR
should be set explicitly in the script used to start the
\fBnamed\fR
process\&.
.SH "FILES"
.PP
/etc/named\&.conf
.RS 4
The default configuration file\&.
.RE
.PP
/var/run/named/named\&.pid
.RS 4
The default process\-id file\&.
.RE
.SH "SEE ALSO"
.PP
RFC 1033,
RFC 1034,
RFC 1035,
\fBnamed-checkconf\fR(8),
\fBnamed-checkzone\fR(8),
\fBrndc\fR(8),
\fBnamed.conf\fR(5),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000, 2001, 2003-2009, 2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

1114
bin/named/named.conf.5
View file

File diff suppressed because it is too large Load diff

1066
bin/named/named.conf.docbook
View file

File diff suppressed because it is too large Load diff

1063
bin/named/named.conf.html
View file

File diff suppressed because it is too large Load diff

1025
bin/named/named.conf.rst Normal file
View file

File diff suppressed because it is too large Load diff

550
bin/named/named.docbook
View file

@ -1,550 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named">
<info>
<date>2014-02-19</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>named</application></refname>
<refpurpose>Internet domain name server</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2011</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named</command>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">string</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f</option></arg>
<arg choice="opt" rep="norepeat"><option>-g</option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">logfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">option</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">#max-socks</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-U <replaceable class="parameter">#listeners</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-X <replaceable class="parameter">lock-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named</command>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
information on the DNS, see RFCs 1033, 1034, and 1035.
</para>
<para>
When invoked without arguments, <command>named</command>
will
read the default configuration file
<filename>/etc/named.conf</filename>, read any initial
data, and listen for queries.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Use IPv4 only even if the host machine is capable of IPv6.
<option>-4</option> and <option>-6</option> are mutually
exclusive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Use IPv6 only even if the host machine is capable of IPv4.
<option>-4</option> and <option>-6</option> are mutually
exclusive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
<listitem>
<para>
Use <replaceable class="parameter">config-file</replaceable> as the
configuration file instead of the default,
<filename>/etc/named.conf</filename>. To
ensure that reloading the configuration file continues
to work after the server has changed its working
directory due to to a possible
<option>directory</option> option in the configuration
file, <replaceable class="parameter">config-file</replaceable> should be
an absolute pathname.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">debug-level</replaceable></term>
<listitem>
<para>
Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>.
Debugging traces from <command>named</command> become
more verbose as the debug level increases.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">string</replaceable></term>
<listitem>
<para>
Specifies a string that is used to identify a instance of
<command>named</command> in a process listing. The contents
of <replaceable class="parameter">string</replaceable> are
not examined.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine-name</replaceable></term>
<listitem>
<para>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Run the server in the foreground (i.e. do not daemonize).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Run the server in the foreground and force all logging
to <filename>stderr</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">logfile</replaceable></term>
<listitem>
<para>
Log to the file <option>logfile</option> by default
instead of the system log.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">option</replaceable></term>
<listitem>
<para>
Sets the default memory context options. If set to
<replaceable class="parameter">external</replaceable>,
this causes the internal memory manager to be bypassed
in favor of system-provided memory allocation functions.
If set to <replaceable class="parameter">fill</replaceable>,
blocks of memory will be filled with tag values when allocated
or freed, to assist debugging of memory problems.
(<replaceable class="parameter">nofill</replaceable>
disables this behavior, and is the default unless
<command>named</command> has been compiled with developer
options.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Turn on memory usage debugging flags. Possible flags are
<replaceable class="parameter">usage</replaceable>,
<replaceable class="parameter">trace</replaceable>,
<replaceable class="parameter">record</replaceable>,
<replaceable class="parameter">size</replaceable>, and
<replaceable class="parameter">mctx</replaceable>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<filename>&lt;isc/mem.h&gt;</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">#cpus</replaceable></term>
<listitem>
<para>
Create <replaceable class="parameter">#cpus</replaceable> worker threads
to take advantage of multiple CPUs. If not specified,
<command>named</command> will try to determine the
number of CPUs present and create one thread per CPU.
If it is unable to determine the number of CPUs, a
single worker thread will be created.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Listen for queries on port <replaceable class="parameter">port</replaceable>. If not
specified, the default is port 53.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Write memory usage statistics to <filename>stdout</filename> on exit.
</para>
<note>
<para>
This option is mainly of interest to BIND 9 developers
and may be removed or changed in a future release.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">#max-socks</replaceable></term>
<listitem>
<para>
Allow <command>named</command> to use up to
<replaceable class="parameter">#max-socks</replaceable> sockets.
The default value is 21000 on systems built with default
configuration options, and 4096 on systems built with
"configure --with-tuning=small".
</para>
<warning>
<para>
This option should be unnecessary for the vast majority
of users.
The use of this option could even be harmful because the
specified value may exceed the limitation of the
underlying system API.
It is therefore set only when the default configuration
causes exhaustion of file descriptors and the
operational environment is known to support the
specified number of sockets.
Note also that the actual maximum number is normally a little
fewer than the specified value because
<command>named</command> reserves some file descriptors
for its internal use.
</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>Chroot
to <replaceable class="parameter">directory</replaceable> after
processing the command line arguments, but before
reading the configuration file.
</para>
<warning>
<para>
This option should be used in conjunction with the
<option>-u</option> option, as chrooting a process
running as root doesn't enhance security on most
systems; the way <function>chroot(2)</function> is
defined allows a process with root privileges to
escape a chroot jail.
</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term>-U <replaceable class="parameter">#listeners</replaceable></term>
<listitem>
<para>
Use <replaceable class="parameter">#listeners</replaceable>
worker threads to listen for incoming UDP packets on each
address. If not specified, <command>named</command> will
calculate a default value based on the number of detected
CPUs: 1 for 1 CPU, and the number of detected CPUs
minus one for machines with more than 1 CPU. This cannot
be increased to a value higher than the number of CPUs.
If <option>-n</option> has been set to a higher value than
the number of detected CPUs, then <option>-U</option> may
be increased as high as that value, but no higher.
On Windows, the number of UDP listeners is hardwired to 1
and this option has no effect.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para>Setuid
to <replaceable class="parameter">user</replaceable> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
</para>
<note>
<para>
On Linux, <command>named</command> uses the kernel's
capability mechanism to drop all root privileges
except the ability to <function>bind(2)</function> to
a
privileged port and set process resource limits.
Unfortunately, this means that the <option>-u</option>
option only works when <command>named</command> is
run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
later, since previous kernels did not allow privileges
to be retained after <function>setuid(2)</function>.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Report the version number and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Report the version number and build options, and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-X <replaceable class="parameter">lock-file</replaceable></term>
<listitem>
<para>
Acquire a lock on the specified file at runtime; this
helps to prevent duplicate <command>named</command> instances
from running simultaneously.
Use of this option overrides the <command>lock-file</command>
option in <filename>named.conf</filename>.
If set to <literal>none</literal>, the lock file check
is disabled.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x <replaceable class="parameter">cache-file</replaceable></term>
<listitem>
<para>
Load data from <replaceable class="parameter">cache-file</replaceable> into the
cache of the default view.
</para>
<warning>
<para>
This option must not be used. It is only of interest
to BIND 9 developers and may be removed or changed in a
future release.
</para>
</warning>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SIGNALS</title></info>
<para>
In routine operation, signals should not be used to control
the nameserver; <command>rndc</command> should be used
instead.
</para>
<variablelist>
<varlistentry>
<term>SIGHUP</term>
<listitem>
<para>
Force a reload of the server.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SIGINT, SIGTERM</term>
<listitem>
<para>
Shut down the server.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
The result of sending any other signals to the server is undefined.
</para>
</refsection>
<refsection><info><title>CONFIGURATION</title></info>
<para>
The <command>named</command> configuration file is too complex
to describe in detail here. A complete description is provided
in the
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
<para>
<command>named</command> inherits the <function>umask</function>
(file creation mode mask) from the parent process. If files
created by <command>named</command>, such as journal files,
need to have custom permissions, the <function>umask</function>
should be set explicitly in the script used to start the
<command>named</command> process.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<variablelist>
<varlistentry>
<term><filename>/etc/named.conf</filename></term>
<listitem>
<para>
The default configuration file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>/var/run/named/named.pid</filename></term>
<listitem>
<para>
The default process-id file.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citetitle>RFC 1033</citetitle>,
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 1035</citetitle>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

458
bin/named/named.html
View file

@ -1,458 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">named</span>
&#8212; Internet domain name server
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named</code>
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>string</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>]
[<code class="option">-f</code>]
[<code class="option">-g</code>]
[<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>option</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
[<code class="option">-v</code>]
[<code class="option">-V</code>]
[<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>]
[<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
information on the DNS, see RFCs 1033, 1034, and 1035.
</p>
<p>
When invoked without arguments, <span class="command"><strong>named</strong></span>
will
read the default configuration file
<code class="filename">/etc/named.conf</code>, read any initial
data, and listen for queries.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd>
<p>
Use IPv4 only even if the host machine is capable of IPv6.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Use IPv6 only even if the host machine is capable of IPv4.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd>
<p>
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/named.conf</code>. To
ensure that reloading the configuration file continues
to work after the server has changed its working
directory due to to a possible
<code class="option">directory</code> option in the configuration
file, <em class="replaceable"><code>config-file</code></em> should be
an absolute pathname.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
<dd>
<p>
Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
Debugging traces from <span class="command"><strong>named</strong></span> become
more verbose as the debug level increases.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>string</code></em></span></dt>
<dd>
<p>
Specifies a string that is used to identify a instance of
<span class="command"><strong>named</strong></span> in a process listing. The contents
of <em class="replaceable"><code>string</code></em> are
not examined.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
<dd>
<p>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-f</span></dt>
<dd>
<p>
Run the server in the foreground (i.e. do not daemonize).
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd>
<p>
Run the server in the foreground and force all logging
to <code class="filename">stderr</code>.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>logfile</code></em></span></dt>
<dd>
<p>
Log to the file <code class="option">logfile</code> by default
instead of the system log.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>option</code></em></span></dt>
<dd>
<p>
Sets the default memory context options. If set to
<em class="replaceable"><code>external</code></em>,
this causes the internal memory manager to be bypassed
in favor of system-provided memory allocation functions.
If set to <em class="replaceable"><code>fill</code></em>,
blocks of memory will be filled with tag values when allocated
or freed, to assist debugging of memory problems.
(<em class="replaceable"><code>nofill</code></em>
disables this behavior, and is the default unless
<span class="command"><strong>named</strong></span> has been compiled with developer
options.)
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
<p>
Turn on memory usage debugging flags. Possible flags are
<em class="replaceable"><code>usage</code></em>,
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
<dd>
<p>
Create <em class="replaceable"><code>#cpus</code></em> worker threads
to take advantage of multiple CPUs. If not specified,
<span class="command"><strong>named</strong></span> will try to determine the
number of CPUs present and create one thread per CPU.
If it is unable to determine the number of CPUs, a
single worker thread will be created.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Listen for queries on port <em class="replaceable"><code>port</code></em>. If not
specified, the default is port 53.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Write memory usage statistics to <code class="filename">stdout</code> on exit.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
This option is mainly of interest to BIND 9 developers
and may be removed or changed in a future release.
</p>
</div>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
<dd>
<p>
Allow <span class="command"><strong>named</strong></span> to use up to
<em class="replaceable"><code>#max-socks</code></em> sockets.
The default value is 21000 on systems built with default
configuration options, and 4096 on systems built with
"configure --with-tuning=small".
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
This option should be unnecessary for the vast majority
of users.
The use of this option could even be harmful because the
specified value may exceed the limitation of the
underlying system API.
It is therefore set only when the default configuration
causes exhaustion of file descriptors and the
operational environment is known to support the
specified number of sockets.
Note also that the actual maximum number is normally a little
fewer than the specified value because
<span class="command"><strong>named</strong></span> reserves some file descriptors
for its internal use.
</p>
</div>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>Chroot
to <em class="replaceable"><code>directory</code></em> after
processing the command line arguments, but before
reading the configuration file.
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
This option should be used in conjunction with the
<code class="option">-u</code> option, as chrooting a process
running as root doesn't enhance security on most
systems; the way <code class="function">chroot(2)</code> is
defined allows a process with root privileges to
escape a chroot jail.
</p>
</div>
</dd>
<dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
<dd>
<p>
Use <em class="replaceable"><code>#listeners</code></em>
worker threads to listen for incoming UDP packets on each
address. If not specified, <span class="command"><strong>named</strong></span> will
calculate a default value based on the number of detected
CPUs: 1 for 1 CPU, and the number of detected CPUs
minus one for machines with more than 1 CPU. This cannot
be increased to a value higher than the number of CPUs.
If <code class="option">-n</code> has been set to a higher value than
the number of detected CPUs, then <code class="option">-U</code> may
be increased as high as that value, but no higher.
On Windows, the number of UDP listeners is hardwired to 1
and this option has no effect.
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd>
<p>Setuid
to <em class="replaceable"><code>user</code></em> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
On Linux, <span class="command"><strong>named</strong></span> uses the kernel's
capability mechanism to drop all root privileges
except the ability to <code class="function">bind(2)</code> to
a
privileged port and set process resource limits.
Unfortunately, this means that the <code class="option">-u</code>
option only works when <span class="command"><strong>named</strong></span> is
run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
later, since previous kernels did not allow privileges
to be retained after <code class="function">setuid(2)</code>.
</p>
</div>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Report the version number and exit.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Report the version number and build options, and exit.
</p>
</dd>
<dt><span class="term">-X <em class="replaceable"><code>lock-file</code></em></span></dt>
<dd>
<p>
Acquire a lock on the specified file at runtime; this
helps to prevent duplicate <span class="command"><strong>named</strong></span> instances
from running simultaneously.
Use of this option overrides the <span class="command"><strong>lock-file</strong></span>
option in <code class="filename">named.conf</code>.
If set to <code class="literal">none</code>, the lock file check
is disabled.
</p>
</dd>
<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
<dd>
<p>
Load data from <em class="replaceable"><code>cache-file</code></em> into the
cache of the default view.
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
This option must not be used. It is only of interest
to BIND 9 developers and may be removed or changed in a
future release.
</p>
</div>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span class="command"><strong>rndc</strong></span> should be used
instead.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">SIGHUP</span></dt>
<dd>
<p>
Force a reload of the server.
</p>
</dd>
<dt><span class="term">SIGINT, SIGTERM</span></dt>
<dd>
<p>
Shut down the server.
</p>
</dd>
</dl></div>
<p>
The result of sending any other signals to the server is undefined.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>CONFIGURATION</h2>
<p>
The <span class="command"><strong>named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
in the
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
<p>
<span class="command"><strong>named</strong></span> inherits the <code class="function">umask</code>
(file creation mode mask) from the parent process. If files
created by <span class="command"><strong>named</strong></span>, such as journal files,
need to have custom permissions, the <code class="function">umask</code>
should be set explicitly in the script used to start the
<span class="command"><strong>named</strong></span> process.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd>
<p>
The default configuration file.
</p>
</dd>
<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
<dd>
<p>
The default process-id file.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>
(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkzone</span>
(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc</span>
(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named.conf</span>
(5)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

234
bin/named/named.rst Normal file
View file

@ -0,0 +1,234 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_named:
named - Internet domain name server
-----------------------------------
Synopsis
~~~~~~~~
:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-S** #max-socks] [**-t** directory] [**-U** #listeners] [**-u** user] [**-v**] [**-V**] [**-X** lock-file] [**-x** cache-file]
Description
~~~~~~~~~~~
``named`` is a Domain Name System (DNS) server, part of the BIND 9
distribution from ISC. For more information on the DNS, see :rfc:`1033`,
:rfc:`1034`, and :rfc:`1035`.
When invoked without arguments, ``named`` will read the default
configuration file ``/etc/named.conf``, read any initial data, and
listen for queries.
Options
~~~~~~~
**-4**
Use IPv4 only even if the host machine is capable of IPv6. ``-4`` and
``-6`` are mutually exclusive.
**-6**
Use IPv6 only even if the host machine is capable of IPv4. ``-4`` and
``-6`` are mutually exclusive.
**-c** config-file
Use config-file as the configuration file instead of the default,
``/etc/named.conf``. To ensure that reloading the configuration file
continues to work after the server has changed its working directory
due to to a possible ``directory`` option in the configuration file,
config-file should be an absolute pathname.
**-d** debug-level
Set the daemon's debug level to debug-level. Debugging traces from
``named`` become more verbose as the debug level increases.
**-D** string
Specifies a string that is used to identify a instance of ``named``
in a process listing. The contents of string are not examined.
**-E** engine-name
When applicable, specifies the hardware to use for cryptographic
operations, such as a secure key store used for signing.
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
string "pkcs11", which identifies an OpenSSL engine that can drive a
cryptographic accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography (--enable-native-pkcs11), it
defaults to the path of the PKCS#11 provider library specified via
"--with-pkcs11".
**-f**
Run the server in the foreground (i.e. do not daemonize).
**-g**
Run the server in the foreground and force all logging to ``stderr``.
**-L** logfile
Log to the file ``logfile`` by default instead of the system log.
**-M** option
Sets the default memory context options. If set to external, this
causes the internal memory manager to be bypassed in favor of
system-provided memory allocation functions. If set to fill, blocks
of memory will be filled with tag values when allocated or freed, to
assist debugging of memory problems. (nofill disables this behavior,
and is the default unless ``named`` has been compiled with developer
options.)
**-m** flag
Turn on memory usage debugging flags. Possible flags are usage,
trace, record, size, and mctx. These correspond to the
ISC_MEM_DEBUGXXXX flags described in ``<isc/mem.h>``.
**-n** #cpus
Create #cpus worker threads to take advantage of multiple CPUs. If
not specified, ``named`` will try to determine the number of CPUs
present and create one thread per CPU. If it is unable to determine
the number of CPUs, a single worker thread will be created.
**-p** port
Listen for queries on port port. If not specified, the default is
port 53.
**-s**
Write memory usage statistics to ``stdout`` on exit.
.. note::
This option is mainly of interest to BIND 9 developers and may be
removed or changed in a future release.
**-S** #max-socks
Allow ``named`` to use up to #max-socks sockets. The default value is
21000 on systems built with default configuration options, and 4096
on systems built with "configure --with-tuning=small".
.. warning::
This option should be unnecessary for the vast majority of users.
The use of this option could even be harmful because the specified
value may exceed the limitation of the underlying system API. It
is therefore set only when the default configuration causes
exhaustion of file descriptors and the operational environment is
known to support the specified number of sockets. Note also that
the actual maximum number is normally a little fewer than the
specified value because ``named`` reserves some file descriptors
for its internal use.
**-t** directory
Chroot to directory after processing the command line arguments, but
before reading the configuration file.
.. warning::
This option should be used in conjunction with the ``-u`` option,
as chrooting a process running as root doesn't enhance security on
most systems; the way ``chroot(2)`` is defined allows a process
with root privileges to escape a chroot jail.
**-U** #listeners
Use #listeners worker threads to listen for incoming UDP packets on
each address. If not specified, ``named`` will calculate a default
value based on the number of detected CPUs: 1 for 1 CPU, and the
number of detected CPUs minus one for machines with more than 1 CPU.
This cannot be increased to a value higher than the number of CPUs.
If ``-n`` has been set to a higher value than the number of detected
CPUs, then ``-U`` may be increased as high as that value, but no
higher. On Windows, the number of UDP listeners is hardwired to 1 and
this option has no effect.
**-u** user
Setuid to user after completing privileged operations, such as
creating sockets that listen on privileged ports.
.. note::
On Linux, ``named`` uses the kernel's capability mechanism to drop
all root privileges except the ability to ``bind(2)`` to a
privileged port and set process resource limits. Unfortunately,
this means that the ``-u`` option only works when ``named`` is run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since
previous kernels did not allow privileges to be retained after
``setuid(2)``.
**-v**
Report the version number and exit.
**-V**
Report the version number and build options, and exit.
**-X** lock-file
Acquire a lock on the specified file at runtime; this helps to
prevent duplicate ``named`` instances from running simultaneously.
Use of this option overrides the ``lock-file`` option in
``named.conf``. If set to ``none``, the lock file check is disabled.
**-x** cache-file
Load data from cache-file into the cache of the default view.
.. warning::
This option must not be used. It is only of interest to BIND 9
developers and may be removed or changed in a future release.
Signals
~~~~~~~
In routine operation, signals should not be used to control the
nameserver; ``rndc`` should be used instead.
SIGHUP
Force a reload of the server.
SIGINT, SIGTERM
Shut down the server.
The result of sending any other signals to the server is undefined.
Configuration
~~~~~~~~~~~~~
The ``named`` configuration file is too complex to describe in detail
here. A complete description is provided in the BIND 9 Administrator
Reference Manual.
``named`` inherits the ``umask`` (file creation mode mask) from the
parent process. If files created by ``named``, such as journal files,
need to have custom permissions, the ``umask`` should be set explicitly
in the script used to start the ``named`` process.
Files
~~~~~
``/etc/named.conf``
The default configuration file.
``/var/run/named/named.pid``
The default process-id file.
See Also
~~~~~~~~
:rfc:`1033`, :rfc:`1034`, :rfc:`1035`, :manpage:`named-checkconf(8)`, :manpage:`named-checkzone(8)`, :manpage:`rndc(8), :manpage:`named.conf(5)`, BIND 9 Administrator Reference Manual.

523
bin/nsupdate/nsupdate.1
View file

@ -1,523 +0,0 @@
.\" Copyright (C) 2000-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: nsupdate
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-04-18
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NSUPDATE" "1" "2014\-04\-18" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
nsupdate \- Dynamic DNS update utility
.SH "SYNOPSIS"
.HP \w'\fBnsupdate\fR\ 'u
\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [\fB\-i\fR] [\fB\-L\ \fR\fB\fIlevel\fR\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [\fB\-T\fR] [\fB\-P\fR] [\fB\-V\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [filename]
.SH "DESCRIPTION"
.PP
\fBnsupdate\fR
is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server\&. This allows resource records to be added or removed from a zone without manually editing the zone file\&. A single update request can contain requests to add or remove more than one resource record\&.
.PP
Zones that are under dynamic control via
\fBnsupdate\fR
or a DHCP server should not be edited by hand\&. Manual edits could conflict with dynamic updates and cause data to be lost\&.
.PP
The resource records that are dynamically added or removed with
\fBnsupdate\fR
have to be in the same zone\&. Requests are sent to the zone\*(Aqs master server\&. This is identified by the MNAME field of the zone\*(Aqs SOA record\&.
.PP
Transaction signatures can be used to authenticate the Dynamic DNS updates\&. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645\&.
.PP
TSIG relies on a shared secret that should only be known to
\fBnsupdate\fR
and the name server\&. For instance, suitable
\fBkey\fR
and
\fBserver\fR
statements would be added to
/etc/named\&.conf
so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication\&. You can use
\fBddns\-confgen\fR
to generate suitable configuration fragments\&.
\fBnsupdate\fR
uses the
\fB\-y\fR
or
\fB\-k\fR
options to provide the TSIG shared secret\&. These options are mutually exclusive\&.
.PP
SIG(0) uses public key cryptography\&. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server\&.
.PP
GSS\-TSIG uses Kerberos credentials\&. Standard GSS\-TSIG mode is switched on with the
\fB\-g\fR
flag\&. A non\-standards\-compliant variant of GSS\-TSIG used by Windows 2000 can be switched on with the
\fB\-o\fR
flag\&.
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only\&.
.RE
.PP
\-d
.RS 4
Debug mode\&. This provides tracing information about the update requests that are made and the replies received from the name server\&.
.RE
.PP
\-D
.RS 4
Extra debug mode\&.
.RE
.PP
\-i
.RS 4
Force interactive mode, even when standard input is not a terminal\&.
.RE
.PP
\-k \fIkeyfile\fR
.RS 4
The file containing the TSIG authentication key\&. Keyfiles may be in two formats: a single file containing a
named\&.conf\-format
\fBkey\fR
statement, which may be generated automatically by
\fBddns\-confgen\fR, or a pair of files whose names are of the format
K{name}\&.+157\&.+{random}\&.key
and
K{name}\&.+157\&.+{random}\&.private, which can be generated by
\fBdnssec\-keygen\fR\&. The
\fB\-k\fR
may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests\&. In this case, the key specified is not an HMAC\-MD5 key\&.
.RE
.PP
\-l
.RS 4
Local\-host only mode\&. This sets the server address to localhost (disabling the
\fBserver\fR
so that the server address cannot be overridden)\&. Connections to the local server will use a TSIG key found in
/var/run/named/session\&.key, which is automatically generated by
\fBnamed\fR
if any local master zone has set
\fBupdate\-policy\fR
to
\fBlocal\fR\&. The location of this key file can be overridden with the
\fB\-k\fR
option\&.
.RE
.PP
\-L \fIlevel\fR
.RS 4
Set the logging debug level\&. If zero, logging is disabled\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Set the port to use for connections to a name server\&. The default is 53\&.
.RE
.PP
\-P
.RS 4
Print the list of private BIND\-specific resource record types whose format is understood by
\fBnsupdate\fR\&. See also the
\fB\-T\fR
option\&.
.RE
.PP
\-r \fIudpretries\fR
.RS 4
The number of UDP retries\&. The default is 3\&. If zero, only one update request will be made\&.
.RE
.PP
\-t \fItimeout\fR
.RS 4
The maximum time an update request can take before it is aborted\&. The default is 300 seconds\&. Zero can be used to disable the timeout\&.
.RE
.PP
\-T
.RS 4
Print the list of IANA standard resource record types whose format is understood by
\fBnsupdate\fR\&.
\fBnsupdate\fR
will exit after the lists are printed\&. The
\fB\-T\fR
option can be combined with the
\fB\-P\fR
option\&.
.sp
Other types can be entered using "TYPEXXXXX" where "XXXXX" is the decimal value of the type with no leading zeros\&. The rdata, if present, will be parsed using the UNKNOWN rdata format, (<backslash> <hash> <space> <length> <space> <hexstring>)\&.
.RE
.PP
\-u \fIudptimeout\fR
.RS 4
The UDP retry interval\&. The default is 3 seconds\&. If zero, the interval will be computed from the timeout interval and number of UDP retries\&.
.RE
.PP
\-v
.RS 4
Use TCP even for small update requests\&. By default,
\fBnsupdate\fR
uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used\&. TCP may be preferable when a batch of update requests is made\&.
.RE
.PP
\-V
.RS 4
Print the version number and exit\&.
.RE
.PP
\-y \fI[hmac:]\fR\fIkeyname:secret\fR
.RS 4
Literal TSIG authentication key\&.
\fIkeyname\fR
is the name of the key, and
\fIsecret\fR
is the base64 encoded shared secret\&.
\fIhmac\fR
is the name of the key algorithm; valid choices are
hmac\-md5,
hmac\-sha1,
hmac\-sha224,
hmac\-sha256,
hmac\-sha384, or
hmac\-sha512\&. If
\fIhmac\fR
is not specified, the default is
hmac\-md5
or if MD5 was disabled
hmac\-sha256\&.
.sp
NOTE: Use of the
\fB\-y\fR
option is discouraged because the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
\fBps\fR(1)
or in a history file maintained by the user\*(Aqs shell\&.
.RE
.SH "INPUT FORMAT"
.PP
\fBnsupdate\fR
reads input from
\fIfilename\fR
or standard input\&. Each command is supplied on exactly one line of input\&. Some commands are for administrative purposes\&. The others are either update instructions or prerequisite checks on the contents of the zone\&. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone\&. These conditions must be met if the entire update request is to succeed\&. Updates will be rejected if the tests for the prerequisite conditions fail\&.
.PP
Every update request consists of zero or more prerequisites and zero or more updates\&. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone\&. A blank input line (or the
\fBsend\fR
command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server\&.
.PP
The command formats and their meaning are as follows:
.PP
\fBserver\fR {servername} [port]
.RS 4
Sends all dynamic update requests to the name server
\fIservername\fR\&. When no server statement is provided,
\fBnsupdate\fR
will send updates to the master server of the correct zone\&. The MNAME field of that zone\*(Aqs SOA record will identify the master server for that zone\&.
\fIport\fR
is the port number on
\fIservername\fR
where the dynamic update requests get sent\&. If no port number is specified, the default DNS port number of 53 is used\&.
.RE
.PP
\fBlocal\fR {address} [port]
.RS 4
Sends all dynamic update requests using the local
\fIaddress\fR\&. When no local statement is provided,
\fBnsupdate\fR
will send updates using an address and port chosen by the system\&.
\fIport\fR
can additionally be used to make requests come from a specific port\&. If no port number is specified, the system will assign one\&.
.RE
.PP
\fBzone\fR {zonename}
.RS 4
Specifies that all updates are to be made to the zone
\fIzonename\fR\&. If no
\fIzone\fR
statement is provided,
\fBnsupdate\fR
will attempt determine the correct zone to update based on the rest of the input\&.
.RE
.PP
\fBclass\fR {classname}
.RS 4
Specify the default class\&. If no
\fIclass\fR
is specified, the default class is
\fIIN\fR\&.
.RE
.PP
\fBttl\fR {seconds}
.RS 4
Specify the default time to live for records to be added\&. The value
\fInone\fR
will clear the default ttl\&.
.RE
.PP
\fBkey\fR [hmac:] {keyname} {secret}
.RS 4
Specifies that all updates are to be TSIG\-signed using the
\fIkeyname\fR\fIsecret\fR
pair\&. If
\fIhmac\fR
is specified, then it sets the signing algorithm in use; the default is
hmac\-md5
or if MD5 was disabled
hmac\-sha256\&. The
\fBkey\fR
command overrides any key specified on the command line via
\fB\-y\fR
or
\fB\-k\fR\&.
.RE
.PP
\fBgsstsig\fR
.RS 4
Use GSS\-TSIG to sign the updated\&. This is equivalent to specifying
\fB\-g\fR
on the command line\&.
.RE
.PP
\fBoldgsstsig\fR
.RS 4
Use the Windows 2000 version of GSS\-TSIG to sign the updated\&. This is equivalent to specifying
\fB\-o\fR
on the command line\&.
.RE
.PP
\fBrealm\fR {[realm_name]}
.RS 4
When using GSS\-TSIG use
\fIrealm_name\fR
rather than the default realm in
krb5\&.conf\&. If no realm is specified the saved realm is cleared\&.
.RE
.PP
\fBcheck\-names\fR {[yes_or_no]}
.RS 4
Turn on or off check\-names processing on records to be added\&. Check\-names has no effect on prerequisites or records to be deleted\&. By default check\-names processing is on\&. If check\-names processing fails the record will not be added to the UPDATE message\&.
.RE
.PP
\fB[prereq]\fR\fB nxdomain\fR {domain\-name}
.RS 4
Requires that no resource record of any type exists with name
\fIdomain\-name\fR\&.
.RE
.PP
\fB[prereq]\fR\fB yxdomain\fR {domain\-name}
.RS 4
Requires that
\fIdomain\-name\fR
exists (has as at least one resource record, of any type)\&.
.RE
.PP
\fB[prereq]\fR\fB nxrrset\fR {domain\-name} [class] {type}
.RS 4
Requires that no resource record exists of the specified
\fItype\fR,
\fIclass\fR
and
\fIdomain\-name\fR\&. If
\fIclass\fR
is omitted, IN (internet) is assumed\&.
.RE
.PP
\fB[prereq]\fR\fB yxrrset\fR {domain\-name} [class] {type}
.RS 4
This requires that a resource record of the specified
\fItype\fR,
\fIclass\fR
and
\fIdomain\-name\fR
must exist\&. If
\fIclass\fR
is omitted, IN (internet) is assumed\&.
.RE
.PP
\fB[prereq]\fR\fB yxrrset\fR {domain\-name} [class] {type} {data...}
.RS 4
The
\fIdata\fR
from each set of prerequisites of this form sharing a common
\fItype\fR,
\fIclass\fR, and
\fIdomain\-name\fR
are combined to form a set of RRs\&. This set of RRs must exactly match the set of RRs existing in the zone at the given
\fItype\fR,
\fIclass\fR, and
\fIdomain\-name\fR\&. The
\fIdata\fR
are written in the standard text representation of the resource record\*(Aqs RDATA\&.
.RE
.PP
\fB[update]\fR\fB del\fR\fB[ete]\fR {domain\-name} [ttl] [class] [type\ [data...]]
.RS 4
Deletes any resource records named
\fIdomain\-name\fR\&. If
\fItype\fR
and
\fIdata\fR
is provided, only matching resource records will be removed\&. The internet class is assumed if
\fIclass\fR
is not supplied\&. The
\fIttl\fR
is ignored, and is only allowed for compatibility\&.
.RE
.PP
\fB[update]\fR\fB add\fR {domain\-name} {ttl} [class] {type} {data...}
.RS 4
Adds a new resource record with the specified
\fIttl\fR,
\fIclass\fR
and
\fIdata\fR\&.
.RE
.PP
\fBshow\fR
.RS 4
Displays the current message, containing all of the prerequisites and updates specified since the last send\&.
.RE
.PP
\fBsend\fR
.RS 4
Sends the current message\&. This is equivalent to entering a blank line\&.
.RE
.PP
\fBanswer\fR
.RS 4
Displays the answer\&.
.RE
.PP
\fBdebug\fR
.RS 4
Turn on debugging\&.
.RE
.PP
\fBversion\fR
.RS 4
Print version number\&.
.RE
.PP
\fBhelp\fR
.RS 4
Print a list of commands\&.
.RE
.PP
Lines beginning with a semicolon are comments and are ignored\&.
.SH "EXAMPLES"
.PP
The examples below show how
\fBnsupdate\fR
could be used to insert and delete resource records from the
\fBexample\&.com\fR
zone\&. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
\fBexample\&.com\fR\&.
.sp
.if n \{\
.RS 4
.\}
.nf
# nsupdate
> update delete oldhost\&.example\&.com A
> update add newhost\&.example\&.com 86400 A 172\&.16\&.1\&.1
> send
.fi
.if n \{\
.RE
.\}
.PP
Any A records for
\fBoldhost\&.example\&.com\fR
are deleted\&. And an A record for
\fBnewhost\&.example\&.com\fR
with IP address 172\&.16\&.1\&.1 is added\&. The newly\-added record has a 1 day TTL (86400 seconds)\&.
.sp
.if n \{\
.RS 4
.\}
.nf
# nsupdate
> prereq nxdomain nickname\&.example\&.com
> update add nickname\&.example\&.com 86400 CNAME somehost\&.example\&.com
> send
.fi
.if n \{\
.RE
.\}
.PP
The prerequisite condition gets the name server to check that there are no resource records of any type for
\fBnickname\&.example\&.com\fR\&. If there are, the update request fails\&. If this name does not exist, a CNAME for it is added\&. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC 1034 that a name must not exist as any other record type if it exists as a CNAME\&. (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records\&.)
.SH "FILES"
.PP
\fB/etc/resolv\&.conf\fR
.RS 4
used to identify default name server
.RE
.PP
\fB/var/run/named/session\&.key\fR
.RS 4
sets the default TSIG key for use in local\-only mode
.RE
.PP
\fBK{name}\&.+157\&.+{random}\&.key\fR
.RS 4
base\-64 encoding of HMAC\-MD5 key created by
\fBdnssec-keygen\fR(8)\&.
.RE
.PP
\fBK{name}\&.+157\&.+{random}\&.private\fR
.RS 4
base\-64 encoding of HMAC\-MD5 key created by
\fBdnssec-keygen\fR(8)\&.
.RE
.SH "SEE ALSO"
.PP
RFC 2136,
RFC 3007,
RFC 2104,
RFC 2845,
RFC 1034,
RFC 2535,
RFC 2931,
\fBnamed\fR(8),
\fBddns-confgen\fR(8),
\fBdnssec-keygen\fR(8)\&.
.SH "BUGS"
.PP
The TSIG key is redundantly stored in two separate files\&. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

932
bin/nsupdate/nsupdate.docbook
View file

@ -1,932 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsupdate">
<info>
<date>2014-04-18</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>nsupdate</application></refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>nsupdate</application></refname>
<refpurpose>Dynamic DNS update utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>nsupdate</command>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">level</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-g</option></arg>
<arg choice="opt" rep="norepeat"><option>-o</option></arg>
<arg choice="opt" rep="norepeat"><option>-l</option></arg>
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-T</option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>nsupdate</command>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
A single update request can contain requests to add or remove more than
one
resource record.
</para>
<para>
Zones that are under dynamic control via
<command>nsupdate</command>
or a DHCP server should not be edited by hand.
Manual edits could
conflict with dynamic updates and cause data to be lost.
</para>
<para>
The resource records that are dynamically added or removed with
<command>nsupdate</command>
have to be in the same zone.
Requests are sent to the zone's master server.
This is identified by the MNAME field of the zone's SOA record.
</para>
<para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC 2845 or the SIG(0) record described in RFC 2535 and
RFC 2931 or GSS-TSIG as described in RFC 3645.
</para>
<para>
TSIG relies on
a shared secret that should only be known to
<command>nsupdate</command> and the name server.
For instance, suitable <type>key</type> and
<type>server</type> statements would be added to
<filename>/etc/named.conf</filename> so that the name server
can associate the appropriate secret key and algorithm with
the IP address of the client application that will be using
TSIG authentication. You can use <command>ddns-confgen</command>
to generate suitable configuration fragments.
<command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> options
to provide the TSIG shared secret. These options are mutually exclusive.
</para>
<para>
SIG(0) uses public key cryptography.
To use a SIG(0) key, the public key must be stored in a KEY
record in a zone served by the name server.
</para>
<para>
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
is switched on with the <option>-g</option> flag. A
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <option>-o</option> flag.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Use IPv4 only.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Use IPv6 only.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Debug mode. This provides tracing information about the
update requests that are made and the replies received
from the name server.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Extra debug mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Force interactive mode, even when standard input is not a terminal.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyfile</replaceable></term>
<listitem>
<para>
The file containing the TSIG authentication key.
Keyfiles may be in two formats: a single file containing
a <filename>named.conf</filename>-format <command>key</command>
statement, which may be generated automatically by
<command>ddns-confgen</command>, or a pair of files whose names are
of the format <filename>K{name}.+157.+{random}.key</filename> and
<filename>K{name}.+157.+{random}.private</filename>, which can be
generated by <command>dnssec-keygen</command>.
The <option>-k</option> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>
Local-host only mode. This sets the server address to
localhost (disabling the <command>server</command> so that the server
address cannot be overridden). Connections to the local server will
use a TSIG key found in <filename>/var/run/named/session.key</filename>,
which is automatically generated by <command>named</command> if any
local master zone has set <command>update-policy</command> to
<command>local</command>. The location of this key file can be
overridden with the <option>-k</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Set the logging debug level. If zero, logging is disabled.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Set the port to use for connections to a name server. The
default is 53.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P</term>
<listitem>
<para>
Print the list of private BIND-specific resource record
types whose format is understood
by <command>nsupdate</command>. See also
the <option>-T</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">udpretries</replaceable></term>
<listitem>
<para>
The number of UDP retries. The default is 3. If zero, only
one update request will be made.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">timeout</replaceable></term>
<listitem>
<para>
The maximum time an update request can take before it is
aborted. The default is 300 seconds. Zero can be used to
disable the timeout.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T</term>
<listitem>
<para>
Print the list of IANA standard resource record types
whose format is understood by <command>nsupdate</command>.
<command>nsupdate</command> will exit after the lists are
printed. The <option>-T</option> option can be combined
with the <option>-P</option> option.
</para>
<para>
Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
decimal value of the type with no leading zeros. The rdata,
if present, will be parsed using the UNKNOWN rdata format,
(&lt;backslash&gt; &lt;hash&gt; &lt;space&gt; &lt;length&gt;
&lt;space&gt; &lt;hexstring&gt;).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u <replaceable class="parameter">udptimeout</replaceable></term>
<listitem>
<para>
The UDP retry interval. The default is 3 seconds. If zero,
the interval will be computed from the timeout interval and
number of UDP retries.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Use TCP even for small update requests.
By default, <command>nsupdate</command>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
TCP may be preferable when a batch of update requests is made.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Print the version number and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></term>
<listitem>
<para>
Literal TSIG authentication key.
<parameter>keyname</parameter> is the name of the key, and
<parameter>secret</parameter> is the base64 encoded shared secret.
<parameter>hmac</parameter> is the name of the key algorithm;
valid choices are <literal>hmac-md5</literal>,
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
is not specified, the default is <literal>hmac-md5</literal>
or if MD5 was disabled <literal>hmac-sha256</literal>.
</para>
<para>
NOTE: Use of the <option>-y</option> option is discouraged because the
shared secret is supplied as a command line argument in clear text.
This may be visible in the output from
<citerefentry>
<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>
or in a history file maintained by the user's shell.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>INPUT FORMAT</title></info>
<para><command>nsupdate</command>
reads input from
<parameter>filename</parameter>
or standard input.
Each command is supplied on exactly one line of input.
Some commands are for administrative purposes.
The others are either update instructions or prerequisite checks on the
contents of the zone.
These checks set conditions that some name or set of
resource records (RRset) either exists or is absent from the zone.
These conditions must be met if the entire update request is to succeed.
Updates will be rejected if the tests for the prerequisite conditions
fail.
</para>
<para>
Every update request consists of zero or more prerequisites
and zero or more updates.
This allows a suitably authenticated update request to proceed if some
specified resource records are present or missing from the zone.
A blank input line (or the <command>send</command> command)
causes the
accumulated commands to be sent as one Dynamic DNS update request to the
name server.
</para>
<para>
The command formats and their meaning are as follows:
<variablelist>
<varlistentry>
<term>
<command>server</command>
<arg choice="req" rep="norepeat">servername</arg>
<arg choice="opt" rep="norepeat">port</arg>
</term>
<listitem>
<para>
Sends all dynamic update requests to the name server
<parameter>servername</parameter>.
When no server statement is provided,
<command>nsupdate</command>
will send updates to the master server of the correct zone.
The MNAME field of that zone's SOA record will identify the
master
server for that zone.
<parameter>port</parameter>
is the port number on
<parameter>servername</parameter>
where the dynamic update requests get sent.
If no port number is specified, the default DNS port number of
53 is
used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>local</command>
<arg choice="req" rep="norepeat">address</arg>
<arg choice="opt" rep="norepeat">port</arg>
</term>
<listitem>
<para>
Sends all dynamic update requests using the local
<parameter>address</parameter>.
When no local statement is provided,
<command>nsupdate</command>
will send updates using an address and port chosen by the
system.
<parameter>port</parameter>
can additionally be used to make requests come from a specific
port.
If no port number is specified, the system will assign one.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>zone</command>
<arg choice="req" rep="norepeat">zonename</arg>
</term>
<listitem>
<para>
Specifies that all updates are to be made to the zone
<parameter>zonename</parameter>.
If no
<parameter>zone</parameter>
statement is provided,
<command>nsupdate</command>
will attempt determine the correct zone to update based on the
rest of the input.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>class</command>
<arg choice="req" rep="norepeat">classname</arg>
</term>
<listitem>
<para>
Specify the default class.
If no <parameter>class</parameter> is specified, the
default class is
<parameter>IN</parameter>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>ttl</command>
<arg choice="req" rep="norepeat">seconds</arg>
</term>
<listitem>
<para>
Specify the default time to live for records to be added.
The value <parameter>none</parameter> will clear the default
ttl.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>key</command>
<arg choice="opt" rep="norepeat">hmac:</arg><arg choice="req" rep="norepeat">keyname</arg>
<arg choice="req" rep="norepeat">secret</arg>
</term>
<listitem>
<para>
Specifies that all updates are to be TSIG-signed using the
<parameter>keyname</parameter> <parameter>secret</parameter> pair.
If <parameter>hmac</parameter> is specified, then it sets the
signing algorithm in use; the default is
<literal>hmac-md5</literal> or if MD5 was disabled
<literal>hmac-sha256</literal>. The <command>key</command>
command overrides any key specified on the command line via
<option>-y</option> or <option>-k</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>gsstsig</command>
</term>
<listitem>
<para>
Use GSS-TSIG to sign the updated. This is equivalent to
specifying <option>-g</option> on the command line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>oldgsstsig</command>
</term>
<listitem>
<para>
Use the Windows 2000 version of GSS-TSIG to sign the updated.
This is equivalent to specifying <option>-o</option> on the
command line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>realm</command>
<arg choice="req" rep="norepeat"><optional>realm_name</optional></arg>
</term>
<listitem>
<para>
When using GSS-TSIG use <parameter>realm_name</parameter> rather
than the default realm in <filename>krb5.conf</filename>. If no
realm is specified the saved realm is cleared.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>check-names</command>
<arg choice="req" rep="norepeat"><optional>yes_or_no</optional></arg>
</term>
<listitem>
<para>
Turn on or off check-names processing on records to
be added. Check-names has no effect on prerequisites
or records to be deleted. By default check-names
processing is on. If check-names processing fails
the record will not be added to the UPDATE message.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command><optional>prereq</optional> nxdomain</command>
<arg choice="req" rep="norepeat">domain-name</arg>
</term>
<listitem>
<para>
Requires that no resource record of any type exists with name
<parameter>domain-name</parameter>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command><optional>prereq</optional> yxdomain</command>
<arg choice="req" rep="norepeat">domain-name</arg>
</term>
<listitem>
<para>
Requires that
<parameter>domain-name</parameter>
exists (has as at least one resource record, of any type).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command><optional>prereq</optional> nxrrset</command>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
</term>
<listitem>
<para>
Requires that no resource record exists of the specified
<parameter>type</parameter>,
<parameter>class</parameter>
and
<parameter>domain-name</parameter>.
If
<parameter>class</parameter>
is omitted, IN (internet) is assumed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command><optional>prereq</optional> yxrrset</command>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
</term>
<listitem>
<para>
This requires that a resource record of the specified
<parameter>type</parameter>,
<parameter>class</parameter>
and
<parameter>domain-name</parameter>
must exist.
If
<parameter>class</parameter>
is omitted, IN (internet) is assumed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command><optional>prereq</optional> yxrrset</command>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
<arg choice="req" rep="repeat">data</arg>
</term>
<listitem>
<para>
The
<parameter>data</parameter>
from each set of prerequisites of this form
sharing a common
<parameter>type</parameter>,
<parameter>class</parameter>,
and
<parameter>domain-name</parameter>
are combined to form a set of RRs. This set of RRs must
exactly match the set of RRs existing in the zone at the
given
<parameter>type</parameter>,
<parameter>class</parameter>,
and
<parameter>domain-name</parameter>.
The
<parameter>data</parameter>
are written in the standard text representation of the resource
record's
RDATA.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command><optional>update</optional> del<optional>ete</optional></command>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="opt" rep="norepeat">ttl</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="norepeat">type <arg choice="opt" rep="repeat">data</arg></arg>
</term>
<listitem>
<para>
Deletes any resource records named
<parameter>domain-name</parameter>.
If
<parameter>type</parameter>
and
<parameter>data</parameter>
is provided, only matching resource records will be removed.
The internet class is assumed if
<parameter>class</parameter>
is not supplied. The
<parameter>ttl</parameter>
is ignored, and is only allowed for compatibility.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command><optional>update</optional> add</command>
<arg choice="req" rep="norepeat">domain-name</arg>
<arg choice="req" rep="norepeat">ttl</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="req" rep="norepeat">type</arg>
<arg choice="req" rep="repeat">data</arg>
</term>
<listitem>
<para>
Adds a new resource record with the specified
<parameter>ttl</parameter>,
<parameter>class</parameter>
and
<parameter>data</parameter>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>show</command>
</term>
<listitem>
<para>
Displays the current message, containing all of the
prerequisites and
updates specified since the last send.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>send</command>
</term>
<listitem>
<para>
Sends the current message. This is equivalent to entering a
blank line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>answer</command>
</term>
<listitem>
<para>
Displays the answer.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>debug</command>
</term>
<listitem>
<para>
Turn on debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>version</command>
</term>
<listitem>
<para>
Print version number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>help</command>
</term>
<listitem>
<para>
Print a list of commands.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
Lines beginning with a semicolon are comments and are ignored.
</para>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
<para>
The examples below show how
<command>nsupdate</command>
could be used to insert and delete resource records from the
<type>example.com</type>
zone.
Notice that the input in each example contains a trailing blank line so
that
a group of commands are sent as one dynamic update request to the
master name server for
<type>example.com</type>.
<programlisting>
# nsupdate
&gt; update delete oldhost.example.com A
&gt; update add newhost.example.com 86400 A 172.16.1.1
&gt; send
</programlisting>
</para>
<para>
Any A records for
<type>oldhost.example.com</type>
are deleted.
And an A record for
<type>newhost.example.com</type>
with IP address 172.16.1.1 is added.
The newly-added record has a 1 day TTL (86400 seconds).
<programlisting>
# nsupdate
&gt; prereq nxdomain nickname.example.com
&gt; update add nickname.example.com 86400 CNAME somehost.example.com
&gt; send
</programlisting>
</para>
<para>
The prerequisite condition gets the name server to check that there
are no resource records of any type for
<type>nickname.example.com</type>.
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
(The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<variablelist>
<varlistentry>
<term><constant>/etc/resolv.conf</constant></term>
<listitem>
<para>
used to identify default name server
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>/var/run/named/session.key</constant></term>
<listitem>
<para>
sets the default TSIG key for use in local-only mode
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>K{name}.+157.+{random}.key</constant></term>
<listitem>
<para>
base-64 encoding of HMAC-MD5 key created by
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>K{name}.+157.+{random}.private</constant></term>
<listitem>
<para>
base-64 encoding of HMAC-MD5 key created by
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citetitle>RFC 2136</citetitle>,
<citetitle>RFC 3007</citetitle>,
<citetitle>RFC 2104</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 2535</citetitle>,
<citetitle>RFC 2931</citetitle>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
<refsection><info><title>BUGS</title></info>
<para>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
for its cryptographic operations, and may change in future
releases.
</para>
</refsection>
</refentry>

785
bin/nsupdate/nsupdate.html
View file

@ -1,785 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nsupdate</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.nsupdate"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">nsupdate</span>
&#8212; Dynamic DNS update utility
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">nsupdate</code>
[<code class="option">-d</code>]
[<code class="option">-D</code>]
[<code class="option">-i</code>]
[<code class="option">-L <em class="replaceable"><code>level</code></em></code>]
[
[<code class="option">-g</code>]
| [<code class="option">-o</code>]
| [<code class="option">-l</code>]
| [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>]
| [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]
]
[<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>]
[<code class="option">-v</code>]
[<code class="option">-T</code>]
[<code class="option">-P</code>]
[<code class="option">-V</code>]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[filename]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
A single update request can contain requests to add or remove more than
one
resource record.
</p>
<p>
Zones that are under dynamic control via
<span class="command"><strong>nsupdate</strong></span>
or a DHCP server should not be edited by hand.
Manual edits could
conflict with dynamic updates and cause data to be lost.
</p>
<p>
The resource records that are dynamically added or removed with
<span class="command"><strong>nsupdate</strong></span>
have to be in the same zone.
Requests are sent to the zone's master server.
This is identified by the MNAME field of the zone's SOA record.
</p>
<p>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC 2845 or the SIG(0) record described in RFC 2535 and
RFC 2931 or GSS-TSIG as described in RFC 3645.
</p>
<p>
TSIG relies on
a shared secret that should only be known to
<span class="command"><strong>nsupdate</strong></span> and the name server.
For instance, suitable <span class="type">key</span> and
<span class="type">server</span> statements would be added to
<code class="filename">/etc/named.conf</code> so that the name server
can associate the appropriate secret key and algorithm with
the IP address of the client application that will be using
TSIG authentication. You can use <span class="command"><strong>ddns-confgen</strong></span>
to generate suitable configuration fragments.
<span class="command"><strong>nsupdate</strong></span>
uses the <code class="option">-y</code> or <code class="option">-k</code> options
to provide the TSIG shared secret. These options are mutually exclusive.
</p>
<p>
SIG(0) uses public key cryptography.
To use a SIG(0) key, the public key must be stored in a KEY
record in a zone served by the name server.
</p>
<p>
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
is switched on with the <code class="option">-g</code> flag. A
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <code class="option">-o</code> flag.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd>
<p>
Use IPv4 only.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Use IPv6 only.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Debug mode. This provides tracing information about the
update requests that are made and the replies received
from the name server.
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd>
<p>
Extra debug mode.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Force interactive mode, even when standard input is not a terminal.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd>
<p>
The file containing the TSIG authentication key.
Keyfiles may be in two formats: a single file containing
a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
statement, which may be generated automatically by
<span class="command"><strong>ddns-confgen</strong></span>, or a pair of files whose names are
of the format <code class="filename">K{name}.+157.+{random}.key</code> and
<code class="filename">K{name}.+157.+{random}.private</code>, which can be
generated by <span class="command"><strong>dnssec-keygen</strong></span>.
The <code class="option">-k</code> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
Local-host only mode. This sets the server address to
localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
address cannot be overridden). Connections to the local server will
use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
which is automatically generated by <span class="command"><strong>named</strong></span> if any
local master zone has set <span class="command"><strong>update-policy</strong></span> to
<span class="command"><strong>local</strong></span>. The location of this key file can be
overridden with the <code class="option">-k</code> option.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Set the logging debug level. If zero, logging is disabled.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Set the port to use for connections to a name server. The
default is 53.
</p>
</dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
Print the list of private BIND-specific resource record
types whose format is understood
by <span class="command"><strong>nsupdate</strong></span>. See also
the <code class="option">-T</code> option.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
<dd>
<p>
The number of UDP retries. The default is 3. If zero, only
one update request will be made.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
<dd>
<p>
The maximum time an update request can take before it is
aborted. The default is 300 seconds. Zero can be used to
disable the timeout.
</p>
</dd>
<dt><span class="term">-T</span></dt>
<dd>
<p>
Print the list of IANA standard resource record types
whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
<span class="command"><strong>nsupdate</strong></span> will exit after the lists are
printed. The <code class="option">-T</code> option can be combined
with the <code class="option">-P</code> option.
</p>
<p>
Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
decimal value of the type with no leading zeros. The rdata,
if present, will be parsed using the UNKNOWN rdata format,
(&lt;backslash&gt; &lt;hash&gt; &lt;space&gt; &lt;length&gt;
&lt;space&gt; &lt;hexstring&gt;).
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
<dd>
<p>
The UDP retry interval. The default is 3 seconds. If zero,
the interval will be computed from the timeout interval and
number of UDP retries.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Use TCP even for small update requests.
By default, <span class="command"><strong>nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
TCP may be preferable when a batch of update requests is made.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Print the version number and exit.
</p>
</dd>
<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
<dd>
<p>
Literal TSIG authentication key.
<em class="parameter"><code>keyname</code></em> is the name of the key, and
<em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
<em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
valid choices are <code class="literal">hmac-md5</code>,
<code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
<code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
<code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
is not specified, the default is <code class="literal">hmac-md5</code>
or if MD5 was disabled <code class="literal">hmac-sha256</code>.
</p>
<p>
NOTE: Use of the <code class="option">-y</code> option is discouraged because the
shared secret is supplied as a command line argument in clear text.
This may be visible in the output from
<span class="citerefentry">
<span class="refentrytitle">ps</span>(1)
</span>
or in a history file maintained by the user's shell.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>INPUT FORMAT</h2>
<p><span class="command"><strong>nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
or standard input.
Each command is supplied on exactly one line of input.
Some commands are for administrative purposes.
The others are either update instructions or prerequisite checks on the
contents of the zone.
These checks set conditions that some name or set of
resource records (RRset) either exists or is absent from the zone.
These conditions must be met if the entire update request is to succeed.
Updates will be rejected if the tests for the prerequisite conditions
fail.
</p>
<p>
Every update request consists of zero or more prerequisites
and zero or more updates.
This allows a suitably authenticated update request to proceed if some
specified resource records are present or missing from the zone.
A blank input line (or the <span class="command"><strong>send</strong></span> command)
causes the
accumulated commands to be sent as one Dynamic DNS update request to the
name server.
</p>
<p>
The command formats and their meaning are as follows:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">
<span class="command"><strong>server</strong></span>
{servername}
[port]
</span></dt>
<dd>
<p>
Sends all dynamic update requests to the name server
<em class="parameter"><code>servername</code></em>.
When no server statement is provided,
<span class="command"><strong>nsupdate</strong></span>
will send updates to the master server of the correct zone.
The MNAME field of that zone's SOA record will identify the
master
server for that zone.
<em class="parameter"><code>port</code></em>
is the port number on
<em class="parameter"><code>servername</code></em>
where the dynamic update requests get sent.
If no port number is specified, the default DNS port number of
53 is
used.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>local</strong></span>
{address}
[port]
</span></dt>
<dd>
<p>
Sends all dynamic update requests using the local
<em class="parameter"><code>address</code></em>.
When no local statement is provided,
<span class="command"><strong>nsupdate</strong></span>
will send updates using an address and port chosen by the
system.
<em class="parameter"><code>port</code></em>
can additionally be used to make requests come from a specific
port.
If no port number is specified, the system will assign one.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>zone</strong></span>
{zonename}
</span></dt>
<dd>
<p>
Specifies that all updates are to be made to the zone
<em class="parameter"><code>zonename</code></em>.
If no
<em class="parameter"><code>zone</code></em>
statement is provided,
<span class="command"><strong>nsupdate</strong></span>
will attempt determine the correct zone to update based on the
rest of the input.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>class</strong></span>
{classname}
</span></dt>
<dd>
<p>
Specify the default class.
If no <em class="parameter"><code>class</code></em> is specified, the
default class is
<em class="parameter"><code>IN</code></em>.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>ttl</strong></span>
{seconds}
</span></dt>
<dd>
<p>
Specify the default time to live for records to be added.
The value <em class="parameter"><code>none</code></em> will clear the default
ttl.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>key</strong></span>
[hmac:] {keyname}
{secret}
</span></dt>
<dd>
<p>
Specifies that all updates are to be TSIG-signed using the
<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
signing algorithm in use; the default is
<code class="literal">hmac-md5</code> or if MD5 was disabled
<code class="literal">hmac-sha256</code>. The <span class="command"><strong>key</strong></span>
command overrides any key specified on the command line via
<code class="option">-y</code> or <code class="option">-k</code>.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>gsstsig</strong></span>
</span></dt>
<dd>
<p>
Use GSS-TSIG to sign the updated. This is equivalent to
specifying <code class="option">-g</code> on the command line.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>oldgsstsig</strong></span>
</span></dt>
<dd>
<p>
Use the Windows 2000 version of GSS-TSIG to sign the updated.
This is equivalent to specifying <code class="option">-o</code> on the
command line.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>realm</strong></span>
{[<span class="optional">realm_name</span>]}
</span></dt>
<dd>
<p>
When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
than the default realm in <code class="filename">krb5.conf</code>. If no
realm is specified the saved realm is cleared.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>check-names</strong></span>
{[<span class="optional">yes_or_no</span>]}
</span></dt>
<dd>
<p>
Turn on or off check-names processing on records to
be added. Check-names has no effect on prerequisites
or records to be deleted. By default check-names
processing is on. If check-names processing fails
the record will not be added to the UPDATE message.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span>
{domain-name}
</span></dt>
<dd>
<p>
Requires that no resource record of any type exists with name
<em class="parameter"><code>domain-name</code></em>.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span>
{domain-name}
</span></dt>
<dd>
<p>
Requires that
<em class="parameter"><code>domain-name</code></em>
exists (has as at least one resource record, of any type).
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span>
{domain-name}
[class]
{type}
</span></dt>
<dd>
<p>
Requires that no resource record exists of the specified
<em class="parameter"><code>type</code></em>,
<em class="parameter"><code>class</code></em>
and
<em class="parameter"><code>domain-name</code></em>.
If
<em class="parameter"><code>class</code></em>
is omitted, IN (internet) is assumed.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
{domain-name}
[class]
{type}
</span></dt>
<dd>
<p>
This requires that a resource record of the specified
<em class="parameter"><code>type</code></em>,
<em class="parameter"><code>class</code></em>
and
<em class="parameter"><code>domain-name</code></em>
must exist.
If
<em class="parameter"><code>class</code></em>
is omitted, IN (internet) is assumed.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
{domain-name}
[class]
{type}
{data...}
</span></dt>
<dd>
<p>
The
<em class="parameter"><code>data</code></em>
from each set of prerequisites of this form
sharing a common
<em class="parameter"><code>type</code></em>,
<em class="parameter"><code>class</code></em>,
and
<em class="parameter"><code>domain-name</code></em>
are combined to form a set of RRs. This set of RRs must
exactly match the set of RRs existing in the zone at the
given
<em class="parameter"><code>type</code></em>,
<em class="parameter"><code>class</code></em>,
and
<em class="parameter"><code>domain-name</code></em>.
The
<em class="parameter"><code>data</code></em>
are written in the standard text representation of the resource
record's
RDATA.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
{domain-name}
[ttl]
[class]
[type [data...]]
</span></dt>
<dd>
<p>
Deletes any resource records named
<em class="parameter"><code>domain-name</code></em>.
If
<em class="parameter"><code>type</code></em>
and
<em class="parameter"><code>data</code></em>
is provided, only matching resource records will be removed.
The internet class is assumed if
<em class="parameter"><code>class</code></em>
is not supplied. The
<em class="parameter"><code>ttl</code></em>
is ignored, and is only allowed for compatibility.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>[<span class="optional">update</span>] add</strong></span>
{domain-name}
{ttl}
[class]
{type}
{data...}
</span></dt>
<dd>
<p>
Adds a new resource record with the specified
<em class="parameter"><code>ttl</code></em>,
<em class="parameter"><code>class</code></em>
and
<em class="parameter"><code>data</code></em>.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>show</strong></span>
</span></dt>
<dd>
<p>
Displays the current message, containing all of the
prerequisites and
updates specified since the last send.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>send</strong></span>
</span></dt>
<dd>
<p>
Sends the current message. This is equivalent to entering a
blank line.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>answer</strong></span>
</span></dt>
<dd>
<p>
Displays the answer.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>debug</strong></span>
</span></dt>
<dd>
<p>
Turn on debugging.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>version</strong></span>
</span></dt>
<dd>
<p>
Print version number.
</p>
</dd>
<dt><span class="term">
<span class="command"><strong>help</strong></span>
</span></dt>
<dd>
<p>
Print a list of commands.
</p>
</dd>
</dl></div>
<p>
</p>
<p>
Lines beginning with a semicolon are comments and are ignored.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span class="command"><strong>nsupdate</strong></span>
could be used to insert and delete resource records from the
<span class="type">example.com</span>
zone.
Notice that the input in each example contains a trailing blank line so
that
a group of commands are sent as one dynamic update request to the
master name server for
<span class="type">example.com</span>.
</p>
<pre class="programlisting">
# nsupdate
&gt; update delete oldhost.example.com A
&gt; update add newhost.example.com 86400 A 172.16.1.1
&gt; send
</pre>
<p>
</p>
<p>
Any A records for
<span class="type">oldhost.example.com</span>
are deleted.
And an A record for
<span class="type">newhost.example.com</span>
with IP address 172.16.1.1 is added.
The newly-added record has a 1 day TTL (86400 seconds).
</p>
<pre class="programlisting">
# nsupdate
&gt; prereq nxdomain nickname.example.com
&gt; update add nickname.example.com 86400 CNAME somehost.example.com
&gt; send
</pre>
<p>
</p>
<p>
The prerequisite condition gets the name server to check that there
are no resource records of any type for
<span class="type">nickname.example.com</span>.
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
(The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd>
<p>
used to identify default name server
</p>
</dd>
<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
<dd>
<p>
sets the default TSIG key for use in local-only mode
</p>
</dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
<dd>
<p>
base-64 encoding of HMAC-MD5 key created by
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>.
</p>
</dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
<dd>
<p>
base-64 encoding of HMAC-MD5 key created by
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
<em class="citetitle">RFC 2104</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 2535</em>,
<em class="citetitle">RFC 2931</em>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>.
</p>
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
for its cryptographic operations, and may change in future
releases.
</p>
</div>
</div></body>
</html>

365
bin/nsupdate/nsupdate.rst Normal file
View file

@ -0,0 +1,365 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_nsupdate:
nsupdate - dynamic DNS update utility
-------------------------------------
Synopsis
~~~~~~~~
:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
Description
~~~~~~~~~~~
``nsupdate`` is used to submit Dynamic DNS Update requests as defined in
:rfc:`2136` to a name server. This allows resource records to be added or
removed from a zone without manually editing the zone file. A single
update request can contain requests to add or remove more than one
resource record.
Zones that are under dynamic control via ``nsupdate`` or a DHCP server
should not be edited by hand. Manual edits could conflict with dynamic
updates and cause data to be lost.
The resource records that are dynamically added or removed with
``nsupdate`` have to be in the same zone. Requests are sent to the
zone's master server. This is identified by the MNAME field of the
zone's SOA record.
Transaction signatures can be used to authenticate the Dynamic DNS
updates. These use the TSIG resource record type described in :rfc:`2845`
or the SIG(0) record described in :rfc:`2535` and :rfc:`2931` or GSS-TSIG as
described in :rfc:`3645`.
TSIG relies on a shared secret that should only be known to ``nsupdate``
and the name server. For instance, suitable ``key`` and ``server``
statements would be added to ``/etc/named.conf`` so that the name server
can associate the appropriate secret key and algorithm with the IP
address of the client application that will be using TSIG
authentication. You can use ``ddns-confgen`` to generate suitable
configuration fragments. ``nsupdate`` uses the ``-y`` or ``-k`` options
to provide the TSIG shared secret. These options are mutually exclusive.
SIG(0) uses public key cryptography. To use a SIG(0) key, the public key
must be stored in a KEY record in a zone served by the name server.
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode is switched
on with the ``-g`` flag. A non-standards-compliant variant of GSS-TSIG
used by Windows 2000 can be switched on with the ``-o`` flag.
Options
~~~~~~~
**-4**
Use IPv4 only.
**-6**
Use IPv6 only.
**-d**
Debug mode. This provides tracing information about the update
requests that are made and the replies received from the name server.
**-D**
Extra debug mode.
**-i**
Force interactive mode, even when standard input is not a terminal.
**-k** keyfile
The file containing the TSIG authentication key. Keyfiles may be in
two formats: a single file containing a ``named.conf``-format ``key``
statement, which may be generated automatically by ``ddns-confgen``,
or a pair of files whose names are of the format
``K{name}.+157.+{random}.key`` and
``K{name}.+157.+{random}.private``, which can be generated by
``dnssec-keygen``. The ``-k`` may also be used to specify a SIG(0)
key used to authenticate Dynamic DNS update requests. In this case,
the key specified is not an HMAC-MD5 key.
**-l**
Local-host only mode. This sets the server address to localhost
(disabling the ``server`` so that the server address cannot be
overridden). Connections to the local server will use a TSIG key
found in ``/var/run/named/session.key``, which is automatically
generated by ``named`` if any local master zone has set
``update-policy`` to ``local``. The location of this key file can be
overridden with the ``-k`` option.
**-L** level
Set the logging debug level. If zero, logging is disabled.
**-p** port
Set the port to use for connections to a name server. The default is
53.
**-P**
Print the list of private BIND-specific resource record types whose
format is understood by ``nsupdate``. See also the ``-T`` option.
**-r** udpretries
The number of UDP retries. The default is 3. If zero, only one update
request will be made.
**-t** timeout
The maximum time an update request can take before it is aborted. The
default is 300 seconds. Zero can be used to disable the timeout.
**-T**
Print the list of IANA standard resource record types whose format is
understood by ``nsupdate``. ``nsupdate`` will exit after the lists
are printed. The ``-T`` option can be combined with the ``-P``
option.
Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
decimal value of the type with no leading zeros. The rdata, if
present, will be parsed using the UNKNOWN rdata format, (<backslash>
<hash> <space> <length> <space> <hexstring>).
**-u** udptimeout
The UDP retry interval. The default is 3 seconds. If zero, the
interval will be computed from the timeout interval and number of UDP
retries.
**-v**
Use TCP even for small update requests. By default, ``nsupdate`` uses
UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used. TCP may
be preferable when a batch of update requests is made.
**-V**
Print the version number and exit.
**-y** [hmac:]keyname:secret
Literal TSIG authentication key. ``keyname`` is the name of the key,
and ``secret`` is the base64 encoded shared secret. ``hmac`` is the
name of the key algorithm; valid choices are ``hmac-md5``,
``hmac-sha1``, ``hmac-sha224``, ``hmac-sha256``, ``hmac-sha384``, or
``hmac-sha512``. If ``hmac`` is not specified, the default is
``hmac-md5`` or if MD5 was disabled ``hmac-sha256``.
NOTE: Use of the ``-y`` option is discouraged because the shared
secret is supplied as a command line argument in clear text. This may
be visible in the output from ps1 or in a history file maintained by
the user's shell.
Input Format
~~~~~~~~~~~~
``nsupdate`` reads input from ``filename`` or standard input. Each
command is supplied on exactly one line of input. Some commands are for
administrative purposes. The others are either update instructions or
prerequisite checks on the contents of the zone. These checks set
conditions that some name or set of resource records (RRset) either
exists or is absent from the zone. These conditions must be met if the
entire update request is to succeed. Updates will be rejected if the
tests for the prerequisite conditions fail.
Every update request consists of zero or more prerequisites and zero or
more updates. This allows a suitably authenticated update request to
proceed if some specified resource records are present or missing from
the zone. A blank input line (or the ``send`` command) causes the
accumulated commands to be sent as one Dynamic DNS update request to the
name server.
The command formats and their meaning are as follows:
``server`` servername port
Sends all dynamic update requests to the name server ``servername``.
When no server statement is provided, ``nsupdate`` will send updates
to the master server of the correct zone. The MNAME field of that
zone's SOA record will identify the master server for that zone.
``port`` is the port number on ``servername`` where the dynamic
update requests get sent. If no port number is specified, the default
DNS port number of 53 is used.
``local`` address port
Sends all dynamic update requests using the local ``address``. When
no local statement is provided, ``nsupdate`` will send updates using
an address and port chosen by the system. ``port`` can additionally
be used to make requests come from a specific port. If no port number
is specified, the system will assign one.
``zone`` zonename
Specifies that all updates are to be made to the zone ``zonename``.
If no ``zone`` statement is provided, ``nsupdate`` will attempt
determine the correct zone to update based on the rest of the input.
``class`` classname
Specify the default class. If no ``class`` is specified, the default
class is ``IN``.
``ttl`` seconds
Specify the default time to live for records to be added. The value
``none`` will clear the default ttl.
``key`` hmac:keyname secret
Specifies that all updates are to be TSIG-signed using the
``keyname`` ``secret`` pair. If ``hmac`` is specified, then it sets
the signing algorithm in use; the default is ``hmac-md5`` or if MD5
was disabled ``hmac-sha256``. The ``key`` command overrides any key
specified on the command line via ``-y`` or ``-k``.
``gsstsig``
Use GSS-TSIG to sign the updated. This is equivalent to specifying
``-g`` on the command line.
``oldgsstsig``
Use the Windows 2000 version of GSS-TSIG to sign the updated. This is
equivalent to specifying ``-o`` on the command line.
``realm`` [realm_name]
When using GSS-TSIG use ``realm_name`` rather than the default realm
in ``krb5.conf``. If no realm is specified the saved realm is
cleared.
``check-names`` [yes_or_no]
Turn on or off check-names processing on records to be added.
Check-names has no effect on prerequisites or records to be deleted.
By default check-names processing is on. If check-names processing
fails the record will not be added to the UPDATE message.
``prereq nxdomain`` domain-name
Requires that no resource record of any type exists with name
``domain-name``.
``prereq yxdomain`` domain-name
Requires that ``domain-name`` exists (has as at least one resource
record, of any type).
``prereq nxrrset`` domain-name class type
Requires that no resource record exists of the specified ``type``,
``class`` and ``domain-name``. If ``class`` is omitted, IN (internet)
is assumed.
``prereq yxrrset`` domain-name class type
This requires that a resource record of the specified ``type``,
``class`` and ``domain-name`` must exist. If ``class`` is omitted, IN
(internet) is assumed.
``prereq yxrrset`` domain-name class type data
The ``data`` from each set of prerequisites of this form sharing a
common ``type``, ``class``, and ``domain-name`` are combined to form
a set of RRs. This set of RRs must exactly match the set of RRs
existing in the zone at the given ``type``, ``class``, and
``domain-name``. The ``data`` are written in the standard text
representation of the resource record's RDATA.
``update delete`` domain-name ttl class type data
Deletes any resource records named ``domain-name``. If ``type`` and
``data`` is provided, only matching resource records will be removed.
The internet class is assumed if ``class`` is not supplied. The
``ttl`` is ignored, and is only allowed for compatibility.
``update add`` domain-name ttl class type data
Adds a new resource record with the specified ``ttl``, ``class`` and
``data``.
``show``
Displays the current message, containing all of the prerequisites and
updates specified since the last send.
``send``
Sends the current message. This is equivalent to entering a blank
line.
``answer``
Displays the answer.
``debug``
Turn on debugging.
``version``
Print version number.
``help``
Print a list of commands.
Lines beginning with a semicolon are comments and are ignored.
Examples
~~~~~~~~
The examples below show how ``nsupdate`` could be used to insert and
delete resource records from the ``example.com`` zone. Notice that the
input in each example contains a trailing blank line so that a group of
commands are sent as one dynamic update request to the master name
server for ``example.com``.
::
# nsupdate
> update delete oldhost.example.com A
> update add newhost.example.com 86400 A 172.16.1.1
> send
Any A records for ``oldhost.example.com`` are deleted. And an A record
for ``newhost.example.com`` with IP address 172.16.1.1 is added. The
newly-added record has a 1 day TTL (86400 seconds).
::
# nsupdate
> prereq nxdomain nickname.example.com
> update add nickname.example.com 86400 CNAME somehost.example.com
> send
The prerequisite condition gets the name server to check that there are
no resource records of any type for ``nickname.example.com``. If there
are, the update request fails. If this name does not exist, a CNAME for
it is added. This ensures that when the CNAME is added, it cannot
conflict with the long-standing rule in :rfc:`1034` that a name must not
exist as any other record type if it exists as a CNAME. (The rule has
been updated for DNSSEC in :rfc:`2535` to allow CNAMEs to have RRSIG,
DNSKEY and NSEC records.)
Files
~~~~~
``/etc/resolv.conf``
used to identify default name server
``/var/run/named/session.key``
sets the default TSIG key for use in local-only mode
``K{name}.+157.+{random}.key``
base-64 encoding of HMAC-MD5 key created by dnssec-keygen8.
``K{name}.+157.+{random}.private``
base-64 encoding of HMAC-MD5 key created by dnssec-keygen8.
See Also
~~~~~~~~
:rfc:`2136`, :rfc:`3007`, :rfc:`2104`, :rfc:`2845`, :rfc:`1034`, :rfc:`2535`, :rfc:`2931`,
:manpage:`named(8)`, :manpage:`ddns-confgen(8)`, :manpage:`dnssec-keygen(8)`.
Bugs
~~~~
The TSIG key is redundantly stored in two separate files. This is a
consequence of nsupdate using the DST library for its cryptographic
operations, and may change in future releases.

97
bin/pkcs11/pkcs11-destroy.8
View file

@ -1,97 +0,0 @@
.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: pkcs11-destroy
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-15
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "PKCS11\-DESTROY" "8" "2014\-01\-15" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pkcs11-destroy \- destroy PKCS#11 objects
.SH "SYNOPSIS"
.HP \w'\fBpkcs11\-destroy\fR\ 'u
\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-w\ \fR\fB\fIseconds\fR\fR]
.SH "DESCRIPTION"
.PP
\fBpkcs11\-destroy\fR
destroys keys stored in a PKCS#11 device, identified by their
\fBID\fR
or
\fBlabel\fR\&.
.PP
Matching keys are displayed before being destroyed\&. By default, there is a five second delay to allow the user to interrupt the process before the destruction takes place\&.
.SH "ARGUMENTS"
.PP
\-m \fImodule\fR
.RS 4
Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
.RE
.PP
\-s \fIslot\fR
.RS 4
Open the session with the given PKCS#11 slot\&. The default is slot 0\&.
.RE
.PP
\-i \fIID\fR
.RS 4
Destroy keys with the given object ID\&.
.RE
.PP
\-l \fIlabel\fR
.RS 4
Destroy keys with the given label\&.
.RE
.PP
\-p \fIPIN\fR
.RS 4
Specify the PIN for the device\&. If no PIN is provided on the command line,
\fBpkcs11\-destroy\fR
will prompt for it\&.
.RE
.PP
\-w \fIseconds\fR
.RS 4
Specify how long to pause before carrying out key destruction\&. The default is five seconds\&. If set to
0, destruction will be immediate\&.
.RE
.SH "SEE ALSO"
.PP
\fBpkcs11-keygen\fR(8),
\fBpkcs11-list\fR(8),
\fBpkcs11-tokens\fR(8)
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

154
bin/pkcs11/pkcs11-destroy.docbook
View file

@ -1,154 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-destroy">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>pkcs11-destroy</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>pkcs11-destroy</application></refname>
<refpurpose>destroy PKCS#11 objects</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>pkcs11-destroy</command>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<group choice="req" rep="norepeat">
<arg choice="plain" rep="norepeat">-i <replaceable class="parameter">ID</replaceable></arg>
<arg choice="plain" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">seconds</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-destroy</command> destroys keys stored in a
PKCS#11 device, identified by their <option>ID</option> or
<option>label</option>.
</para>
<para>
Matching keys are displayed before being destroyed. By default,
there is a five second delay to allow the user to interrupt the
process before the destruction takes place.
</para>
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
<listitem>
<para>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">slot</replaceable></term>
<listitem>
<para>
Open the session with the given PKCS#11 slot. The default is
slot 0.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">ID</replaceable></term>
<listitem>
<para>
Destroy keys with the given object ID.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Destroy keys with the given label.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">PIN</replaceable></term>
<listitem>
<para>
Specify the PIN for the device. If no PIN is provided on the
command line, <command>pkcs11-destroy</command> will prompt for it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w <replaceable class="parameter">seconds</replaceable></term>
<listitem>
<para>
Specify how long to pause before carrying out key destruction.
The default is five seconds. If set to <literal>0</literal>,
destruction will be immediate.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsection>
</refentry>

128
bin/pkcs11/pkcs11-destroy.html
View file

@ -1,128 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>pkcs11-destroy</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.pkcs11-destroy"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">pkcs11-destroy</span>
&#8212; destroy PKCS#11 objects
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">pkcs11-destroy</code>
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
{
-i <em class="replaceable"><code>ID</code></em>
| -l <em class="replaceable"><code>label</code></em>
}
[<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-destroy</strong></span> destroys keys stored in a
PKCS#11 device, identified by their <code class="option">ID</code> or
<code class="option">label</code>.
</p>
<p>
Matching keys are displayed before being destroyed. By default,
there is a five second delay to allow the user to interrupt the
process before the destruction takes place.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
<dd>
<p>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
<dd>
<p>
Open the session with the given PKCS#11 slot. The default is
slot 0.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
<dd>
<p>
Destroy keys with the given object ID.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
Destroy keys with the given label.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
<dd>
<p>
Specify the PIN for the device. If no PIN is provided on the
command line, <span class="command"><strong>pkcs11-destroy</strong></span> will prompt for it.
</p>
</dd>
<dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt>
<dd>
<p>
Specify how long to pause before carrying out key destruction.
The default is five seconds. If set to <code class="literal">0</code>,
destruction will be immediate.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">pkcs11-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-list</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-tokens</span>(8)
</span>
</p>
</div>
</div></body>
</html>

71
bin/pkcs11/pkcs11-destroy.rst Normal file
View file

@ -0,0 +1,71 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-destroy:
pkcs11-destroy - destroy PKCS#11 objects
Synopsis
~~~~~~~~
:program:`pkcs11-destroy` [**-m** module] [**-s** slot] [**-i** ID] [**-l** label] [**-p** PIN] [**-w** seconds]
Description
~~~~~~~~~~~
``pkcs11-destroy`` destroys keys stored in a PKCS#11 device, identified
by their ``ID`` or ``label``.
Matching keys are displayed before being destroyed. By default, there is
a five second delay to allow the user to interrupt the process before
the destruction takes place.
Arguments
~~~~~~~~~
**-m** module
Specify the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
**-s** slot
Open the session with the given PKCS#11 slot. The default is slot 0.
**-i** ID
Destroy keys with the given object ID.
**-l** label
Destroy keys with the given label.
**-p** PIN
Specify the PIN for the device. If no PIN is provided on the command
line, ``pkcs11-destroy`` will prompt for it.
**-w** seconds
Specify how long to pause before carrying out key destruction. The
default is five seconds. If set to ``0``, destruction will be
immediate.
See Also
~~~~~~~~
:manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`

120
bin/pkcs11/pkcs11-keygen.8
View file

@ -1,120 +0,0 @@
.\" Copyright (C) 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: pkcs11-keygen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-15
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "PKCS11\-KEYGEN" "8" "2014\-01\-15" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pkcs11-keygen \- generate keys on a PKCS#11 device
.SH "SYNOPSIS"
.HP \w'\fBpkcs11\-keygen\fR\ 'u
\fBpkcs11\-keygen\fR {\-a\ \fIalgorithm\fR} [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-e\fR] [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-P\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-q\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {label}
.SH "DESCRIPTION"
.PP
\fBpkcs11\-keygen\fR
causes a PKCS#11 device to generate a new key pair with the given
\fBlabel\fR
(which must be unique) and with
\fBkeysize\fR
bits of prime\&.
.SH "ARGUMENTS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify the key algorithm class: Supported classes are RSA, DSA, DH, ECC and ECX\&. In addition to these strings, the
\fBalgorithm\fR
can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to ECC, and ED25519 to ECX\&. The default class is "RSA"\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Create the key pair with
\fBkeysize\fR
bits of prime\&. For ECC keys, the only valid values are 256 and 384, and the default is 256\&. For ECX kyes, the only valid values are 256 and 456, and the default is 256\&.
.RE
.PP
\-e
.RS 4
For RSA keys only, use a large exponent\&.
.RE
.PP
\-i \fIid\fR
.RS 4
Create key objects with id\&. The id is either an unsigned short 2 byte or an unsigned long 4 byte number\&.
.RE
.PP
\-m \fImodule\fR
.RS 4
Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
.RE
.PP
\-P
.RS 4
Set the new private key to be non\-sensitive and extractable\&. The allows the private key data to be read from the PKCS#11 device\&. The default is for private keys to be sensitive and non\-extractable\&.
.RE
.PP
\-p \fIPIN\fR
.RS 4
Specify the PIN for the device\&. If no PIN is provided on the command line,
\fBpkcs11\-keygen\fR
will prompt for it\&.
.RE
.PP
\-q
.RS 4
Quiet mode: suppress unnecessary output\&.
.RE
.PP
\-S
.RS 4
For Diffie\-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2\&. If not specified, bit size will default to 1024\&.
.RE
.PP
\-s \fIslot\fR
.RS 4
Open the session with the given PKCS#11 slot\&. The default is slot 0\&.
.RE
.SH "SEE ALSO"
.PP
\fBpkcs11-destroy\fR(8),
\fBpkcs11-list\fR(8),
\fBpkcs11-tokens\fR(8),
\fBdnssec-keyfromlabel\fR(8)
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

206
bin/pkcs11/pkcs11-keygen.docbook
View file

@ -1,206 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>pkcs11-keygen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>pkcs11-keygen</application></refname>
<refpurpose>generate keys on a PKCS#11 device</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>pkcs11-keygen</command>
<arg choice="req" rep="norepeat">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-e</option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">id</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-S</option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<arg choice="req" rep="norepeat">label</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-keygen</command> causes a PKCS#11 device to generate
a new key pair with the given <option>label</option> (which must be
unique) and with <option>keysize</option> bits of prime.
</para>
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specify the key algorithm class: Supported classes are RSA,
DSA, DH, ECC and ECX. In addition to these strings, the
<option>algorithm</option> can be specified as a DNSSEC
signing algorithm that will be used with this key; for
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
to ECC, and ED25519 to ECX. The default class is "RSA".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Create the key pair with <option>keysize</option> bits of
prime. For ECC keys, the only valid values are 256 and 384,
and the default is 256. For ECX kyes, the only valid values
are 256 and 456, and the default is 256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem>
<para>
For RSA keys only, use a large exponent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">id</replaceable></term>
<listitem>
<para>
Create key objects with id. The id is either
an unsigned short 2 byte or an unsigned long 4 byte number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
<listitem>
<para>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P</term>
<listitem>
<para>
Set the new private key to be non-sensitive and extractable.
The allows the private key data to be read from the PKCS#11
device. The default is for private keys to be sensitive and
non-extractable.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">PIN</replaceable></term>
<listitem>
<para>
Specify the PIN for the device. If no PIN is provided on
the command line, <command>pkcs11-keygen</command> will
prompt for it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: suppress unnecessary output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S</term>
<listitem>
<para>
For Diffie-Hellman (DH) keys only, use a special prime of
768, 1024 or 1536 bit size and base (aka generator) 2.
If not specified, bit size will default to 1024.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">slot</replaceable></term>
<listitem>
<para>
Open the session with the given PKCS#11 slot. The default is
slot 0.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsection>
</refentry>

166
bin/pkcs11/pkcs11-keygen.html
View file

@ -1,166 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>pkcs11-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">pkcs11-keygen</span>
&#8212; generate keys on a PKCS#11 device
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">pkcs11-keygen</code>
{-a <em class="replaceable"><code>algorithm</code></em>}
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-e</code>]
[<code class="option">-i <em class="replaceable"><code>id</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
[<code class="option">-P</code>]
[<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
{label}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
a new key pair with the given <code class="option">label</code> (which must be
unique) and with <code class="option">keysize</code> bits of prime.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify the key algorithm class: Supported classes are RSA,
DSA, DH, ECC and ECX. In addition to these strings, the
<code class="option">algorithm</code> can be specified as a DNSSEC
signing algorithm that will be used with this key; for
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
to ECC, and ED25519 to ECX. The default class is "RSA".
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Create the key pair with <code class="option">keysize</code> bits of
prime. For ECC keys, the only valid values are 256 and 384,
and the default is 256. For ECX kyes, the only valid values
are 256 and 456, and the default is 256.
</p>
</dd>
<dt><span class="term">-e</span></dt>
<dd>
<p>
For RSA keys only, use a large exponent.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
<dd>
<p>
Create key objects with id. The id is either
an unsigned short 2 byte or an unsigned long 4 byte number.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
<dd>
<p>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</p>
</dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
Set the new private key to be non-sensitive and extractable.
The allows the private key data to be read from the PKCS#11
device. The default is for private keys to be sensitive and
non-extractable.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
<dd>
<p>
Specify the PIN for the device. If no PIN is provided on
the command line, <span class="command"><strong>pkcs11-keygen</strong></span> will
prompt for it.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: suppress unnecessary output.
</p>
</dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
For Diffie-Hellman (DH) keys only, use a special prime of
768, 1024 or 1536 bit size and base (aka generator) 2.
If not specified, bit size will default to 1024.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
<dd>
<p>
Open the session with the given PKCS#11 slot. The default is
slot 0.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">pkcs11-destroy</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-list</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-tokens</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-keyfromlabel</span>(8)
</span>
</p>
</div>
</div></body>
</html>

90
bin/pkcs11/pkcs11-keygen.rst Normal file
View file

@ -0,0 +1,90 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-keygen:
pkcs11-keygen - generate keys on a PKCS#11 device
-------------------------------------------------
Synopsis
~~~~~~~~
:program:`pkcs11-keygen` [**-a** algorithm] [**-b** keysize] [**-e**] [**-i** id] [**-m** module] [**-P**] [**-p** PIN] [**-q**] [**-S**] [**-s** slot] label
Description
~~~~~~~~~~~
``pkcs11-keygen`` causes a PKCS#11 device to generate a new key pair
with the given ``label`` (which must be unique) and with ``keysize``
bits of prime.
Arguments
~~~~~~~~~
**-a** algorithm
Specify the key algorithm class: Supported classes are RSA, DSA, DH,
ECC and ECX. In addition to these strings, the ``algorithm`` can be
specified as a DNSSEC signing algorithm that will be used with this
key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
ECC, and ED25519 to ECX. The default class is "RSA".
**-b** keysize
Create the key pair with ``keysize`` bits of prime. For ECC keys, the
only valid values are 256 and 384, and the default is 256. For ECX
keys, the only valid values are 256 and 456, and the default is 256.
**-e**
For RSA keys only, use a large exponent.
**-i** id
Create key objects with id. The id is either an unsigned short 2 byte
or an unsigned long 4 byte number.
**-m** module
Specify the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
**-P**
Set the new private key to be non-sensitive and extractable. The
allows the private key data to be read from the PKCS#11 device. The
default is for private keys to be sensitive and non-extractable.
**-p** PIN
Specify the PIN for the device. If no PIN is provided on the command
line, ``pkcs11-keygen`` will prompt for it.
**-q**
Quiet mode: suppress unnecessary output.
**-S**
For Diffie-Hellman (DH) keys only, use a special prime of 768, 1024
or 1536 bit size and base (aka generator) 2. If not specified, bit
size will default to 1024.
**-s** slot
Open the session with the given PKCS#11 slot. The default is slot 0.
See Also
~~~~~~~~
:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`, :manpage:`dnssec-keyfromlabel(8)`

98
bin/pkcs11/pkcs11-list.8
View file

@ -1,98 +0,0 @@
.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: pkcs11-list
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2009-10-05
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "PKCS11\-LIST" "8" "2009\-10\-05" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pkcs11-list \- list PKCS#11 objects
.SH "SYNOPSIS"
.HP \w'\fBpkcs11\-list\fR\ 'u
\fBpkcs11\-list\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\-i\ \fIID\fR] [\-l\ \fIlabel\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
.SH "DESCRIPTION"
.PP
\fBpkcs11\-list\fR
lists the PKCS#11 objects with
\fBID\fR
or
\fBlabel\fR
or by default all objects\&. The object class, label, and ID are displayed for all keys\&. For private or secret keys, the extractability attribute is also displayed, as either
true,
false, or
never\&.
.SH "ARGUMENTS"
.PP
\-P
.RS 4
List only the public objects\&. (Note that on some PKCS#11 devices, all objects are private\&.)
.RE
.PP
\-m \fImodule\fR
.RS 4
Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
.RE
.PP
\-s \fIslot\fR
.RS 4
Open the session with the given PKCS#11 slot\&. The default is slot 0\&.
.RE
.PP
\-i \fIID\fR
.RS 4
List only key objects with the given object ID\&.
.RE
.PP
\-l \fIlabel\fR
.RS 4
List only key objects with the given label\&.
.RE
.PP
\-p \fIPIN\fR
.RS 4
Specify the PIN for the device\&. If no PIN is provided on the command line,
\fBpkcs11\-list\fR
will prompt for it\&.
.RE
.SH "SEE ALSO"
.PP
\fBpkcs11-destroy\fR(8),
\fBpkcs11-keygen\fR(8),
\fBpkcs11-tokens\fR(8)
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

150
bin/pkcs11/pkcs11-list.docbook
View file

@ -1,150 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-list">
<info>
<date>2009-10-05</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>pkcs11-list</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>pkcs11-list</application></refname>
<refpurpose>list PKCS#11 objects</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>pkcs11-list</command>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
<arg choice="opt" rep="norepeat">-i <replaceable class="parameter">ID</replaceable></arg>
<arg choice="opt" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-list</command>
lists the PKCS#11 objects with <option>ID</option> or
<option>label</option> or by default all objects.
The object class, label, and ID are displayed for all
keys. For private or secret keys, the extractability
attribute is also displayed, as either <literal>true</literal>,
<literal>false</literal>, or <literal>never</literal>.
</para>
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-P</term>
<listitem>
<para>
List only the public objects. (Note that on some PKCS#11
devices, all objects are private.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
<listitem>
<para>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">slot</replaceable></term>
<listitem>
<para>
Open the session with the given PKCS#11 slot. The default is
slot 0.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">ID</replaceable></term>
<listitem>
<para>
List only key objects with the given object ID.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
List only key objects with the given label.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">PIN</replaceable></term>
<listitem>
<para>
Specify the PIN for the device. If no PIN is provided on the
command line, <command>pkcs11-list</command> will prompt for it.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-tokens</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsection>
</refentry>

124
bin/pkcs11/pkcs11-list.html
View file

@ -1,124 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>pkcs11-list</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.pkcs11-list"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">pkcs11-list</span>
&#8212; list PKCS#11 objects
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">pkcs11-list</code>
[<code class="option">-P</code>]
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
[-i <em class="replaceable"><code>ID</code></em>]
[-l <em class="replaceable"><code>label</code></em>]
[<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-list</strong></span>
lists the PKCS#11 objects with <code class="option">ID</code> or
<code class="option">label</code> or by default all objects.
The object class, label, and ID are displayed for all
keys. For private or secret keys, the extractability
attribute is also displayed, as either <code class="literal">true</code>,
<code class="literal">false</code>, or <code class="literal">never</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P</span></dt>
<dd>
<p>
List only the public objects. (Note that on some PKCS#11
devices, all objects are private.)
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
<dd>
<p>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
<dd>
<p>
Open the session with the given PKCS#11 slot. The default is
slot 0.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
<dd>
<p>
List only key objects with the given object ID.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
List only key objects with the given label.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
<dd>
<p>
Specify the PIN for the device. If no PIN is provided on the
command line, <span class="command"><strong>pkcs11-list</strong></span> will prompt for it.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">pkcs11-destroy</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-tokens</span>(8)
</span>
</p>
</div>
</div></body>
</html>

66
bin/pkcs11/pkcs11-list.rst Normal file
View file

@ -0,0 +1,66 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-list:
pkcs11-list - list PKCS#11 objects
----------------------------------
:program:`pkcs11-list` [**-P**] [**-m** module] [**-s** slot] [**-i** ID **] [-l** label] [**-p** PIN]
Description
~~~~~~~~~~~
``pkcs11-list`` lists the PKCS#11 objects with ``ID`` or ``label`` or by
default all objects. The object class, label, and ID are displayed for
all keys. For private or secret keys, the extractability attribute is
also displayed, as either ``true``, ``false``, or ``never``.
Arguments
~~~~~~~~~
**-P**
List only the public objects. (Note that on some PKCS#11 devices, all
objects are private.)
**-m** module
Specify the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
**-s** slot
Open the session with the given PKCS#11 slot. The default is slot 0.
**-i** ID
List only key objects with the given object ID.
**-l** label
List only key objects with the given label.
**-p** PIN
Specify the PIN for the device. If no PIN is provided on the command
line, ``pkcs11-list`` will prompt for it.
See Also
~~~~~~~~
:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-tokens(8)`

69
bin/pkcs11/pkcs11-tokens.8
View file

@ -1,69 +0,0 @@
.\" Copyright (C) 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: pkcs11-tokens
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-15
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "PKCS11\-TOKENS" "8" "2014\-01\-15" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pkcs11-tokens \- list PKCS#11 available tokens
.SH "SYNOPSIS"
.HP \w'\fBpkcs11\-tokens\fR\ 'u
\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-v\fR]
.SH "DESCRIPTION"
.PP
\fBpkcs11\-tokens\fR
lists the PKCS#11 available tokens with defaults from the slot/token scan performed at application initialization\&.
.SH "ARGUMENTS"
.PP
\-m \fImodule\fR
.RS 4
Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
.RE
.PP
\-v
.RS 4
Make the PKCS#11 libisc initialization verbose\&.
.RE
.SH "SEE ALSO"
.PP
\fBpkcs11-destroy\fR(8),
\fBpkcs11-keygen\fR(8),
\fBpkcs11-list\fR(8)
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

102
bin/pkcs11/pkcs11-tokens.docbook
View file

@ -1,102 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-tokens">
<info>
<date>2014-01-15</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>pkcs11-tokens</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>pkcs11-tokens</application></refname>
<refpurpose>list PKCS#11 available tokens</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>pkcs11-tokens</command>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>pkcs11-tokens</command>
lists the PKCS#11 available tokens with defaults from the slot/token
scan performed at application initialization.
</para>
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
<variablelist>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
<listitem>
<para>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Make the PKCS#11 libisc initialization verbose.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-list</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsection>
</refentry>

89
bin/pkcs11/pkcs11-tokens.html
View file

@ -1,89 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>pkcs11-tokens</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.pkcs11-tokens"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">pkcs11-tokens</span>
&#8212; list PKCS#11 available tokens
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">pkcs11-tokens</code>
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
[<code class="option">-v</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-tokens</strong></span>
lists the PKCS#11 available tokens with defaults from the slot/token
scan performed at application initialization.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
<dd>
<p>
Specify the PKCS#11 provider module. This must be the full
path to a shared library object implementing the PKCS#11 API
for the device.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Make the PKCS#11 libisc initialization verbose.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">pkcs11-destroy</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">pkcs11-list</span>(8)
</span>
</p>
</div>
</div></body>
</html>

53
bin/pkcs11/pkcs11-tokens.rst Normal file
View file

@ -0,0 +1,53 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-tokens:
pkcs11-tokens - list PKCS#11 available tokens
---------------------------------------------
Synopsis
~~~~~~~~
:program:`pkcs11-tokens` [**-m** module] [**-v**]
Description
~~~~~~~~~~~
``pkcs11-tokens`` lists the PKCS#11 available tokens with defaults from
the slot/token scan performed at application initialization.
Arguments
~~~~~~~~~
**-m** module
Specify the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
**-v**
Make the PKCS#11 libisc initialization verbose.
See Also
~~~~~~~~
:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`

Some files were not shown because too many files have changed in this diff Show more