upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-08 19:32:06 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of repo.isc.org:/proj/git/prod/bind9

Browse source
This commit is contained in:
Jeremy C. Reed 2015-11-09 11:25:01 -05:00
commit dde7a7d357
166 changed files with 4635 additions and 3202 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
CHANGES
View file

@ -1,3 +1,47 @@
4257. [cleanup] Python scripts reported incorrect version. [RT #41080]
4256. [bug] Allow rndc command arguments to be quoted so as
to allow spaces. [RT #36665]
4255. [func] Add 'message-compression' option to disable DNS
compression in responses. [RT #40726]
4254. [bug] Address missing lock when getting zone's serial.
[RT #41072]
4253. [bug] Address fetch context reference count handling error
on socket error. [RT#40945]
4252. [func] Add support for automating the generation CDS and
CDNSKEY rrsets to named and dnssec-signzone.
[RT #40424]
4251. [bug] NTAs were deleted when the server was reconfigured
or reloaded. [RT #41058]
4250. [func] Log the TSIG key in use during inbound zone
transfers. [RT #41075]
4249. [func] Improve error reporting of TSIG / SIG(0) records in
the wrong location. [RT #41030]
4248. [func] Add an isc_atomic_storeq() function, use it in
stats counters to improve performance.
[RT #39972] [RT #39979]
4247. [port] Require both HAVE_JSON and JSON_C_VERSION to be
defined to report json library version. [RT #41045]
4246. [test] Ensure the statschannel system test runs when BIND
is not built with libjson. [RT #40944]
4245. [placeholder]
4244. [bug] The parser was not reporting that use-ixfr is obsolete.
[RT #41010]
4243. [func] Improved stats reporting from Timothe Litt. [RT #38941]
4242. [bug] Replace the client if not already replaced when
prefetching. [RT #41001]

2
Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
SUBDIRS = make unit lib bin doc
TARGETS =

2
bin/check/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/confgen/Makefile.in
View file

@ -18,7 +18,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/delv/Makefile.in
View file

@ -16,7 +16,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/dig/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/dnssec/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

204
bin/dnssec/dnssec-dsfromkey.docbook
View file

@ -96,85 +96,85 @@
<variablelist>
<varlistentry>
<term>-1</term>
<listitem>
<para>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</para>
</listitem>
<term>-1</term>
<listitem>
<para>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-2</term>
<listitem>
<para>
Use SHA-256 as the digest algorithm.
</para>
</listitem>
<term>-2</term>
<listitem>
<para>
Use SHA-256 as the digest algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records.
</para>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in
<option>directory</option>.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in
<option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -189,64 +189,64 @@
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</para>
</listitem>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</para>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints usage information.
</para>
</listitem>
<term>-h</term>
<listitem>
<para>
Prints usage information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
@ -292,10 +292,10 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,

96
bin/dnssec/dnssec-dsfromkey.html
View file

@ -43,52 +43,52 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
Use SHA-256 as the digest algorithm.
</p></dd>
Use SHA-256 as the digest algorithm.
</p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Generate CDS records rather than DS records. This is mutually
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</p></dd>
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
Specifies the TTL of the DS records.
</p></dd>
Specifies the TTL of the DS records.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
@ -98,35 +98,35 @@
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</p></dd>
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints usage information.
</p></dd>
Prints usage information.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
</dl></div>
</div>
<div class="refsection">

18
bin/dnssec/dnssec-importkey.8
View file

@ -18,12 +18,12 @@
.\" Title: dnssec-importkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-20
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-IMPORTKEY" "8" "2014\-02\-20" "ISC" "BIND9"
.TH "DNSSEC\-IMPORTKEY" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -47,9 +47,9 @@
dnssec-importkey \- Import DNSKEY records from external systems so they can be managed\&.
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP
\fBdnssec\-importkey\fR
@ -109,10 +109,20 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.SH "FILES"
.PP
A keyfile can be designed by the key identification

36
bin/dnssec/dnssec-importkey.c
View file

@ -68,6 +68,9 @@ static isc_boolean_t setpub = ISC_FALSE, setdel = ISC_FALSE;
static isc_boolean_t setttl = ISC_FALSE;
static isc_stdtime_t pub = 0, del = 0;
static dns_ttl_t ttl = 0;
static isc_stdtime_t syncadd = 0, syncdel = 0;
static isc_boolean_t setsyncadd = ISC_FALSE;
static isc_boolean_t setsyncdel = ISC_FALSE;
static isc_result_t
initname(char *setname) {
@ -236,6 +239,11 @@ emit(const char *dir, dns_rdata_t *rdata) {
dst_key_settime(key, DST_TIME_PUBLISH, pub);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
if (setttl)
dst_key_setttl(key, ttl);
@ -278,8 +286,12 @@ usage(void) {
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY publication date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY deletion date\n");
exit (-1);
}
@ -318,6 +330,18 @@ main(int argc, char **argv) {
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncdel)
fatal("-D sync specified more than "
"once");
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel)
fatal("-D specified more than once");
@ -334,6 +358,18 @@ main(int argc, char **argv) {
setttl = ISC_TRUE;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncadd)
fatal("-P sync specified more than "
"once");
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub)
fatal("-P specified more than once");

137
bin/dnssec/dnssec-importkey.docbook
View file

@ -20,6 +20,7 @@
<date>2014-02-20</date>
</info>
<refentryinfo>
<date>August 21, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
@ -50,7 +51,9 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
@ -62,7 +65,9 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
@ -97,68 +102,68 @@
<variablelist>
<varlistentry>
<term>-f <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
Zone file mode: instead of a public keyfile name, the argument
<listitem>
<para>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the domain name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input.
</para>
</listitem>
from <option>file</option>. If the domain name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</listitem>
</varlistentry>
</variablelist>
@ -180,25 +185,45 @@
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</para>
</listitem>
</varlistentry>
</variablelist>
@ -217,10 +242,10 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.

66
bin/dnssec/dnssec-importkey.html
View file

@ -28,8 +28,8 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -57,37 +57,37 @@
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Zone file mode: instead of a public keyfile name, the argument
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -110,16 +110,26 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</p></dd>
</dl></div>
</div>
<div class="refsection">

16
bin/dnssec/dnssec-keyfromlabel.8
View file

@ -18,12 +18,12 @@
.\" Title: dnssec-keyfromlabel
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-27
.\" Date: August 27, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-KEYFROMLABEL" "8" "2014\-02\-27" "ISC" "BIND9"
.TH "DNSSEC\-KEYFROMLABEL" "8" "August 27, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -47,7 +47,7 @@
dnssec-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keyfromlabel\fR\ 'u
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name}
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
@ -201,6 +201,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
@ -221,6 +226,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.

41
bin/dnssec/dnssec-keyfromlabel.c
View file

@ -104,10 +104,14 @@ usage(void) {
fprintf(stderr, " -V: print version information\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -P sync date/[+-]offset: set CDS and CDNSKEY "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset: set CDS and CDNSKEY "
"deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
" all dates\n");
@ -171,6 +175,9 @@ main(int argc, char **argv) {
isc_boolean_t avoid_collisions = ISC_TRUE;
isc_boolean_t exact;
unsigned char c;
isc_stdtime_t syncadd = 0, syncdel = 0;
isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE;
isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE;
if (argc == 1)
usage();
@ -255,6 +262,19 @@ main(int argc, char **argv) {
genonly = ISC_TRUE;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd)
fatal("-P sync specified more than "
"once");
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
@ -287,6 +307,19 @@ main(int argc, char **argv) {
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncdel || setsyncdel)
fatal("-D sync specified more than "
"once");
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
unsetsyncdel = !setsyncdel;
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel)
fatal("-D specified more than once");
@ -621,10 +654,16 @@ main(int argc, char **argv) {
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetinact || unsetdel || genonly)
unsetrev || unsetinact || unsetdel || genonly ||
setsyncadd || setsyncdel)
fatal("cannot use -C together with "
"-P, -A, -R, -I, -D, or -G options");
/*

483
bin/dnssec/dnssec-keyfromlabel.docbook
View file

@ -20,6 +20,7 @@
<date>2014-02-27</date>
</info>
<refentryinfo>
<date>August 27, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
@ -57,6 +58,7 @@
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
@ -67,6 +69,7 @@
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
@ -100,113 +103,113 @@
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</para>
<para>
Note 2: DH automatically sets the -k flag.
</para>
</listitem>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</para>
<para>
Note 2: DH automatically sets the -k flag.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</para>
</listitem>
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label for a key pair in the crypto hardware.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel</replaceable>".
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</para>
<para>
If the label contains a
<option>pin-source</option> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</para>
</listitem>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label for a key pair in the crypto hardware.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel</replaceable>".
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</para>
<para>
If the label contains a
<option>pin-source</option> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</para>
</listitem>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keyfromlabel</command>
will include the key's creation date in the metadata stored
@ -214,150 +217,150 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keyfromlabel</command>.
</para>
</listitem>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keyfromlabel</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Generate a key as an explicit successor to an existing key.
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</listitem>
</varlistentry>
<varlistentry>
<term>-y</term>
<listitem>
<para>
Allows DNSSEC key files to be generated even if the key ID
<term>-y</term>
<listitem>
<para>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</para>
</listitem>
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</para>
</listitem>
</varlistentry>
</variablelist>
@ -380,60 +383,80 @@
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -477,18 +500,18 @@
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
</para>
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keyfromlabel</command>
@ -515,10 +538,10 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4034</citetitle>,

262
bin/dnssec/dnssec-keyfromlabel.html
View file

@ -27,7 +27,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -52,87 +52,87 @@
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use.
</p>
Specifies the cryptographic hardware to use.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
Specifies the label for a key pair in the crypto hardware.
</p>
Specifies the label for a key pair in the crypto hardware.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
<p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -142,84 +142,84 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Generate a key as an explicit successor to an existing key.
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p></dd>
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
</div>
<div class="refsection">
@ -238,36 +238,46 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -305,13 +315,13 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
of the algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based

16
bin/dnssec/dnssec-keygen.8
View file

@ -19,12 +19,12 @@
.\" Title: dnssec-keygen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-06
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-KEYGEN" "8" "2014\-02\-06" "ISC" "BIND9"
.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -48,7 +48,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-z\fR] {name}
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
@ -228,6 +228,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&.
@ -248,6 +253,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.

46
bin/dnssec/dnssec-keygen.c
View file

@ -153,13 +153,18 @@ usage(void) {
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set key publication date "
"(default: now)\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set CDS and CDNSKEY "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set key activation date "
"(default: now)\n");
fprintf(stderr, " -R date/[+-]offset/none: set key "
"revocation date\n");
"revocation date\n");
fprintf(stderr, " -I date/[+-]offset/none: set key "
"inactivation date\n");
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set key deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set CDS and CDNSKEY "
"deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
"all dates\n");
@ -254,6 +259,9 @@ main(int argc, char **argv) {
isc_boolean_t quiet = ISC_FALSE;
isc_boolean_t show_progress = ISC_FALSE;
unsigned char c;
isc_stdtime_t syncadd = 0, syncdel = 0;
isc_boolean_t setsyncadd = ISC_FALSE;
isc_boolean_t setsyncdel = ISC_FALSE;
if (argc == 1)
usage();
@ -409,6 +417,17 @@ main(int argc, char **argv) {
genonly = ISC_TRUE;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncadd)
fatal("-P sync specified more than "
"once");
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
@ -441,6 +460,17 @@ main(int argc, char **argv) {
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncdel)
fatal("-D sync specified more than "
"once");
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel)
fatal("-D specified more than once");
@ -973,10 +1003,20 @@ main(int argc, char **argv) {
program);
dst_key_settime(key, DST_TIME_DELETE, delete);
}
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH,
syncadd);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE,
syncdel);
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetinact || unsetdel || genonly)
unsetrev || unsetinact || unsetdel || genonly ||
setsyncadd || setsyncdel)
fatal("cannot use -C together with "
"-P, -A, -R, -I, -D, or -G options");
/*

605
bin/dnssec/dnssec-keygen.docbook
View file

@ -21,6 +21,7 @@
<date>2014-02-06</date>
</info>
<refentryinfo>
<date>August 21, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
@ -70,6 +71,7 @@
<arg choice="opt" rep="norepeat"><option>-C</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
@ -78,9 +80,10 @@
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
@ -88,8 +91,8 @@
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="req" rep="norepeat">name</arg>
</cmdsynopsis>
@ -115,94 +118,94 @@
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</para>
</listitem>
</para>
<para>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</para>
<para>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <option>-f KSK</option>). However, if an
algorithm is explicitly specified with the <option>-a</option>,
then there is no default key size, and the <option>-b</option>
must be used.
</para>
</listitem>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</para>
<para>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <option>-f KSK</option>). However, if an
algorithm is explicitly specified with the <option>-a</option>,
then there is no default key size, and the <option>-b</option>
must be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keygen</command>
will include the key's creation date in the metadata stored
@ -210,231 +213,231 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Deprecated in favor of -T KEY.
</para>
</listitem>
<term>-k</term>
<listitem>
<para>
Deprecated in favor of -T KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <literal>0</literal>
or <literal>none</literal> is the same as leaving it unset.
</para>
</listitem>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <literal>0</literal>
or <literal>none</literal> is the same as leaving it unset.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<command>dnssec-keygen</command> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <filename>stderr</filename> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</para>
</listitem>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<command>dnssec-keygen</command> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <filename>stderr</filename> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</para>
</listitem>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
<listitem>
<para>
Specifies the resource record type to use for the key.
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
<para>
</para>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</para>
</listitem>
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
<listitem>
<para>
Specifies the resource record type to use for the key.
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
<para>
</para>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</listitem>
</varlistentry>
</variablelist>
@ -457,62 +460,82 @@
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</para>
</listitem>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -557,19 +580,19 @@
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
</para>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keygen</command>
@ -624,7 +647,7 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,

352
bin/dnssec/dnssec-keygen.html
View file

@ -28,7 +28,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -50,72 +50,72 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
</p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -125,142 +125,142 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Deprecated in favor of -T KEY.
</p></dd>
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -283,38 +283,48 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -352,14 +362,14 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
of the
algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based

28
bin/dnssec/dnssec-settime.8
View file

@ -18,12 +18,12 @@
.\" Title: dnssec-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-06
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-SETTIME" "8" "2014\-02\-06" "ISC" "BIND9"
.TH "DNSSEC\-SETTIME" "8" "2015\-08\-21" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -47,7 +47,7 @@
dnssec-settime \- Set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
@ -121,6 +121,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&.
@ -141,6 +146,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-S \fIpredecessor key\fR
.RS 4
Select a key for which the key being modified will be an explicit successor\&. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified\&. The activation date of the successor key will be set to the inactivation date of the predecessor\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
@ -164,23 +174,27 @@ can also be used to print the timing metadata associated with a key\&.
Print times in UNIX epoch format\&.
.RE
.PP
\-p \fIC/P/A/R/I/D/all\fR
\-p \fIC/P/Psync/A/R/I/D/Dsync/all\fR
.RS 4
Print a specific metadata value or set of metadata values\&. The
\fB\-p\fR
option may be followed by one or more of the following letters to indicate which value or values to print:
option may be followed by one or more of the following letters or strings to indicate which value or values to print:
\fBC\fR
for the creation date,
\fBP\fR
for the publication date,
\fBPsync\fR
for the CDS and CDNSKEY publication date,
\fBA\fR
for the activation date,
\fBR\fR
for the revocation date,
\fBI\fR
for the inactivation date, or
for the inactivation date,
\fBD\fR
for the deletion date\&. To print all of the metadata, use
for the deletion date, and
\fBDsync\fR
for the CDS and CDNSKEY deletion date To print all of the metadata, use
\fB\-p all\fR\&.
.RE
.SH "SEE ALSO"

69
bin/dnssec/dnssec-settime.c
View file

@ -78,6 +78,8 @@ usage(void) {
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
@ -86,9 +88,11 @@ usage(void) {
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY deletion date\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
"value or values\n");
fprintf(stderr, " -p C/P/Psync/A/R/I/D/Dsync/all: print a "
"particular time value or values\n");
fprintf(stderr, " -u: print times in unix epoch "
"format\n");
fprintf(stderr, "Output:\n");
@ -161,6 +165,10 @@ main(int argc, char **argv) {
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
isc_log_t *log = NULL;
isc_stdtime_t syncadd = 0, syncdel = 0;
isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE;
isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE;
isc_boolean_t printsyncadd = ISC_FALSE, printsyncdel = ISC_FALSE;
if (argc == 1)
usage();
@ -198,6 +206,8 @@ main(int argc, char **argv) {
printrev = ISC_TRUE;
printinact = ISC_TRUE;
printdel = ISC_TRUE;
printsyncadd = ISC_TRUE;
printsyncdel = ISC_TRUE;
break;
}
@ -207,6 +217,11 @@ main(int argc, char **argv) {
printcreate = ISC_TRUE;
break;
case 'P':
if (!strncmp(p, "sync", 3)) {
p += 3;
printsyncadd = ISC_TRUE;
break;
}
printpub = ISC_TRUE;
break;
case 'A':
@ -219,6 +234,11 @@ main(int argc, char **argv) {
printinact = ISC_TRUE;
break;
case 'D':
if (!strncmp(p, "sync", 3)) {
p += 3;
printsyncdel = ISC_TRUE;
break;
}
printdel = ISC_TRUE;
break;
case ' ':
@ -254,6 +274,19 @@ main(int argc, char **argv) {
fatal("-v must be followed by a number");
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd)
fatal("-P sync specified more than "
"once");
changed = ISC_TRUE;
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
@ -290,6 +323,20 @@ main(int argc, char **argv) {
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncdel || setsyncdel)
fatal("-D sync specified more than "
"once");
changed = ISC_TRUE;
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
unsetsyncdel = !setsyncdel;
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel)
fatal("-D specified more than once");
@ -533,6 +580,16 @@ main(int argc, char **argv) {
else if (unsetdel)
dst_key_unsettime(key, DST_TIME_DELETE);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
else if (unsetsyncadd)
dst_key_unsettime(key, DST_TIME_SYNCPUBLISH);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
else if (unsetsyncdel)
dst_key_unsettime(key, DST_TIME_SYNCDELETE);
if (setttl)
dst_key_setttl(key, ttl);
@ -570,6 +627,14 @@ main(int argc, char **argv) {
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
if (printsyncadd)
printtime(key, DST_TIME_SYNCPUBLISH, "SYNC Publish",
epoch, stdout);
if (printsyncdel)
printtime(key, DST_TIME_SYNCDELETE, "SYNC Delete",
epoch, stdout);
if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,

76
bin/dnssec/dnssec-settime.docbook
View file

@ -17,7 +17,7 @@
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
<info>
<date>2014-02-06</date>
<date>2015-08-21</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
@ -53,10 +53,13 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
@ -97,10 +100,10 @@
<variablelist>
<varlistentry>
<term>-f</term>
<term>-f</term>
<listitem>
<para>
Force an update of an old-format key with no metadata fields.
<para>
Force an update of an old-format key with no metadata fields.
Without this option, <command>dnssec-settime</command> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
@ -108,7 +111,7 @@
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</para>
</para>
</listitem>
</varlistentry>
@ -138,20 +141,20 @@
</varlistentry>
<varlistentry>
<term>-h</term>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
@ -208,6 +211,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
@ -252,6 +265,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">predecessor key</replaceable></term>
<listitem>
@ -305,29 +328,32 @@
<variablelist>
<varlistentry>
<term>-u</term>
<term>-u</term>
<listitem>
<para>
Print times in UNIX epoch format.
</para>
<para>
Print times in UNIX epoch format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
<term>-p <replaceable class="parameter">C/P/Psync/A/R/I/D/Dsync/all</replaceable></term>
<listitem>
<para>
Print a specific metadata value or set of metadata values.
<para>
Print a specific metadata value or set of metadata values.
The <option>-p</option> option may be followed by one or more
of the following letters to indicate which value or values to print:
of the following letters or strings to indicate which value
or values to print:
<option>C</option> for the creation date,
<option>P</option> for the publication date,
<option>Psync</option> for the CDS and CDNSKEY publication date,
<option>A</option> for the activation date,
<option>R</option> for the revocation date,
<option>I</option> for the inactivation date, or
<option>D</option> for the deletion date.
<option>I</option> for the inactivation date,
<option>D</option> for the deletion date, and
<option>Dsync</option> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <option>-p all</option>.
</para>
</para>
</listitem>
</varlistentry>

43
bin/dnssec/dnssec-settime.html
View file

@ -27,7 +27,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -60,7 +60,7 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Force an update of an old-format key with no metadata fields.
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
@ -68,7 +68,7 @@
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
@ -86,12 +86,12 @@
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
@ -131,6 +131,11 @@
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
@ -155,6 +160,11 @@
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
@ -200,21 +210,24 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
of the following letters or strings to indicate which value
or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">Psync</code> for the CDS and CDNSKEY publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
<code class="option">I</code> for the inactivation date,
<code class="option">D</code> for the deletion date, and
<code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</p></dd>
</dl></div>
</div>
<div class="refsection">

20
bin/dnssec/dnssectool.c
View file

@ -27,15 +27,16 @@
#include <isc/base32.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <isc/print.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
@ -1834,3 +1835,20 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
}
}
}
isc_boolean_t
isoptarg(const char *arg, char **argv, void(*usage)(void)) {
if (!strcasecmp(isc_commandline_argument, arg)) {
if (argv[isc_commandline_index] == NULL) {
fprintf(stderr, "%s: missing argument -%c %s\n",
program, isc_commandline_option,
isc_commandline_argument);
usage();
}
isc_commandline_argument = argv[isc_commandline_index];
/* skip to next arguement */
isc_commandline_index++;
return (ISC_TRUE);
}
return (ISC_FALSE);
}

4
bin/dnssec/dnssectool.h
View file

@ -98,4 +98,8 @@ void
verifyzone(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
isc_boolean_t
isoptarg(const char *arg, char **argv, void (*usage)(void));
#endif /* DNSSEC_DNSSECTOOL_H */

2
bin/named/Makefile.in
View file

@ -17,7 +17,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_PRODUCT@

971
bin/named/bind9.xsl
View file

File diff suppressed because it is too large Load diff

13
bin/named/bind9.xsl.h
View file

@ -302,6 +302,12 @@ static char xslmsg[] =
" <xsl:value-of select=\"server/current-time\"/>\n"
" </td>\n"
" </tr>\n"
" <tr>\n"
" <th>Server version:</th>\n"
" <td>\n"
" <xsl:value-of select=\"server/version\"/>\n"
" </td>\n"
" </tr>\n"
" </table>\n"
" <br/>\n"
" <xsl:if test=\"server/counters[@type=&quot;opcode&quot;]/counter[. &gt; 0]\">\n"
@ -548,7 +554,6 @@ static char xslmsg[] =
" </table>\n"
" </xsl:if>\n"
" </xsl:for-each>\n"
"\n"
" <xsl:for-each select=\"views/view\">\n"
" <xsl:if test=\"counters[@type=&quot;cachestats&quot;]/counter[.&gt;0]\">\n"
" <h3>Cache Statistics for View <xsl:value-of select=\"@name\"/></h3>\n"
@ -573,7 +578,6 @@ static char xslmsg[] =
" </table>\n"
" </xsl:if>\n"
" </xsl:for-each>\n"
"\n"
" <xsl:for-each select=\"views/view\">\n"
" <xsl:if test=\"cache/rrset\">\n"
" <h3>Cache DB RRsets for View <xsl:value-of select=\"@name\"/></h3>\n"
@ -598,7 +602,6 @@ static char xslmsg[] =
" <br/>\n"
" </xsl:if>\n"
" </xsl:for-each>\n"
"\n"
" <xsl:if test=\"traffic/udp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0] or traffic/udp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0] or traffic/tcp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0] or traffic/tcp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]\">\n"
" <h2>Traffic Size Statistics</h2>\n"
" </xsl:if>\n"
@ -624,7 +627,6 @@ static char xslmsg[] =
" </table>\n"
" <br/>\n"
" </xsl:if>\n"
"\n"
" <xsl:if test=\"traffic/udp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]\">\n"
" <h4>UDP Responses Sent</h4>\n"
" <table class=\"counters\">\n"
@ -647,7 +649,6 @@ static char xslmsg[] =
" </table>\n"
" <br/>\n"
" </xsl:if>\n"
"\n"
" <xsl:if test=\"traffic/tcp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0]\">\n"
" <h4>TCP Requests Received</h4>\n"
" <table class=\"counters\">\n"
@ -670,7 +671,6 @@ static char xslmsg[] =
" </table>\n"
" <br/>\n"
" </xsl:if>\n"
"\n"
" <xsl:if test=\"traffic/tcp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]\">\n"
" <h4>TCP Responses Sent</h4>\n"
" <table class=\"counters\">\n"
@ -693,7 +693,6 @@ static char xslmsg[] =
" </table>\n"
" <br/>\n"
" </xsl:if>\n"
"\n"
" <xsl:if test=\"server/counters[@type=&quot;sockstat&quot;]/counter[.&gt;0]\">\n"
" <h2>Socket I/O Statistics</h2>\n"
" <table class=\"counters\">\n"

5
bin/named/client.c
View file

@ -1065,12 +1065,17 @@ client_send(ns_client_t *client) {
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
if (client->message->tsigkey != NULL)
name = &client->message->tsigkey->name;
if (client->view->nocasecompress == NULL ||
!allowed(&netaddr, name, NULL, 0, NULL,
client->view->nocasecompress))
{
dns_compress_setsensitive(&cctx, ISC_TRUE);
}
if (client->view->msgcompression == ISC_FALSE) {
dns_compress_disable(&cctx);
}
}
cleanup_cctx = ISC_TRUE;

3
bin/named/config.c
View file

@ -118,7 +118,7 @@ options {\n\
transfers-out 10;\n\
# treat-cr-as-space <obsolete>;\n\
# use-id-pool <obsolete>;\n\
use-ixfr true;\n\
# use-ixfr <obsolete>;\n\
edns-udp-size 4096;\n\
max-udp-size 4096;\n\
nocookie-udp-size 4096;\n\
@ -185,6 +185,7 @@ options {\n\
fetches-per-server 0;\n\
require-server-cookie no;\n\
v6-bias 50;\n\
message-compression yes;\n\
"
#ifdef HAVE_DNSTAP
"\

113
bin/named/control.c
View file

@ -24,6 +24,7 @@
#include <isc/app.h>
#include <isc/event.h>
#include <isc/lex.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <isc/timer.h>
@ -36,6 +37,7 @@
#include <isccc/result.h>
#include <named/control.h>
#include <named/globals.h>
#include <named/log.h>
#include <named/os.h>
#include <named/server.h>
@ -43,15 +45,30 @@
#include <named/ns_smf_globals.h>
#endif
static isc_boolean_t
command_compare(const char *text, const char *command) {
unsigned int commandlen = strlen(command);
if (strncasecmp(text, command, commandlen) == 0 &&
(text[commandlen] == '\0' ||
text[commandlen] == ' ' ||
text[commandlen] == '\t'))
return (ISC_TRUE);
return (ISC_FALSE);
static isc_result_t
getcommand(isc_lex_t *lex, char **cmdp) {
isc_result_t result;
isc_token_t token;
REQUIRE(cmdp != NULL && *cmdp == NULL);
result = isc_lex_gettoken(lex, ISC_LEXOPT_EOF, &token);
if (result != ISC_R_SUCCESS)
return (result);
isc_lex_ungettoken(lex, &token);
if (token.type != isc_tokentype_string)
return (ISC_R_FAILURE);
*cmdp = token.value.as_textregion.base;
return (ISC_R_SUCCESS);
}
static inline isc_boolean_t
command_compare(const char *str, const char *command) {
return ISC_TF(strcasecmp(str, command) == 0);
}
/*%
@ -61,9 +78,12 @@ command_compare(const char *text, const char *command) {
isc_result_t
ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
isccc_sexpr_t *data;
char *cmdline = NULL;
char *command = NULL;
isc_result_t result;
int log_level;
isc_buffer_t src;
isc_lex_t *lex = NULL;
#ifdef HAVE_LIBSCF
ns_smf_want_disable = 0;
#endif
@ -76,7 +96,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
return (ISC_R_FAILURE);
}
result = isccc_cc_lookupstring(data, "type", &command);
result = isccc_cc_lookupstring(data, "type", &cmdline);
if (result != ISC_R_SUCCESS) {
/*
* We have no idea what this is.
@ -84,6 +104,20 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
return (result);
}
result = isc_lex_create(ns_g_mctx, strlen(cmdline), &lex);
if (result != ISC_R_SUCCESS)
return (result);
isc_buffer_init(&src, cmdline, strlen(cmdline));
isc_buffer_add(&src, strlen(cmdline));
result = isc_lex_openbuffer(lex, &src);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = getcommand(lex, &command);
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Compare the 'command' parameter against all known control commands.
*/
@ -93,20 +127,21 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
} else {
log_level = ISC_LOG_INFO;
}
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, log_level,
"received control channel command '%s'",
command);
if (command_compare(command, NS_COMMAND_RELOAD)) {
result = ns_server_reloadcommand(ns_g_server, command, text);
result = ns_server_reloadcommand(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
result = ns_server_reconfigcommand(ns_g_server);
} else if (command_compare(command, NS_COMMAND_REFRESH)) {
result = ns_server_refreshcommand(ns_g_server, command, text);
result = ns_server_refreshcommand(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
result = ns_server_retransfercommand(ns_g_server,
command, text);
lex, text);
} else if (command_compare(command, NS_COMMAND_HALT)) {
#ifdef HAVE_LIBSCF
/*
@ -116,7 +151,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
*/
if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
result = ns_smf_add_message(text);
return (result);
goto cleanup;
}
/*
* If we are managed by smf(5) but not in chroot,
@ -143,7 +178,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
#ifdef HAVE_LIBSCF
if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
result = ns_smf_add_message(text);
return (result);
goto cleanup;
}
if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
ns_smf_want_disable = 1;
@ -155,42 +190,42 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
} else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
result = ns_server_dumpstats(ns_g_server);
} else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
result = ns_server_togglequerylog(ns_g_server, command);
result = ns_server_togglequerylog(ns_g_server, lex);
} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
ns_server_dumpdb(ns_g_server, command);
ns_server_dumpdb(ns_g_server, lex);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
result = ns_server_dumpsecroots(ns_g_server, command, text);
result = ns_server_dumpsecroots(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_TRACE)) {
result = ns_server_setdebuglevel(ns_g_server, command);
result = ns_server_setdebuglevel(ns_g_server, lex);
} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
ns_g_debuglevel = 0;
isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_FLUSH)) {
result = ns_server_flushcache(ns_g_server, command);
result = ns_server_flushcache(ns_g_server, lex);
} else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
result = ns_server_flushnode(ns_g_server, command, ISC_FALSE);
result = ns_server_flushnode(ns_g_server, lex, ISC_FALSE);
} else if (command_compare(command, NS_COMMAND_FLUSHTREE)) {
result = ns_server_flushnode(ns_g_server, command, ISC_TRUE);
result = ns_server_flushnode(ns_g_server, lex, ISC_TRUE);
} else if (command_compare(command, NS_COMMAND_STATUS)) {
result = ns_server_status(ns_g_server, text);
} else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
result = ns_server_tsiglist(ns_g_server, text);
} else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
result = ns_server_tsigdelete(ns_g_server, command, text);
result = ns_server_tsigdelete(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_FREEZE)) {
result = ns_server_freeze(ns_g_server, ISC_TRUE, command,
result = ns_server_freeze(ns_g_server, ISC_TRUE, lex,
text);
} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
command_compare(command, NS_COMMAND_THAW)) {
result = ns_server_freeze(ns_g_server, ISC_FALSE, command,
result = ns_server_freeze(ns_g_server, ISC_FALSE, lex,
text);
} else if (command_compare(command, NS_COMMAND_SCAN)) {
result = ISC_R_SUCCESS;
ns_server_scan_interfaces(ns_g_server);
} else if (command_compare(command, NS_COMMAND_SYNC)) {
result = ns_server_sync(ns_g_server, command, text);
result = ns_server_sync(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_RECURSING)) {
result = ns_server_dumprecursing(ns_g_server);
} else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
@ -199,29 +234,29 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
} else if (command_compare(command, NS_COMMAND_NULL)) {
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
result = ns_server_notifycommand(ns_g_server, command, text);
result = ns_server_notifycommand(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
result = ns_server_validation(ns_g_server, command, text);
result = ns_server_validation(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_SIGN) ||
command_compare(command, NS_COMMAND_LOADKEYS)) {
result = ns_server_rekey(ns_g_server, command, text);
result = ns_server_rekey(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_ADDZONE) ||
command_compare(command, NS_COMMAND_MODZONE)) {
result = ns_server_changezone(ns_g_server, command, text);
result = ns_server_changezone(ns_g_server, cmdline, text);
} else if (command_compare(command, NS_COMMAND_DELZONE)) {
result = ns_server_delzone(ns_g_server, command, text);
result = ns_server_delzone(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_SHOWZONE)) {
result = ns_server_showzone(ns_g_server, command, text);
result = ns_server_showzone(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_SIGNING)) {
result = ns_server_signing(ns_g_server, command, text);
result = ns_server_signing(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_ZONESTATUS)) {
result = ns_server_zonestatus(ns_g_server, command, text);
result = ns_server_zonestatus(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_NTA)) {
result = ns_server_nta(ns_g_server, command, text);
result = ns_server_nta(ns_g_server, lex, text);
} else if (command_compare(command, NS_COMMAND_TESTGEN)) {
result = ns_server_testgen(command, text);
result = ns_server_testgen(lex, text);
} else if (command_compare(command, NS_COMMAND_MKEYS)) {
result = ns_server_mkeys(ns_g_server, command, text);
result = ns_server_mkeys(ns_g_server, lex, text);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
@ -230,5 +265,9 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t **text) {
result = DNS_R_UNKNOWNCOMMAND;
}
cleanup:
if (lex != NULL)
isc_lex_destroy(&lex);
return (result);
}

54
bin/named/include/named/server.h
View file

@ -534,7 +534,8 @@ ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
*/
isc_result_t
ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_reloadcommand(ns_server_t *server, isc_lex_t *lex,
isc_buffer_t **text);
/*%<
* Act on a "reload" command from the command channel.
*/
@ -546,26 +547,28 @@ ns_server_reconfigcommand(ns_server_t *server);
*/
isc_result_t
ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_notifycommand(ns_server_t *server, isc_lex_t *lex,
isc_buffer_t **text);
/*%<
* Act on a "notify" command from the command channel.
*/
isc_result_t
ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_refreshcommand(ns_server_t *server, isc_lex_t *lex,
isc_buffer_t **text);
/*%<
* Act on a "refresh" command from the command channel.
*/
isc_result_t
ns_server_retransfercommand(ns_server_t *server, char *args,
ns_server_retransfercommand(ns_server_t *server, isc_lex_t *lex,
isc_buffer_t **text);
/*%<
* Act on a "retransfer" command from the command channel.
*/
isc_result_t
ns_server_togglequerylog(ns_server_t *server, char *args);
ns_server_togglequerylog(ns_server_t *server, isc_lex_t *lex);
/*%<
* Enable/disable logging of queries. (Takes "yes" or "no" argument,
* but can also be used as a toggle for backward comptibility.)
@ -593,25 +596,26 @@ ns_server_dumpstats(ns_server_t *server);
* Dump the current cache to the dump file.
*/
isc_result_t
ns_server_dumpdb(ns_server_t *server, char *args);
ns_server_dumpdb(ns_server_t *server, isc_lex_t *lex);
/*%
* Dump the current security roots to the secroots file.
*/
isc_result_t
ns_server_dumpsecroots(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_dumpsecroots(ns_server_t *server, isc_lex_t *lex,
isc_buffer_t **text);
/*%
* Change or increment the server debug level.
*/
isc_result_t
ns_server_setdebuglevel(ns_server_t *server, char *args);
ns_server_setdebuglevel(ns_server_t *server, isc_lex_t *lex);
/*%
* Flush the server's cache(s)
*/
isc_result_t
ns_server_flushcache(ns_server_t *server, char *args);
ns_server_flushcache(ns_server_t *server, isc_lex_t *lex);
/*%
* Flush a particular name from the server's cache. If 'tree' is false,
@ -619,7 +623,8 @@ ns_server_flushcache(ns_server_t *server, char *args);
* flush all the names under the specified name.
*/
isc_result_t
ns_server_flushnode(ns_server_t *server, char *args, isc_boolean_t tree);
ns_server_flushnode(ns_server_t *server, isc_lex_t *lex,
isc_boolean_t tree);
/*%
* Report the server's status.
@ -637,20 +642,21 @@ ns_server_tsiglist(ns_server_t *server, isc_buffer_t **text);
* Delete a specific key (with optional view).
*/
isc_result_t
ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t **text);
ns_server_tsigdelete(ns_server_t *server, isc_lex_t *lex,
isc_buffer_t **text);
/*%
* Enable or disable updates for a zone.
*/
isc_result_t
ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
isc_buffer_t **text);
ns_server_freeze(ns_server_t *server, isc_boolean_t freeze,
isc_lex_t *lex, isc_buffer_t **text);
/*%
* Dump zone updates to disk, optionally removing the journal file
*/
isc_result_t
ns_server_sync(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Update a zone's DNSKEY set from the key repository. If
@ -660,7 +666,7 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t **text);
* take place incrementally.
*/
isc_result_t
ns_server_rekey(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_rekey(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Dump the current recursive queries.
@ -678,57 +684,57 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
* Enable or disable dnssec validation.
*/
isc_result_t
ns_server_validation(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_validation(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Add a zone to a running process, or modify an existing zone
*/
isc_result_t
ns_server_changezone(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_changezone(ns_server_t *server, char *command, isc_buffer_t **text);
/*%
* Deletes a zone from a running process
*/
isc_result_t
ns_server_delzone(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_delzone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Show current configuration for a given zone
*/
isc_result_t
ns_server_showzone(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_showzone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Lists the status of the signing records for a given zone.
*/
isc_result_t
ns_server_signing(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_signing(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Lists status information for a given zone (e.g., name, type, files,
* load time, expiry, etc).
*/
isc_result_t
ns_server_zonestatus(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_zonestatus(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Adds a Negative Trust Anchor (NTA) for a specified name and
* duration, in a particular view if specified, or in all views.
*/
isc_result_t
ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_nta(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
/*%
* Generates a test sequence that is only for use in system tests. The
* argument is the size of required output in bytes.
*/
isc_result_t
ns_server_testgen(char *args, isc_buffer_t **text);
ns_server_testgen(isc_lex_t *lex, isc_buffer_t **text);
/*%
* Force fefresh or print status for managed keys zones.
*/
isc_result_t
ns_server_mkeys(ns_server_t *server, char *args, isc_buffer_t **text);
ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
#endif /* NAMED_SERVER_H */

2
bin/named/main.c
View file

@ -666,7 +666,7 @@ parse_command_line(int argc, char *argv[]) {
printf("linked to libxml2 version: %s\n",
xmlParserVersion);
#endif
#ifdef HAVE_JSON
#if defined(HAVE_JSON) && defined(JSON_C_VERSION)
printf("compiled with libjson-c version: %s\n",
JSON_C_VERSION);
printf("linked to libjson-c version: %s\n",

2
bin/named/named.conf.5
View file

@ -257,7 +257,6 @@ options {
transfers\-per\-ns \fIinteger\fR;
transfers\-in \fIinteger\fR;
transfers\-out \fIinteger\fR;
use\-ixfr \fIboolean\fR;
version ( \fIquoted_string\fR | none );
allow\-recursion { \fIaddress_match_element\fR; \&.\&.\&. };
allow\-recursion\-on { \fIaddress_match_element\fR; \&.\&.\&. };
@ -410,6 +409,7 @@ options {
serial\-queries \fIinteger\fR; // obsolete
treat\-cr\-as\-space \fIboolean\fR; // obsolete
use\-id\-pool \fIboolean\fR; // obsolete
use\-ixfr \fIboolean\fR; // obsolete
};
.fi
.if n \{\

2
bin/named/named.conf.docbook
View file

@ -240,7 +240,6 @@ options {
transfers-per-ns <replaceable>integer</replaceable>;
transfers-in <replaceable>integer</replaceable>;
transfers-out <replaceable>integer</replaceable>;
use-ixfr <replaceable>boolean</replaceable>;
version ( <replaceable>quoted_string</replaceable> | none );
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
@ -408,6 +407,7 @@ options {
serial-queries <replaceable>integer</replaceable>; // obsolete
treat-cr-as-space <replaceable>boolean</replaceable>; // obsolete
use-id-pool <replaceable>boolean</replaceable>; // obsolete
use-ixfr <replaceable>boolean</replaceable>; // obsolete
};
</literallayout>
</refsection>

2
bin/named/named.conf.html
View file

@ -200,7 +200,6 @@ options
transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
transfers-in <em class="replaceable"><code>integer</code></em>;<br>
transfers-out <em class="replaceable"><code>integer</code></em>;<br>
use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -368,6 +367,7 @@ options
serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br>
treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
use-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
};<br>
</p></div>
</div>

432
bin/named/server.c
View file

File diff suppressed because it is too large Load diff

65
bin/named/statschannel.c
View file

@ -80,6 +80,41 @@ static isc_once_t once = ISC_ONCE_INIT;
#undef EXTENDED_STATS
#endif
#ifdef EXTENDED_STATS
static const char *
user_zonetype( dns_zone_t *zone ) {
dns_zonetype_t ztype;
dns_view_t *view;
static const struct zt {
const dns_zonetype_t type;
const char *const string;
} typemap[] = {
{ dns_zone_none, "none" },
{ dns_zone_master, "master" },
{ dns_zone_slave, "slave" },
{ dns_zone_stub, "stub" },
{ dns_zone_staticstub, "static-stub" },
{ dns_zone_key, "key" },
{ dns_zone_dlz, "dlz" },
{ dns_zone_redirect, "redirect" },
{ 0, NULL }
};
const struct zt *tp;
if ((dns_zone_getoptions2(zone) & DNS_ZONEOPT2_AUTOEMPTY) != 0)
return ("builtin");
view = dns_zone_getview(zone);
if (view != NULL && strcmp(view->name, "_bind") == 0)
return ("builtin");
ztype = dns_zone_gettype(zone);
for (tp = typemap; tp->string != NULL && tp->type != ztype; tp++)
/* empty */;
return (tp->string);
}
#endif
/*%
* Statistics descriptions. These could be statistically initialized at
* compile time, but we configure them run time in the init_desc() function
@ -1296,6 +1331,7 @@ zone_xmlrender(dns_zone_t *zone, void *arg) {
isc_uint64_t nsstat_values[dns_nsstatscounter_max];
int xmlrc;
stats_dumparg_t dumparg;
const char *ztype;
statlevel = dns_zone_getstatlevel(zone);
if (statlevel == dns_zonestat_none)
@ -1315,6 +1351,14 @@ zone_xmlrender(dns_zone_t *zone, void *arg) {
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "rdataclass",
ISC_XMLCHAR buf));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "type"));
ztype = user_zonetype(zone);
if (ztype != NULL)
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR ztype));
else
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "unknown"));
TRY0(xmlTextWriterEndElement(writer)); /* type */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"));
if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS)
TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial));
@ -1418,6 +1462,9 @@ generatexml(ns_server_t *server, isc_uint32_t flags,
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
TRY0(xmlTextWriterEndElement(writer)); /* current-time */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "version"));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR ns_g_version));
TRY0(xmlTextWriterEndElement(writer)); /* version */
if ((flags & STATS_XML_SERVER) != 0) {
dumparg.result = ISC_R_SUCCESS;
@ -1896,8 +1943,8 @@ wrap_jsonfree(isc_buffer_t *buffer, void *arg) {
}
static json_object *
addzone(char *name, char *class, isc_uint32_t serial,
isc_boolean_t add_serial)
addzone(char *name, char *class, const char *ztype,
isc_uint32_t serial, isc_boolean_t add_serial)
{
json_object *node = json_object_new_object();
@ -1909,6 +1956,9 @@ addzone(char *name, char *class, isc_uint32_t serial,
if (add_serial)
json_object_object_add(node, "serial",
json_object_new_int64(serial));
if (ztype != NULL)
json_object_object_add(node, "type",
json_object_new_string(ztype));
return (node);
}
@ -1940,9 +1990,11 @@ zone_jsonrender(dns_zone_t *zone, void *arg) {
class_only = class;
if (dns_zone_getserial2(zone, &serial) != ISC_R_SUCCESS)
zoneobj = addzone(zone_name_only, class_only, 0, ISC_FALSE);
zoneobj = addzone(zone_name_only, class_only,
user_zonetype(zone), 0, ISC_FALSE);
else
zoneobj = addzone(zone_name_only, class_only, serial, ISC_TRUE);
zoneobj = addzone(zone_name_only, class_only,
user_zonetype(zone), serial, ISC_TRUE);
if (zoneobj == NULL)
return (ISC_R_NOMEMORY);
@ -2057,6 +2109,9 @@ generatejson(ns_server_t *server, size_t *msglen,
obj = json_object_new_string(nowstr);
CHECKMEM(obj);
json_object_object_add(bindstats, "current-time", obj);
obj = json_object_new_string(ns_g_version);
CHECKMEM(obj);
json_object_object_add(bindstats, "version", obj);
if ((flags & STATS_JSON_SERVER) != 0) {
/* OPCODE counters */
@ -2466,7 +2521,7 @@ render_json(isc_uint32_t flags,
json_object *bindstats = NULL;
ns_server_t *server = arg;
const char *msg = NULL;
size_t msglen;
size_t msglen = 0;
char *p;
UNUSED(url);

2
bin/nsupdate/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

3
bin/python/dnssec-checkds.py.in
View file

@ -303,7 +303,8 @@ def parse_args():
default=os.path.join(prefix(sbindir),
'dnssec-dsfromkey'),
type=str, help='path to \'dig\'')
parser.add_argument('-v', '--version', action='version', version='9.9.1')
parser.add_argument('-v', '--version', action='version',
version='@BIND9_VERSION@')
args = parser.parse_args()
args.zone = args.zone.strip('.')

3
bin/python/dnssec-coverage.py.in
View file

@ -694,7 +694,8 @@ def parse_args():
parser.add_argument('-D', '--debug', dest='debug_mode',
action='store_true', default=False,
help='Turn on debugging output')
parser.add_argument('-v', '--version', action='version', version='9.9.1')
parser.add_argument('-v', '--version', action='version',
version='@BIND9_VERSION@')
args = parser.parse_args()

2
bin/rndc/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

6
bin/tests/Makefile.in
View file

@ -59,7 +59,6 @@ XTARGETS = adb_test@EXEEXT@ \
backtrace_test@EXEEXT@ \
backtrace_test_nosymtbl@EXEEXT@ \
byname_test@EXEEXT@ \
compress_test@EXEEXT@ \
db_test@EXEEXT@ \
entropy_test@EXEEXT@ \
entropy2_test@EXEEXT@ \
@ -99,7 +98,6 @@ XSRCS = adb_test.c \
byaddr_test.c \
backtrace_test.c \
byname_test.c \
compress_test.c \
db_test.c \
entropy_test.c \
entropy2_test.c \
@ -258,10 +256,6 @@ db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ db_test.@O@ \
${DNSLIBS} ${ISCLIBS} ${LIBS}
compress_test@EXEEXT@: compress_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ compress_test.@O@ \
${DNSLIBS} ${ISCLIBS} ${LIBS}
mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ mempool_test.@O@ \
${ISCLIBS} ${LIBS}

173
bin/tests/atomic/t_atomic.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (C) 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2011, 2013, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: t_atomic.c,v 1.2 2011/01/11 23:47:12 tbox Exp $ */
#include <config.h>
#include <ctype.h>
@ -38,7 +36,9 @@ char *progname;
isc_mem_t *mctx = NULL;
isc_taskmgr_t *task_manager = NULL;
#if defined(ISC_PLATFORM_HAVEXADD) || defined(ISC_PLATFORM_HAVEXADDQ)
#if defined(ISC_PLATFORM_HAVEXADD) || defined(ISC_PLATFORM_HAVEXADDQ) || \
defined(ISC_PLATFORM_HAVEATOMICSTORE) || \
defined(ISC_PLATFORM_HAVEATOMICSTOREQ)
static void
setup(void) {
/* 1 */ CHECK(isc_mem_create(0, 0, &mctx));
@ -65,14 +65,10 @@ typedef struct {
counter_t counters[TASKS];
void do_xaddq(isc_task_t *task, isc_event_t *ev);
#if defined(ISC_PLATFORM_HAVEXADD)
isc_int32_t counter_32;
static isc_int32_t counter_32;
void do_xadd(isc_task_t *task, isc_event_t *ev);
void
static void
do_xadd(isc_task_t *task, isc_event_t *ev) {
counter_t *state = (counter_t *)ev->ev_arg;
int i;
@ -128,11 +124,9 @@ test_atomic_xadd() {
#endif
#if defined(ISC_PLATFORM_HAVEXADDQ)
isc_int64_t counter_64;
static isc_int64_t counter_64;
void do_xaddq(isc_task_t *task, isc_event_t *ev);
void
static void
do_xaddq(isc_task_t *task, isc_event_t *ev) {
counter_t *state = (counter_t *)ev->ev_arg;
int i;
@ -188,6 +182,151 @@ test_atomic_xaddq() {
}
#endif
#ifdef ISC_PLATFORM_HAVEATOMICSTORE
static isc_int32_t store_32;
static void
do_store(isc_task_t *task, isc_event_t *ev) {
counter_t *state = (counter_t *)ev->ev_arg;
int i;
isc_uint8_t r;
isc_uint32_t val;
r = random() % 256;
val = (r << 24) | (r << 16) | (r << 8) | r;
for (i = 0 ; i < COUNTS_PER_ITERATION ; i++) {
isc_atomic_store(&store_32, val);
}
state->iteration++;
if (state->iteration < ITERATIONS) {
isc_task_send(task, &ev);
} else {
isc_event_free(&ev);
}
}
static void
test_atomic_store() {
int test_result;
isc_task_t *tasks[TASKS];
isc_event_t *event;
int i;
isc_uint8_t r;
isc_uint32_t val;
t_assert("test_atomic_store", 1, T_REQUIRED, "%s",
"ensure that isc_atomic_store() works.");
setup();
memset(counters, 0, sizeof(counters));
store_32 = 0;
/*
* Create our tasks, and allocate an event to get the counters
* going.
*/
for (i = 0 ; i < TASKS ; i++) {
tasks[i] = NULL;
CHECK(isc_task_create(task_manager, 0, &tasks[i]));
event = isc_event_allocate(mctx, NULL, 1000, do_store,
&counters[i],
sizeof(struct isc_event));
isc_task_sendanddetach(&tasks[i], &event);
}
teardown();
test_result = T_PASS;
r = store_32 & 0xff;
val = (r << 24) | (r << 16) | (r << 8) | r;
t_info("32-bit store 0x%x, expected 0x%x\n",
(isc_uint32_t) store_32, val);
if ((isc_uint32_t) store_32 != val)
test_result = T_FAIL;
t_result(test_result);
store_32 = 0;
}
#endif
#if defined(ISC_PLATFORM_HAVEATOMICSTOREQ)
static isc_int64_t store_64;
static void
do_storeq(isc_task_t *task, isc_event_t *ev) {
counter_t *state = (counter_t *)ev->ev_arg;
int i;
isc_uint8_t r;
isc_uint64_t val;
r = random() % 256;
val = (((isc_uint64_t) r << 24) |
((isc_uint64_t) r << 16) |
((isc_uint64_t) r << 8) |
(isc_uint64_t) r);
val |= ((isc_uint64_t) val << 32);
for (i = 0 ; i < COUNTS_PER_ITERATION ; i++) {
isc_atomic_storeq(&store_64, val);
}
state->iteration++;
if (state->iteration < ITERATIONS) {
isc_task_send(task, &ev);
} else {
isc_event_free(&ev);
}
}
static void
test_atomic_storeq() {
int test_result;
isc_task_t *tasks[TASKS];
isc_event_t *event;
int i;
isc_uint8_t r;
isc_uint64_t val;
t_assert("test_atomic_storeq", 1, T_REQUIRED, "%s",
"ensure that isc_atomic_storeq() works.");
setup();
memset(counters, 0, sizeof(counters));
store_64 = 0;
/*
* Create our tasks, and allocate an event to get the counters going.
*/
for (i = 0 ; i < TASKS ; i++) {
tasks[i] = NULL;
CHECK(isc_task_create(task_manager, 0, &tasks[i]));
event = isc_event_allocate(mctx, NULL, 1000, do_storeq,
&counters[i], sizeof(struct isc_event));
isc_task_sendanddetach(&tasks[i], &event);
}
teardown();
test_result = T_PASS;
r = store_64 & 0xff;
val = (((isc_uint64_t) r << 24) |
((isc_uint64_t) r << 16) |
((isc_uint64_t) r << 8) |
(isc_uint64_t) r);
val |= ((isc_uint64_t) val << 32);
t_info("64-bit store 0x%"ISC_PRINT_QUADFORMAT"x, expected 0x%"ISC_PRINT_QUADFORMAT"x\n",
(isc_uint64_t) store_64, val);
if ((isc_uint64_t) store_64 != val)
test_result = T_FAIL;
t_result(test_result);
store_64 = 0;
}
#endif /* ISC_PLATFORM_HAVEATOMICSTOREQ */
testspec_t T_testlist[] = {
#if defined(ISC_PLATFORM_HAVEXADD)
@ -195,6 +334,12 @@ testspec_t T_testlist[] = {
#endif
#if defined(ISC_PLATFORM_HAVEXADDQ)
{ (PFV) test_atomic_xaddq, "test_atomic_xaddq" },
#endif
#ifdef ISC_PLATFORM_HAVEATOMICSTORE
{ (PFV) test_atomic_store, "test_atomic_store" },
#endif
#if defined(ISC_PLATFORM_HAVEXADDQ)
{ (PFV) test_atomic_storeq, "test_atomic_storeq" },
#endif
{ (PFV) 0, NULL }
};

195
bin/tests/compress_test.c
View file

@ -1,195 +0,0 @@
/*
* Copyright (C) 2004-2007, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: compress_test.c,v 1.34 2007/06/18 23:47:26 tbox Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <string.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/util.h>
#include <dns/compress.h>
#include <dns/name.h>
unsigned char plain1[] = "\003yyy\003foo";
unsigned char plain2[] = "\003bar\003yyy\003foo";
unsigned char plain3[] = "\003xxx\003bar\003foo";
unsigned char plain[] = "\003yyy\003foo\0\003bar\003yyy\003foo\0\003"
"bar\003yyy\003foo\0\003xxx\003bar\003foo";
/*
* Result concatenate (plain1, plain2, plain2, plain3).
*/
int raw = 0;
int verbose = 0;
void
test(unsigned int, dns_name_t *, dns_name_t *, dns_name_t *,
unsigned char *, unsigned int);
int
main(int argc, char *argv[]) {
dns_name_t name1;
dns_name_t name2;
dns_name_t name3;
isc_region_t region;
int c;
while ((c = isc_commandline_parse(argc, argv, "rv")) != -1) {
switch (c) {
case 'r':
raw++;
break;
case 'v':
verbose++;
break;
}
}
dns_name_init(&name1, NULL);
region.base = plain1;
region.length = sizeof(plain1);
dns_name_fromregion(&name1, &region);
dns_name_init(&name2, NULL);
region.base = plain2;
region.length = sizeof(plain2);
dns_name_fromregion(&name2, &region);
dns_name_init(&name3, NULL);
region.base = plain3;
region.length = sizeof(plain3);
dns_name_fromregion(&name3, &region);
test(DNS_COMPRESS_NONE, &name1, &name2, &name3, plain, sizeof(plain));
test(DNS_COMPRESS_GLOBAL14, &name1, &name2, &name3, plain,
sizeof(plain));
test(DNS_COMPRESS_ALL, &name1, &name2, &name3, plain, sizeof(plain));
return (0);
}
void
test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
dns_name_t *name3, unsigned char *result, unsigned int length)
{
isc_mem_t *mctx = NULL;
dns_compress_t cctx;
dns_decompress_t dctx;
isc_buffer_t source;
isc_buffer_t target;
dns_name_t name;
unsigned char buf1[1024];
unsigned char buf2[1024];
if (verbose) {
const char *s;
switch (allowed) {
case DNS_COMPRESS_NONE: s = "DNS_COMPRESS_NONE"; break;
case DNS_COMPRESS_GLOBAL14: s = "DNS_COMPRESS_GLOBAL14"; break;
/* case DNS_COMPRESS_ALL: s = "DNS_COMPRESS_ALL"; break; */
default: s = "UNKNOWN"; break;
}
fprintf(stdout, "Allowed = %s\n", s);
}
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
isc_buffer_init(&source, buf1, sizeof(buf1));
RUNTIME_CHECK(dns_compress_init(&cctx, -1, mctx) == ISC_R_SUCCESS);
RUNTIME_CHECK(dns_name_towire(name1, &cctx, &source) == ISC_R_SUCCESS);
/*
RUNTIME_CHECK(dns_compress_localinit(&cctx, name1, &source) ==
ISC_R_SUCCESS);
*/
dns_compress_setmethods(&cctx, allowed);
RUNTIME_CHECK(dns_name_towire(name2, &cctx, &source) == ISC_R_SUCCESS);
RUNTIME_CHECK(dns_name_towire(name2, &cctx, &source) == ISC_R_SUCCESS);
RUNTIME_CHECK(dns_name_towire(name3, &cctx, &source) == ISC_R_SUCCESS);
/*
dns_compress_localinvalidate(&cctx);
*/
dns_compress_rollback(&cctx, 0); /* testing only */
dns_compress_invalidate(&cctx);
if (raw) {
unsigned int i;
for (i = 0; i < source.used; /* */ ) {
fprintf(stdout, "%02x",
((unsigned char *)source.base)[i]);
if ((++i % 20) == 0)
fputs("\n", stdout);
else
if (i == source.used)
fputs("\n", stdout);
else
fputs(" ", stdout);
}
}
isc_buffer_setactive(&source, source.used);
isc_buffer_init(&target, buf2, sizeof(buf2));
dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
dns_name_init(&name, NULL);
RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
&target) == ISC_R_SUCCESS);
dns_decompress_setmethods(&dctx, allowed);
/*
dns_decompress_localinit(&dctx, &name, &source);
*/
RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
&target) == ISC_R_SUCCESS);
RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
&target) == ISC_R_SUCCESS);
RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
&target) == ISC_R_SUCCESS);
/*
dns_decompress_localinvalidate(&dctx);
*/
dns_decompress_invalidate(&dctx);
if (raw) {
unsigned int i;
for (i = 0; i < target.used; /* */ ) {
fprintf(stdout, "%02x",
((unsigned char *)target.base)[i]);
if ((++i % 20) == 0)
fputs("\n", stdout);
else
if (i == target.used)
fputs("\n", stdout);
else
fputs(" ", stdout);
}
fputs("\n", stdout);
fflush(stdout);
}
RUNTIME_CHECK(target.used == length);
RUNTIME_CHECK(memcmp(target.base, result, target.used) == 0);
isc_mem_destroy(&mctx);
}

3
bin/tests/db_test.c
View file

@ -295,7 +295,8 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
dns_dbtable_adddefault(dbtable, dbi->db);
cache_dbi = dbi;
} else {
if (dns_dbtable_add(dbtable, dbi->db) != ISC_R_SUCCESS) {
result = dns_dbtable_add(dbtable, dbi->db);
if (result != ISC_R_SUCCESS) {
dns_db_detach(&dbi->db);
isc_mem_put(mctx, dbi, sizeof(*dbi));
return (result);

38
bin/tests/system/autosign/clean.sh
View file

@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2009-2014 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2009-2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -15,42 +15,44 @@
# PERFORMANCE OF THIS SOFTWARE.
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f activate-now-publish-1day.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f missingzsk.key inactivezsk.key
rm -f nsupdate.out
rm -f */core
rm -f */example.bk
rm -f */named.memstats
rm -f activate-now-publish-1day.key
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f sync.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f dig.out.*
rm -f digcomp.out.test*
rm -f missingzsk.key inactivezsk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/named.lock
rm -f ns1/root.db
rm -f ns2/example.db
rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
rm -f ns3/sync.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/nsec.example.db
rm -f ns3/nsec3-to-nsec.example.db
rm -f ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db
rm -f ns3/nsec3-to-nsec.example.db
rm -f ns3/oldsigs.example.db
rm -f ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
rm -f ns3/prepub.example.db
rm -f ns3/prepub.example.db.in
rm -f ns3/reconf.example.db
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/secure-to-insecure.example.db
rm -f ns3/secure-to-insecure2.example.db
rm -f ns3/secure.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
rm -f ns3/secure-to-insecure.example.db
rm -f ns3/prepub.example.db
rm -f ns3/prepub.example.db.in
rm -f ns3/secure-to-insecure2.example.db
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/reconf.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/ttl*.db
rm -f nsupdate.out
rm -f signing.out.*
rm -f ns3/*.nzf
rm -f digcomp.out.test*
rm -f ns*/named.lock

4
bin/tests/system/autosign/ns2/keygen.sh
View file

@ -1,6 +1,6 @@
#!/bin/sh -e
#
# Copyright (C) 2009-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2009-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -20,7 +20,7 @@ SYSTEMTESTTOP=../..
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
do
cp ../ns3/dsset-$subdomain.example. .
done

12
bin/tests/system/autosign/ns3/keygen.sh
View file

@ -1,6 +1,6 @@
#!/bin/sh -e
#
# Copyright (C) 2009-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2009-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -262,3 +262,13 @@ setup reconf.example
cp secure.example.db.in $zonefile
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
#
# A zone which generates a CDS and CDNSEY RRsets automatically
#
setup sync.example
cp $infile $zonefile
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
echo ns3/$ksk > ../sync.key

10
bin/tests/system/autosign/ns3/named.conf
View file

@ -1,5 +1,5 @@
/*
* Copyright (C) 2009-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2009-2013, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -243,4 +243,12 @@ zone "inaczsk.example" {
allow-update { any; };
auto-dnssec maintain;
};
zone "sync.example" {
type master;
file "sync.example.db";
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";

37
bin/tests/system/autosign/ns3/sync.example.db.in Normal file
View file

@ -0,0 +1,37 @@
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2

30
bin/tests/system/autosign/tests.sh
View file

@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2009-2014 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2009-2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -1170,5 +1170,33 @@ if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:test CDS and CDNSKEY auto generation ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
n=`expr $n + 1`
if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
$SETTIME -D sync now+2 `cat sync.key`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys sync.example
echo "I:waiting for deletion to occur"
sleep 3
echo "I:checking that the CDS and CDNSKEY are deleted ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null && ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null && ret=1
n=`expr $n + 1`
if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status

2
bin/tests/system/builtin/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

12
bin/tests/system/conf.sh.in
View file

@ -71,8 +71,8 @@ SUBDIRS="acl additional allow_query addzone autosign builtin
dname dns64 dnssec dsdigest dscp @DNSTAP@ ecdsa ednscompliance
emptyzones fetchlimit filter-aaaa formerr forward geoip glue gost
ixfr inline legacy limits logfileconfig lwresd masterfile
masterformat metadata mkeys notify nslookup nsupdate pending
pipelined @PKCS11_TEST@ reclimit redirect resolver rndc
masterformat metadata mkeys names notify nslookup nsupdate
pending pipelined @PKCS11_TEST@ reclimit redirect resolver rndc
rpz rpzrecurse rrl rrchecker rrsetorder rsabigexponent
runtime sfcache smartsign sortlist spf staticstub statistics
stub tcp tkey tsig tsiggss unknown upforwd verify views
@ -101,6 +101,14 @@ else
TESTSOCK6=false
fi
#
# Determine if we support various optional features.
#
CHECK_DSA=@CHECK_DSA@
XMLSTATS=@XMLSTATS@
JSONSTATS=@JSONSTATS@
ZLIB=@ZLIB@
. ${TOP}/version
export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \

2
bin/tests/system/dlzexternal/Makefile.in
View file

@ -18,7 +18,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/dnssec/tests.sh
View file

@ -1674,11 +1674,13 @@ ret=0
#
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 20s bogus.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta badds.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig # reconfig should maintain NTAs
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1
lines=`wc -l < rndc.out.ns4.test$n.1`
[ "$lines" -eq 2 ] || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta secure.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta fakenode.secure.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reload # reload should maintain NTAs
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.2
lines=`wc -l < rndc.out.ns4.test$n.2`
[ "$lines" -eq 4 ] || ret=1

2
bin/tests/system/dyndb/Makefile.in
View file

@ -16,7 +16,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/dyndb/driver/driver.c
View file

@ -44,7 +44,7 @@ dns_dyndb_version_t dyndb_version;
* @code
* dyndb example-name "sample.so" { param1 param2 };
* @endcode
*
*
* @param[in] name User-defined string from dyndb "name" {}; definition
* in named.conf.
* The example above will have name = "example-name".

2
bin/tests/system/dyndb/driver/log.c
View file

@ -9,7 +9,7 @@
#include <dns/log.h>
#include "log.h"
void
log_write(int level, const char *format, ...) {
va_list args;

2
bin/tests/system/filter-aaaa/Makefile.in
View file

@ -18,7 +18,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/geoip/Makefile.in
View file

@ -18,7 +18,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/lwresd/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

20
bin/tests/system/names/clean.sh Normal file
View file

@ -0,0 +1,20 @@
#!/bin/sh
#
# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
rm -f dig.*.test*
rm -f ns*/named.lock
rm -f ns*/named.memstats
rm -f ns*/named.pid

54
bin/tests/system/names/ns1/example.db Normal file
View file

@ -0,0 +1,54 @@
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns1
ns1 A 10.53.0.1
@ MX 0 m1.mail-servers.example.
@ MX 0 m2.mail-servers.example.
@ MX 0 m3.mail-servers.example.
@ MX 0 m4.mail-servers.example.
@ MX 0 m5.mail-servers.example.
@ MX 0 m6.mail-servers.example.
@ MX 0 m7.mail-servers.example.
@ MX 0 m8.mail-servers.example.
@ MX 0 m9.mail-servers.example.
@ MX 0 m10.mail-servers.example.
@ MX 0 m11.mail-servers.example.
@ MX 0 m12.mail-servers.example.
@ MX 0 m13.mail-servers.example.
@ MX 0 m14.mail-servers.example.
@ MX 0 m15.mail-servers.example.
@ MX 0 m16.mail-servers.example.
@ MX 0 m17.mail-servers.example.
@ MX 0 m18.mail-servers.example.
@ MX 0 m19.mail-servers.example.
@ MX 0 m20.mail-servers.example.
@ MX 0 m21.mail-servers.example.
@ MX 0 m22.mail-servers.example.
@ MX 0 m23.mail-servers.example.
@ MX 0 m24.mail-servers.example.
@ MX 0 m25.mail-servers.example.
@ MX 0 m26.mail-servers.example.
@ MX 0 m27.mail-servers.example.
@ MX 0 m28.mail-servers.example.
@ MX 0 m29.mail-servers.example.

49
bin/tests/system/names/ns1/named.conf Normal file
View file

@ -0,0 +1,49 @@
/*
* Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
ixfr-from-differences yes;
check-integrity no;
};
view compress {
match-clients { 10.53.0.1/32; };
zone "example" {
type master;
file "example.db";
};
};
view nocompress {
match-clients { 10.53.0.2/32; };
message-compression no;
zone "example" {
type master;
file "example.db";
};
};

15
bin/tests/system/names/setup.sh Normal file
View file

@ -0,0 +1,15 @@
# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
sh clean.sh

51
bin/tests/system/names/tests.sh Normal file
View file

@ -0,0 +1,51 @@
#!/bin/sh
#
# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+nosea +stat +noquest +nocomm +nocmd"
status=0
echo "I:Getting message size with compression enabled"
$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 -p 5300 mx example > dig.compen.test
COMPEN=`grep ';; MSG SIZE' dig.compen.test |sed -e "s/.*: //g"`
cat dig.compen.test |grep -v ';;' |sort > dig.compen.sorted.test
echo "I:Getting message size with compression disabled"
$DIG $DIGOPTS -b 10.53.0.2 @10.53.0.1 -p 5300 mx example > dig.compdis.test
COMPDIS=`grep ';; MSG SIZE' dig.compdis.test |sed -e "s/.*: //g"`
cat dig.compdis.test |grep -v ';;' |sort > dig.compdis.sorted.test
# the compression disabled message should be at least twice as large as with
# compression disabled, but the content should be the same
echo "I:Checking if responses are identical other than in message size"
diff dig.compdis.sorted.test dig.compen.sorted.test >/dev/null
ret=$?
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:Checking if message with compression disabled is significantly larger"
echo "I: Disabled $COMPDIS vs enabled $COMPEN"
val=`expr \( $COMPDIS \* 3 / 2 \) / $COMPEN`
if [ $val -le 1 ]; then
echo "I:failed"
status=`expr $status + 1`
fi;
echo "I:exit status: $status"
exit $status

2
bin/tests/system/pipelined/Makefile.in
View file

@ -16,7 +16,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/resolver/Makefile.in
View file

@ -16,7 +16,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/rndc/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

11
bin/tests/system/rndc/ns4/named.conf.in
View file

@ -1,5 +1,5 @@
/*
* Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
controls { /* empty */ };
options {
@ -26,3 +24,10 @@ options {
recursion yes;
};
view normal {
match-clients { any; };
};
view "view with a space" {
match-clients { none; };
};

9
bin/tests/system/rndc/tests.sh
View file

@ -344,7 +344,7 @@ status=`expr $status + $ret`
echo "I:testing automatic zones are reported"
ret=0
$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf status > rndc.status || ret=1
grep "number of zones: 99 (98 automatic)" rndc.status > /dev/null || ret=1
grep "number of zones: 198 (196 automatic)" rndc.status > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@ -411,6 +411,13 @@ grep "ISC_R_SUCCESS 0" rndc.output > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing rndc with a token containing a space"
ret=0
$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf -r flush '"view with a space"' 2>&1 > rndc.output || ret=1
grep "not found" rndc.output > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:test 'rndc reconfig' with a broken config"
ret=0
$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf reconfig > /dev/null || ret=1

2
bin/tests/system/rpz/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

12
bin/tests/system/rrchecker/tests.sh
View file

@ -21,15 +21,15 @@ status=0
t=0
echo "I:class list"
$RRCHECKER -C > classlist.out
$RRCHECKER -C > classlist.out
diff classlist.out classlist.good || { echo "I:failed"; status=`expr $status + 1`; }
echo "I:type list"
$RRCHECKER -T > typelist.out
$RRCHECKER -T > typelist.out
diff typelist.out typelist.good || { echo "I:failed"; status=`expr $status + 1`; }
echo "I:private type list"
$RRCHECKER -P > privatelist.out
$RRCHECKER -P > privatelist.out
diff privatelist.out privatelist.good || { echo "I:failed"; status=`expr $status + 1`; }
myecho() {
@ -44,7 +44,7 @@ $SHELL ../genzone.sh 0 > tempzone
$CHECKZONE -Dq . tempzone | sed '/^;/d' |
while read -r n tt cl ty rest
do
myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || {
myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || {
ret=1
echo "I: '$cl $ty $rest' not handled."
}
@ -61,12 +61,12 @@ ret=0
$CHECKZONE -Dq . tempzone | sed '/^;/d' |
while read -r n tt cl ty rest
do
myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || {
myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || {
ret=1
echo "I: '$cl $ty $rest' not converted to unknown record format"
}
read -r clu tyu restu < checker.out
myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || {
myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || {
ret=1
echo "I: '$cl $ty $rest' not converted back to canonical format"
}

2
bin/tests/system/rsabigexponent/Makefile.in
View file

@ -18,7 +18,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/statistics/Makefile.in
View file

@ -16,7 +16,7 @@ srcdir= @srcdir@
VPATH= @srcdir@
top_srcdir= @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

12
bin/tests/system/statistics/tests.sh
View file

@ -130,5 +130,17 @@ fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
ret=0
n=`expr $n + 1`
echo "I:checking that zones return their type ($n)"
if ./xmlstats && [ -x ${CURL} ] ; then
${CURL} http://10.53.0.1:8053/xml/v3/zones > curl.out.${t} 2>/dev/null || ret=1
grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN"><type>master</type>' curl.out.${t} > /dev/null || ret=1
else
echo "I:skipping test as libxml2 and/or curl was not found"
fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status

45
bin/tests/system/statschannel/tests.sh
View file

@ -19,7 +19,11 @@ SYSTEMTESTTOP=..
DIGCMD="$DIG @10.53.0.2 -p 5300"
if $PERL -e 'use JSON;' 2>/dev/null
if [ ! "$JSONSTATS" ]
then
unset PERL_JSON
echo "I:JSON was not configured; skipping" >&2
elif $PERL -e 'use JSON;' 2>/dev/null
then
PERL_JSON=1
else
@ -27,7 +31,11 @@ else
echo "I:JSON tests require JSON library; skipping" >&2
fi
if $PERL -e 'use XML::Simple;' 2>/dev/null
if [ ! "$XMLSTATS" ]
then
unset PERL_XML
echo "I:XML was not configured; skipping" >&2
elif $PERL -e 'use XML::Simple;' 2>/dev/null
then
PERL_XML=1
else
@ -143,10 +151,10 @@ if [ $PERL_XML ]; then
file=`$PERL fetch.pl xml/v3/server`
mv $file xml.stats
$PERL server-xml.pl > xml.fmtstats 2> /dev/null
xml_query_count=`awk '/opcode QUERY/ { print $NF }' xml.fmtstats`
xml_query_count=`awk '/opcode QUERY/ { print $NF }' xml.fmtstats`
xml_query_count=${xml_query_count:-0}
[ "$query_count" -eq "$xml_query_count" ] || ret=1
xml_txt_count=`awk '/qtype TXT/ { print $NF }' xml.fmtstats`
xml_txt_count=`awk '/qtype TXT/ { print $NF }' xml.fmtstats`
xml_txt_count=${xml_txt_count:-0}
[ "$txt_count" -eq "$xml_txt_count" ] || ret=1
fi
@ -154,10 +162,10 @@ if [ $PERL_JSON ]; then
file=`$PERL fetch.pl json/v1/server`
mv $file json.stats
$PERL server-json.pl > json.fmtstats 2> /dev/null
json_query_count=`awk '/opcode QUERY/ { print $NF }' json.fmtstats`
json_query_count=`awk '/opcode QUERY/ { print $NF }' json.fmtstats`
json_query_count=${json_query_count:-0}
[ "$query_count" -eq "$json_query_count" ] || ret=1
json_txt_count=`awk '/qtype TXT/ { print $NF }' json.fmtstats`
json_txt_count=`awk '/qtype TXT/ { print $NF }' json.fmtstats`
json_txt_count=${json_txt_count:-0}
[ "$txt_count" -eq "$json_txt_count" ] || ret=1
fi
@ -165,13 +173,18 @@ if [ $ret != 0 ]; then echo "I: failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
ret=0
echo "I:checking consistency between regular and compressed output ($n)"
$CURL -D regular.headers \
http://10.53.0.2:8853/xml/v3/server 2>/dev/null | \
if [ "$XMLSTATS" ];
then
URL=http://10.53.0.2:8853/xml/v3/server
else
URL=http://10.53.0.2:8853/json/v1/server
fi
$CURL -D regular.headers $URL 2>/dev/null | \
sed -e "s#<current-time>.*</current-time>##g" > regular.out
$CURL -D compressed.headers --compressed \
http://10.53.0.2:8853/xml/v3/server 2>/dev/null | \
$CURL -D compressed.headers --compressed $URL 2>/dev/null | \
sed -e "s#<current-time>.*</current-time>##g" > compressed.out
diff regular.out compressed.out >/dev/null || ret=1
if [ $ret != 0 ]; then echo "I: failed"; fi
@ -180,14 +193,18 @@ n=`expr $n + 1`
ret=0
echo "I:checking if compressed output is really compressed ($n)"
REGSIZE=`cat regular.headers | \
if [ "$ZLIB" ];
then
REGSIZE=`cat regular.headers | \
grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/"`
COMPSIZE=`cat compressed.headers | \
COMPSIZE=`cat compressed.headers | \
grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/"`
if [ ! `expr $REGSIZE / $COMPSIZE` -gt 2 ]; then
if [ ! `expr $REGSIZE / $COMPSIZE` -gt 2 ]; then
ret=1
fi
else
echo "I:skipped"
fi
if [ $ret != 0 ]; then echo "I: failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`

2
bin/tests/system/tkey/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tests/system/tsiggss/Makefile.in
View file

@ -18,7 +18,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

2
bin/tools/Makefile.in
View file

@ -18,7 +18,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

33
configure vendored
View file

@ -717,6 +717,7 @@ ISC_PLATFORM_USEMACASM
ISC_PLATFORM_USESTDASM
ISC_PLATFORM_USEOSFASM
ISC_PLATFORM_USEGCCASM
ISC_PLATFORM_HAVEATOMICSTOREQ
ISC_PLATFORM_HAVEATOMICSTORE
ISC_PLATFORM_HAVECMPXCHG
ISC_PLATFORM_HAVEXADDQ
@ -814,6 +815,9 @@ IRIX_DNSSEC_WARNINGS_HACK
MKDEPPROG
MKDEPCFLAGS
MKDEPCC
ZLIB
JSONSTATS
XMLSTATS
PKCS11_TEST
PKCS11_GOST
PKCS11_ECDSA
@ -16547,11 +16551,13 @@ rm -f core conftest.err conftest.$ac_objext \
$as_echo "#define HAVE_LIBXML2 1" >>confdefs.h
XMLSTATS=1
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
#
# was --with-libjson specified?
#
@ -16696,8 +16702,10 @@ $as_echo "#define HAVE_JSON 1" >>confdefs.h
$as_echo "#define HAVE_JSON_C 1" >>confdefs.h
fi
JSONSTATS=1
fi
#
# was --with-zlib specified?
#
@ -16814,15 +16822,18 @@ else
$as_echo "no" >&6; }
fi
ZLIB=
if test "X${have_zlib}" != "X"
then
CFLAGS="$CFLAGS $zlib_cflags"
$as_echo "#define HAVE_ZLIB 1" >>confdefs.h
ZLIB=1
fi
#
# In solaris 10, SMF can manage named service
#
@ -19844,14 +19855,17 @@ if test "$have_atomic" = "yes"; then
ISC_PLATFORM_HAVEATOMICSTORE="#define ISC_PLATFORM_HAVEATOMICSTORE 1"
if test "$have_xaddq" = "yes"; then
ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1"
ISC_PLATFORM_HAVEATOMICSTOREQ="#define ISC_PLATFORM_HAVEATOMICSTOREQ 1"
else
ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ"
ISC_PLATFORM_HAVEATOMICSTOREQ="#undef ISC_PLATFORM_HAVEATOMICSTOREQ"
fi
else
ISC_PLATFORM_HAVEXADD="#undef ISC_PLATFORM_HAVEXADD"
ISC_PLATFORM_HAVECMPXCHG="#undef ISC_PLATFORM_HAVECMPXCHG"
ISC_PLATFORM_HAVEATOMICSTORE="#undef ISC_PLATFORM_HAVEATOMICSTORE"
ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ"
ISC_PLATFORM_HAVEATOMICSTOREQ="#undef ISC_PLATFORM_HAVEATOMICSTOREQ"
fi
@ -19864,6 +19878,7 @@ fi
ISC_ARCH_DIR=$arch
@ -21227,7 +21242,7 @@ BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
BIND9_VERSION="${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
BIND9_MAJOR="MAJOR=${MAJORVER}.${MINORVER}"
@ -22455,7 +22470,7 @@ ac_config_commands="$ac_config_commands chmod"
# elsewhere if there's a good reason for doing so.
#
ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/builtin/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/pipelined/Makefile bin/tests/system/resolver/Makefile bin/tests/system/rndc/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/statistics/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/tex/Makefile doc/tex/armstyle.sty doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/builtin/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/pipelined/Makefile bin/tests/system/resolver/Makefile bin/tests/system/rndc/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/statistics/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/arm/noteversion.xml doc/arm/pkgversion.xml doc/arm/releaseinfo.xml doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/tex/Makefile doc/tex/armstyle.sty doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
#
@ -23526,6 +23541,9 @@ do
"contrib/scripts/zone-edit.sh") CONFIG_FILES="$CONFIG_FILES contrib/scripts/zone-edit.sh" ;;
"doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
"doc/arm/Makefile") CONFIG_FILES="$CONFIG_FILES doc/arm/Makefile" ;;
"doc/arm/noteversion.xml") CONFIG_FILES="$CONFIG_FILES doc/arm/noteversion.xml" ;;
"doc/arm/pkgversion.xml") CONFIG_FILES="$CONFIG_FILES doc/arm/pkgversion.xml" ;;
"doc/arm/releaseinfo.xml") CONFIG_FILES="$CONFIG_FILES doc/arm/releaseinfo.xml" ;;
"doc/doxygen/Doxyfile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Doxyfile" ;;
"doc/doxygen/Makefile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Makefile" ;;
"doc/doxygen/doxygen-input-filter") CONFIG_FILES="$CONFIG_FILES doc/doxygen/doxygen-input-filter" ;;
@ -24915,9 +24933,9 @@ if test "$enable_full_report" = "yes"; then
test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)"
test "X$have_libjson" = "X" || echo " JSON statistics (--with-libjson)"
test "X$have_zlib" = "X" || echo " HTTP zlib compression (--with-zlib)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
test "X$ZLIB" = "X" || echo " HTTP zlib compression (--with-zlib)"
fi
if test "$use_pkcs11" != "no"; then
@ -25006,8 +25024,9 @@ test "$use_libtool" = "yes" || echo " Use GNU libtool (--with-libtool)"
test "$atf" = "no" && echo " Automated Testing Framework (--with-atf)"
test "X$PYTHON" = "X" && echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)"
test "X$have_libjson" = "X" && echo " JSON statistics (--with-libjson)"
test "X$XMLSTATS" = "X" && echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" && echo " JSON statistics (--with-libjson)"
test "X$ZLIB" = "X" && echo " HTTP zlib compression (--with-zlib)"
if test "X$ac_unrecognized_opts" != "X"; then
echo

27
configure.in
View file

@ -2097,9 +2097,11 @@ then
AC_MSG_RESULT(yes),
AC_MSG_ERROR(xml2-config returns badness))
AC_DEFINE(HAVE_LIBXML2, 1, [Define if libxml2 was found])
XMLSTATS=1
else
AC_MSG_RESULT(no)
fi
AC_SUBST(XMLSTATS)
#
# was --with-libjson specified?
@ -2177,7 +2179,9 @@ then
then
AC_DEFINE(HAVE_JSON_C, 1, [Define if json-c was found])
fi
JSONSTATS=1
fi
AC_SUBST(JSONSTATS)
#
# was --with-zlib specified?
@ -2231,11 +2235,14 @@ else
AC_MSG_RESULT(no)
fi
ZLIB=
if test "X${have_zlib}" != "X"
then
CFLAGS="$CFLAGS $zlib_cflags"
AC_DEFINE(HAVE_ZLIB, 1, [Define if zlib was found])
ZLIB=1
fi
AC_SUBST(ZLIB)
#
@ -3834,20 +3841,24 @@ if test "$have_atomic" = "yes"; then
ISC_PLATFORM_HAVEATOMICSTORE="#define ISC_PLATFORM_HAVEATOMICSTORE 1"
if test "$have_xaddq" = "yes"; then
ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1"
ISC_PLATFORM_HAVEATOMICSTOREQ="#define ISC_PLATFORM_HAVEATOMICSTOREQ 1"
else
ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ"
ISC_PLATFORM_HAVEATOMICSTOREQ="#undef ISC_PLATFORM_HAVEATOMICSTOREQ"
fi
else
ISC_PLATFORM_HAVEXADD="#undef ISC_PLATFORM_HAVEXADD"
ISC_PLATFORM_HAVECMPXCHG="#undef ISC_PLATFORM_HAVECMPXCHG"
ISC_PLATFORM_HAVEATOMICSTORE="#undef ISC_PLATFORM_HAVEATOMICSTORE"
ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ"
ISC_PLATFORM_HAVEATOMICSTOREQ="#undef ISC_PLATFORM_HAVEATOMICSTOREQ"
fi
AC_SUBST(ISC_PLATFORM_HAVEXADD)
AC_SUBST(ISC_PLATFORM_HAVEXADDQ)
AC_SUBST(ISC_PLATFORM_HAVECMPXCHG)
AC_SUBST(ISC_PLATFORM_HAVEATOMICSTORE)
AC_SUBST(ISC_PLATFORM_HAVEATOMICSTOREQ)
AC_SUBST(ISC_PLATFORM_USEGCCASM)
AC_SUBST(ISC_PLATFORM_USEOSFASM)
@ -4360,7 +4371,7 @@ BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
AC_SUBST(BIND9_PRODUCT)
BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
AC_SUBST(BIND9_DESCRIPTION)
BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
BIND9_VERSION="${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
AC_SUBST(BIND9_VERSION)
BIND9_MAJOR="MAJOR=${MAJORVER}.${MINORVER}"
AC_SUBST(BIND9_MAJOR)
@ -4797,6 +4808,9 @@ AC_CONFIG_FILES([
contrib/scripts/zone-edit.sh
doc/Makefile
doc/arm/Makefile
doc/arm/noteversion.xml
doc/arm/pkgversion.xml
doc/arm/releaseinfo.xml
doc/doxygen/Doxyfile
doc/doxygen/Makefile
doc/doxygen/doxygen-input-filter
@ -4913,9 +4927,9 @@ if test "$enable_full_report" = "yes"; then
test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)"
test "X$have_libjson" = "X" || echo " JSON statistics (--with-libjson)"
test "X$have_zlib" = "X" || echo " HTTP zlib compression (--with-zlib)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
test "X$ZLIB" = "X" || echo " HTTP zlib compression (--with-zlib)"
fi
if test "$use_pkcs11" != "no"; then
@ -5004,8 +5018,9 @@ test "$use_libtool" = "yes" || echo " Use GNU libtool (--with-libtool)"
test "$atf" = "no" && echo " Automated Testing Framework (--with-atf)"
test "X$PYTHON" = "X" && echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)"
test "X$have_libjson" = "X" && echo " JSON statistics (--with-libjson)"
test "X$XMLSTATS" = "X" && echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" && echo " JSON statistics (--with-libjson)"
test "X$ZLIB" = "X" && echo " HTTP zlib compression (--with-zlib)"
if test "X$ac_unrecognized_opts" != "X"; then
echo

2
contrib/dlz/bin/dlzbdb/Makefile.in
View file

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@

19
doc/arm/Bv9ARM-book.xml
View file

@ -4486,6 +4486,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
<optional> keep-response-order { <replaceable>address_match_list</replaceable> }; </optional>
<optional> no-case-compress { <replaceable>address_match_list</replaceable> }; </optional>
<optional> message-compression <replaceable>yes_or_no</replaceable> ; </optional>
<optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
<optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
<optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
@ -6150,6 +6151,22 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>message-compression</command></term> <listitem>
<para>
If <userinput>yes</userinput>, DNS name compression is
used in responses to regular queries (not including
AXFR or IXFR, which always uses compression). Setting
this option to <userinput>no</userinput> reduces CPU
usage on servers and may improve throughput. However,
it increases response size, which may cause more queries
to be processed using TCP; a server with compression
disabled is out of compliance with RFC 1123 Section
6.1.3.2. The default is <userinput>yes</userinput>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>minimal-responses</command></term>
<listitem>
@ -6684,7 +6701,7 @@ options {
<varlistentry>
<term><command>auto-dnssec</command></term>
<listitem>
<para>
<para>
Zones configured for dynamic DNS may use this
option to allow varying levels of automatic DNSSEC key
management. There are three possible settings:

13
doc/arm/Bv9ARM.ch06.html
View file

@ -2366,6 +2366,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> keep-response-order { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> message-compression <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
@ -3774,6 +3775,18 @@ options {
incremental zone
transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span class="command"><strong>message-compression</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, DNS name compression is
used in responses to regular queries (not including
AXFR or IXFR, which always uses compression). Setting
this option to <strong class="userinput"><code>no</code></strong> reduces CPU
usage on servers and may improve throughput. However,
it increases response size, which may cause more queries
to be processed using TCP; a server with compression
disabled is out of compiance with RFC 1123 Section
6.1.3.2. The default is <strong class="userinput"><code>yes</code></strong>.
</p></dd>
<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, then when generating

11
doc/arm/Bv9ARM.ch09.html
View file

@ -478,6 +478,13 @@
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
</p></li>
</ul></div>
</div>
<div class="section">
@ -759,6 +766,10 @@
initiated while another reload of the same zone was
already in progress. [RT #39649]
</p></li>
<li class="listitem"><p>
Negative trust anchors (NTAs) were incorrectly deleted
when the server was reloaded or reconfigured. [RT #41058]
</p></li>
</ul></div>
</li>
</ul></div>

15
doc/arm/Makefile.in
View file

@ -19,10 +19,6 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_RULES@
@BIND9_VERSION@
PKGVERSION = @PACKAGE_VERSION@
MANOBJS = Bv9ARM.html notes.html
PDFOBJS = Bv9ARM.pdf notes.pdf
@ -64,14 +60,3 @@ Bv9ARM.pdf: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | \
${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
${DBLATEX} -c Bv9ARM.conf -o Bv9ARM.pdf -
FORCE:
releaseinfo.xml: FORCE
echo >$@ '<releaseinfo>BIND Version ${VERSION}</releaseinfo>'
noteversion.xml: FORCE
echo >$@ '<title>Release Notes for BIND Version ${VERSION}</title>'
pkgversion.xml: FORCE
echo >$@ ' <para>This version of the manual corresponds to BIND version ${PKGVERSION}.</para>'

342
doc/arm/README-SGML
View file

@ -1,32 +1,45 @@
Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2004, 2015 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The BIND v9 ARM master document is now kept in DocBook XML format.
The BIND v9 ARM master document is now kept in DocBook 5 XML format.
Version: $Id: README-SGML,v 1.17 2004/03/05 05:04:43 marka Exp $
Most of the ARM is in the single file "Bv9ARM-book.xml", with certain
other files included into it:
The entire ARM is in the single file:
- dlz.xml
- dnssec.xml
- libdns.xml
- logging-categories.xml
- managed-keys.xml
- notes.xml
- pkcs11.xml
- BIND man pages
Bv9ARM-book.xml
All of the published ARM formats - HTML, PDF, etc - are generated from
this master source.
All of the other documents - HTML, PDF, etc - are generated from this
master source.
The file "notes.xml" contains the release notes for the current release. In
addition to being included in the ARM as an appendix, it is also built into
a stand-alone document: "notes.pdf" and "notes.html".
This file attempts to describe what tools are necessary for the
maintenance of this document as well as the generation of the
alternate formats of this document.
Building these these files requires DocBook 5 and dblatex. These are
available as packages in many OS distributes; in debian, for example:
This file will also spend a very little time describing the XML and
SGML headers so you can understand a bit what you may need to do to be
able to work with this document in any fashion other than simply
editing it.
$ sudo apt-get install docbook5-xml docbook-xml docbook-xsl-ns \
docbook-utils dblatex
We will spend almost no time on the actual tags and how to write an
XML DocBook compliant document. If you are at all familiar with SGML
or HTML it will be very evident. You only need to know what the tags
are and how to use them. You can find a good resource either for this
either online or in printed form:
To build all documentation, run "make doc".
When committing changes or submitting patches, it is only necessary to
edit the XML source (i.e., the files with ".docbook" or ".xml" suffixes);
the files in HTML and man page format are built from the XML source by a
cron job.
If you are familiar with SGML or HTML, editing the DocBook XML is quite
straightforward. You only need to know what the tags are and how to use
them. You can find a good resource either for this either online or in
printed form:
DocBook: The Definitive Guide
By Norman Walsh and Leonard Muellner
@ -38,292 +51,5 @@ The book is available online in HTML format:
http://docbook.org/
and buried in:
http://www.nwalsh.com/docbook/defguide/index.html
A lot of useful stuff is at NWalsh's site in general. You may also
want to look at:
http://www.xml.com/
The BIND v9 ARM is based on the XML 4.0 DocBook DTD. Every XML and
SGML document begins with a prefix that tells where to find the file
that describes the meaning and structure of the tags used in the rest
of the document.
For our XML DocBook 4.0 based document this prefix looks like this:
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"/usr/local/share/xml/dtd/docbook/docbookx.dtd">
This "DOCTYPE" statement has three parts, of which we are only using
two:
o The highest level term that represents this document (in this case
it is "book"
o The identifier that tells us which DTD to use. This identifier has
two parts, the "Formal Public Identifier" (or FPI) and the system
identifier. In SGML you can have either a FPI or a SYSTEM identifier
but you have to have at least one of them. In XML you have to have a
SYSTEM identifier.
FP & SYSTEM identifiers - These are names/lookups for the actual
DTD. The FPI is a globally unique name that should, on a properly
configured system, tell you exactly what DTD to use. The SYSTEM
identifier gives an absolute location for the DTD. In XML these are
supposed to be properly formatted URL's.
SGML has these things called "catalogs" that are files that map FPI's
in to actual files. A "catalog" can also be used to remap a SYSTEM
identifier so you can say something like: "http://www.oasis.org/foo"
is actually "/usr/local/share/xml/foo.dtd"
When you use various SGML/XML tools they need to be configured to look
at the same "catalog" files so that as you move from tool to tool they
all refer to the same DTD for the same document.
We will be spending most of our configuration time making sure our
tools use the same "catalog" files and that we have the same DTD's
installed on our machines. XML's requirement of the SYSTEM identifier
over the FPI will probably lead to more problems as it does not
guarantee that everyone is using the same DTD.
I did my initial work with the "sgmltools" the XML 4.0 DocBook DTD and
"jade" or "openjade."
You can get the 4.0 XML DocBook DTD from:
http://www.docbook.org/xml/4.0/
(download the .zip file.) NOTE: We will eventually be changing the
SYSTEM identifier to the recommended value of:
http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd
NOTE: Under FreeBSD this is the package:
/usr/ports/textproc/docbook-xml
NetBSD instructions are coming soon.
With packages listed below installed under FreeBSD the "catalog" file
that all the tools refer to at least one is in:
/usr/local/share/sgml/catalog
In order for our SYSTEM identifier for the XML DocBook dtd to be found
I create a new catalog file at the top of the XML directory created on
FreeBSD:
/usr/local/share/xml/catalog
This file has one line:
SYSTEM "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" "/usr/local/share/xml/dtd/docbook/docbookx.dtd"
Then in the main "catalog" I have it include this XML catalog:
CATALOG "/usr/local/share/xml/catalog"
On your systems you need to replace "/usr/local/share" with your
prefix root (probably /usr/pkg under NetBSD.)
NOTE: The URL used above is supposed to the be the proper one for this
XML DocBook DTD... but there is nothing at that URL so you really do
need the "SYSTEM" identifier mapping in your catalog (or make the
SYSTEM identifier in your document refer to the real location of the
file on your local system.)
HOW TO VALIDATE A DOCUMENT:
I use the sgmltools "nsgmls" document validator. Since we are using
XML we need to use the XML declarations, which are installed as part
of the modular DSSL style sheets:
nsgmls -sv /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
Bv9ARM-book.xml
A convenient shell script "validate.sh" is now generated by configure
to invoke the above command with the correct system-dependent paths.
The SGML tools can be found at:
ftp://ftp.us.sgmltools.org/pub/SGMLtools/v2.0/source/ \
ftp://ftp.nllgg.nl/pub/SGMLtools/v2.0/source/
FreeBSD package for these is:
/usr/ports/textproc/sgmltools
HOW TO RENDER A DOCUMENT AS HTML or TeX:
o Generate html doc with:
openjade -v -d ./nominum-docbook-html.dsl \
-t sgml \
/usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
Bv9ARM-book.xml
A convenient shell script "genhtml.sh" is now generated by configure to
invoke the above command with the correct system-dependent paths.
On NetBSD there is no port for "openjade" however "jade" does still
work. However you need to specify the "catalog" file to use for style
sheets on the command line AND you need to have a default "catalog"
mapping where to find various DTDs. It seems that "jade" installed out
of the box on NetBSD does not use a globally defined "catalog" file
for mapping PUBLIC identifiers in to SYSTEM identifiers.
So you need to have a "catalog" file in your current working directory
that has in it this: (these are probably more entries than you need!)
CATALOG "/usr/pkg/share/sgml/iso8879/catalog"
CATALOG "/usr/pkg/share/sgml/docbook/2.4.1/catalog"
CATALOG "/usr/pkg/share/sgml/docbook/3.0/catalog"
CATALOG "/usr/pkg/share/sgml/docbook/3.1/catalog"
CATALOG "/usr/pkg/share/sgml/jade/catalog"
CATALOG "/usr/local/share/xml/catalog"
(These would all be "/usr/local" on FreeBSD)
So the command for jade on NetBSD will look like this:
jade -v -c /usr/pkg/share/sgml/catalog -t sgml \
-d ./nominum-docbook-html.dsl \
/usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
./Bv9ARM-book.xml
Furthermore, since the style sheet subset we define has in it a hard
coded path to the style sheet is based, it is actually generated by
configure from a .in file so that it will contain the correct
system-dependent path: where on FreeBSD the second line reads:
<!ENTITY dbstyle SYSTEM "/usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
On NetBSD it needs to read:
<!ENTITY dbstyle SYSTEM "/usr/pkg/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
NOTE: This is usually solved by having this style sheet modification
be installed in a system directory and have it reference the style
sheet it is based on via a relative path.
o Generate TeX documentation:
openjade -d ./nominum-docbook-print.dsl -t tex -v \
/usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
Bv9ARM-book.xml
If you have "jade" installed instead of "openjade" then use that as
the command. There is little difference, openjade has some bug fixes
and is in more active development.
To convert the resulting TeX file in to a DVI file you need to do:
tex "&jadetex" Bv9ARM-book.tex
You can also directly generate the pdf file via:
pdftex "&pdfjadetex" Bv9ARM-book.tex
The scripts "genpdf.sh" and "gendvi." have been added to simply
generating the PDF and DVI output. These substitute the correct paths
of NetBSD & FreeBSD. You still need to have TeX, jadeTeX, and pdfTeX
installed and configured properly for these to work.
You will need to up both the "pool_size" and "hash_extra" variables in
your texmf.cnf file and regenerate them. See below.
You can see that I am using a DSSSL style sheet for DocBook. Actually
two different ones - one for rendering html, and one for 'print'
media.
NOTE: For HTML we are using a Nominum DSSSL style instead of the
default one (all it does is change the chunking to the chapter level
and makes the files end with ".html" instead of ".htm" so far.) If you
want to use the plain jane DSSSL style sheet replace the:
-d ./nominum-docbook-html.dsl
with
-d /usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl
This style sheet will attempt to reference the one above.
I am currently working on fixing these up so that it works the same on
our various systems. The main trick is knowing which DTD's and DSSSL
stylesheets you have installed, installing the right ones, and
configuring a CATALOG that refers to them in the same way. We will
probably end up putting our CATALOG's in the same place and then we
should be able to generate and validate our documents with a minimal
number of command line arguments.
When running these commands you will get a lot of messages about a
bunch of general entities not being defined and having no default
entity. You can ignore those for now.
Also with the style sheets we have and jade as it is you will get
messages about "xref to title" being unsupported. You can ignore these
for now as well.
=== Getting the various tools installed on FreeBSD
(NetBSD coming soon..)
o On freebsd you need to install the following packages:
o print/teTeX
o textproc/openjade
o textproc/docbook
o textproc/docbook-xml
o textproc/dsssl-docbook-modular
o textproc/dtd-catalogs
o on freebsd you need to make some entities visible to the docbook xml
dtd by making a symlink (can probably be done with a catalog too)
ln -s /usr/local/share/xml/entity /usr/local/share/xml/dtd/docbook/ent
o you may need to edit /usr/local/share/sgml/catalog and add the line:
CATALOG "/usr/local/share/sgml/openjade/catalog"
o add "hugelatex," Enlarge pool sizes, install the jadetex TeX driver
file.
cd /usr/local/share/texmf/web2c/
sudo cp texmf.cnf texmf.cnf.bak
o edit the lines in texmf.cnf with these keys to these values:
main_memory = 1100000
hash_extra = 15000
pool_size = 500000
string_vacancies = 45000
max_strings = 55000
pool_free = 47500
nest_size = 500
param_size = 1500
save_size = 5000
stack_size = 1500
sudo tex -ini -progname=hugelatex -fmt=hugelatex latex.ltx
sudo texconfig init
sudo texhash
o For the jadetex macros you will need I recommend you get a more
current version than what is packaged with openjade or jade.
Checkout http://www.tug.org/applications/jadetex/
Unzip the file you get from there (should be jadetex-2.20 or
newer.)
In the directory you unzip:
sudo make install
sudo texhash
NOTE: In the most uptodate "ports" for FreeBSD, jadetext is 2.20+
so on this platform you should be set as of 2001.01.08.
After editing documentation, it is useful to check the correctness of the
XML; this can be done using the "xmllint" utility.

96
doc/arm/man.dnssec-dsfromkey.html
View file

@ -62,52 +62,52 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
Use SHA-256 as the digest algorithm.
</p></dd>
Use SHA-256 as the digest algorithm.
</p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Generate CDS records rather than DS records. This is mutually
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</p></dd>
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
Specifies the TTL of the DS records.
</p></dd>
Specifies the TTL of the DS records.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
@ -117,35 +117,35 @@
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</p></dd>
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints usage information.
</p></dd>
Prints usage information.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
</dl></div>
</div>
<div class="refsection">

66
doc/arm/man.dnssec-importkey.html
View file

@ -46,8 +46,8 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
@ -75,37 +75,37 @@
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Zone file mode: instead of a public keyfile name, the argument
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -128,16 +128,26 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</p></dd>
</dl></div>
</div>
<div class="refsection">

262
doc/arm/man.dnssec-keyfromlabel.html
View file

@ -46,7 +46,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.9.7"></a><h2>DESCRIPTION</h2>
@ -71,87 +71,87 @@
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use.
</p>
Specifies the cryptographic hardware to use.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
Specifies the label for a key pair in the crypto hardware.
</p>
Specifies the label for a key pair in the crypto hardware.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
<p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -161,84 +161,84 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Generate a key as an explicit successor to an existing key.
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p></dd>
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
</div>
<div class="refsection">
@ -257,36 +257,46 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -324,13 +334,13 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
of the algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based

352
doc/arm/man.dnssec-keygen.html
View file

@ -46,7 +46,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.10.7"></a><h2>DESCRIPTION</h2>
@ -68,72 +68,72 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
</p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -143,142 +143,142 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Deprecated in favor of -T KEY.
</p></dd>
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -301,38 +301,48 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -370,14 +380,14 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
of the
algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based

43
doc/arm/man.dnssec-settime.html
View file

@ -46,7 +46,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
@ -79,7 +79,7 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Force an update of an old-format key with no metadata fields.
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
@ -87,7 +87,7 @@
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
@ -105,12 +105,12 @@
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
@ -150,6 +150,11 @@
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
@ -174,6 +179,11 @@
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
@ -219,21 +229,24 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
of the following letters or strings to indicate which value
or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">Psync</code> for the CDS and CDNSKEY publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
<code class="option">I</code> for the inactivation date,
<code class="option">D</code> for the deletion date, and
<code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</p></dd>
</dl></div>
</div>
<div class="refsection">

2
doc/arm/man.named.conf.html
View file

@ -219,7 +219,6 @@ options
transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
transfers-in <em class="replaceable"><code>integer</code></em>;<br>
transfers-out <em class="replaceable"><code>integer</code></em>;<br>
use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -387,6 +386,7 @@ options
serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br>
treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
use-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
};<br>
</p></div>
</div>

11
doc/arm/notes.html
View file

@ -439,6 +439,13 @@
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
</p></li>
</ul></div>
</div>
<div class="section">
@ -720,6 +727,10 @@
initiated while another reload of the same zone was
already in progress. [RT #39649]
</p></li>
<li class="listitem"><p>
Negative trust anchors (NTAs) were incorrectly deleted
when the server was reloaded or reconfigured. [RT #41058]
</p></li>
</ul></div>
</li>
</ul></div>

16
doc/arm/notes.xml
View file

@ -504,6 +504,15 @@
SINK, TA, TALINK.
</para>
</listitem>
<listitem>
<para>
A new <command>message-compression</command> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <userinput>no</userinput>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <userinput>yes</userinput>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
@ -692,7 +701,6 @@
</itemizedlist>
</section>
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
@ -864,6 +872,12 @@
already in progress. [RT #39649]
</para>
</listitem>
<listitem>
<para>
Negative trust anchors (NTAs) were incorrectly deleted
when the server was reloaded or reconfigured. [RT #41058]
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>

1
doc/arm/noteversion.xml.in Normal file
View file

@ -0,0 +1 @@
<title>Release Notes for BIND Version @BIND9_VERSION@</title>

Some files were not shown because too many files have changed in this diff Show more