upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-14 01:39:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

regen v9_10

Browse source
This commit is contained in:
Tinderbox User 2015-10-22 05:56:10 +00:00
parent b724be8882
commit caa957c067
33 changed files with 117 additions and 117 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
bin/check/named-checkzone.html
View file

@ -212,7 +212,7 @@
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
are semantically equal in plain DNS.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.

2
bin/confgen/ddns-confgen.html
View file

@ -60,7 +60,7 @@
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with
<span class="command"><strong>update-policy local;</strong></span>.
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance,
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system.

4
bin/dig/dig.html
View file

@ -74,7 +74,7 @@
<p>
The IN and CH class names overlap with the IN and CH top level
domain names. Either use the <code class="option">-t</code> and
<code class="option">-c</code> options to specify the type and class,
<code class="option">-c</code> options to specify the type and class,
use the <code class="option">-q</code> the specify the domain name, or
use "IN." and "CH." when looking up these top level domains.
</p>
@ -737,7 +737,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
The IDN support is disabled if the variable is set when
<span class="command"><strong>dig</strong></span> runs.
</p>
</div>

4
bin/dig/host.html
View file

@ -170,7 +170,7 @@
value for an integer quantity.
</p>
<p>
The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span>
The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span>
<span class="emphasis"><em>not</em></span> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behavior.
@ -190,7 +190,7 @@
<a name="id-1.8"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.

2
bin/dnssec/dnssec-dsfromkey.html
View file

@ -94,7 +94,7 @@
<dd><p>
Include ZSK's when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
records and printed. Useful only in zone file mode.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>

4
bin/dnssec/dnssec-keyfromlabel.html
View file

@ -281,7 +281,7 @@
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
@ -313,7 +313,7 @@
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and

4
bin/dnssec/dnssec-keygen.html
View file

@ -328,7 +328,7 @@
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
@ -361,7 +361,7 @@
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and

6
bin/dnssec/dnssec-settime.html
View file

@ -65,8 +65,8 @@
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
@ -178,7 +178,7 @@
</p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>

6
bin/dnssec/dnssec-signzone.html
View file

@ -74,7 +74,7 @@
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
@ -325,7 +325,7 @@
<p>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code>
@ -388,7 +388,7 @@
<dd><p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>

4
bin/named/lwresd.html
View file

@ -39,7 +39,7 @@
server that answers queries using the BIND 9 lightweight
resolver protocol rather than the DNS protocol.
</p>
<p><span class="command"><strong>lwresd</strong></span>
<p><span class="command"><strong>lwresd</strong></span>
listens for resolver queries on a
UDP port on the IPv4 loopback interface, 127.0.0.1. This
means that <span class="command"><strong>lwresd</strong></span> can only be used by
@ -123,7 +123,7 @@
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd>

4
bin/named/named.conf.5
View file

@ -131,7 +131,7 @@ server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen
.\}
.nf
trusted\-keys {
\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
};
.fi
.if n \{\
@ -144,7 +144,7 @@ trusted\-keys {
.\}
.nf
managed\-keys {
\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; \&.\&.\&.
};
.fi
.if n \{\

4
bin/named/named.conf.html
View file

@ -99,7 +99,7 @@ server
<a name="id-1.12"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
};<br>
</p></div>
</div>
@ -107,7 +107,7 @@ trusted-keys
<a name="id-1.13"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
managed-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
};<br>
</p></div>
</div>

2
bin/python/dnssec-checkds.html
View file

@ -49,7 +49,7 @@
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Check for a DLV record in the specified lookaside domain,
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com"
in ISC's DLV zone, use:

8
bin/rndc/rndc.html
View file

@ -186,7 +186,7 @@
Delete a zone while the server is running.
Only zones that were originally added via
<span class="command"><strong>rndc addzone</strong></span> can be deleted
in this manner.
in this manner.
</p>
<p>
If the <code class="option">-clean</code> is specified,
@ -377,7 +377,7 @@
<dd>
<p>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
from the key directory (see the
<span class="command"><strong>key-directory</strong></span> option in
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
@ -407,7 +407,7 @@
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
<span class="command"><strong>sig-signing-type</strong></span>.
<span class="command"><strong>sig-signing-type</strong></span>.
<span class="command"><strong>rndc signing -list</strong></span> converts
these records into a human-readable form,
indicating which keys are currently signing
@ -433,7 +433,7 @@
flags, iterations, and salt, in that order.
</p>
<p>
Currently, the only defined value for hash algorithm
Currently, the only defined value for hash algorithm
is <code class="literal">1</code>, representing SHA-1.
The <code class="option">flags</code> may be set to
<code class="literal">0</code> or <code class="literal">1</code>,

4
bin/tools/named-journalprint.html
View file

@ -34,10 +34,10 @@
<p>
<span class="command"><strong>named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
form.
form.
</p>
<p>
Journal files are automatically created by <span class="command"><strong>named</strong></span>
Journal files are automatically created by <span class="command"><strong>named</strong></span>
when changes are made to dynamic zones (e.g., by
<span class="command"><strong>nsupdate</strong></span>). They record each addition
or deletion of a resource record, in binary format, allowing the

112
doc/arm/Bv9ARM.ch04.html
View file

@ -574,7 +574,7 @@ nameserver 172.16.72.4
<p>
TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
command; the output of the command is a <span class="command"><strong>key</strong></span> directive
suitable for inclusion in <code class="filename">named.conf</code>. The
suitable for inclusion in <code class="filename">named.conf</code>. The
key name, algorithm and size can be specified by command line parameters;
the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
</p>
@ -656,7 +656,7 @@ key "host1-host2." {
signed using the specified key. Keys may also be specified
in the <span class="command"><strong>also-notify</strong></span> statement of a master
or slave zone, causing NOTIFY messages to be signed using
the specified key.
the specified key.
</p>
<p>
Keys can also be specified in a <span class="command"><strong>server</strong></span>
@ -765,7 +765,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<p>
The TKEY process is initiated by a client or server by sending
a query of type TKEY to a TKEY-aware server. The query must include
an appropriate KEY record in the additional section, and
an appropriate KEY record in the additional section, and
must be signed using either TSIG or SIG(0) with a previously
established key. The server's response, if successful, will
contain a TKEY record in its answer section. After this transaction,
@ -1107,15 +1107,15 @@ options {
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
ways: using a dynamic DNS update, or the
<span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
<p>For either method, you need to configure
<span class="command"><strong>named</strong></span> so that it can see the
<p>For either method, you need to configure
<span class="command"><strong>named</strong></span> so that it can see the
<code class="filename">K*</code> files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by
will have been generated by
<span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
in the key-directory, as specified in
in the key-directory, as specified in
<code class="filename">named.conf</code>:</p>
<pre class="programlisting">
zone example.net {
@ -1141,7 +1141,7 @@ options {
&gt; send
</pre>
<p>While the update request will complete almost immediately,
the zone will not be completely signed until
the zone will not be completely signed until
<span class="command"><strong>named</strong></span> has had time to walk the zone and
generate the NSEC and RRSIG records. The NSEC record at the apex
will be added last, to signal that there is a complete NSEC
@ -1159,7 +1159,7 @@ options {
&gt; send
</pre>
<p>Again, this update request will complete almost
immediately; however, the record won't show up until
immediately; however, the record won't show up until
<span class="command"><strong>named</strong></span> has had a chance to build/remove the
relevant chain. A private type record will be created to record
the state of the operation (see below for more details), and will
@ -1168,17 +1168,17 @@ options {
is happening, other updates are possible as well.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div>
<p>To enable automatic signing, add the
<span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
<code class="filename">named.conf</code>.
<span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
<code class="constant">allow</code> or
<p>To enable automatic signing, add the
<span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
<code class="filename">named.conf</code>.
<span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
<code class="constant">allow</code> or
<code class="constant">maintain</code>.</p>
<p>With
<span class="command"><strong>auto-dnssec allow</strong></span>,
<p>With
<span class="command"><strong>auto-dnssec allow</strong></span>,
<span class="command"><strong>named</strong></span> can search the key directory for keys
matching the zone, insert them into the zone, and use them to
sign the zone. It will do so only when it receives an
sign the zone. It will do so only when it receives an
<span class="command"><strong>rndc sign &lt;zonename&gt;</strong></span>.</p>
<p>
@ -1186,7 +1186,7 @@ options {
functionality, but will also automatically adjust the zone's
DNSKEY records on schedule according to the keys' timing metadata.
(See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
<a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
</p>
<p>
<span class="command"><strong>named</strong></span> will periodically search the key directory
@ -1200,7 +1200,7 @@ options {
</p>
<p>
If keys are present in the key directory the first time the zone
is loaded, the zone will be signed immediately, without waiting for an
is loaded, the zone will be signed immediately, without waiting for an
<span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
command. (Those commands can still be used when there are unscheduled
key changes, however.)
@ -1222,10 +1222,10 @@ options {
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone.
</p>
<p>Using the
<p>Using the
<span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
configured to allow dynamic updates, by adding an
<span class="command"><strong>allow-update</strong></span> or
configured to allow dynamic updates, by adding an
<span class="command"><strong>allow-update</strong></span> or
<span class="command"><strong>update-policy</strong></span> statement to the zone
configuration. If this has not been done, the configuration will
fail.</p>
@ -1273,14 +1273,14 @@ options {
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div>
<p>As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
keys can be done in two ways: using a dynamic DNS update, or the
<span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div>
<p> To perform key rollovers via dynamic update, you need to add
the <code class="filename">K*</code> files for the new keys so that
the <code class="filename">K*</code> files for the new keys so that
<span class="command"><strong>named</strong></span> can find them. You can then add the new
DNSKEY RRs via dynamic update.
DNSKEY RRs via dynamic update.
<span class="command"><strong>named</strong></span> will then cause the zone to be signed
with the new keys. When the signing is complete the private type
records will be updated so that the last octet is non
@ -1294,14 +1294,14 @@ options {
be able to verify at least one signature when you remove the old
DNSKEY.</p>
<p>The old DNSKEY can be removed via UPDATE. Take care to
specify the correct key.
specify the correct key.
<span class="command"><strong>named</strong></span> will clean out any signatures generated
by the old key after the update completes.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div>
<p>When a new key reaches its activation date (as set by
<span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
<code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
automatically carry out the key rollover. If the key's algorithm
has not previously been used to sign the zone, then the zone will
@ -1339,9 +1339,9 @@ options {
<span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
and associated NSEC3PARAM records will be removed automatically.
This will take place after the update request completes.</p>
<p> This requires the
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
<strong class="userinput"><code>yes</code></strong> in
<p> This requires the
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
<strong class="userinput"><code>yes</code></strong> in
<code class="filename">named.conf</code>.</p>
<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
zone statement is used, it should be removed or changed to
@ -1359,9 +1359,9 @@ options {
<p>
<span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
state.
state.
<span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
records in the chain have mixed OPTOUT state.
records in the chain have mixed OPTOUT state.
<span class="command"><strong>named</strong></span> does not support changing the OPTOUT
state of an individual NSEC3 record, the entire chain needs to be
changed if the OPTOUT state of an individual NSEC3 needs to be
@ -1371,7 +1371,7 @@ options {
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
anchor management. Using this feature allows
anchor management. Using this feature allows
<span class="command"><strong>named</strong></span> to keep track of changes to critical
DNSSEC keys without any need for the operator to make changes to
configuration files.</p>
@ -1379,9 +1379,9 @@ options {
<div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>managed-keys</strong></span> statement. Information about
this can be found in
this can be found in
<a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage&#8221;</a>.</p>
</div>
@ -1403,21 +1403,21 @@ options {
timer has completed, the active KSK can be revoked, and the
zone can be "rolled over" to the newly accepted key.</p>
<p>The easiest way to place a stand-by key in a zone is to
use the "smart signing" features of
<span class="command"><strong>dnssec-keygen</strong></span> and
use the "smart signing" features of
<span class="command"><strong>dnssec-keygen</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication
date in the past, but an activation date which is unset or in
the future, "
the future, "
<span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY
record in the zone, but will not sign with it:</p>
<pre class="screen">
$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
</pre>
<p>To revoke a key, the new command
<p>To revoke a key, the new command
<span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the
REVOKED bit to the key flags and re-generates the
<code class="filename">K*.key</code> and
REVOKED bit to the key flags and re-generates the
<code class="filename">K*.key</code> and
<code class="filename">K*.private</code> files.</p>
<p>After revoking the active key, the zone must be signed
with both the revoked KSK and the new active KSK. (Smart
@ -1435,7 +1435,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
"<code class="filename">Kexample.com.+005+10128</code>".</p>
<p>If two keys have ID's exactly 128 apart, and one is
revoked, then the two key ID's will collide, causing several
problems. To prevent this,
problems. To prevent this,
<span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if
another key is present which may collide. This checking will
only occur if the new keys are written to the same directory
@ -1719,8 +1719,8 @@ $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
</p>
<p>
After configuring, run
<span class="command"><strong>make</strong></span> and
After configuring, run
<span class="command"><strong>make</strong></span> and
<span class="command"><strong>make test</strong></span>.
</p>
</div>
@ -1867,9 +1867,9 @@ $ <strong class="userinput"><code>./configure --enable-threads \
<a name="id-1.5.12.9"></a>PKCS#11 Tools</h3></div></div></div>
<p>
BIND 9 includes a minimal set of tools to operate the
HSM, including
HSM, including
<span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair
within the HSM,
within the HSM,
<span class="command"><strong>pkcs11-list</strong></span> to list objects currently
available,
<span class="command"><strong>pkcs11-destroy</strong></span> to remove objects, and
@ -1906,7 +1906,7 @@ $ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${L
For example, when operating an AEP Keyper, it is necessary to
specify the location of the "machine" file, which stores
information about the Keyper for use by the provider
library. If the machine file is in
library. If the machine file is in
<code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
use:
</p>
@ -1915,12 +1915,12 @@ $ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11P
</pre>
<p>
Such environment variables must be set whenever running
any tool that uses the HSM, including
<span class="command"><strong>pkcs11-keygen</strong></span>,
<span class="command"><strong>pkcs11-list</strong></span>,
<span class="command"><strong>pkcs11-destroy</strong></span>,
<span class="command"><strong>dnssec-keyfromlabel</strong></span>,
<span class="command"><strong>dnssec-signzone</strong></span>,
any tool that uses the HSM, including
<span class="command"><strong>pkcs11-keygen</strong></span>,
<span class="command"><strong>pkcs11-list</strong></span>,
<span class="command"><strong>pkcs11-destroy</strong></span>,
<span class="command"><strong>dnssec-keyfromlabel</strong></span>,
<span class="command"><strong>dnssec-signzone</strong></span>,
<span class="command"><strong>dnssec-keygen</strong></span>, and
<span class="command"><strong>named</strong></span>.
</p>
@ -2028,7 +2028,7 @@ example.net.signed
$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
</pre>
<p>
This causes
This causes
<span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled
without the --with-pkcs11 option.
</p>
@ -2046,7 +2046,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
using HSM keys, and/or to to sign new records inserted via nsupdate,
then named must have access to the HSM PIN. In OpenSSL-based PKCS#11,
this is accomplished by placing the PIN into the openssl.cnf file
(in the above examples,
(in the above examples,
<code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).
</p>
<p>

2
doc/arm/Bv9ARM.ch12.html
View file

@ -449,7 +449,7 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
<p>
removes all A RRs for foo.dynamic.example.com using the given key.
</p>
<pre class="screen">
<pre class="screen">
$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
<p>
removes all RRs for foo.dynamic.example.com using the given key.

2
doc/arm/man.ddns-confgen.html
View file

@ -79,7 +79,7 @@
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with
<span class="command"><strong>update-policy local;</strong></span>.
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance,
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system.

2
doc/arm/man.delv.html
View file

@ -414,7 +414,7 @@
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p></dd>

4
doc/arm/man.dig.html
View file

@ -92,7 +92,7 @@
<p>
The IN and CH class names overlap with the IN and CH top level
domain names. Either use the <code class="option">-t</code> and
<code class="option">-c</code> options to specify the type and class,
<code class="option">-c</code> options to specify the type and class,
use the <code class="option">-q</code> the specify the domain name, or
use "IN." and "CH." when looking up these top level domains.
</p>
@ -755,7 +755,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
The IDN support is disabled if the variable is set when
<span class="command"><strong>dig</strong></span> runs.
</p>
</div>

2
doc/arm/man.dnssec-checkds.html
View file

@ -68,7 +68,7 @@
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Check for a DLV record in the specified lookaside domain,
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com"
in ISC's DLV zone, use:

2
doc/arm/man.dnssec-coverage.html
View file

@ -97,7 +97,7 @@
<p>
The length of time to check for DNSSEC coverage. Key events
scheduled further into the future than <code class="option">duration</code>
will be ignored, and assumed to be correct.
will be ignored, and assumed to be correct.
</p>
<p>
The value of <code class="option">duration</code> can be set in seconds,

2
doc/arm/man.dnssec-dsfromkey.html
View file

@ -113,7 +113,7 @@
<dd><p>
Include ZSK's when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
records and printed. Useful only in zone file mode.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>

4
doc/arm/man.dnssec-keyfromlabel.html
View file

@ -300,7 +300,7 @@
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
@ -332,7 +332,7 @@
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and

4
doc/arm/man.dnssec-keygen.html
View file

@ -346,7 +346,7 @@
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
@ -379,7 +379,7 @@
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and

6
doc/arm/man.dnssec-settime.html
View file

@ -84,8 +84,8 @@
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
@ -197,7 +197,7 @@
</p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>

6
doc/arm/man.dnssec-signzone.html
View file

@ -92,7 +92,7 @@
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
@ -343,7 +343,7 @@
<p>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code>
@ -406,7 +406,7 @@
<dd><p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>

4
doc/arm/man.host.html
View file

@ -188,7 +188,7 @@
value for an integer quantity.
</p>
<p>
The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span>
The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span>
<span class="emphasis"><em>not</em></span> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behavior.
@ -208,7 +208,7 @@
<a name="id-1.14.3.8"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.

4
doc/arm/man.lwresd.html
View file

@ -57,7 +57,7 @@
server that answers queries using the BIND 9 lightweight
resolver protocol rather than the DNS protocol.
</p>
<p><span class="command"><strong>lwresd</strong></span>
<p><span class="command"><strong>lwresd</strong></span>
listens for resolver queries on a
UDP port on the IPv4 loopback interface, 127.0.0.1. This
means that <span class="command"><strong>lwresd</strong></span> can only be used by
@ -141,7 +141,7 @@
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd>

2
doc/arm/man.named-checkzone.html
View file

@ -230,7 +230,7 @@
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
are semantically equal in plain DNS.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.

4
doc/arm/man.named-journalprint.html
View file

@ -53,10 +53,10 @@
<p>
<span class="command"><strong>named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
form.
form.
</p>
<p>
Journal files are automatically created by <span class="command"><strong>named</strong></span>
Journal files are automatically created by <span class="command"><strong>named</strong></span>
when changes are made to dynamic zones (e.g., by
<span class="command"><strong>nsupdate</strong></span>). They record each addition
or deletion of a resource record, in binary format, allowing the

4
doc/arm/man.named.conf.html
View file

@ -118,7 +118,7 @@ server
<a name="id-1.14.18.12"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
};<br>
</p></div>
</div>
@ -126,7 +126,7 @@ trusted-keys
<a name="id-1.14.18.13"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
managed-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ...<br>
};<br>
</p></div>
</div>

8
doc/arm/man.rndc.html
View file

@ -204,7 +204,7 @@
Delete a zone while the server is running.
Only zones that were originally added via
<span class="command"><strong>rndc addzone</strong></span> can be deleted
in this manner.
in this manner.
</p>
<p>
If the <code class="option">-clean</code> is specified,
@ -395,7 +395,7 @@
<dd>
<p>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
from the key directory (see the
<span class="command"><strong>key-directory</strong></span> option in
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
@ -425,7 +425,7 @@
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
<span class="command"><strong>sig-signing-type</strong></span>.
<span class="command"><strong>sig-signing-type</strong></span>.
<span class="command"><strong>rndc signing -list</strong></span> converts
these records into a human-readable form,
indicating which keys are currently signing
@ -451,7 +451,7 @@
flags, iterations, and salt, in that order.
</p>
<p>
Currently, the only defined value for hash algorithm
Currently, the only defined value for hash algorithm
is <code class="literal">1</code>, representing SHA-1.
The <code class="option">flags</code> may be set to
<code class="literal">0</code> or <code class="literal">1</code>,