dig [global-queryopt...] [query...]
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -80,7 +80,7 @@
The -b option sets the source IP address of the query
to address. This must be a valid
@@ -230,7 +230,7 @@
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -392,8 +392,25 @@
+[no]commentsToggle the display of comment lines in the output. The default - is to - print comments. + is to print comments. +
+[no]rrcomments+ Toggle the display of per-record comments in the output (for + example, human-readable key information about DNSKEY records). + The default is not to print record comments unless multiline + mode is active. +
+split=W
+ Split long hex- or base64-formatted fields in resource
+ records into chunks of W characters
+ (where W is rounded up to the nearest
+ multiple of 4).
+ +nosplit or
+ +split=0 causes fields not to be
+ split at all. The default is 56 characters, or 44 characters
+ when multiline mode is active.
+[no]stats@@ -561,7 +578,7 @@
The BIND 9 implementation of dig supports @@ -607,7 +624,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -621,14 +638,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
host(1), named(8), dnssec-keygen(8), @@ -636,7 +653,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
There are probably too many query options.
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 index 9126fe7521..7bfa354def 100644 --- a/bin/dnssec/dnssec-signzone.8 +++ b/bin/dnssec/dnssec-signzone.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and/or distribute this software for any @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.60 2011/03/05 01:14:21 tbox Exp $ +.\" $Id: dnssec-signzone.8,v 1.61 2011/03/06 01:14:20 tbox Exp $ .\" .hy 0 .ad l @@ -33,7 +33,7 @@ dnssec\-signzone \- DNSSEC zone signing tool .SH "SYNOPSIS" .HP 16 -\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...] +\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...] .SH "DESCRIPTION" .PP \fBdnssec\-signzone\fR @@ -72,6 +72,15 @@ files in \fBdirectory\fR. .RE .PP +\-D +.RS 4 +Output only those record types automatically managed by +\fBdnssec\-signzone\fR, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with +\fB$INCLUDE\fR. This option cannot be combined with +\fB\-O raw\fR +or serial number updating. +.RE +.PP \-E \fIengine\fR .RS 4 Uses a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine. @@ -393,7 +402,7 @@ RFC 4033. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2009, 2011 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2003 Internet Software Consortium. .br diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index 30b0bda832..1d60acf3f8 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -1,5 +1,5 @@ - + @@ -29,10 +29,10 @@dnssec-signzone [-a] [-c ] [class-d ] [directory-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-l ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-p] [-P] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]
dnssec-signzone [-a] [-c ] [class-d ] [directory-D] [-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-l ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-p] [-P] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -43,7 +43,7 @@
@@ -67,6 +67,17 @@
Look for dsset- or
keyset- files in directory.
+ Output only those record types automatically managed by
+ dnssec-signzone, i.e. RRSIG, NSEC,
+ NSEC3 and NSEC3PARAM records. If smart signing
+ (-S) is used, DNSKEY records are also
+ included. The resulting file can be included in the original
+ zone file with $INCLUDE. This option
+ cannot be combined with -O raw or serial
+ number updating.
+
engineUses a crypto hardware (OpenSSL engine) for the crypto operations @@ -401,7 +412,7 @@
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -431,14 +442,14 @@ db.example.com.signed
%
arpaname {ipaddress ...}
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen [-a ] [algorithm-h] [-k ] [keyname-r ] [ -s randomfilename | -z zone ] [-q] [name]
ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -77,7 +77,7 @@
dig [global-queryopt...] [query...]
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@
The -b option sets the source IP address of the query
to address. This must be a valid
@@ -248,7 +248,7 @@
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -410,8 +410,25 @@
+[no]commentsToggle the display of comment lines in the output. The default - is to - print comments. + is to print comments. +
+[no]rrcomments+ Toggle the display of per-record comments in the output (for + example, human-readable key information about DNSKEY records). + The default is not to print record comments unless multiline + mode is active. +
+split=W
+ Split long hex- or base64-formatted fields in resource
+ records into chunks of W characters
+ (where W is rounded up to the nearest
+ multiple of 4).
+ +nosplit or
+ +split=0 causes fields not to be
+ split at all. The default is 56 characters, or 44 characters
+ when multiline mode is active.
+[no]stats@@ -579,7 +596,7 @@
The BIND 9 implementation of dig supports @@ -625,7 +642,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -639,14 +656,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
host(1), named(8), dnssec-keygen(8), @@ -654,7 +671,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index e2a3c779be..0d36558d31 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@dnssec-dsfromkey {-s} [-1] [-2] [-a ] [alg-K ] [directory-l ] [domain-s] [-c ] [class-f ] [file-A] [-v ] {dnsname}level
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -164,7 +164,7 @@
dnssec-keyfromlabel {-l label} [-3] [-a ] [algorithm-A ] [date/offset-c ] [class-D ] [date/offset-E ] [engine-f ] [flag-G] [-I ] [date/offset-k] [-K ] [directory-n ] [nametype-P ] [date/offset-p ] [protocol-R ] [date/offset-t ] [type-v ] [level-y] {name}
dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -63,7 +63,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -229,7 +229,7 @@
When dnssec-keyfromlabel completes successfully, @@ -268,7 +268,7 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -276,7 +276,7 @@
dnssec-keygen [-a ] [algorithm-b ] [keysize-n ] [nametype-3] [-A ] [date/offset-C] [-c ] [class-D ] [date/offset-E ] [engine-e] [-f ] [flag-G] [-g ] [generator-h] [-I ] [date/offset-i ] [interval-K ] [directory-k] [-P ] [date/offset-p ] [protocol-q] [-R ] [date/offset-r ] [randomdev-S ] [key-s ] [strength-t ] [type-v ] [level-z] {name}
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -337,7 +337,7 @@
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -404,7 +404,7 @@
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -413,7 +413,7 @@
dnssec-revoke [-hr] [-v ] [level-K ] [directory-E ] [engine-f] {keyfile}
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime [-f] [-K ] [directory-P ] [date/offset-A ] [date/offset-R ] [date/offset-I ] [date/offset-D ] [date/offset-h] [-v ] [level-E ] {keyfile}engine
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the -P, -A,
@@ -75,7 +75,7 @@
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -185,7 +185,7 @@
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -211,7 +211,7 @@
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -219,7 +219,7 @@
dnssec-signzone [-a] [-c ] [class-d ] [directory-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-l ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-p] [-P] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]
dnssec-signzone [-a] [-c ] [class-d ] [directory-D] [-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-l ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-p] [-P] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
@@ -85,6 +85,17 @@
Look for dsset- or
keyset- files in directory.
+ Output only those record types automatically managed by
+ dnssec-signzone, i.e. RRSIG, NSEC,
+ NSEC3 and NSEC3PARAM records. If smart signing
+ (-S) is used, DNSKEY records are also
+ included. The resulting file can be included in the original
+ zone file with $INCLUDE. This option
+ cannot be combined with -O raw or serial
+ number updating.
+
engineUses a crypto hardware (OpenSSL engine) for the crypto operations @@ -419,7 +430,7 @@
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -449,14 +460,14 @@ db.example.com.signed
%
genrandom [-n ] {numbersize} {filename}
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
host [-aCdlnrsTwv] [-c ] [class-N ] [ndots-R ] [number-t ] [type-W ] [wait-m ] [flag-4] [-6] {name} [server]
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 85623016a1..14095a7239 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@isc-hmac-fixup {algorithm} {secret}
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf [-h] [-v] [-j] [-t ] {filename} [directory-p] [-z]
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone [-d] [-j] [-q] [-v] [-c ] [class-C ] [mode-f ] [format-F ] [format-i ] [mode-k ] [mode-m ] [mode-n ] [mode-r ] [mode-s ] [style-t ] [directory-w ] [directory-D] [-W ] {mode-o } {zonename} {filename}filename
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint {journal}
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named [-4] [-6] [-c ] [config-file-d ] [debug-level-E ] [engine-name-f] [-g] [-m ] [flag-n ] [#cpus-p ] [port-s] [-S ] [#max-socks-t ] [directory-u ] [user-v] [-V] [-x ]cache-file
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -267,7 +267,7 @@
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -284,7 +284,7 @@
nsec3hash {salt} {algorithm} {iterations} {domain}
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y ] | [[hmac:]keyname:secret-k ]] [keyfile-t ] [timeout-u ] [udptimeout-r ] [udpretries-R ] [randomdev-v] [filename]
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -210,7 +210,7 @@
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index a34bc5d652..00f020f344 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -50,7 +50,7 @@rndc-confgen [-a] [-b ] [keysize-c ] [keyfile-h] [-k ] [keyname-p ] [port-r ] [randomfile-s ] [address-t ] [chrootdir-u ]user
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
rndc [-b ] [source-address-c ] [config-file-k ] [key-file-s ] [server-p ] [port-V] [-y ] {command}key_id