diff --git a/CHANGES b/CHANGES
index 4f55ca2aa0e..2fc7dff3687 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,23 @@
+ --- 9.6.1 released ---
+
+2607. [bug] named could incorrectly delete NSEC3 records for
+ empty nodes when processing a update request.
+ [RT #19749]
+
+2606. [bug] "delegation-only" was not being accepted in
+ delegation-only type zones. [RT #19717]
+
+2605. [bug] Accept DS responses from delegation only zones.
+ [RT # 19296]
+
+2603. [port] win32: handle .exe extension of named-checkzone and
+ named-comilezone argv[0] names under windows.
+ [RT #19767]
+
+2602. [port] win32: fix debugging command line build of libisccfg.
+ [RT #19767]
+
--- 9.6.1rc1 released ---
2599. [bug] Address rapid memory growth when validation fails.
diff --git a/KNOWN-DEFECTS b/KNOWN-DEFECTS
new file mode 100644
index 00000000000..83d71759740
--- /dev/null
+++ b/KNOWN-DEFECTS
@@ -0,0 +1,15 @@
+dnssec-signzone was designed so that it could sign a zone partially, using
+only a subset of the DNSSEC keys needed to produce a fully-signed zone.
+This permits a zone administrator, for example, to sign a zone with one
+key on one machine, move the resulting partially-signed zone to a second
+machine, and sign it again with a second key.
+
+An unfortunate side-effect of this flexibility is that dnssec-signzone
+does not check to make sure it's signing a zone with any valid keys at
+all. An attempt to sign a zone without any keys will appear to succeed,
+producing a "signed" zone with no signatures. There is no warning issued
+when a zone is not signed.
+
+This will be corrected in a future release. In the meantime, ISC
+recommends examining the output of dnssec-signzone to confirm that
+the zone is properly signed by all keys before using it.
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index e91cbeadc10..83b3bbe9acf 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkzone.c,v 1.51.34.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: named-checkzone.c,v 1.51.34.3 2009/05/29 02:17:43 marka Exp $ */
/*! \file */
@@ -123,9 +123,13 @@ main(int argc, char **argv) {
*/
if (strncmp(prog_name, "lt-", 3) == 0)
prog_name += 3;
- if (strcmp(prog_name, "named-checkzone") == 0)
+
+#define PROGCMP(X) \
+ (strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
+
+ if (PROGCMP("named-checkzone"))
progmode = progmode_check;
- else if (strcmp(prog_name, "named-compilezone") == 0)
+ else if (PROGCMP("named-compilezone"))
progmode = progmode_compile;
else
INSIST(0);
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index ca0ed36d4c2..84e613f721b 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,275 +13,163 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.47 2008/10/15 01:11:35 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.47.44.4 2009/06/09 01:47:19 each Exp $
.\"
.hy 0
.ad l
-.\" Title: dnssec\-signzone
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1
-.\" Date: June 30, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-signzone \- DNSSEC zone signing tool
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "DNSSEC-SIGNZONE" 8 "June 08, 2009" "" ""
+.SH NAME
+dnssec-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-d\ \fIdirectory\fR\fR] [\fB\-e\ \fIend\-time\fR\fR] [\fB\-f\ \fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fIkey\fR\fR] [\fB\-l\ \fIdomain\fR\fR] [\fB\-i\ \fIinterval\fR\fR] [\fB\-I\ \fIinput\-format\fR\fR] [\fB\-j\ \fIjitter\fR\fR] [\fB\-N\ \fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fIorigin\fR\fR] [\fB\-O\ \fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fIrandomdev\fR\fR] [\fB\-s\ \fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fIsalt\fR\fR] [\fB\-H\ \fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
-\fBdnssec\-signzone\fR
-signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
-\fIkeyset\fR
-file for each child zone.
+\fBdnssec\-signzone\fR signs a zone\&. It generates NSEC and RRSIG records and produces a signed version of the zone\&. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a \fIkeyset\fR file for each child zone\&.
.SH "OPTIONS"
-.PP
+.TP
\-a
-.RS 4
-Verify all generated signatures.
-.RE
-.PP
+Verify all generated signatures\&.
+.TP
\-c \fIclass\fR
-.RS 4
-Specifies the DNS class of the zone.
-.RE
-.PP
+Specifies the DNS class of the zone\&.
+.TP
\-k \fIkey\fR
-.RS 4
-Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.RE
-.PP
+Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
+.TP
\-l \fIdomain\fR
-.RS 4
-Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-.RE
-.PP
+Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
+.TP
\-d \fIdirectory\fR
-.RS 4
-Look for
-\fIkeyset\fR
-files in
-\fBdirectory\fR
-as the directory
-.RE
-.PP
+Look for \fIkeyset\fR files in \fBdirectory\fR as the directory
+.TP
\-g
-.RS 4
-Generate DS records for child zones from keyset files. Existing DS records will be removed.
-.RE
-.PP
+Generate DS records for child zones from keyset files\&. Existing DS records will be removed\&.
+.TP
\-s \fIstart\-time\fR
-.RS 4
-Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
-\fBstart\-time\fR
-is specified, the current time minus 1 hour (to allow for clock skew) is used.
-.RE
-.PP
+Specify the date and time when the generated RRSIG records become valid\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000\&. A relative start time is indicated by +N, which is N seconds from the current time\&. If no \fBstart\-time\fR is specified, the current time minus 1 hour (to allow for clock skew) is used\&.
+.TP
\-e \fIend\-time\fR
-.RS 4
-Specify the date and time when the generated RRSIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
-.RE
-.PP
+Specify the date and time when the generated RRSIG records expire\&. As with \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no \fBend\-time\fR is specified, 30 days from the start time is used as a default\&.
+.TP
\-f \fIoutput\-file\fR
-.RS 4
-The name of the output file containing the signed zone. The default is to append
-\fI.signed\fR
-to the input filename.
-.RE
-.PP
+The name of the output file containing the signed zone\&. The default is to append \fI\&.signed\fR to the input filename\&.
+.TP
\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBdnssec\-signzone\fR.
-.RE
-.PP
+Prints a short summary of the options and arguments to \fBdnssec\-signzone\fR\&.
+.TP
\-i \fIinterval\fR
-.RS 4
-When a previously\-signed zone is passed as input, records may be resigned. The
-\fBinterval\fR
-option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
-.sp
-The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
-\fBend\-time\fR
-or
-\fBstart\-time\fR
-are specified,
-\fBdnssec\-signzone\fR
-generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
-.RE
-.PP
+When a previously\-signed zone is passed as input, records may be resigned\&. The \fBinterval\fR option specifies the cycle interval as an offset from the current time (in seconds)\&. If a RRSIG record expires after the cycle interval, it is retained\&. Otherwise, it is considered to be expiring soon, and it will be replaced\&.
+The default cycle interval is one quarter of the difference between the signature end and start times\&. So if neither \fBend\-time\fR or \fBstart\-time\fR are specified, \fBdnssec\-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7\&.5 days\&. Therefore, if any existing RRSIG records are due to expire in less than 7\&.5 days, they would be replaced\&.
+.TP
\-I \fIinput\-format\fR
-.RS 4
-The format of the input zone file. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
-.RE
-.PP
+The format of the input zone file\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly\&. The use of this option does not make much sense for non\-dynamic zones\&.
+.TP
\-j \fIjitter\fR
-.RS 4
-When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
-\fBjitter\fR
-option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
-.sp
-Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
-.RE
-.PP
+When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously\&. If the zone is incrementally signed, i\&.e\&. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time\&. The \fBjitter\fR option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time\&.
+Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i\&.e\&. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time\&.
+.TP
\-n \fIncpus\fR
-.RS 4
-Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.RE
-.PP
+Specifies the number of threads to use\&. By default, one thread is started for each detected CPU\&.
+.TP
\-N \fIsoa\-serial\-format\fR
-.RS 4
-The SOA serial number format of the signed zone. Possible formats are
+The SOA serial number format of the signed zone\&. Possible formats are \fB"keep"\fR (default), \fB"increment"\fR and \fB"unixtime"\fR\&.
+.RS
+.TP
\fB"keep"\fR
-(default),
+Do not modify the SOA serial number\&.
+.TP
\fB"increment"\fR
-and
-\fB"unixtime"\fR.
-.RS 4
-.PP
-\fB"keep"\fR
-.RS 4
-Do not modify the SOA serial number.
-.RE
-.PP
-\fB"increment"\fR
-.RS 4
-Increment the SOA serial number using RFC 1982 arithmetics.
-.RE
-.PP
+Increment the SOA serial number using RFC 1982 arithmetics\&.
+.TP
\fB"unixtime"\fR
-.RS 4
-Set the SOA serial number to the number of seconds since epoch.
+Set the SOA serial number to the number of seconds since epoch\&.
.RE
-.RE
-.RE
-.PP
+.IP
+.TP
\-o \fIorigin\fR
-.RS 4
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.RE
-.PP
+The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
+.TP
\-O \fIoutput\-format\fR
-.RS 4
-The format of the output file containing the signed zone. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR.
-.RE
-.PP
+The format of the output file containing the signed zone\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&.
+.TP
\-p
-.RS 4
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.RE
-.PP
+Use pseudo\-random data when signing the zone\&. This is faster, but less secure, than using real random data\&. This option may be useful when signing large zones or when the entropy source is limited\&.
+.TP
\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
+Specifies the source of randomness\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
+.TP
\-t
-.RS 4
-Print statistics at completion.
-.RE
-.PP
+Print statistics at completion\&.
+.TP
\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.PP
+Sets the debugging level\&.
+.TP
\-z
-.RS 4
-Ignore KSK flag on key when determining what to sign.
-.RE
-.PP
+Ignore KSK flag on key when determining what to sign\&.
+.TP
\-3 \fIsalt\fR
-.RS 4
-Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
-.RE
-.PP
+Generate a NSEC3 chain with the given hex encoded salt\&. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain\&.
+.TP
\-H \fIiterations\fR
-.RS 4
-When generating a NSEC3 chain use this many interations. The default is 100.
-.RE
-.PP
+When generating a NSEC3 chain use this many interations\&. The default is 100\&.
+.TP
\-A
-.RS 4
-When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
-.RE
-.PP
+When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations\&.
+.TP
zonefile
-.RS 4
-The file containing the zone to be signed.
-.RE
-.PP
+The file containing the zone to be signed\&.
+.TP
key
-.RS 4
-Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
-.RE
+Specify which keys should be used to sign the zone\&. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex\&. If these are found and there are matching private keys, in the current directory, then these will be used for signing\&.
.SH "EXAMPLE"
.PP
-The following command signs the
-\fBexample.com\fR
-zone with the DSA key generated by
-\fBdnssec\-keygen\fR
-(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
-\fIkeyset\fR
-files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
-.sp
-.RS 4
+The following command signs the \fBexample\&.com\fR zone with the DSA key generated by \fBdnssec\-keygen\fR (Kexample\&.com\&.+003+17247)\&. The zone's keys must be in the master file (\fIdb\&.example\&.com\fR)\&. This invocation looks for \fIkeyset\fR files, in the current directory, so that DS records can be generated from them (\fB\-g\fR)\&.
.nf
-% dnssec\-signzone \-g \-o example.com db.example.com \\
-Kexample.com.+003+17247
-db.example.com.signed
+% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \\
+Kexample\&.com\&.+003+17247
+db\&.example\&.com\&.signed
%
.fi
-.RE
.PP
-In the above example,
-\fBdnssec\-signzone\fR
-creates the file
-\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
-\fInamed.conf\fR
-file.
+In the above example, \fBdnssec\-signzone\fR creates the file \fIdb\&.example\&.com\&.signed\fR\&. This file should be referenced in a zone statement in a \fInamed\&.conf\fR file\&.
.PP
-This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
-.sp
-.RS 4
+This example re\-signs a previously signed zone with default parameters\&. The private keys are assumed to be in the current directory\&.
.nf
-% cp db.example.com.signed db.example.com
-% dnssec\-signzone \-o example.com db.example.com
-db.example.com.signed
+% cp db\&.example\&.com\&.signed db\&.example\&.com
+% dnssec\-signzone \-o example\&.com db\&.example\&.com
+db\&.example\&.com\&.signed
%
.fi
-.RE
+.SH "KNOWN BUGS"
+.PP
+ \fBdnssec\-signzone\fR was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone\&. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key\&.
+.PP
+An unfortunate side\-effect of this flexibility is that \fBdnssec\-signzone\fR does not check to make sure it's signing a zone with any valid keys at all\&. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures\&. There is no warning issued when a zone is not fully signed\&.
+.PP
+This will be corrected in a future release\&. In the meantime, ISC recommends examining the output of \fBdnssec\-signzone\fR to confirm that the zone is properly signed by all keys before using it\&.
.SH "SEE ALSO"
.PP
-\fBdnssec\-keygen\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 4033.
+\fBdnssec\-keygen\fR(8), BIND 9 Administrator Reference Manual, RFC 4033\&.
.SH "AUTHOR"
.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
+Internet Systems Consortium
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 1da280f711f..2ef2e104902 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.209.12.3 2009/01/18 23:25:15 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.209.12.8 2009/06/08 22:23:06 each Exp $ */
/*! \file */
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 2f26ba4e155..7ed320ad575 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[]>
-
+
- June 30, 2000
+ June 08, 2009
@@ -42,6 +42,7 @@
200620072008
+ 2009Internet Systems Consortium, Inc. ("ISC")
@@ -489,6 +490,33 @@ db.example.com.signed
%
+
+ KNOWN BUGS
+
+ dnssec-signzone was designed so that it could
+ sign a zone partially, using only a subset of the DNSSEC keys
+ needed to produce a fully-signed zone. This permits a zone
+ administrator, for example, to sign a zone with one key on one
+ machine, move the resulting partially-signed zone to a second
+ machine, and sign it again with a second key.
+
+
+ An unfortunate side-effect of this flexibility is that
+ dnssec-signzone does not check to make sure
+ it's signing a zone with any valid keys at all. An attempt to
+ sign a zone without any keys will appear to succeed, producing
+ a "signed" zone with no signatures. There is no warning issued
+ when a zone is not fully signed.
+
+
+
+ This will be corrected in a future release. In the meantime, ISC
+ recommends examining the output of dnssec-signzone
+ to confirm that the zone is properly signed by all keys before
+ using it.
+
+
+
SEE ALSO
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 6548d845d52..5eb8626e643 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -1,5 +1,5 @@
-
+
dnssec-signzone
-
+
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
-
OPTIONS
+
OPTIONS
-a
@@ -258,7 +258,7 @@
-
EXAMPLE
+
EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -287,14 +287,39 @@ db.example.com.signed
%
-
SEE ALSO
+
KNOWN BUGS
+
+ dnssec-signzone was designed so that it could
+ sign a zone partially, using only a subset of the DNSSEC keys
+ needed to produce a fully-signed zone. This permits a zone
+ administrator, for example, to sign a zone with one key on one
+ machine, move the resulting partially-signed zone to a second
+ machine, and sign it again with a second key.
+
+
+ An unfortunate side-effect of this flexibility is that
+ dnssec-signzone does not check to make sure
+ it's signing a zone with any valid keys at all. An attempt to
+ sign a zone without any keys will appear to succeed, producing
+ a "signed" zone with no signatures. There is no warning issued
+ when a zone is not fully signed.
+
+
+ This will be corrected in a future release. In the meantime, ISC
+ recommends examining the output of dnssec-signzone
+ to confirm that the zone is properly signed by all keys before
+ using it.
+
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index e933a06d602..b89d76945b8 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.45 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: dnssectool.c,v 1.45.334.4 2009/06/08 23:47:00 tbox Exp $ */
/*! \file */
@@ -222,7 +222,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
REQUIRE(ectx != NULL);
-
+
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index f3bfe0d29ff..0875e57ff09 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
BIND 9 Administrator Reference Manual
@@ -4333,16 +4333,16 @@ category notify { null; };
delegation-only
-
-
- Delegation only. Logs queries that have
- been forced to NXDOMAIN as the result of a
- delegation-only zone or
- a delegation-only in a
- hint or stub zone declaration.
-
-
-
+
+
+ Delegation only. Logs queries that have been
+ forced to NXDOMAIN as the result of a
+ delegation-only zone or a
+ delegation-only in a hint
+ or stub zone declaration.
+
+
+
edns-disabled
@@ -5116,17 +5116,45 @@ category notify { null; };
-
+ root-delegation-only
- Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
- with an optional
- exclude list.
+ Turn on enforcement of delegation-only in TLDs
+ (top level domains) and root zones with an optional
+ exclude list.
+
+ DS queries are expected to be made to and be answered by
+ delegation only zones. Such queries and responses are
+ treated as a exception to delegation-only processing
+ and are not converted to NXDOMAIN responses provided
+ a CNAME is not discovered at the query name.
+
+
+ If a delegation only zone server also serves a child
+ zone it is not always possible to determine whether
+ a answer comes from the delegation only zone or the
+ child zone. SOA NS and DNSKEY records are apex
+ only records and a matching response that contains
+ these records or DS is treated as coming from a
+ child zone. RRSIG records are also examined to see
+ if they are signed by a child zone or not. The
+ authority section is also examined to see if there
+ is evidence that the answer is from the child zone.
+ Answers that are determined to be from a child zone
+ are not converted to NXDOMAIN responses. Despite
+ all these checks there is still a possibility of
+ false negatives when a child zone is being served.
+
+
+ Similarly false positives can arise from empty nodes
+ (no records at the name) in the delegation only zone
+ when the query type is not ANY.
+
- Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
- and "MUSEUM").
+ Note some TLDs are not delegation only (e.g. "DE", "LV",
+ "US" and "MUSEUM"). This list is not exhaustive.
@@ -9027,20 +9055,22 @@ zone zone_nameclass
- This is used to enforce the delegation-only
- status of infrastructure zones (e.g. COM, NET, ORG).
- Any answer that
- is received without an explicit or implicit delegation
- in the authority
- section will be treated as NXDOMAIN. This does not
- apply to the zone
- apex. This should not be applied to leaf zones.
+ This is used to enforce the delegation-only
+ status of infrastructure zones (e.g. COM,
+ NET, ORG). Any answer that is received
+ without an explicit or implicit delegation
+ in the authority section will be treated
+ as NXDOMAIN. This does not apply to the
+ zone apex. This should not be applied to
+ leaf zones.
delegation-only has no
- effect on answers received
- from forwarders.
+ effect on answers received from forwarders.
+
+ See caveats in .
+
@@ -9299,9 +9329,11 @@ zone zone_nameclass
The flag only applies to hint and stub zones. If set
to yes, then the zone will also be
- treated as if it
- is also a delegation-only type zone.
+ treated as if it is also a delegation-only type zone.
+
+ See caveats in .
+
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 10b7fd55580..46fd0dd1f6a 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -78,25 +78,25 @@
- Delegation only. Logs queries that have
- been forced to NXDOMAIN as the result of a
- delegation-only zone or
- a delegation-only in a
- hint or stub zone declaration.
+ Delegation only. Logs queries that have been
+ forced to NXDOMAIN as the result of a
+ delegation-only zone or a
+ delegation-only in a hint
+ or stub zone declaration.
@@ -2367,16 +2367,46 @@ category notify { null; };
in the additional section of a query response.
The default is not to prefer any type (NONE).
-
root-delegation-only
+
+root-delegation-only
+
- Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
- with an optional
+ Turn on enforcement of delegation-only in TLDs
+ (top level domains) and root zones with an optional
exclude list.
- Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
- and "MUSEUM").
+ DS queries are expected to be made to and be answered by
+ delegation only zones. Such queries and responses are
+ treated as a exception to delegation-only processing
+ and are not converted to NXDOMAIN responses provided
+ a CNAME is not discovered at the query name.
+
+
+ If a delegation only zone server also serves a child
+ zone it is not always possible to determine whether
+ a answer comes from the delegation only zone or the
+ child zone. SOA NS and DNSKEY records are apex
+ only records and a matching response that contains
+ these records or DS is treated as coming from a
+ child zone. RRSIG records are also examined to see
+ if they are signed by a child zone or not. The
+ authority section is also examined to see if there
+ is evidence that the answer is from the child zone.
+ Answers that are determined to be from a child zone
+ are not converted to NXDOMAIN responses. Despite
+ all these checks there is still a possibility of
+ false negatives when a child zone is being served.
+
+
+ Similarly false positives can arise from empty nodes
+ (no records at the name) in the delegation only zone
+ when the query type is not ANY.
+
+
+ Note some TLDs are not delegation only (e.g. "DE", "LV",
+ "US" and "MUSEUM"). This list is not exhaustive.
options {
@@ -3151,7 +3181,7 @@ options {
-Forwarding
+Forwarding
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -3195,7 +3225,7 @@ options {
-Dual-stack Servers
+Dual-stack Servers
Dual-stack servers are used as servers of last resort to work
around
@@ -3392,7 +3422,7 @@ options {
-Interfaces
+Interfaces
The interfaces and ports that the server will answer queries
from may be specified using the listen-on option. listen-on takes
@@ -3844,7 +3874,7 @@ avoid-v6-udp-ports {};
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -4048,7 +4078,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
-trusted-keys Statement Definition
+trusted-keys Statement Definition
and Usage
The trusted-keys statement defines
@@ -5132,7 +5162,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
-view Statement Definition and Usage
+view Statement Definition and Usage
The view statement is a powerful
feature
@@ -5398,10 +5428,10 @@ zone zone_name [
-zone Statement Definition and Usage
+zone Statement Definition and Usage
-Zone Types
+Zone Types
@@ -5590,18 +5620,20 @@ zone zone_name [
This is used to enforce the delegation-only
- status of infrastructure zones (e.g. COM, NET, ORG).
- Any answer that
- is received without an explicit or implicit delegation
- in the authority
- section will be treated as NXDOMAIN. This does not
- apply to the zone
- apex. This should not be applied to leaf zones.
+ status of infrastructure zones (e.g. COM,
+ NET, ORG). Any answer that is received
+ without an explicit or implicit delegation
+ in the authority section will be treated
+ as NXDOMAIN. This does not apply to the
+ zone apex. This should not be applied to
+ leaf zones.
delegation-only has no
- effect on answers received
- from forwarders.
+ effect on answers received from forwarders.
+
Only meaningful if the zone has a forwarders
@@ -6207,7 +6243,7 @@ zone zone_name [
-Zone File
+Zone File
Types of Resource Records and When to Use Them
@@ -6220,7 +6256,7 @@ zone zone_name [
-Resource Records
+Resource Records
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -6957,7 +6993,7 @@ zone zone_name [
-Textual expression of RRs
+Textual expression of RRs
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -7160,7 +7196,7 @@ zone zone_name [
-Discussion of MX Records
+Discussion of MX Records
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -7416,7 +7452,7 @@ zone zone_name [
-Inverse Mapping in IPv4
+Inverse Mapping in IPv4
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -7477,7 +7513,7 @@ zone zone_name [
-Other Zone File Directives
+Other Zone File Directives
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -7492,7 +7528,7 @@ zone zone_name [
Socket I/O statistics counters are defined per socket
types, which are
@@ -9208,7 +9244,7 @@ $GENERATE 1-127 $ CNAME $.0
-Compatibility with BIND 8 Counters
+Compatibility with BIND 8 Counters
Most statistics counters that were available
in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 80ba6e3c546..ca12cb3c435 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
On UNIX servers, it is possible to run BIND
@@ -145,7 +145,7 @@ zone "example.com" {
-The chroot Environment
+The chroot Environment
In order for a chroot environment
to
@@ -173,7 +173,7 @@ zone "example.com" {
-Using the setuid Function
+Using the setuid Function
Prior to running the named daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 65ca623f8a4..5e547eb48e0 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
-It's not working; how can I figure out what's wrong?
+It's not working; how can I figure out what's wrong?
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
-Incrementing and Changing the Serial Number
+Incrementing and Changing the Serial Number
Zone serial numbers are just numbers — they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
-Where Can I Get Help?
+Where Can I Get Help?
The Internet Systems Consortium
(ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 3664b99fc34..87134e05c3d 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
-General DNS Reference Information
+General DNS Reference Information
IPv6 addresses (AAAA)
@@ -250,17 +250,17 @@
-Bibliography
+Bibliography
Standards
-
[RFC974] C.Partridge. Mail Routing and the Domain System. January 1986.
+
[RFC974] C.Partridge. Mail Routing and the Domain System. January 1986.
-
[RFC1034] P.V.Mockapetris. Domain Names — Concepts and Facilities. November 1987.
+
[RFC1034] P.V.Mockapetris. Domain Names — Concepts and Facilities. November 1987.
-
[RFC1035] P. V.Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V.Mockapetris. Domain Names — Implementation and
Specification. November 1987.
@@ -268,42 +268,42 @@
Proposed Standards
-
[RFC2181] R., R. BushElz. Clarifications to the DNS
+
[RFC2181] R., R. BushElz. Clarifications to the DNS
Specification. July 1997.
-
[RFC2308] M.Andrews. Negative Caching of DNS
+
[RFC2308] M.Andrews. Negative Caching of DNS
Queries. March 1998.
-
[RFC1995] M.Ohta. Incremental Zone Transfer in DNS. August 1996.
+
[RFC1995] M.Ohta. Incremental Zone Transfer in DNS. August 1996.
-
[RFC1996] P.Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.
+
[RFC1996] P.Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.
-
[RFC2136] P.Vixie, S.Thomson, Y.Rekhter, and J.Bound. Dynamic Updates in the Domain Name System. April 1997.
+
[RFC2136] P.Vixie, S.Thomson, Y.Rekhter, and J.Bound. Dynamic Updates in the Domain Name System. April 1997.
-
[RFC2671] P.Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.
+
[RFC2671] P.Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.
-
[RFC2672] M.Crawford. Non-Terminal DNS Name Redirection. August 1999.
+
[RFC2672] M.Crawford. Non-Terminal DNS Name Redirection. August 1999.
-
[RFC2845] P.Vixie, O.Gudmundsson, D.Eastlake, 3rd, and B.Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+
[RFC2845] P.Vixie, O.Gudmundsson, D.Eastlake, 3rd, and B.Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-
[RFC2930] D.Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.
+
[RFC2930] D.Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.
-
[RFC2931] D.Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+
[RFC2931] D.Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-
[RFC3007] B.Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.
+
[RFC3007] B.Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.
-
[RFC3645] S.Kwan, P.Garg, J.Gilroy, L.Esibov, J.Westhead, and R.Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S.Kwan, P.Garg, J.Gilroy, L.Esibov, J.Westhead, and R.Hall. Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG). October 2003.
@@ -312,19 +312,19 @@
DNS Security Proposed Standards
-
[RFC3225] D.Conrad. Indicating Resolver Support of DNSSEC. December 2001.
+
[RFC3225] D.Conrad. Indicating Resolver Support of DNSSEC. December 2001.
-
[RFC3833] D.Atkins and R.Austein. Threat Analysis of the Domain Name System (DNS). August 2004.
+
[RFC3833] D.Atkins and R.Austein. Threat Analysis of the Domain Name System (DNS). August 2004.
-
[RFC4033] R.Arends, R.Austein, M.Larson, D.Massey, and S.Rose. DNS Security Introduction and Requirements. March 2005.
+
[RFC4033] R.Arends, R.Austein, M.Larson, D.Massey, and S.Rose. DNS Security Introduction and Requirements. March 2005.
-
[RFC4034] R.Arends, R.Austein, M.Larson, D.Massey, and S.Rose. Resource Records for the DNS Security Extensions. March 2005.
+
[RFC4034] R.Arends, R.Austein, M.Larson, D.Massey, and S.Rose. Resource Records for the DNS Security Extensions. March 2005.
-
[RFC4035] R.Arends, R.Austein, M.Larson, D.Massey, and S.Rose. Protocol Modifications for the DNS
+
[RFC4035] R.Arends, R.Austein, M.Larson, D.Massey, and S.Rose. Protocol Modifications for the DNS
Security Extensions. March 2005.
@@ -332,146 +332,146 @@
Other Important RFCs About DNS
Implementation
-
[RFC1535] E.Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E.Gavron. A Security Problem and Proposed Correction With Widely
Deployed DNS Software.. October 1993.
-
[RFC1536] A.Kumar, J.Postel, C.Neuman, P.Danzig, and S.Miller. Common DNS Implementation
+
[RFC1536] A.Kumar, J.Postel, C.Neuman, P.Danzig, and S.Miller. Common DNS Implementation
Errors and Suggested Fixes. October 1993.
-
[RFC1982] R.Elz and R.Bush. Serial Number Arithmetic. August 1996.
+
[RFC1982] R.Elz and R.Bush. Serial Number Arithmetic. August 1996.
-
[RFC4074] Y.Morishita and T.Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y.Morishita and T.Jinmei. Common Misbehaviour Against DNS
Queries for IPv6 Addresses. May 2005.
Resource Record Types
-
[RFC1183] C.F.Everhart, L. A.Mamakos, R.Ullmann, and P.Mockapetris. New DNS RR Definitions. October 1990.
+
[RFC1183] C.F.Everhart, L. A.Mamakos, R.Ullmann, and P.Mockapetris. New DNS RR Definitions. October 1990.
-
[RFC1706] B.Manning and R.Colella. DNS NSAP Resource Records. October 1994.
+
[RFC1706] B.Manning and R.Colella. DNS NSAP Resource Records. October 1994.
-
[RFC2168] R.Daniel and M.Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R.Daniel and M.Mealling. Resolution of Uniform Resource Identifiers using
the Domain Name System. June 1997.
-
[RFC1876] C.Davis, P.Vixie, T., and I.Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C.Davis, P.Vixie, T., and I.Dickinson. A Means for Expressing Location Information in the
Domain
Name System. January 1996.
-
[RFC2052] A.Gulbrandsen and P.Vixie. A DNS RR for Specifying the
+
[RFC2052] A.Gulbrandsen and P.Vixie. A DNS RR for Specifying the
Location of
Services.. October 1996.
-
[RFC2163] A.Allocchio. Using the Internet DNS to
+
[RFC2163] A.Allocchio. Using the Internet DNS to
Distribute MIXER
Conformant Global Address Mapping. January 1998.
-
[RFC2230] R.Atkinson. Key Exchange Delegation Record for the DNS. October 1997.
+
[RFC2230] R.Atkinson. Key Exchange Delegation Record for the DNS. October 1997.
-
[RFC2536] D.Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+
[RFC2536] D.Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-
[RFC2537] D.Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+
[RFC2537] D.Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-
[RFC2538] D.Eastlake, 3rd and O.Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.
+
[RFC2538] D.Eastlake, 3rd and O.Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.
-
[RFC2539] D.Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+
[RFC2539] D.Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-
[RFC2540] D.Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.
+
[RFC2540] D.Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.
-
[RFC2782] A.Gulbrandsen. P.Vixie. L.Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.
+
[RFC2782] A.Gulbrandsen. P.Vixie. L.Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.
-
[RFC2915] M.Mealling. R.Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+
[RFC2915] M.Mealling. R.Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-
[RFC3110] D.Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+
[RFC3110] D.Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-
[RFC3123] P.Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+
[RFC3123] P.Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
-
[RFC3596] S.Thomson, C.Huitema, V.Ksinant, and M.Souissi. DNS Extensions to support IP
+
[RFC3596] S.Thomson, C.Huitema, V.Ksinant, and M.Souissi. DNS Extensions to support IP
version 6. October 2003.
-
[RFC3597] A.Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.
+
[RFC3597] A.Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.
DNS and the Internet
-
[RFC1101] P. V.Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V.Mockapetris. DNS Encoding of Network Names
and Other Types. April 1989.
-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
Support. October 1989.
-
[RFC1591] J.Postel. Domain Name System Structure and Delegation. March 1994.
+
[RFC1591] J.Postel. Domain Name System Structure and Delegation. March 1994.
-
[RFC2317] H.Eidnes, G.de Groot, and P.Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.
+
[RFC2317] H.Eidnes, G.de Groot, and P.Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.
-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.
+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.
-
[RFC2929] D.Eastlake, 3rd, E.Brunner-Williams, and B.Manning. Domain Name System (DNS) IANA Considerations. September 2000.
+
[RFC2929] D.Eastlake, 3rd, E.Brunner-Williams, and B.Manning. Domain Name System (DNS) IANA Considerations. September 2000.
DNS Operations
-
[RFC1033] M.Lottor. Domain administrators operations guide.. November 1987.
+
[RFC1033] M.Lottor. Domain administrators operations guide.. November 1987.
-
[RFC1537] P.Beertema. Common DNS Data File
+
[RFC1537] P.Beertema. Common DNS Data File
Configuration Errors. October 1993.
-
[RFC1912] D.Barr. Common DNS Operational and
+
[RFC1912] D.Barr. Common DNS Operational and
Configuration Errors. February 1996.
-
[RFC2010] B.Manning and P.Vixie. Operational Criteria for Root Name Servers.. October 1996.
+
[RFC2010] B.Manning and P.Vixie. Operational Criteria for Root Name Servers.. October 1996.
-
[RFC2219] M.Hamilton and R.Wright. Use of DNS Aliases for
+
[RFC2219] M.Hamilton and R.Wright. Use of DNS Aliases for
Network Services.. October 1997.
Internationalized Domain Names
-
[RFC2825] IAB and R.Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R.Daigle. A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols. May 2000.
-
[RFC3490] P.Faltstrom, P.Hoffman, and A.Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.
+
[RFC3490] P.Faltstrom, P.Hoffman, and A.Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.
-
[RFC3491] P.Hoffman and M.Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.
+
[RFC3491] P.Hoffman and M.Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.
-
[RFC3492] A.Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A.Costello. Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA). March 2003.
@@ -487,47 +487,47 @@
-
[RFC1464] R.Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R.Rosenbaum. Using the Domain Name System To Store Arbitrary String
Attributes. May 1993.
-
[RFC1713] A.Romao. Tools for DNS Debugging. November 1994.
+
[RFC1713] A.Romao. Tools for DNS Debugging. November 1994.
-
[RFC1794] T.Brisco. DNS Support for Load
+
[RFC1794] T.Brisco. DNS Support for Load
Balancing. April 1995.
-
[RFC2240] O.Vaughan. A Legal Basis for Domain Name Allocation. November 1997.
+
[RFC2240] O.Vaughan. A Legal Basis for Domain Name Allocation. November 1997.
-
[RFC2345] J.Klensin, T.Wolf, and G.Oglesby. Domain Names and Company Name Retrieval. May 1998.
+
[RFC2345] J.Klensin, T.Wolf, and G.Oglesby. Domain Names and Company Name Retrieval. May 1998.
-
[RFC2352] O.Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.
+
[RFC2352] O.Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.
-
[RFC3071] J.Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+
[RFC3071] J.Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-
[RFC3258] T.Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T.Hardie. Distributing Authoritative Name Servers via
Shared Unicast Addresses. April 2002.
-
[RFC3901] A.Durand and J.Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.
+
[RFC3901] A.Durand and J.Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.
Obsolete and Unimplemented Experimental RFC
-
[RFC1712] C.Farrell, M.Schulze, S.Pleitner, and D.Baldoni. DNS Encoding of Geographical
+
[RFC1712] C.Farrell, M.Schulze, S.Pleitner, and D.Baldoni. DNS Encoding of Geographical
Location. November 1994.
-
[RFC2673] M.Crawford. Binary Labels in the Domain Name System. August 1999.
+
[RFC2673] M.Crawford. Binary Labels in the Domain Name System. August 1999.
-
[RFC2874] M.Crawford and C.Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M.Crawford and C.Huitema. DNS Extensions to Support IPv6 Address Aggregation
and Renumbering. July 2000.
@@ -541,39 +541,39 @@
-
[RFC2065] D.Eastlake, 3rd and C.Kaufman. Domain Name System Security Extensions. January 1997.
+
[RFC2065] D.Eastlake, 3rd and C.Kaufman. Domain Name System Security Extensions. January 1997.
-
[RFC2137] D.Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.
+
[RFC2137] D.Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.
-
[RFC2535] D.Eastlake, 3rd. Domain Name System Security Extensions. March 1999.
+
[RFC2535] D.Eastlake, 3rd. Domain Name System Security Extensions. March 1999.
-
[RFC3008] B.Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B.Wellington. Domain Name System Security (DNSSEC)
Signing Authority. November 2000.
-
[RFC3090] E.Lewis. DNS Security Extension Clarification on Zone Status. March 2001.
+
[RFC3090] E.Lewis. DNS Security Extension Clarification on Zone Status. March 2001.
-
[RFC3445] D.Massey and S.Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.
+
[RFC3445] D.Massey and S.Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.
-
[RFC3655] B.Wellington and O.Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+
[RFC3655] B.Wellington and O.Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-
[RFC3658] O.Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.
+
[RFC3658] O.Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.
-
[RFC3755] S.Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+
[RFC3755] S.Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-
[RFC3757] O.Kolkman, J.Schlyter, and E.Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O.Kolkman, J.Schlyter, and E.Lewis. Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag. April 2004.
-
[RFC3845] J.Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+
[RFC3845] J.Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
@@ -594,14 +594,14 @@
-Other Documents About BIND
+Other Documents About BIND
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 23499407ec5..ffb7b6242f5 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -157,25 +157,25 @@
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4a5697ae27a..2758a8f0713 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -52,7 +52,7 @@
dig [global-queryopt...] [query...]
-
DESCRIPTION
+
DESCRIPTION
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -98,7 +98,7 @@
-
SIMPLE USAGE
+
SIMPLE USAGE
A typical invocation of dig looks like:
@@ -144,7 +144,7 @@
-
OPTIONS
+
OPTIONS
The -b option sets the source IP address of the query
to address. This must be a valid
@@ -248,7 +248,7 @@
-
QUERY OPTIONS
+
QUERY OPTIONS
dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -573,7 +573,7 @@
-
MULTIPLE QUERIES
+
MULTIPLE QUERIES
The BIND 9 implementation of dig
supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-
IDN SUPPORT
+
IDN SUPPORT
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index ebf41d21aea..f9a20e36074 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -51,14 +51,14 @@
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index dffae4298df..c885dbec1c6 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
dnssec-keyfromlabel
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -58,7 +58,7 @@
-
OPTIONS
+
OPTIONS
-a algorithm
@@ -131,7 +131,7 @@
-
GENERATED KEY FILES
+
GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -172,7 +172,7 @@
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index fd1225974d9..17d08e2fd10 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 89cab245c77..9e4b00f563d 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
dnssec-signzone
-
+
@@ -50,7 +50,7 @@
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
-
OPTIONS
+
OPTIONS
-a
@@ -276,7 +276,7 @@
-
EXAMPLE
+
EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -305,14 +305,39 @@ db.example.com.signed
%
-
SEE ALSO
+
KNOWN BUGS
+
+ dnssec-signzone was designed so that it could
+ sign a zone partially, using only a subset of the DNSSEC keys
+ needed to produce a fully-signed zone. This permits a zone
+ administrator, for example, to sign a zone with one key on one
+ machine, move the resulting partially-signed zone to a second
+ machine, and sign it again with a second key.
+
+
+ An unfortunate side-effect of this flexibility is that
+ dnssec-signzone does not check to make sure
+ it's signing a zone with any valid keys at all. An attempt to
+ sign a zone without any keys will appear to succeed, producing
+ a "signed" zone with no signatures. There is no warning issued
+ when a zone is not fully signed.
+
+
+ This will be corrected in a future release. In the meantime, ISC
+ recommends examining the output of dnssec-signzone
+ to confirm that the zone is properly signed by all keys before
+ using it.
+
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index fe37654f8c7..22f6731dba1 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
-
IDN SUPPORT
+
IDN SUPPORT
If host has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -216,12 +216,12 @@
-
FILES
+
FILES
/etc/resolv.conf
-
SEE ALSO
+
SEE ALSO
dig(1),
named(8).
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 10287aabd1d..c6aeb32bc3a 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,14 +50,14 @@
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 723c4849cfd..4cee97f3c6b 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -51,7 +51,7 @@
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 08489e064d3..3e338877670 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
-
OPTIONS
+
OPTIONS
-4
@@ -238,7 +238,7 @@
-
SIGNALS
+
SIGNALS
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -259,7 +259,7 @@
-
CONFIGURATION
+
CONFIGURATION
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -268,7 +268,7 @@
-
FILES
+
FILES
/etc/named.conf
@@ -281,7 +281,7 @@
-
SEE ALSO
+
SEE ALSO
RFC 1033,
RFC 1034,
RFC 1035,
@@ -294,7 +294,7 @@
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 5848fb211f8..a0ce8661aa5 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC2136
to a name server.
@@ -187,7 +187,7 @@
-
INPUT FORMAT
+
INPUT FORMAT
nsupdate
reads input from
filename
@@ -451,7 +451,7 @@
-
EXAMPLES
+
EXAMPLES
The examples below show how
nsupdate
@@ -505,7 +505,7 @@
-
FILES
+
FILES
/etc/resolv.conf
@@ -524,7 +524,7 @@
-
SEE ALSO
+
SEE ALSO
RFC2136,
RFC3007,
RFC2104,
@@ -537,7 +537,7 @@
-
BUGS
+
BUGS
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 4839e89fc63..485e6f4b5b5 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index cb72238a4d3..b4c080126fa 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
rndc.conf
-
DESCRIPTION
+
DESCRIPTION
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index f88a70e51cf..ae38ad16d1d 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
diff --git a/lib/bind9/api b/lib/bind9/api
index 39934b4fbd2..fbbf923b532 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 50
-LIBREVISION = 2
+LIBREVISION = 3
LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 800cbf9bcdb..753db9ce113 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.95.12.3 2009/02/17 03:43:07 marka Exp $ */
+/* $Id: check.c,v 1.95.12.4 2009/06/03 00:06:01 marka Exp $ */
/*! \file */
@@ -1050,9 +1050,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "notify", MASTERZONE | SLAVEZONE },
{ "also-notify", MASTERZONE | SLAVEZONE },
{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
- { "delegation-only", HINTZONE | STUBZONE },
- { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
- { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
+ { "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
+ { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
+ { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE },
{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE },
{ "notify-source", MASTERZONE | SLAVEZONE },
diff --git a/lib/dns/api b/lib/dns/api
index 5ef8dc035a3..af155ca8f5f 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 51
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 52
+LIBREVISION = 0
+LIBAGE = 2
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index f06d715c4d3..baf3ec5b12e 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $Id: dnssec.c,v 1.93 2008/11/14 23:47:33 tbox Exp $
+ * $Id: dnssec.c,v 1.93.12.4 2009/06/08 23:47:00 tbox Exp $
*/
/*! \file */
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index f8a59d05f87..c5206be63bb 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec.h,v 1.32 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: dnssec.h,v 1.32.332.4 2009/06/08 23:47:00 tbox Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index 70403894036..7f509e6ef13 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyvalues.h,v 1.23 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: keyvalues.h,v 1.23.48.2 2009/06/04 02:56:14 tbox Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
@@ -42,7 +42,7 @@
#define DNS_KEYOWNER_ENTITY 0x0200 /*%< key is assoc. with entity eg host */
#define DNS_KEYOWNER_ZONE 0x0100 /*%< key is zone key */
#define DNS_KEYOWNER_RESERVED 0x0300 /*%< reserved meaning */
-#define DNS_KEYFLAG_RESERVED8 0x0080 /*%< reserved - must be zero */
+#define DNS_KEYFLAG_REVOKE 0x0080 /*%< key revoked (per rfc5001) */
#define DNS_KEYFLAG_RESERVED9 0x0040 /*%< reserved - must be zero */
#define DNS_KEYFLAG_RESERVED10 0x0020 /*%< reserved - must be zero */
#define DNS_KEYFLAG_RESERVED11 0x0010 /*%< reserved - must be zero */
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 54a6993e3e7..f9b8cad21a7 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec3.c,v 1.6 2008/11/17 23:46:42 marka Exp $ */
+/* $Id: nsec3.c,v 1.6.12.2 2009/06/04 02:56:14 tbox Exp $ */
#include
@@ -943,6 +943,42 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
return (result);
}
+/*%
+ * Determine whether any NSEC3 records that were associated with
+ * 'name' should be deleted or if they should continue to exist.
+ * ISC_TRUE indicates they should be deleted.
+ * ISC_FALSE indicates they should be retained.
+ */
+static isc_result_t
+deleteit(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ isc_boolean_t *yesno)
+{
+ isc_result_t result;
+ dns_fixedname_t foundname;
+ dns_fixedname_init(&foundname);
+
+ result = dns_db_find(db, name, ver, dns_rdatatype_any,
+ DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
+ (isc_stdtime_t) 0, NULL,
+ dns_fixedname_name(&foundname),
+ NULL, NULL);
+ if (result == DNS_R_EMPTYNAME || result == ISC_R_SUCCESS ||
+ result == DNS_R_ZONECUT) {
+ *yesno = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+ }
+ if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+ result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
+ *yesno = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+ }
+ /*
+ * Silence compiler.
+ */
+ *yesno = ISC_TRUE;
+ return (result);
+}
+
isc_result_t
dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
@@ -961,7 +997,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
int pass;
- isc_boolean_t exists;
+ isc_boolean_t yesno;
isc_buffer_t buffer;
isc_result_t result;
unsigned char *salt;
@@ -1096,8 +1132,8 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
if (labels <= dns_name_countlabels(origin))
break;
dns_name_getlabelsequence(&empty, 1, labels, &empty);
- CHECK(name_exists(db, version, &empty, &exists));
- if (exists)
+ CHECK(deleteit(db, version, &empty, &yesno));
+ if (!yesno)
break;
CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a1c263e12d4..a5d7c2500f8 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.384.14.12 2009/05/11 02:38:03 tbox Exp $ */
+/* $Id: resolver.c,v 1.384.14.14 2009/06/02 23:47:13 tbox Exp $ */
/*! \file */
@@ -471,6 +471,30 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
return (result);
}
+static isc_boolean_t
+rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
+ dns_namereln_t namereln;
+ dns_rdata_rrsig_t rrsig;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ int order;
+ isc_result_t result;
+ unsigned int labels;
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain,
+ &order, &labels);
+ if (namereln == dns_namereln_subdomain)
+ return (ISC_TRUE);
+ dns_rdata_reset(&rdata);
+ }
+ return (ISC_FALSE);
+}
+
static isc_boolean_t
fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
dns_name_t *name;
@@ -484,13 +508,43 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
return (ISC_FALSE);
/*
- * Look for BIND 8 style delegations.
- * Also look for answers to ANY queries where the duplicate NS RRset
- * may have been stripped from the authority section.
+ * A DS RRset can appear anywhere in a zone, even for a delegation-only
+ * zone. So a response to an explicit query for this type should be
+ * excluded from delegation-only fixup.
+ *
+ * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive
+ * response to a query for these types can never violate the
+ * delegation-only assumption: if the query name is below a
+ * zone cut, the response should normally be a referral, which should
+ * be accepted; if the query name is below a zone cut but the server
+ * happens to have authority for the zone of the query name, the
+ * response is a (non-referral) answer. But this does not violate
+ * delegation-only because the query name must be in a different zone
+ * due to the "apex-only" nature of these types. Note that if the
+ * remote server happens to have authority for a child zone of a
+ * delegation-only zone, we may still incorrectly "fix" the response
+ * with NXDOMAIN for queries for other types. Unfortunately it's
+ * generally impossible to differentiate this case from violation of
+ * the delegation-only assumption. Once the resolver learns the
+ * correct zone cut, possibly via a separate query for an "apex-only"
+ * type, queries for other types will be resolved correctly.
+ *
+ * A query for type ANY will be accepted if it hits an exceptional
+ * type above in the answer section as it should be from a child
+ * zone.
+ *
+ * Also accept answers with RRSIG records from the child zone.
+ * Direct queries for RRSIG records should not be answered from
+ * the parent zone.
*/
+
if (message->counts[DNS_SECTION_ANSWER] != 0 &&
(fctx->type == dns_rdatatype_ns ||
- fctx->type == dns_rdatatype_any)) {
+ fctx->type == dns_rdatatype_ds ||
+ fctx->type == dns_rdatatype_soa ||
+ fctx->type == dns_rdatatype_any ||
+ fctx->type == dns_rdatatype_rrsig ||
+ fctx->type == dns_rdatatype_dnskey)) {
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (result == ISC_R_SUCCESS) {
name = NULL;
@@ -499,10 +553,32 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
- type = rdataset->type;
- if (type != dns_rdatatype_ns)
+ if (!dns_name_equal(name, &fctx->name))
continue;
- if (dns_name_issubdomain(name, domain))
+ type = rdataset->type;
+ /*
+ * RRsig from child?
+ */
+ if (type == dns_rdatatype_rrsig &&
+ rrsig_fromchildzone(fctx, rdataset))
+ return (ISC_FALSE);
+ /*
+ * Direct query for apex records or DS.
+ */
+ if (fctx->type == type &&
+ (type == dns_rdatatype_ds ||
+ type == dns_rdatatype_ns ||
+ type == dns_rdatatype_soa ||
+ type == dns_rdatatype_dnskey))
+ return (ISC_FALSE);
+ /*
+ * Indirect query for apex records or DS.
+ */
+ if (fctx->type == dns_rdatatype_any &&
+ (type == dns_rdatatype_ns ||
+ type == dns_rdatatype_ds ||
+ type == dns_rdatatype_soa ||
+ type == dns_rdatatype_dnskey))
return (ISC_FALSE);
}
result = dns_message_nextname(message,
@@ -510,7 +586,14 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
}
}
- /* Look for referral. */
+ /*
+ * A NODATA response to a DS query?
+ */
+ if (fctx->type == dns_rdatatype_ds &&
+ message->counts[DNS_SECTION_ANSWER] == 0)
+ return (ISC_FALSE);
+
+ /* Look for referral or indication of answer from child zone? */
if (message->counts[DNS_SECTION_AUTHORITY] == 0)
goto munge;
@@ -525,13 +608,37 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
if (type == dns_rdatatype_soa &&
dns_name_equal(name, domain))
keep_auth = ISC_TRUE;
+
if (type != dns_rdatatype_ns &&
- type != dns_rdatatype_soa)
+ type != dns_rdatatype_soa &&
+ type != dns_rdatatype_rrsig)
continue;
- if (dns_name_equal(name, domain))
- goto munge;
- if (dns_name_issubdomain(name, domain))
+
+ if (type == dns_rdatatype_rrsig) {
+ if (rrsig_fromchildzone(fctx, rdataset))
+ return (ISC_FALSE);
+ else
+ continue;
+ }
+
+ /* NS or SOA records. */
+ if (dns_name_equal(name, domain)) {
+ /*
+ * If a query for ANY causes a negative
+ * response, we can be sure that this is
+ * an empty node. For other type of queries
+ * we cannot differentiate an empty node
+ * from a node that just doesn't have that
+ * type of record. We only accept the former
+ * case.
+ */
+ if (message->counts[DNS_SECTION_ANSWER] == 0 &&
+ fctx->type == dns_rdatatype_any)
+ return (ISC_FALSE);
+ } else if (dns_name_issubdomain(name, domain)) {
+ /* Referral or answer from child zone. */
return (ISC_FALSE);
+ }
}
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
}
diff --git a/version b/version
index 10a1d31faaa..1b3080fc6f7 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.43.12.4 2009/04/08 06:55:37 marka Exp $
+# $Id: version,v 1.43.12.5 2009/06/04 04:02:41 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -6,5 +6,5 @@
MAJORVER=9
MINORVER=6
PATCHVER=1
-RELEASETYPE=rc
-RELEASEVER=1
+RELEASETYPE=
+RELEASEVER=