From f6d93187a121da71416026756e190169a135ce1b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 11 Jun 2004 03:03:14 +0000 Subject: [PATCH] regen --- bin/dnssec/dnssec-keygen.8 | 31 ++--- bin/dnssec/dnssec-keygen.html | 61 +++++----- bin/dnssec/dnssec-signzone.8 | 20 ++-- bin/dnssec/dnssec-signzone.html | 35 +++--- doc/arm/Bv9ARM.ch04.html | 202 ++++++++++---------------------- doc/arm/Bv9ARM.ch05.html | 4 +- doc/arm/Bv9ARM.ch06.html | 147 +++++++++++++---------- doc/arm/Bv9ARM.ch07.html | 8 +- doc/arm/Bv9ARM.ch08.html | 14 +-- doc/arm/Bv9ARM.ch09.html | 108 ++++++++--------- doc/arm/Bv9ARM.html | 92 +++++++-------- 11 files changed, 324 insertions(+), 398 deletions(-) diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 5d6d04734d..9f78919eb2 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 
@@ -13,34 +13,36 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.26 2004/06/03 04:12:36 marka Exp $ +.\" $Id: dnssec-keygen.8,v 1.27 2004/06/11 03:03:11 marka Exp $ .\" .TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" "" .SH NAME dnssec-keygen \- DNSSEC key generation tool .SH SYNOPSIS .sp -\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-f \fIflag\fB\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR +\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-f \fIflag\fB\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-k\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR .SH "DESCRIPTION" .PP \fBdnssec-keygen\fR generates keys for DNSSEC -(Secure DNS), as defined in RFC 2535. It can also generate +(Secure DNS), as defined in RFC 2535 and RFC . It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. .SH "OPTIONS" .TP \fB-a \fIalgorithm\fB\fR Selects the cryptographic algorithm. The value of -\fBalgorithm\fR must be one of RSAMD5 or RSA, +\fBalgorithm\fR must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC-MD5. These values are case insensitive. -Note that for DNSSEC, DSA is a mandatory to implement algorithm, -and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. +Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, +and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + +Note 2: HMAC-MD5 and DH automatically set the -k flag. 
.TP \fB-b \fIkeysize\fB\fR Specifies the number of bits in the key. The choice of key -size depends on the algorithm used. RSA keys must be between +size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be @@ -49,8 +51,8 @@ between 1 and 512 bits. \fB-n \fInametype\fB\fR Specifies the owner type of the key. The value of \fBnametype\fR must either be ZONE (for a DNSSEC -zone key), HOST or ENTITY (for a key associated with a host), -or USER (for a key associated with a user). These values are +zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), +USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. .TP \fB-c \fIclass\fB\fR @@ -58,11 +60,11 @@ Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. .TP \fB-e\fR -If generating an RSA key, use a large exponent. +If generating an RSAMD5/RSASHA1 key, use a large exponent. .TP \fB-f \fIflag\fB\fR -Set the specified flag in the flag field of the key record. -The only recognized flag is KSK (Key Signing Key). +Set the specified flag in the flag field of the KEY/DNSKEY record. +The only recognized flag is KSK (Key Signing Key) DNSKEY. .TP \fB-g \fIgenerator\fB\fR If generating a Diffie Hellman key, use this generator. @@ -74,6 +76,9 @@ if possible; otherwise the default is 2. Prints a short summary of the options and arguments to \fBdnssec-keygen\fR. .TP +\fB-k\fR +Generate KEY records rather than DNSKEY records. +.TP \fB-p \fIprotocol\fB\fR Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). 
@@ -159,8 +164,6 @@ the files \fIKexample.com.+003+26160.key\fR and \fIKexample.com.+003+26160.private\fR .SH "SEE ALSO" .PP -\fBdnssec-makekeyset\fR(8), -\fBdnssec-signkey\fR(8), \fBdnssec-signzone\fR(8), \fIBIND 9 Administrator Reference Manual\fR, \fIRFC 2535\fR, diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index dabd6de969..97e2fd3b35 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -15,7 +15,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + -h] [-k] [-p
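Review bot: the rewritten DESCRIPTION in the dnssec-keygen.8 hunk reads "as defined in RFC 2535 and RFC ." (the HTML hunk shows the same spot as "RFC <TBA\>"), so an unfilled placeholder goes out in the installed man page. Either name the DNSSEC-bis document by its working title until the RFC number is assigned or leave the sentence at RFC 2535 for this regen; the same "RFC <TBA>" appears in the Bv9ARM.ch04.html hunk. Minor: "Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm" keeps a stray "that" from the sentence it replaced; "Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement algorithm, and DSA is recommended" reads cleanly.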

DESCRIPTION

dnssec-keygen generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535. It can also generate + (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.

OPTIONS

algorithm
must be one of RSAMD5 or RSA, +> must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC-MD5. These values are case insensitive.

Note that for DNSSEC, DSA is a mandatory to implement algorithm, - and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. +> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. +

Note 2: HMAC-MD5 and DH automatically set the -k flag.

Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be between + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be @@ -231,8 +237,8 @@ CLASS="REPLACEABLE" CLASS="OPTION" >nametype must either be ZONE (for a DNSSEC - zone key), HOST or ENTITY (for a key associated with a host), - or USER (for a key associated with a user). These values are + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.

-e

If generating an RSA key, use a large exponent. +> If generating an RSAMD5/RSASHA1 key, use a large exponent.

Set the specified flag in the flag field of the key record. - The only recognized flag is KSK (Key Signing Key). +> Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY.

-k

Generate KEY records rather than DNSKEY records. +

-p

GENERATED KEYS

EXAMPLE

SEE ALSO

dnssec-makekeyset(8), - dnssec-signkey(8), - dnssec-signzone(8), @@ -582,7 +581,7 @@ CLASS="CITETITLE" >

AUTHOR
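Review bot: the new -k entry ("Generate KEY records rather than DNSKEY records") together with Note 2 ("HMAC-MD5 and DH automatically set the -k flag") does not say which record type the remaining algorithm/nametype combinations produce, while the -n text marks HOST, ENTITY and USER as "(KEY)" and ZONE as "(KEY/DNSKEY)". A reader cannot tell whether "-n HOST" with RSASHA1 yields a KEY or a DNSKEY record when -k is not given; one sentence under -k stating the default per nametype would settle it. Also, the -f text "The only recognized flag is KSK (Key Signing Key) DNSKEY." reads as a fragment; if the intent is that the flag is meaningful only for DNSKEY records, say so: "The only recognized flag is KSK (Key Signing Key); it applies to DNSKEY records."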

- + dnssec-signzone signs a zone. It generates NSEC - and RRSIG records and produces a signed version of the zone. If there - is a signedkey file from the zone's parent, - the parent's signatures will be incorporated into the generated - signed zone file. The security status of delegations from the - signed zone (that is, whether the child zones are secure or not) is - determined by the presence or absence of a +> signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a signedkeykeyset
file for each child zone.

OPTIONS

Look for signedkeykeyset files in

EXAMPLE

signedkey
files associated with this zone - or any child zones, they must be in the current directory. +>keyset files associated with child zones, + they must be in the current directory.

SEE ALSO

AUTHOR
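Review bot: the new DESCRIPTION says the security status of a delegation "is determined by the presence or absence of a keyset file for each child zone", but the Bv9ARM.ch04.html hunk in this same patch states that dnssec-signzone generates DS records for secure child zones only when '-d' is specified, and that otherwise the DS RRsets must be added manually. Without that caveat an operator can run dnssec-signzone with the child keyset files in the current directory and still publish a zone with no DS at the delegation, which a validator treats as an insecure delegation; the DESCRIPTION or the '-d' option text should state the dependency.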

4.9. IPv6 Support in BIND statement.

Updating of secure zones (zones using DNSSEC) follows - RFC 3007: SIG and NXT records affected by updates are automatically + RFC 3007: RRSIG and NSEC records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy.

DNSSECDNSSEC-bis
) extensions, - defined in RFC 2535. This section describes the creation and use + defined in RFC <TBA>. This section describes the creation and use of DNSSEC signed zones.

In order to set up a DNSSEC secure zone, there are a series @@ -1202,18 +1202,23 @@ CLASS="option" >-h option prints a full list of parameters. Note that the DNSSEC tools require the - keyset and signedkey files to be in the working directory or the + keyset files to be in the working directory or the directory specified by the -h option, and - that the tools shipped with BIND 9.0.x are not fully compatible + that the tools shipped with BIND 9.2.x and earlier are not compatible with the current ones.

There must also be communication with the administrators of - the parent and/or child zone to transmit keys and signatures. A - zone's security status must be indicated by the parent zone for a - DNSSEC capable resolver to trust its data.

DS record at the delegation + point.

For other servers to trust data in this zone, they must either be statically configured with this zone's zone key or the @@ -1223,7 +1228,7 @@ CLASS="sect2" >

4.8.1. Generating Keys

, and must be usable for authentication. It is recommended that zone keys use a cryptographic algorithm designated as "mandatory to implement" by the IETF; currently - these are RSASHA1 and DSA.

The following command will generate a 768 bit DSA key for +>The following command will generate a 768 bit RSASHA1 key for the child.examplednssec-keygen -a DSA -b 768 -n ZONE child.example.dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.

Two output files will be produced: Kchild.example.+003+12345.keyKchild.example.+005+12345.key and Kchild.example.+003+12345.privateKchild.example.+005+12345.private (where 12345 is an example of a key tag). The key file names contain the key name (
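Review bot: the Generating Keys example switches the algorithm from DSA to RSASHA1 but keeps "-b 768", a size chosen for DSA (the dnssec-keygen hunk above bounds DSA at 512 to 1024 bits, a multiple of 64). For RSAMD5/RSASHA1 the same hunk allows 512 to 2048 bits and 768 sits at the weak end; since readers copy this command verbatim, suggest showing a larger size such as 1024 or 2048 in both the sentence ("a 768 bit RSASHA1 key") and the command line. The renamed output files Kchild.example.+005+12345.key and .private correctly reflect algorithm number 5 for RSASHA1, replacing 3 for DSA.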

4.8.2. Creating a Keyset

The dnssec-makekeyset program is used - to create a key set from one or more keys.

Once the zone keys have been generated, a key set must be - built for transmission to the administrator of the parent zone, - so that the parent zone can sign the keys with its own zone key - and correctly indicate the security status of this zone. When - building a key set, the list of keys to be included and the TTL - of the set must be specified, and the desired signature validity - period of the parent's signature may also be specified.

The list of keys to be inserted into the key set may also - included non-zone keys present at the top of the zone. - dnssec-makekeyset may also be used at other - names in the zone.

The following command generates a key set containing the - above key and another key similarly generated, with a TTL of - 3600 and a signature validity period of 10 days starting from - now.

dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456

One output file is produced: - keyset-child.example.. This file should be - transmitted to the parent to be signed. It includes the keys, - as well as signatures over the key set generated by the zone - keys themselves, which are used to prove ownership of the - private keys and encode the desired validity period.

4.8.3. Signing the Child's Keyset

The dnssec-signkey program is used to - sign one child's keyset.

If the child.example zone has any - delegations which are secure, for example, - grand.child.example, the - child.example administrator should receive - keyset files for each secure subzone. These keys must be signed - by this zone's zone keys.

The following command signs the child's key set with the - zone keys:

dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456

One output file is produced: - signedkey-grand.child.example.. This file - should be both transmitted back to the child and retained. It - includes all keys (the child's keys) from the keyset file and - signatures generated by this zone's zone keys.

4.8.4. Signing the Zone4.8.2. Signing the Zone

The

Any signedkey files corresponding to - secure subzones should be present, as well as a - signedkey file for this zone generated by - the parent (if there is one). The zone signer will generate - keyset files corresponding + to secure subzones should be present. The zone signer will + generate NXTNSEC and SIG records for - the zone, as well as incorporate the zone key signature from the - parent and indicate the security status at all delegation - points.

RRSIG + records for the zone, as well as DS for + the child zones if '-d' is specified. + If '-d' is not specified then DS RRsets for + the secure child zones need to be added manually.

The following command signs the zone, assuming it is in a file called named.conf as the input file for the zone.

dnssec-signzone will also produce a + keyset and dsset files and optionally a dlvset file. These + are used to provide the parent zone administators with the + DNSKEYs (or their corresponding DS + records) that are the secure entry point to the zone.

4.8.5. Configuring Servers4.8.3. Configuring Servers

Unlike
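Review bot: "administators" in the new dnssec-signzone paragraph should be "administrators", and "will also produce a keyset and dsset files" needs either "a keyset file and a dsset file" or "keyset and dsset files". The same sentence says the tool "optionally" produces a dlvset file but does not say which option enables it; name that option here, otherwise the reader has to guess from the -h output.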

4.9. IPv6 Support in BIND

4.9.1. Address Lookups Using AAAA Records

4.9.2. Address to Name Lookups Using Nibble Format

5.1. The Lightweight Resolver Library

5.1. The Lightweight Resolver Library

6.3. Zone File

6.1.1.1. Syntax

6.1.1.2. Definition and Usage

6.1.2. Comment Syntax

6.1.2.1. Syntax

6.1.2.2. Definition and Usage

6.2.1. acl

6.2.3. controls

6.2.5. include

6.2.6. include

6.2.7. key

6.2.8. key

6.2.9. logging

6.2.10. logging

6.2.10.1. The channel

option has been specified.

+

The query log entry reports the client's IP address and port number. The +query name, class and type. It also reports whether the Recursion Desired +flag was set (+ if set, - if not set), EDNS was in use (E) or if the +query was signed (S).

+
client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
+client ::1#62537: query: www.example.net IN AAAA -SE
+
+
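Review bot: in the new query log paragraph, "The query log entry reports the client's IP address and port number. The query name, class and type." splits one list into a sentence fragment; suggest "The query log entry reports the client's IP address and port number, the query name, class and type." The legend lists the indicators as RD (+/-), then E for EDNS, then S for a signed query, but the two sample lines print them as "+SE" and "-SE", with S before E; state the fixed order the server emits so that anyone filtering these lines for unsigned or non-EDNS queries can match them reliably.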

6.2.11. lwres

6.2.12. lwres

6.2.13. masters

6.2.14. masters

6.2.15. options

6.2.16.2. Forwarding

6.2.16.3. 6 to 4 Servers

6.2.16.5. Interfaces

6.2.16.6. Query Address

6.2.16.8. Bad UDP Port Lists

6.2.16.9. Operating System Resource Limits

6.2.16.10. Server Resource Limits

6.2.16.11. Periodic Task Intervals

6.2.19. trusted-keys

6.2.20. trusted-keys

6.2.22. view

6.2.24. zone

6.2.24.1. Zone Types

6.2.24.2. Class

6.2.24.3. Zone Options

6.3. Zone File

6.3.1.1. Resource Records

6.3.1.2. Textual expression of RRs

6.3.2. Discussion of MX Records

6.3.4. Inverse Mapping in IPv4

6.3.5. Other Zone File Directives

6.3.5.1. The $ORIGIN

6.3.5.2. The $INCLUDE

6.3.5.3. The $TTL

6.3.6. BIND

7.2. chroot

7.2. chroot

7.2.1. The chroot

7.2.2. Using the setuid

8.1. Common Problems
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?

8.1. Common Problems

8.1.1. It's not working; how can I figure out what's wrong?

8.2. Incrementing and Changing the Serial Number

8.3. Where Can I Get Help?

A.1. Acknowledgments

A.1. Acknowledgments

A.1.1. A Brief History of the DNS

Bibliography

Standards

[RFC974] 

[RFC1034] 

[RFC1035] 

[RFC2181] 

[RFC2308] 

[RFC1995]