upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

regen master

Browse source
This commit is contained in:
Tinderbox User 2015-11-06 01:04:13 +00:00
parent e74212eb2f
commit e62b9c9ce6
20 changed files with 956 additions and 802 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

96
bin/dnssec/dnssec-dsfromkey.html
View file

@ -43,52 +43,52 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
Use SHA-256 as the digest algorithm.
</p></dd>
Use SHA-256 as the digest algorithm.
</p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Generate CDS records rather than DS records. This is mutually
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</p></dd>
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
Specifies the TTL of the DS records.
</p></dd>
Specifies the TTL of the DS records.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
@ -98,35 +98,35 @@
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</p></dd>
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints usage information.
</p></dd>
Prints usage information.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
</dl></div>
</div>
<div class="refsection">

18
bin/dnssec/dnssec-importkey.8
View file

@ -18,12 +18,12 @@
.\" Title: dnssec-importkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-20
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-IMPORTKEY" "8" "2014\-02\-20" "ISC" "BIND9"
.TH "DNSSEC\-IMPORTKEY" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -47,9 +47,9 @@
dnssec-importkey \- Import DNSKEY records from external systems so they can be managed\&.
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP
\fBdnssec\-importkey\fR
@ -109,10 +109,20 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.SH "FILES"
.PP
A keyfile can be designed by the key identification

66
bin/dnssec/dnssec-importkey.html
View file

@ -28,8 +28,8 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -57,37 +57,37 @@
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Zone file mode: instead of a public keyfile name, the argument
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -110,16 +110,26 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</p></dd>
</dl></div>
</div>
<div class="refsection">

16
bin/dnssec/dnssec-keyfromlabel.8
View file

@ -18,12 +18,12 @@
.\" Title: dnssec-keyfromlabel
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-27
.\" Date: August 27, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-KEYFROMLABEL" "8" "2014\-02\-27" "ISC" "BIND9"
.TH "DNSSEC\-KEYFROMLABEL" "8" "August 27, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -47,7 +47,7 @@
dnssec-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keyfromlabel\fR\ 'u
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name}
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
@ -201,6 +201,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
@ -221,6 +226,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.

262
bin/dnssec/dnssec-keyfromlabel.html
View file

@ -27,7 +27,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -52,87 +52,87 @@
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use.
</p>
Specifies the cryptographic hardware to use.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
Specifies the label for a key pair in the crypto hardware.
</p>
Specifies the label for a key pair in the crypto hardware.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
<p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -142,84 +142,84 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Generate a key as an explicit successor to an existing key.
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p></dd>
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
</div>
<div class="refsection">
@ -238,36 +238,46 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -305,13 +315,13 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
of the algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based

16
bin/dnssec/dnssec-keygen.8
View file

@ -19,12 +19,12 @@
.\" Title: dnssec-keygen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-06
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-KEYGEN" "8" "2014\-02\-06" "ISC" "BIND9"
.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -48,7 +48,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-z\fR] {name}
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
@ -228,6 +228,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&.
@ -248,6 +253,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.

352
bin/dnssec/dnssec-keygen.html
View file

@ -28,7 +28,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -50,72 +50,72 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
</p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -125,142 +125,142 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Deprecated in favor of -T KEY.
</p></dd>
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -283,38 +283,48 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -352,14 +362,14 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
of the
algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based

28
bin/dnssec/dnssec-settime.8
View file

@ -18,12 +18,12 @@
.\" Title: dnssec-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-06
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-SETTIME" "8" "2014\-02\-06" "ISC" "BIND9"
.TH "DNSSEC\-SETTIME" "8" "2015\-08\-21" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -47,7 +47,7 @@
dnssec-settime \- Set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
@ -121,6 +121,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&.
@ -141,6 +146,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-S \fIpredecessor key\fR
.RS 4
Select a key for which the key being modified will be an explicit successor\&. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified\&. The activation date of the successor key will be set to the inactivation date of the predecessor\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
@ -164,23 +174,27 @@ can also be used to print the timing metadata associated with a key\&.
Print times in UNIX epoch format\&.
.RE
.PP
\-p \fIC/P/A/R/I/D/all\fR
\-p \fIC/P/Psync/A/R/I/D/Dsync/all\fR
.RS 4
Print a specific metadata value or set of metadata values\&. The
\fB\-p\fR
option may be followed by one or more of the following letters to indicate which value or values to print:
option may be followed by one or more of the following letters or strings to indicate which value or values to print:
\fBC\fR
for the creation date,
\fBP\fR
for the publication date,
\fBPsync\fR
for the CDS and CDNSKEY publication date,
\fBA\fR
for the activation date,
\fBR\fR
for the revocation date,
\fBI\fR
for the inactivation date, or
for the inactivation date,
\fBD\fR
for the deletion date\&. To print all of the metadata, use
for the deletion date, and
\fBDsync\fR
for the CDS and CDNSKEY deletion date To print all of the metadata, use
\fB\-p all\fR\&.
.RE
.SH "SEE ALSO"

43
bin/dnssec/dnssec-settime.html
View file

@ -27,7 +27,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
@ -60,7 +60,7 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Force an update of an old-format key with no metadata fields.
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
@ -68,7 +68,7 @@
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
@ -86,12 +86,12 @@
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
@ -131,6 +131,11 @@
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
@ -155,6 +160,11 @@
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
@ -200,21 +210,24 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
of the following letters or strings to indicate which value
or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">Psync</code> for the CDS and CDNSKEY publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
<code class="option">I</code> for the inactivation date,
<code class="option">D</code> for the deletion date, and
<code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</p></dd>
</dl></div>
</div>
<div class="refsection">

10
doc/arm/Bv9ARM.ch06.html
View file

@ -2366,6 +2366,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> keep-response-order { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> message-compression <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
@ -3774,6 +3775,15 @@ options {
incremental zone
transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span class="command"><strong>message-compression</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, DNS name compression will
be used for responses to regular queries (not including
AXFR or IXFR, which always uses compression). Setting
this option to <strong class="userinput"><code>no</code></strong> can result in
larger responses, but will reduce CPU usage on servers.
The default is <strong class="userinput"><code>yes</code></strong>.
</p></dd>
<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, then when generating

7
doc/arm/Bv9ARM.ch09.html
View file

@ -478,6 +478,13 @@
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
</p></li>
</ul></div>
</div>
<div class="section">

96
doc/arm/man.dnssec-dsfromkey.html
View file

@ -62,52 +62,52 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
Use SHA-256 as the digest algorithm.
</p></dd>
Use SHA-256 as the digest algorithm.
</p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Generate CDS records rather than DS records. This is mutually
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</p></dd>
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
Specifies the TTL of the DS records.
</p></dd>
Specifies the TTL of the DS records.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
@ -117,35 +117,35 @@
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</p></dd>
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints usage information.
</p></dd>
Prints usage information.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
</dl></div>
</div>
<div class="refsection">

66
doc/arm/man.dnssec-importkey.html
View file

@ -46,8 +46,8 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
@ -75,37 +75,37 @@
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Zone file mode: instead of a public keyfile name, the argument
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -128,16 +128,26 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</p></dd>
</dl></div>
</div>
<div class="refsection">

262
doc/arm/man.dnssec-keyfromlabel.html
View file

@ -46,7 +46,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.9.7"></a><h2>DESCRIPTION</h2>
@ -71,87 +71,87 @@
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use.
</p>
Specifies the cryptographic hardware to use.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
Specifies the label for a key pair in the crypto hardware.
</p>
Specifies the label for a key pair in the crypto hardware.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
<p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -161,84 +161,84 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Generate a key as an explicit successor to an existing key.
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p></dd>
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
</div>
<div class="refsection">
@ -257,36 +257,46 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -324,13 +334,13 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
of the algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based

352
doc/arm/man.dnssec-keygen.html
View file

@ -46,7 +46,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.10.7"></a><h2>DESCRIPTION</h2>
@ -68,72 +68,72 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
</p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
@ -143,142 +143,142 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Deprecated in favor of -T KEY.
</p></dd>
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
@ -301,38 +301,48 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
@ -370,14 +380,14 @@
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
of the
algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
footprint).
</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based

43
doc/arm/man.dnssec-settime.html
View file

@ -46,7 +46,7 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
@ -79,7 +79,7 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Force an update of an old-format key with no metadata fields.
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
@ -87,7 +87,7 @@
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
@ -105,12 +105,12 @@
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
Prints version information.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
@ -150,6 +150,11 @@
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
@ -174,6 +179,11 @@
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
@ -219,21 +229,24 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
of the following letters or strings to indicate which value
or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">Psync</code> for the CDS and CDNSKEY publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
<code class="option">I</code> for the inactivation date,
<code class="option">D</code> for the deletion date, and
<code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</p></dd>
</dl></div>
</div>
<div class="refsection">

4
doc/arm/man.dnstap-read.html
View file

@ -1,11 +1,11 @@
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

10
doc/arm/man.lwresd.html
View file

@ -1,11 +1,11 @@
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@ -103,7 +103,7 @@
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/lwresd.conf</code>.
<code class="option">-c</code> can not be used with <code class="option">-C</code>.
</p></dd>
<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
@ -117,7 +117,7 @@
<dd><p>
Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
Debugging traces from <span class="command"><strong>lwresd</strong></span> become
more verbose as the debug level increases.
more verbose as the debug level increases.
</p></dd>
<dt><span class="term">-f</span></dt>
<dd><p>
@ -158,7 +158,7 @@
<dd><p>
Listen for lightweight resolver queries on port
<em class="replaceable"><code>port</code></em>. If
not specified, the default is port 921.
not specified, the default is port 921.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>

4
doc/arm/man.named.conf.html
View file

@ -1,11 +1,11 @@
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

7
doc/arm/notes.html
View file

@ -439,6 +439,13 @@
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
</p></li>
</ul></div>
</div>
<div class="section">