From e62b9c9ce6413fb183c8116381e75dcd07ca5517 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Fri, 6 Nov 2015 01:04:13 +0000 Subject: [PATCH] regen master --- bin/dnssec/dnssec-dsfromkey.html | 96 ++++---- bin/dnssec/dnssec-importkey.8 | 18 +- bin/dnssec/dnssec-importkey.html | 66 ++--- bin/dnssec/dnssec-keyfromlabel.8 | 16 +- bin/dnssec/dnssec-keyfromlabel.html | 262 ++++++++++---------- bin/dnssec/dnssec-keygen.8 | 16 +- bin/dnssec/dnssec-keygen.html | 352 ++++++++++++++------------- bin/dnssec/dnssec-settime.8 | 28 ++- bin/dnssec/dnssec-settime.html | 43 ++-- doc/arm/Bv9ARM.ch06.html | 10 + doc/arm/Bv9ARM.ch09.html | 7 + doc/arm/man.dnssec-dsfromkey.html | 96 ++++---- doc/arm/man.dnssec-importkey.html | 66 ++--- doc/arm/man.dnssec-keyfromlabel.html | 262 ++++++++++---------- doc/arm/man.dnssec-keygen.html | 352 ++++++++++++++------------- doc/arm/man.dnssec-settime.html | 43 ++-- doc/arm/man.dnstap-read.html | 4 +- doc/arm/man.lwresd.html | 10 +- doc/arm/man.named.conf.html | 4 +- doc/arm/notes.html | 7 + 20 files changed, 956 insertions(+), 802 deletions(-) diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html index 269ab16cde..207527d043 100644 --- a/bin/dnssec/dnssec-dsfromkey.html +++ b/bin/dnssec/dnssec-dsfromkey.html @@ -43,52 +43,52 @@
-1

- Use SHA-1 as the digest algorithm (the default is to use - both SHA-1 and SHA-256). -

+ Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). +

-2

- Use SHA-256 as the digest algorithm. -

+ Use SHA-256 as the digest algorithm. +

-a algorithm

- Select the digest algorithm. The value of - algorithm must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). - These values are case insensitive. -

+ Select the digest algorithm. The value of + algorithm must be one of SHA-1 (SHA1), + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. +

-C

- Generate CDS records rather than DS records. This is mutually + Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records. -

+

-T TTL

- Specifies the TTL of the DS records. -

+ Specifies the TTL of the DS records. +

-K directory

- Look for key files (or, in keyset mode, - keyset- files) in - directory. -

+ Look for key files (or, in keyset mode, + keyset- files) in + directory. +

-f file

- Zone file mode: in place of the keyfile name, the argument is - the DNS domain name of a zone master file, which can be read - from file. If the zone name is the same as - file, then it may be omitted. -

+ Zone file mode: in place of the keyfile name, the argument is + the DNS domain name of a zone master file, which can be read + from file. If the zone name is the same as + file, then it may be omitted. +

- If file is set to "-", then - the zone data is read from the standard input. This makes it - possible to use the output of the dig - command as input, as in: -

+ If file is set to "-", then + the zone data is read from the standard input. This makes it + possible to use the output of the dig + command as input, as in: +

- dig dnskey example.com | dnssec-dsfromkey -f - example.com -

+ dig dnskey example.com | dnssec-dsfromkey -f - example.com +

-A

@@ -98,35 +98,35 @@

-l domain

- Generate a DLV set instead of a DS set. The specified - domain is appended to the name for each - record in the set. - The DNSSEC Lookaside Validation (DLV) RR is described - in RFC 4431. This is mutually exclusive with generating + Generate a DLV set instead of a DS set. The specified + domain is appended to the name for each + record in the set. + The DNSSEC Lookaside Validation (DLV) RR is described + in RFC 4431. This is mutually exclusive with generating CDS records. -

+

-s

- Keyset mode: in place of the keyfile name, the argument is - the DNS domain name of a keyset file. -

+ Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. +

-c class

- Specifies the DNS class (default is IN). Useful only - in keyset or zone file mode. -

+ Specifies the DNS class (default is IN). Useful only + in keyset or zone file mode. +

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-h

- Prints usage information. -

+ Prints usage information. +

-V

- Prints version information. -

+ Prints version information. +

diff --git a/bin/dnssec/dnssec-importkey.8 b/bin/dnssec/dnssec-importkey.8 index 2d1d0b7188..3940077200 100644 --- a/bin/dnssec/dnssec-importkey.8 +++ b/bin/dnssec/dnssec-importkey.8 @@ -18,12 +18,12 @@ .\" Title: dnssec-importkey .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-20 +.\" Date: August 21, 2015 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-IMPORTKEY" "8" "2014\-02\-20" "ISC" "BIND9" +.TH "DNSSEC\-IMPORTKEY" "8" "August 21, 2015" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,9 +47,9 @@ dnssec-importkey \- Import DNSKEY records from external systems so they can be managed\&. .SH "SYNOPSIS" .HP \w'\fBdnssec\-importkey\fR\ 'u -\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR} +\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR} .HP \w'\fBdnssec\-importkey\fR\ 'u -\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR] +\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR] .SH "DESCRIPTION" .PP \fBdnssec\-importkey\fR @@ -109,10 +109,20 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&. +.RE +.PP \-D \fIdate/offset\fR .RS 4 Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE +.PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&. +.RE .SH "FILES" .PP A keyfile can be designed by the key identification diff --git a/bin/dnssec/dnssec-importkey.html b/bin/dnssec/dnssec-importkey.html index 5417a5415b..6f1d657ffc 100644 --- a/bin/dnssec/dnssec-importkey.html +++ b/bin/dnssec/dnssec-importkey.html @@ -28,8 +28,8 @@

Synopsis

-

dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] {keyfile}

-

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

+

dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] {keyfile}

+

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

DESCRIPTION

@@ -57,37 +57,37 @@
-f filename

- Zone file mode: instead of a public keyfile name, the argument + Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read - from file. If the domain name is the same as - file, then it may be omitted. -

+ from file. If the domain name is the same as + file, then it may be omitted. +

- If file is set to "-", then - the zone data is read from the standard input. -

+ If file is set to "-", then + the zone data is read from the standard input. +

-K directory

- Sets the directory in which the key files are to reside. -

+ Sets the directory in which the key files are to reside. +

-L ttl

- Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. -

+ Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. +

-h

Emit usage message and exit.

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-V

Prints version information. @@ -110,16 +110,26 @@

-P date/offset

- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. -

+ Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. +

+
-P sync date/offset
+

+ Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

-D date/offset

- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

+ Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records that match + this key are to be deleted. +

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index 8822519e11..90aaaf78e3 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -18,12 +18,12 @@ .\" Title: dnssec-keyfromlabel .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-27 +.\" Date: August 27, 2015 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-KEYFROMLABEL" "8" "2014\-02\-27" "ISC" "BIND9" +.TH "DNSSEC\-KEYFROMLABEL" "8" "August 27, 2015" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,7 +47,7 @@ dnssec-keyfromlabel \- DNSSEC key generation tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-keyfromlabel\fR\ 'u -\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name} +\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name} .SH "DESCRIPTION" .PP \fBdnssec\-keyfromlabel\fR @@ -201,6 +201,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone\&. +.RE +.PP \-A \fIdate/offset\fR .RS 4 Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. @@ -221,6 +226,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE .PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted\&. +.RE +.PP \-i \fIinterval\fR .RS 4 Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&. diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 93037d9bf1..df6acbf996 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -27,7 +27,7 @@

Synopsis

-

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

+

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

DESCRIPTION

@@ -52,87 +52,87 @@

Selects the cryptographic algorithm. The value of - algorithm must be one of RSAMD5, RSASHA1, + algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.

- If no algorithm is specified, then RSASHA1 will be used by - default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - -3 is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) -

+ If no algorithm is specified, then RSASHA1 will be used by + default, unless the -3 option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) +

- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. -

+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. +

- Note 2: DH automatically sets the -k flag. -

+ Note 2: DH automatically sets the -k flag. +

-3

Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. -

+ If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. +

-E engine

- Specifies the cryptographic hardware to use. -

+ Specifies the cryptographic hardware to use. +

- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

-l label

- Specifies the label for a key pair in the crypto hardware. -

+ Specifies the label for a key pair in the crypto hardware. +

- When BIND 9 is built with OpenSSL-based - PKCS#11 support, the label is an arbitrary string that - identifies a particular key. It may be preceded by an - optional OpenSSL engine name, followed by a colon, as in - "pkcs11:keylabel". -

+ When BIND 9 is built with OpenSSL-based + PKCS#11 support, the label is an arbitrary string that + identifies a particular key. It may be preceded by an + optional OpenSSL engine name, followed by a colon, as in + "pkcs11:keylabel". +

- When BIND 9 is built with native PKCS#11 - support, the label is a PKCS#11 URI string in the format - "pkcs11:keyword=value[;keyword=value;...]" - Keywords include "token", which identifies the HSM; "object", which - identifies the key; and "pin-source", which identifies a file from - which the HSM's PIN code can be obtained. The label will be - stored in the on-disk "private" file. -

+ When BIND 9 is built with native PKCS#11 + support, the label is a PKCS#11 URI string in the format + "pkcs11:keyword=value[;keyword=value;...]" + Keywords include "token", which identifies the HSM; "object", which + identifies the key; and "pin-source", which identifies a file from + which the HSM's PIN code can be obtained. The label will be + stored in the on-disk "private" file. +

- If the label contains a - pin-source field, tools using the generated - key files will be able to use the HSM for signing and other - operations without any need for an operator to manually enter - a PIN. Note: Making the HSM's PIN accessible in this manner - may reduce the security advantage of using an HSM; be sure - this is what you want to do before making use of this feature. -

+ If the label contains a + pin-source field, tools using the generated + key files will be able to use the HSM for signing and other + operations without any need for an operator to manually enter + a PIN. Note: Making the HSM's PIN accessible in this manner + may reduce the security advantage of using an HSM; be sure + this is what you want to do before making use of this feature. +

-n nametype

- Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. -

+ Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. +

-C

Compatibility mode: generates an old-style key, without @@ -142,84 +142,84 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

-c class

- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

+ Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. +

-f flag

- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+ Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. +

-G

- Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -

+ Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. +

-h

- Prints a short summary of the options and arguments to - dnssec-keyfromlabel. -

+ Prints a short summary of the options and arguments to + dnssec-keyfromlabel. +

-K directory

- Sets the directory in which the key files are to be written. -

+ Sets the directory in which the key files are to be written. +

-k

- Generate KEY records rather than DNSKEY records. -

+ Generate KEY records rather than DNSKEY records. +

-L ttl

- Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. -

+ Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. +

-p protocol

- Sets the protocol value for the key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

+ Sets the protocol value for the key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. +

-S key

- Generate a key as an explicit successor to an existing key. + Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

+

-t type

- Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

+ Indicates the use of the key. type must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. +

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-V

Prints version information.

-y

- Allows DNSSEC key files to be generated even if the key ID + Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you - are sure you won't be using RFC 5011 trust anchor maintenance - with either of the keys involved.) -

+ are sure you won't be using RFC 5011 trust anchor maintenance + with either of the keys involved.) +

@@ -238,36 +238,46 @@
-P date/offset

- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -

+ Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". +

+
-P sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records which match + this key are to be published to the zone. +

-A date/offset

- Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". -

+ Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". +

-R date/offset

- Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -

+ Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. +

-I date/offset

- Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -

+ Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. +

-D date/offset

- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

+ Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records which match + this key are to be deleted. +

-i interval

@@ -305,13 +315,13 @@

  • nnnn is the key name. -

    • +

  • aaa is the numeric representation - of the algorithm. -

    • + of the algorithm. +

  • iiiii is the key identifier (or - footprint). -

    • + footprint). +

dnssec-keyfromlabel creates two files, with names based diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 8a56cd5d25..55488e99c3 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -19,12 +19,12 @@ .\" Title: dnssec-keygen .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-06 +.\" Date: August 21, 2015 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-KEYGEN" "8" "2014\-02\-06" "ISC" "BIND9" +.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -48,7 +48,7 @@ dnssec-keygen \- DNSSEC key generation tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-keygen\fR\ 'u -\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-z\fR] {name} +\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name} .SH "DESCRIPTION" .PP \fBdnssec\-keygen\fR @@ -228,6 +228,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&. +.RE +.PP \-A \fIdate/offset\fR .RS 4 Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&. @@ -248,6 +253,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE .PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&. +.RE +.PP \-i \fIinterval\fR .RS 4 Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&. diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 2aeda3c217..c39b274697 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -28,7 +28,7 @@

Synopsis

-

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

+

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-k] [-L ttl] [-P date/offset] [-P sync date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-V] [-v level] [-z] {name}

DESCRIPTION

@@ -50,72 +50,72 @@
-a algorithm

- Selects the cryptographic algorithm. For DNSSEC keys, the value - of algorithm must be one of RSAMD5, RSASHA1, + Selects the cryptographic algorithm. For DNSSEC keys, the value + of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must - be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, - HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are - case insensitive. -

+ be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, + HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are + case insensitive. +

- If no algorithm is specified, then RSASHA1 will be used by - default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - -3 is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) -

+ If no algorithm is specified, then RSASHA1 will be used by + default, unless the -3 option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) +

- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. -

+

- Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 - automatically set the -T KEY option. -

+ Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 + automatically set the -T KEY option. +

-b keysize

- Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be - between 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. Elliptic curve algorithms don't need - this parameter. -

+ Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be + between 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC keys must be + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. +

- The key size does not need to be specified if using a default - algorithm. The default key size is 1024 bits for zone signing - keys (ZSKs) and 2048 bits for key signing keys (KSKs, - generated with -f KSK). However, if an - algorithm is explicitly specified with the -a, - then there is no default key size, and the -b - must be used. -

+ The key size does not need to be specified if using a default + algorithm. The default key size is 1024 bits for zone signing + keys (ZSKs) and 2048 bits for key signing keys (KSKs, + generated with -f KSK). However, if an + algorithm is explicitly specified with the -a, + then there is no default key size, and the -b + must be used. +

-n nametype

- Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. Defaults to ZONE for DNSKEY + Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. Defaults to ZONE for DNSKEY generation. -

+

-3

Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. -

+

-C

Compatibility mode: generates an old-style key, without @@ -125,142 +125,142 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

+

-c class

- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

+ Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. +

-E engine

- Specifies the cryptographic hardware to use, when applicable. -

+ Specifies the cryptographic hardware to use, when applicable. +

- When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

-f flag

- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -

+ Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. +

-G

- Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -

+ Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. +

-g generator

- If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. -

+ If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. +

-h

- Prints a short summary of the options and arguments to - dnssec-keygen. -

+ Prints a short summary of the options and arguments to + dnssec-keygen. +

-K directory

- Sets the directory in which the key files are to be written. -

+ Sets the directory in which the key files are to be written. +

-k

- Deprecated in favor of -T KEY. -

+ Deprecated in favor of -T KEY. +

-L ttl

- Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. If this value is not set and there - is no existing DNSKEY RRset, the TTL will default to the - SOA TTL. Setting the default TTL to 0 - or none is the same as leaving it unset. -

+ Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. If this value is not set and there + is no existing DNSKEY RRset, the TTL will default to the + SOA TTL. Setting the default TTL to 0 + or none is the same as leaving it unset. +

-p protocol

- Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

+ Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. +

-q

- Quiet mode: Suppresses unnecessary output, including - progress indication. Without this option, when - dnssec-keygen is run interactively - to generate an RSA or DSA key pair, it will print a string - of symbols to stderr indicating the - progress of the key generation. A '.' indicates that a - random number has been found which passed an initial - sieve test; '+' means a number has passed a single - round of the Miller-Rabin primality test; a space - means that the number has passed all the tests and is - a satisfactory key. -

+ Quiet mode: Suppresses unnecessary output, including + progress indication. Without this option, when + dnssec-keygen is run interactively + to generate an RSA or DSA key pair, it will print a string + of symbols to stderr indicating the + progress of the key generation. A '.' indicates that a + random number has been found which passed an initial + sieve test; '+' means a number has passed a single + round of the Miller-Rabin primality test; a space + means that the number has passed all the tests and is + a satisfactory key. +

-r randomdev

- Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

+ Specifies the source of randomness. If the operating + system does not provide a /dev/random + or equivalent device, the default source of randomness + is keyboard input. randomdev + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + keyboard indicates that keyboard + input should be used. +

-S key

- Create a new key which is an explicit successor to an - existing key. The name, algorithm, size, and type of the - key will be set to match the existing key. The activation - date of the new key will be set to the inactivation date of - the existing one. The publication date will be set to the - activation date minus the prepublication interval, which - defaults to 30 days. -

+ Create a new key which is an explicit successor to an + existing key. The name, algorithm, size, and type of the + key will be set to match the existing key. The activation + date of the new key will be set to the inactivation date of + the existing one. The publication date will be set to the + activation date minus the prepublication interval, which + defaults to 30 days. +

-s strength

- Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. -

+ Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. +

-T rrtype

- Specifies the resource record type to use for the key. - rrtype must be either DNSKEY or KEY. The - default is DNSKEY when using a DNSSEC algorithm, but it can be - overridden to KEY for use with SIG(0). -

+ Specifies the resource record type to use for the key. + rrtype must be either DNSKEY or KEY. The + default is DNSKEY when using a DNSSEC algorithm, but it can be + overridden to KEY for use with SIG(0). +

-

+

- Using any TSIG algorithm (HMAC-* or DH) forces this option - to KEY. -

+ Using any TSIG algorithm (HMAC-* or DH) forces this option + to KEY. +

-t type

- Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

+ Indicates the use of the key. type must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. +

-v level

- Sets the debugging level. -

+ Sets the debugging level. +

-V

Prints version information. @@ -283,38 +283,48 @@

-P date/offset

- Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -

+ Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". +

+
-P sync date/offset
+

+ Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

-A date/offset

- Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". If set, if and -P is not set, then - the publication date will be set to the activation date - minus the prepublication interval. -

+ Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". If set, if and -P is not set, then + the publication date will be set to the activation date + minus the prepublication interval. +

-R date/offset

- Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -

+ Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. +

-I date/offset

- Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -

+ Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. +

-D date/offset

- Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

+ Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. +

-i interval

@@ -352,14 +362,14 @@

  • nnnn is the key name. -

    • +

  • aaa is the numeric representation - of the - algorithm. -

    • + of the + algorithm. +

  • iiiii is the key identifier (or - footprint). -

    • + footprint). +

dnssec-keygen creates two files, with names based diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8 index af1cfd9d76..599eca4776 100644 --- a/bin/dnssec/dnssec-settime.8 +++ b/bin/dnssec/dnssec-settime.8 @@ -18,12 +18,12 @@ .\" Title: dnssec-settime .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2014-02-06 +.\" Date: 2015-08-21 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-SETTIME" "8" "2014\-02\-06" "ISC" "BIND9" +.TH "DNSSEC\-SETTIME" "8" "2015\-08\-21" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,7 +47,7 @@ dnssec-settime \- Set the key timing metadata for a DNSSEC key .SH "SYNOPSIS" .HP \w'\fBdnssec\-settime\fR\ 'u -\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile} +\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile} .SH "DESCRIPTION" .PP \fBdnssec\-settime\fR @@ -121,6 +121,11 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argume Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. .RE .PP +\-P sync \fIdate/offset\fR +.RS 4 +Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&. +.RE +.PP \-A \fIdate/offset\fR .RS 4 Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. @@ -141,6 +146,11 @@ Sets the date on which the key is to be retired\&. After that date, the key will Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.) .RE .PP +\-D sync \fIdate/offset\fR +.RS 4 +Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&. +.RE +.PP \-S \fIpredecessor key\fR .RS 4 Select a key for which the key being modified will be an explicit successor\&. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified\&. The activation date of the successor key will be set to the inactivation date of the predecessor\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&. @@ -164,23 +174,27 @@ can also be used to print the timing metadata associated with a key\&. Print times in UNIX epoch format\&. .RE .PP -\-p \fIC/P/A/R/I/D/all\fR +\-p \fIC/P/Psync/A/R/I/D/Dsync/all\fR .RS 4 Print a specific metadata value or set of metadata values\&. The \fB\-p\fR -option may be followed by one or more of the following letters to indicate which value or values to print: +option may be followed by one or more of the following letters or strings to indicate which value or values to print: \fBC\fR for the creation date, \fBP\fR for the publication date, +\fBPsync\fR +for the CDS and CDNSKEY publication date, \fBA\fR for the activation date, \fBR\fR for the revocation date, \fBI\fR -for the inactivation date, or +for the inactivation date, \fBD\fR -for the deletion date\&. To print all of the metadata, use +for the deletion date, and +\fBDsync\fR +for the CDS and CDNSKEY deletion date To print all of the metadata, use \fB\-p all\fR\&. .RE .SH "SEE ALSO" diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html index e366fb215c..509cf1190c 100644 --- a/bin/dnssec/dnssec-settime.html +++ b/bin/dnssec/dnssec-settime.html @@ -27,7 +27,7 @@

Synopsis

-

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

+

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D sync date/offset] [-D sync date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

DESCRIPTION

@@ -60,7 +60,7 @@
-f

- Force an update of an old-format key with no metadata fields. + Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the @@ -68,7 +68,7 @@ set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time. -

+

-K directory

Sets the directory in which the key files are to reside. @@ -86,12 +86,12 @@

-h

- Emit usage message and exit. -

+ Emit usage message and exit. +

-V

- Prints version information. -

+ Prints version information. +

-v level

Sets the debugging level. @@ -131,6 +131,11 @@ After that date, the key will be included in the zone but will not be used to sign it.

+
-P sync date/offset
+

+ Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

-A date/offset

Sets the date on which the key is to be activated. After that @@ -155,6 +160,11 @@ date, the key will no longer be included in the zone. (It may remain in the key repository, however.)

+
-D sync date/offset
+

+ Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. +

-S predecessor key

Select a key for which the key being modified will be an @@ -200,21 +210,24 @@

-u

- Print times in UNIX epoch format. -

-
-p C/P/A/R/I/D/all
+ Print times in UNIX epoch format. +

+
-p C/P/Psync/A/R/I/D/Dsync/all

- Print a specific metadata value or set of metadata values. + Print a specific metadata value or set of metadata values. The -p option may be followed by one or more - of the following letters to indicate which value or values to print: + of the following letters or strings to indicate which value + or values to print: C for the creation date, P for the publication date, + Psync for the CDS and CDNSKEY publication date, A for the activation date, R for the revocation date, - I for the inactivation date, or - D for the deletion date. + I for the inactivation date, + D for the deletion date, and + Dsync for the CDS and CDNSKEY deletion date To print all of the metadata, use -p all. -

+

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 0d0da0d19b..27d9c86b61 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -2366,6 +2366,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ blackhole { address_match_list }; ] [ keep-response-order { address_match_list }; ] [ no-case-compress { address_match_list }; ] + [ message-compression yes_or_no ; ] [ use-v4-udp-ports { port_list }; ] [ avoid-v4-udp-ports { port_list }; ] [ use-v6-udp-ports { port_list }; ] @@ -3774,6 +3775,15 @@ options { incremental zone transfers, use provide-ixfr no.

+
message-compression
+

+ If yes, DNS name compression will + be used for responses to regular queries (not including + AXFR or IXFR, which always uses compression). Setting + this option to no can result in + larger responses, but will reduce CPU usage on servers. + The default is yes. +

minimal-responses

If yes, then when generating diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index f0aa1ed75c..abc6e70525 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -478,6 +478,13 @@ The following types have been implemented: CSYNC, NINFO, RKEY, SINK, TA, TALINK.

+

  • + A new message-compression option can be + used to specify whether or not to use name compression when + answering queries. Setting this to no + results in larger responses, but reduces CPU consumption and + may improve throughput. The default is yes. +

    • diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index ed468f25d8..508df20b7f 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -62,52 +62,52 @@
    -1

    - Use SHA-1 as the digest algorithm (the default is to use - both SHA-1 and SHA-256). -

    + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). +

    -2

    - Use SHA-256 as the digest algorithm. -

    + Use SHA-256 as the digest algorithm. +

    -a algorithm

    - Select the digest algorithm. The value of - algorithm must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). - These values are case insensitive. -

    + Select the digest algorithm. The value of + algorithm must be one of SHA-1 (SHA1), + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. +

    -C

    - Generate CDS records rather than DS records. This is mutually + Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records. -

    +

    -T TTL

    - Specifies the TTL of the DS records. -

    + Specifies the TTL of the DS records. +

    -K directory

    - Look for key files (or, in keyset mode, - keyset- files) in - directory. -

    + Look for key files (or, in keyset mode, + keyset- files) in + directory. +

    -f file

    - Zone file mode: in place of the keyfile name, the argument is - the DNS domain name of a zone master file, which can be read - from file. If the zone name is the same as - file, then it may be omitted. -

    + Zone file mode: in place of the keyfile name, the argument is + the DNS domain name of a zone master file, which can be read + from file. If the zone name is the same as + file, then it may be omitted. +

    - If file is set to "-", then - the zone data is read from the standard input. This makes it - possible to use the output of the dig - command as input, as in: -

    + If file is set to "-", then + the zone data is read from the standard input. This makes it + possible to use the output of the dig + command as input, as in: +

    - dig dnskey example.com | dnssec-dsfromkey -f - example.com -

    + dig dnskey example.com | dnssec-dsfromkey -f - example.com +

    -A

    @@ -117,35 +117,35 @@

    -l domain

    - Generate a DLV set instead of a DS set. The specified - domain is appended to the name for each - record in the set. - The DNSSEC Lookaside Validation (DLV) RR is described - in RFC 4431. This is mutually exclusive with generating + Generate a DLV set instead of a DS set. The specified + domain is appended to the name for each + record in the set. + The DNSSEC Lookaside Validation (DLV) RR is described + in RFC 4431. This is mutually exclusive with generating CDS records. -

    +

    -s

    - Keyset mode: in place of the keyfile name, the argument is - the DNS domain name of a keyset file. -

    + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. +

    -c class

    - Specifies the DNS class (default is IN). Useful only - in keyset or zone file mode. -

    + Specifies the DNS class (default is IN). Useful only + in keyset or zone file mode. +

    -v level

    - Sets the debugging level. -

    + Sets the debugging level. +

    -h

    - Prints usage information. -

    + Prints usage information. +

    -V

    - Prints version information. -

    + Prints version information. +

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index d3cf277f63..478ca15b37 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -46,8 +46,8 @@

    Synopsis

    -

    dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] {keyfile}

    -

    dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

    +

    dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] {keyfile}

    +

    dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

    DESCRIPTION

    @@ -75,37 +75,37 @@
    -f filename

    - Zone file mode: instead of a public keyfile name, the argument + Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read - from file. If the domain name is the same as - file, then it may be omitted. -

    + from file. If the domain name is the same as + file, then it may be omitted. +

    - If file is set to "-", then - the zone data is read from the standard input. -

    + If file is set to "-", then + the zone data is read from the standard input. +

    -K directory

    - Sets the directory in which the key files are to reside. -

    + Sets the directory in which the key files are to reside. +

    -L ttl

    - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. -

    + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. +

    -h

    Emit usage message and exit.

    -v level

    - Sets the debugging level. -

    + Sets the debugging level. +

    -V

    Prints version information. @@ -128,16 +128,26 @@

    -P date/offset

    - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. -

    + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. +

    +
    -P sync date/offset
    +

    + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

    -D date/offset

    - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

    + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

    +
    -D sync date/offset
    +

    + Sets the date on which the CDS and CDNSKEY records that match + this key are to be deleted. +

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 70750fe0df..12d3a35a63 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -46,7 +46,7 @@

    Synopsis

    -

    dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

    +

    dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

    DESCRIPTION

    @@ -71,87 +71,87 @@

    Selects the cryptographic algorithm. The value of - algorithm must be one of RSAMD5, RSASHA1, + algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.

    - If no algorithm is specified, then RSASHA1 will be used by - default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - -3 is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) -

    + If no algorithm is specified, then RSASHA1 will be used by + default, unless the -3 option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) +

    - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. -

    + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. +

    - Note 2: DH automatically sets the -k flag. -

    + Note 2: DH automatically sets the -k flag. +

    -3

    Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. -

    + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. +

    -E engine

    - Specifies the cryptographic hardware to use. -

    + Specifies the cryptographic hardware to use. +

    - When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -

    + When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

    -l label

    - Specifies the label for a key pair in the crypto hardware. -

    + Specifies the label for a key pair in the crypto hardware. +

    - When BIND 9 is built with OpenSSL-based - PKCS#11 support, the label is an arbitrary string that - identifies a particular key. It may be preceded by an - optional OpenSSL engine name, followed by a colon, as in - "pkcs11:keylabel". -

    + When BIND 9 is built with OpenSSL-based + PKCS#11 support, the label is an arbitrary string that + identifies a particular key. It may be preceded by an + optional OpenSSL engine name, followed by a colon, as in + "pkcs11:keylabel". +

    - When BIND 9 is built with native PKCS#11 - support, the label is a PKCS#11 URI string in the format - "pkcs11:keyword=value[;keyword=value;...]" - Keywords include "token", which identifies the HSM; "object", which - identifies the key; and "pin-source", which identifies a file from - which the HSM's PIN code can be obtained. The label will be - stored in the on-disk "private" file. -

    + When BIND 9 is built with native PKCS#11 + support, the label is a PKCS#11 URI string in the format + "pkcs11:keyword=value[;keyword=value;...]" + Keywords include "token", which identifies the HSM; "object", which + identifies the key; and "pin-source", which identifies a file from + which the HSM's PIN code can be obtained. The label will be + stored in the on-disk "private" file. +

    - If the label contains a - pin-source field, tools using the generated - key files will be able to use the HSM for signing and other - operations without any need for an operator to manually enter - a PIN. Note: Making the HSM's PIN accessible in this manner - may reduce the security advantage of using an HSM; be sure - this is what you want to do before making use of this feature. -

    + If the label contains a + pin-source field, tools using the generated + key files will be able to use the HSM for signing and other + operations without any need for an operator to manually enter + a PIN. Note: Making the HSM's PIN accessible in this manner + may reduce the security advantage of using an HSM; be sure + this is what you want to do before making use of this feature. +

    -n nametype

    - Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. -

    + Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. +

    -C

    Compatibility mode: generates an old-style key, without @@ -161,84 +161,84 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

    +

    -c class

    - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

    + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. +

    -f flag

    - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -

    + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. +

    -G

    - Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -

    + Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. +

    -h

    - Prints a short summary of the options and arguments to - dnssec-keyfromlabel. -

    + Prints a short summary of the options and arguments to + dnssec-keyfromlabel. +

    -K directory

    - Sets the directory in which the key files are to be written. -

    + Sets the directory in which the key files are to be written. +

    -k

    - Generate KEY records rather than DNSKEY records. -

    + Generate KEY records rather than DNSKEY records. +

    -L ttl

    - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. -

    + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. +

    -p protocol

    - Sets the protocol value for the key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

    + Sets the protocol value for the key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. +

    -S key

    - Generate a key as an explicit successor to an existing key. + Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. -

    +

    -t type

    - Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

    + Indicates the use of the key. type must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. +

    -v level

    - Sets the debugging level. -

    + Sets the debugging level. +

    -V

    Prints version information.

    -y

    - Allows DNSSEC key files to be generated even if the key ID + Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you - are sure you won't be using RFC 5011 trust anchor maintenance - with either of the keys involved.) -

    + are sure you won't be using RFC 5011 trust anchor maintenance + with either of the keys involved.) +

    @@ -257,36 +257,46 @@
    -P date/offset

    - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -

    + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". +

    +
    -P sync date/offset
    +

    + Sets the date on which the CDS and CDNSKEY records which match + this key are to be published to the zone. +

    -A date/offset

    - Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". -

    + Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". +

    -R date/offset

    - Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -

    + Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. +

    -I date/offset

    - Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -

    + Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. +

    -D date/offset

    - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

    + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

    +
    -D sync date/offset
    +

    + Sets the date on which the CDS and CDNSKEY records which match + this key are to be deleted. +

    -i interval

    @@ -324,13 +334,13 @@

    • nnnn is the key name. -

      • +

    • aaa is the numeric representation - of the algorithm. -

      • + of the algorithm. +

    • iiiii is the key identifier (or - footprint). -

      • + footprint). +

    dnssec-keyfromlabel creates two files, with names based diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index fadad71da0..190e8062bd 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -46,7 +46,7 @@

    Synopsis

    -

    dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

    +

    dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-D sync date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-k] [-L ttl] [-P date/offset] [-P sync date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-V] [-v level] [-z] {name}

    DESCRIPTION

    @@ -68,72 +68,72 @@
    -a algorithm

    - Selects the cryptographic algorithm. For DNSSEC keys, the value - of algorithm must be one of RSAMD5, RSASHA1, + Selects the cryptographic algorithm. For DNSSEC keys, the value + of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must - be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, - HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are - case insensitive. -

    + be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, + HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are + case insensitive. +

    - If no algorithm is specified, then RSASHA1 will be used by - default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - -3 is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) -

    + If no algorithm is specified, then RSASHA1 will be used by + default, unless the -3 option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) +

    - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. -

    +

    - Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 - automatically set the -T KEY option. -

    + Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 + automatically set the -T KEY option. +

    -b keysize

    - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be - between 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. Elliptic curve algorithms don't need - this parameter. -

    + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be + between 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC keys must be + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. +

    - The key size does not need to be specified if using a default - algorithm. The default key size is 1024 bits for zone signing - keys (ZSKs) and 2048 bits for key signing keys (KSKs, - generated with -f KSK). However, if an - algorithm is explicitly specified with the -a, - then there is no default key size, and the -b - must be used. -

    + The key size does not need to be specified if using a default + algorithm. The default key size is 1024 bits for zone signing + keys (ZSKs) and 2048 bits for key signing keys (KSKs, + generated with -f KSK). However, if an + algorithm is explicitly specified with the -a, + then there is no default key size, and the -b + must be used. +

    -n nametype

    - Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. Defaults to ZONE for DNSKEY + Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. Defaults to ZONE for DNSKEY generation. -

    +

    -3

    Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. -

    +

    -C

    Compatibility mode: generates an old-style key, without @@ -143,142 +143,142 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the -C option suppresses them. -

    +

    -c class

    - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

    + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. +

    -E engine

    - Specifies the cryptographic hardware to use, when applicable. -

    + Specifies the cryptographic hardware to use, when applicable. +

    - When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". -

    + When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

    -f flag

    - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. -

    + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. +

    -G

    - Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. -

    + Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. +

    -g generator

    - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. -

    + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. +

    -h

    - Prints a short summary of the options and arguments to - dnssec-keygen. -

    + Prints a short summary of the options and arguments to + dnssec-keygen. +

    -K directory

    - Sets the directory in which the key files are to be written. -

    + Sets the directory in which the key files are to be written. +

    -k

    - Deprecated in favor of -T KEY. -

    + Deprecated in favor of -T KEY. +

    -L ttl

    - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. If this value is not set and there - is no existing DNSKEY RRset, the TTL will default to the - SOA TTL. Setting the default TTL to 0 - or none is the same as leaving it unset. -

    + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. If this value is not set and there + is no existing DNSKEY RRset, the TTL will default to the + SOA TTL. Setting the default TTL to 0 + or none is the same as leaving it unset. +

    -p protocol

    - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

    + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. +

    -q

    - Quiet mode: Suppresses unnecessary output, including - progress indication. Without this option, when - dnssec-keygen is run interactively - to generate an RSA or DSA key pair, it will print a string - of symbols to stderr indicating the - progress of the key generation. A '.' indicates that a - random number has been found which passed an initial - sieve test; '+' means a number has passed a single - round of the Miller-Rabin primality test; a space - means that the number has passed all the tests and is - a satisfactory key. -

    + Quiet mode: Suppresses unnecessary output, including + progress indication. Without this option, when + dnssec-keygen is run interactively + to generate an RSA or DSA key pair, it will print a string + of symbols to stderr indicating the + progress of the key generation. A '.' indicates that a + random number has been found which passed an initial + sieve test; '+' means a number has passed a single + round of the Miller-Rabin primality test; a space + means that the number has passed all the tests and is + a satisfactory key. +

    -r randomdev

    - Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

    + Specifies the source of randomness. If the operating + system does not provide a /dev/random + or equivalent device, the default source of randomness + is keyboard input. randomdev + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + keyboard indicates that keyboard + input should be used. +

    -S key

    - Create a new key which is an explicit successor to an - existing key. The name, algorithm, size, and type of the - key will be set to match the existing key. The activation - date of the new key will be set to the inactivation date of - the existing one. The publication date will be set to the - activation date minus the prepublication interval, which - defaults to 30 days. -

    + Create a new key which is an explicit successor to an + existing key. The name, algorithm, size, and type of the + key will be set to match the existing key. The activation + date of the new key will be set to the inactivation date of + the existing one. The publication date will be set to the + activation date minus the prepublication interval, which + defaults to 30 days. +

    -s strength

    - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. -

    + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. +

    -T rrtype

    - Specifies the resource record type to use for the key. - rrtype must be either DNSKEY or KEY. The - default is DNSKEY when using a DNSSEC algorithm, but it can be - overridden to KEY for use with SIG(0). -

    + Specifies the resource record type to use for the key. + rrtype must be either DNSKEY or KEY. The + default is DNSKEY when using a DNSSEC algorithm, but it can be + overridden to KEY for use with SIG(0). +

    -

    +

    - Using any TSIG algorithm (HMAC-* or DH) forces this option - to KEY. -

    + Using any TSIG algorithm (HMAC-* or DH) forces this option + to KEY. +

    -t type

    - Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

    + Indicates the use of the key. type must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. +

    -v level

    - Sets the debugging level. -

    + Sets the debugging level. +

    -V

    Prints version information. @@ -301,38 +301,48 @@

    -P date/offset

    - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". -

    + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". +

    +
    -P sync date/offset
    +

    + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

    -A date/offset

    - Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". If set, if and -P is not set, then - the publication date will be set to the activation date - minus the prepublication interval. -

    + Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". If set, if and -P is not set, then + the publication date will be set to the activation date + minus the prepublication interval. +

    -R date/offset

    - Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. -

    + Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. +

    -I date/offset

    - Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. -

    + Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. +

    -D date/offset

    - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) -

    + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) +

    +
    -D sync date/offset
    +

    + Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. +

    -i interval

    @@ -370,14 +380,14 @@

    • nnnn is the key name. -

      • +

    • aaa is the numeric representation - of the - algorithm. -

      • + of the + algorithm. +

    • iiiii is the key identifier (or - footprint). -

      • + footprint). +

    dnssec-keygen creates two files, with names based diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index e4768c5281..9946cd0887 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -46,7 +46,7 @@

    Synopsis

    -

    dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

    +

    dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D sync date/offset] [-D sync date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

    DESCRIPTION

    @@ -79,7 +79,7 @@
    -f

    - Force an update of an old-format key with no metadata fields. + Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the @@ -87,7 +87,7 @@ set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time. -

    +

    -K directory

    Sets the directory in which the key files are to reside. @@ -105,12 +105,12 @@

    -h

    - Emit usage message and exit. -

    + Emit usage message and exit. +

    -V

    - Prints version information. -

    + Prints version information. +

    -v level

    Sets the debugging level. @@ -150,6 +150,11 @@ After that date, the key will be included in the zone but will not be used to sign it.

    +
    -P sync date/offset
    +

    + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. +

    -A date/offset

    Sets the date on which the key is to be activated. After that @@ -174,6 +179,11 @@ date, the key will no longer be included in the zone. (It may remain in the key repository, however.)

    +
    -D sync date/offset
    +

    + Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. +

    -S predecessor key

    Select a key for which the key being modified will be an @@ -219,21 +229,24 @@

    -u

    - Print times in UNIX epoch format. -

    -
    -p C/P/A/R/I/D/all
    + Print times in UNIX epoch format. +

    +
    -p C/P/Psync/A/R/I/D/Dsync/all

    - Print a specific metadata value or set of metadata values. + Print a specific metadata value or set of metadata values. The -p option may be followed by one or more - of the following letters to indicate which value or values to print: + of the following letters or strings to indicate which value + or values to print: C for the creation date, P for the publication date, + Psync for the CDS and CDNSKEY publication date, A for the activation date, R for the revocation date, - I for the inactivation date, or - D for the deletion date. + I for the inactivation date, + D for the deletion date, and + Dsync for the CDS and CDNSKEY deletion date To print all of the metadata, use -p all. -

    +

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 50aa7eda6c..f1c6872c94 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -1,11 +1,11 @@