diff --git a/CHANGES b/CHANGES index 0e96c2bfa3..d9a0054703 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.11.7 released --- + 5233. [bug] Negative trust anchors did not work with "forward only;" to validating resolvers. [GL #997] diff --git a/README b/README index 3b28ae32f7..45c1f490c8 100644 --- a/README +++ b/README @@ -265,10 +265,10 @@ BIND 9.11.6 BIND 9.11.6 is a maintenance release, and also addresses the security flaws disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465. -BIND 9.11.6-P1 +BIND 9.11.7 -BIND 9.11.6-P1 addresses the security vulnerability disclosed in -CVE-2018-5743. +BIND 9.11.7 is a maintenance release, and also addresses the security flaw +disclosed in CVE-2018-5743. Building BIND diff --git a/README.md b/README.md index 02cc464b3d..ea48104e68 100644 --- a/README.md +++ b/README.md @@ -282,10 +282,10 @@ feature: BIND 9.11.6 is a maintenance release, and also addresses the security flaws disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465. -#### BIND 9.11.6-P1 +#### BIND 9.11.7 -BIND 9.11.6-P1 addresses the security vulnerability disclosed in -CVE-2018-5743. +BIND 9.11.7 is a maintenance release, and also addresses the security +flaw disclosed in CVE-2018-5743. ### Building BIND diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 6f8eedb2f0..a169e62d65 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 
@@ -39,7 +39,7 @@ dnssec-keygen \- DNSSEC key generation tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-keygen\fR\ 'u -\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name} +\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name} .SH "DESCRIPTION" .PP \fBdnssec\-keygen\fR 
@@ -50,6 +50,13 @@ The of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&. .SH "OPTIONS" .PP +\-3 +.RS 4 +Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example, +\fBdnssec\-keygen \-3a RSASHA1\fR +specifies the NSEC3RSASHA1 algorithm\&. +.RE +.PP \-a \fIalgorithm\fR .RS 4 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of @@ -78,21 +85,9 @@ The key size does not need to be specified if using a default algorithm\&. The d must be used\&. .RE .PP -\-n \fInametype\fR -.RS 4 -Specifies the owner type of the key\&. The value of -\fBnametype\fR -must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&. -.RE -.PP -\-3 -.RS 4 -Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&. -.RE -.PP \-C .RS 4 -Compatibility mode: generates an old\-style key, without any metadata\&. By default, +Compatibility mode: generates an old\-style key, without any timing metadata\&. By default, \fBdnssec\-keygen\fR will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the \fB\-C\fR 
@@ -151,9 +146,17 @@ none is the same as leaving it unset\&. .RE .PP +\-n \fInametype\fR +.RS 4 +Specifies the owner type of the key\&. The value of +\fBnametype\fR +must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&. +.RE +.PP \-p \fIprotocol\fR .RS 4 -Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&. +Sets the protocol value for the generated key, for use with +\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&. .RE .PP \-q 
@@ -196,20 +199,21 @@ Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY\&. .PP \-t \fItype\fR .RS 4 -Indicates the use of the key\&. +Indicates the use of the key, for use with +\fB\-T KEY\fR\&. \fBtype\fR must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&. .RE .PP -\-v \fIlevel\fR -.RS 4 -Sets the debugging level\&. -.RE -.PP \-V .RS 4 Prints version information\&. .RE +.PP +\-v \fIlevel\fR +.RS 4 +Sets the debugging level\&. +.RE .SH "TIMING OPTIONS" .PP Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&. @@ -338,6 +342,10 @@ creates the files Kexample\&.com\&.+003+26160\&.key and Kexample\&.com\&.+003+26160\&.private\&. +.PP +To generate a matching key\-signing key, issue the command: +.PP +\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE \-f KSK example\&.com\fR .SH "SEE ALSO" .PP \fBdnssec-signzone\fR(8), diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 4cdeca62cc..70f75b8ff2 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -33,11 +33,10 @@
dnssec-keygen
- [-a ]
- [algorithm-b ]
- [keysize-n ]
[nametype-3]
[-A ]
+ [date/offset-a ]
+ [algorithm-b ]
[keysize-C]
[-c ]
[class-D ]
@@ -52,6 +51,7 @@
[date/offset-K ]
[directory-k]
[-L ]
+ [ttl-n ]
[nametype-P ]
[date/offset-P sync ]
[date/offset-p ]
@@ -63,7 +63,6 @@
[protocol-t ]
[type-V]
[-v ]
- [level-z]
{name}
+ Use an NSEC3-capable algorithm to generate a DNSSEC key. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm. +
+algorithm@@ -139,38 +148,15 @@ must be used.
nametype
- Specifies the owner type of the key. The value of
- nametype must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
- a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are case insensitive. Defaults to ZONE for DNSKEY
- generation.
-
- Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 - algorithms are NSEC3-capable. -
-
- Compatibility mode: generates an old-style key, without
- any metadata. By default, dnssec-keygen
- will include the key's creation date in the metadata stored
- with the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include
- this data may be incompatible with older versions of BIND; the
+ Compatibility mode: generates an old-style key, without any
+ timing metadata. By default, dnssec-keygen
+ will include the key's creation date in the metadata stored with
+ the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include this
+ data may be incompatible with older versions of BIND; the
-C option suppresses them.
none is the same as leaving it unset.
+nametype
+ Specifies the owner type of the key. The value of
+ nametype must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
+
protocol
- Sets the protocol value for the generated key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
+ Sets the protocol value for the generated key, for use
+ with -T KEY. The protocol is a number between 0
+ and 255. The default is 3 (DNSSEC). Other possible values for
+ this argument are listed in RFC 2535 and its successors.
type
- Indicates the use of the key. type must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
-
level
- Sets the debugging level.
+ Indicates the use of the key, for use with -T
+ KEY. type must be one of AUTHCONF,
+ NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+ refers to the ability to authenticate data, and CONF the ability
+ to encrypt data.
level+ Sets the debugging level. +
+Kexample.com.+003+26160.private.
+ + To generate a matching key-signing key, issue the command: +
+
+ dnssec-keygen -a DSA -b 768 -n ZONE -f KSK example.com
+
BIND 9.11.6-P1 (Extended Support Version)
+BIND 9.11.7 (Extended Support Version)
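Review bot: in the README and README.md hunks the existing "BIND 9.11.6-P1" entry is rewritten in place as "BIND 9.11.7" rather than kept, so the release history no longer records that 9.11.6-P1 shipped or that it was the release that first addressed CVE-2018-5743; the new sentence "BIND 9.11.7 is a maintenance release, and also addresses the security flaw disclosed in CVE-2018-5743" now reads as if that fix were new in 9.11.7. This does match the style of the 9.11.6 entry visible just above it, so if folding patch releases into the next maintenance entry is the intended convention, fine; otherwise keep the "-P1" paragraph and add the 9.11.7 paragraph below it.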
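Review bot: the SYNOPSIS hunk of dnssec-keygen.8 drops [-z] from the end of the synopsis (and the html hunk drops the matching "[level-z]" line), but no OPTIONS entry for -z is removed anywhere in this diff, which means the synopsis was advertising a flag the OPTIONS section never described. Please confirm in the same change whether the binary still accepts -z: if it does (even as a compatibility no-op), document it; if it is being removed, the usage() text in dnssec-keygen.c should lose it too so the man page and the tool agree.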
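Review bot: the rewritten -3 entry (the hunk at @@ -50,6 +50,13 @@ in dnssec-keygen.8, mirrored in the html) drops two statements from the old text without replacing them: what happens when -3 is given with no -a ("NSEC3RSASHA1 will be used by default") and which algorithms are NSEC3-capable on their own (RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448). If the default is unchanged, keep that sentence; if it is now an error or a different default, say so. The "-3a RSASHA1 specifies the NSEC3RSASHA1 algorithm" example is a good addition, but add that -3 is a no-op for algorithms that have no NSEC-only variant, so readers do not conclude it is required for ECDSA or EdDSA keys.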
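Review bot: the -p and -t descriptions (hunks at @@ -151 and @@ -196 in dnssec-keygen.8, and the matching html hunks) now say "for use with -T KEY", which is a useful qualifier, but the -T entry in the context lines ("Using any TSIG algorithm (HMAC-* or DH) forces this option to KEY") is not updated to point back at -p and -t, and -n still lists the KEY owner types without the same qualifier. Also state what the tool does when -p or -t is passed for a DNSKEY (ignored, or rejected), since that is exactly the question an operator checking an existing invocation will have.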
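Review bot: the new EXAMPLE text "dnssec-keygen -a DSA -b 768 -n ZONE -f KSK example.com" (hunk at @@ -338 in dnssec-keygen.8, repeated in the html) is consistent with the existing ZSK example, whose Kexample.com.+003+26160 filenames are algorithm 3 (DSA), but DSA with a 768-bit key is not something a man page should show operators: DSA is deprecated for DNSSEC signing and 768 bits is well below any current minimum. Suggest switching both examples to ECDSAP256SHA256 (one of the algorithms named in the -3 text this same diff removes), which takes no -b since its key size is fixed; -n ZONE is the documented default and can be dropped as well. If the DSA example must stay for historical continuity, add a sentence saying it is illustrative and not a recommended algorithm.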
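Review bot: dnssec-keygen.8 and dnssec-keygen.html are both generated files, and the docbook source they are built from is not in the diff shown here. If it is not part of the same commit, the next documentation regeneration will silently undo every change above (the option reordering, the rewritten -3 and -C text, the -p/-t qualifiers and the new KSK example). Regenerate both outputs from the source rather than hand-editing them, and check the rendered html for the moved -n and -v entries, since the extracted html hunks here show the text moving but not the surrounding markup.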