From 05da080bbd0c35705081c034cbb1985c274c2656 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Mon, 27 Jun 2016 01:25:44 +0000 Subject: [PATCH] regen master --- bin/python/dnssec-keymgr.8 | 159 +++++++++++++------------ bin/python/dnssec-keymgr.html | 211 ++++++++++++++++++---------------- 2 files changed, 192 insertions(+), 178 deletions(-) diff --git a/bin/python/dnssec-keymgr.8 b/bin/python/dnssec-keymgr.8 index cb8c7479b2..fc91fcf1f3 100644 --- a/bin/python/dnssec-keymgr.8 +++ b/bin/python/dnssec-keymgr.8 @@ -18,12 +18,12 @@ .\" Title: dnssec-keymgr .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2016-04-03 +.\" Date: 2016-06-03 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-KEYMGR" "8" "2016\-04\-03" "ISC" "BIND9" +.TH "DNSSEC\-KEYMGR" "8" "2016\-06\-03" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,7 +47,7 @@ dnssec-keymgr \- Ensures correct DNSKEY coverage for a zone based on a defined policy .SH "SYNOPSIS" .HP \w'\fBdnssec\-keymgr\fR\ 'u -\fBdnssec\-keymgr\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-c\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fItime\fR\fR] [\fB\-k\fR] [\fB\-z\fR] [\fB\-g\ \fR\fB\fIpath\fR\fR] [\fB\-s\ \fR\fB\fIpath\fR\fR] [zone...] +\fBdnssec\-keymgr\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-c\ \fR\fB\fIfile\fR\fR] [\fB\-f\fR] [\fB\-k\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-z\fR] [\fB\-g\ \fR\fB\fIpath\fR\fR] [\fB\-r\ \fR\fB\fIpath\fR\fR] [\fB\-s\ \fR\fB\fIpath\fR\fR] [zone...] .SH "DESCRIPTION" .PP \fBdnssec\-keymgr\fR 
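Review bot: the regenerated SYNOPSIS in the @@ -47,7 +47,7 @@ hunk lists the new -f, -q, -v and -r options but not -h, which the @@ -104,6 +104,13 @@ hunk further down documents as a new option; since this file is generated, add `[\fB\-h\fR]` to the synopsis in the DocBook source (the HTML synopsis has the same gap) or drop the -h entry so the two stay in sync. The same line also silently drops `[\fB\-d\ \fR\fB\fItime\fR\fR]`; confirm the -d option was removed from the tool itself and not merely from the synopsis, because the patch shows no corresponding removal of a -d entry in the OPTIONS section.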
@@ -95,7 +95,7 @@ is specified, then the DNSSEC policy is read from Force: allow updating of key events even if they are already in the past\&. This is not recommended for use with zones in which keys have already been published\&. However, if a set of keys has been generated all of which have publication and activation dates in the past, but the keys have not been published in a zone as yet, then this option can be used to clean them up and turn them into a proper series of keys with appropriate rollover intervals\&. .RE .PP -\-g \fIkeygen path\fR +\-g \fIkeygen\-path\fR .RS 4 Specifies a path to a \fBdnssec\-keygen\fR @@ -104,6 +104,13 @@ binary\&. Used for testing\&. See also the option\&. .RE .PP +\-h +.RS 4 +Print the +\fBdnssec\-keymgr\fR +help summary and exit\&. +.RE +.PP \-K \fIdirectory\fR .RS 4 Sets the directory in which keys can be found\&. Defaults to the current working directory\&. @@ -124,7 +131,16 @@ and \fBdnssec\-settime\fR\&. .RE .PP -\-s \fIsettime path\fR +\-r \fIrandomdev\fR +.RS 4 +Specifies a path to a file containing random data\&. This is passed to the +\fBdnssec\-keygen\fR +binary using its +\fB\-r\fR +option\&. +.RE +.PP +\-s \fIsettime\-path\fR .RS 4 Specifies a path to a \fBdnssec\-settime\fR @@ -133,6 +149,13 @@ binary\&. Used for testing\&. See also the option\&. .RE .PP +\-v +.RS 4 +Print the +\fBdnssec\-keymgr\fR +version and exit\&. +.RE +.PP \-z .RS 4 Only apply policies to ZSK keys\&. See also the 
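Review bot: the new -r entry in the @@ -124,7 +131,16 @@ hunk explains only that the path is forwarded to dnssec-keygen's -r, not what that means for the keys: the file named here becomes the randomness source for every key this tool generates, so the text should say it must be a real entropy device or file (the argument is even named randomdev) and that a static or predictable file produces weak keys. Minor consistency point across the -g, -r and -s hunks: the synopsis calls each argument `path` while the entries now use `keygen\-path`, `randomdev` and `settime\-path`; pick one naming in the source and regenerate.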
@@ -154,14 +177,14 @@ file can specify three kinds of policies: .IP \(bu 2.3 .\} \fIPolicy classes\fR - (\fBpolicy \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR) - can be inherited by zone policies or other policy classes; these - can be used to create sets of different security profiles\&. For - example, a policy class \fBnormal\fR might specify - 1024\-bit key sizes, but a class \fBextra\fR might - specify 2048 bits instead; \fBextra\fR would be - used for zones that had unusually high security needs\&. - .RE +(\fBpolicy \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR) can be inherited by zone policies or other policy classes; these can be used to create sets of different security profiles\&. For example, a policy class +\fBnormal\fR +might specify 1024\-bit key sizes, but a class +\fBextra\fR +might specify 2048 bits instead; +\fBextra\fR +would be used for zones that had unusually high security needs\&. +.RE .sp .RS 4 .ie n \{\ @@ -171,13 +194,10 @@ file can specify three kinds of policies: .sp -1 .IP \(bu 2.3 .\} - Algorithm policies: - (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR ) - override default per\-algorithm settings\&. For example, by default, - RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This - can be modified using \fBalgorithm\-policy\fR, and the - new key sizes would then be used for any key of type RSASHA256\&. - .RE +Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR +) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using +\fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&. +.RE .sp .RS 4 .ie n \{\ 
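Review bot: the removed lines in the @@ -154,14 +177,14 @@ and @@ -171,13 +194,10 @@ hunks had leading spaces in front of `.RE`, and troff only honours a request when the dot is in column 1, so the previous man page printed a literal " .RE" and never closed the `.RS 4` indent; the regenerated lines fix that, which is the substantive change here rather than the reflow. The stray indentation looks like it was copied straight through from the DocBook source, so check the source markup for the list items as well, otherwise the next regen will reintroduce it.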
@@ -187,85 +207,62 @@ file can specify three kinds of policies: .sp -1 .IP \(bu 2.3 .\} - Zone policies: - (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR ) - set policy for a single zone by name\&. A zone policy can inherit - a policy class by including a \fBpolicy\fR option\&. - .RE +Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR +) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a +\fBpolicy\fR +option\&. +.RE .PP Options that can be specified in policies: .PP \fBalgorithm\fR .RS 4 - The key algorithm\&. If no policy is defined, the default is - RSASHA256\&. - .RE +The key algorithm\&. If no policy is defined, the default is RSASHA256\&. +.RE .PP \fBcoverage\fR .RS 4 - The length of time to ensure that keys will be correct; no action - will be taken to create new keys to be activated after this time\&. - This can be represented as a number of seconds, or as a duration using - human\-readable units (examples: "1y" or "6 months")\&. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies\&. - If no policy is configured, the default is six months\&. - .RE +The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&. +.RE .PP \fBdirectory\fR .RS 4 - Specifies the directory in which keys should be stored\&. - .RE +Specifies the directory in which keys should be stored\&. +.RE .PP \fBkey\-size\fR .RS 4 - Specifies the number of bits to use in creating keys\&. - Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. 
- A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies\&. If no policy is - configured, the default is 1024 bits for DSA keys and 2048 for - RSA\&. - .RE +Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA\&. +.RE .PP \fBkeyttl\fR .RS 4 - The key TTL\&. If no policy is defined, the default is one hour\&. - .RE +The key TTL\&. If no policy is defined, the default is one hour\&. +.RE .PP \fBpost\-publish\fR .RS 4 - How long after inactivation a key should be deleted from the zone\&. - Note: If \fBroll\-period\fR is not set, this value is - ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a - duration\&. A default value for this option can be set in algorithm - policies as well as in policy classes or zone policies\&. The default - is one month\&. - .RE +How long after inactivation a key should be deleted from the zone\&. Note: If +\fBroll\-period\fR +is not set, this value is ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&. +.RE .PP \fBpre\-publish\fR .RS 4 - How long before activation a key should be published\&. Note: If - \fBroll\-period\fR is not set, this value is ignored\&. - Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies\&. The default is - one month\&. - .RE +How long before activation a key should be published\&. Note: If +\fBroll\-period\fR +is not set, this value is ignored\&. 
Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&. +.RE .PP \fBroll\-period\fR .RS 4 - How frequently keys should be rolled over\&. - Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies\&. If no policy is - configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not - roll over by default\&. - .RE +How frequently keys should be rolled over\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not roll over by default\&. +.RE .PP \fBstandby\fR .RS 4 - Not yet implemented\&. - .RE +Not yet implemented\&. +.RE .SH "REMAINING WORK" .sp .RS 4 @@ -276,13 +273,16 @@ Options that can be specified in policies: .sp -1 .IP \(bu 2.3 .\} - Enable scheduling of KSK rollovers using the \fB\-P sync\fR - and \fB\-D sync\fR options to - \fBdnssec\-keygen\fR and - \fBdnssec\-settime\fR\&. Check the parent zone - (as in \fBdnssec\-checkds\fR) to determine when it\*(Aqs - safe for the key to roll\&. - .RE +Enable scheduling of KSK rollovers using the +\fB\-P sync\fR +and +\fB\-D sync\fR +options to +\fBdnssec\-keygen\fR +and +\fBdnssec\-settime\fR\&. Check the parent zone (as in +\fBdnssec\-checkds\fR) to determine when it\*(Aqs safe for the key to roll\&. +.RE .sp .RS 4 .ie n \{\ 
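Review bot: the misspelling "eihter" survives regeneration in the key-size, post-publish and roll-period entries of the @@ -187,85 +207,62 @@ hunk (it appears on both the - and + lines), while the pre-publish entry correctly reads "either"; the dnssec-keymgr.html hunk later in this patch carries the same three occurrences. Both files are generated, so fix the spelling in the DocBook source and regenerate rather than hand-editing the .8 or .html, ideally before this regen lands so a second one is not needed.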
@@ -292,9 +292,8 @@ Options that can be specified in policies: .sp -1 .IP \(bu 2.3 .\} - Allow configuration of standby keys and use of the REVOKE bit, - for keys that use RFC 5011 semantics\&. - .RE +Allow configuration of standby keys and use of the REVOKE bit, for keys that use RFC 5011 semantics\&. +.RE .SH "SEE ALSO" .PP \fBdnssec-coverage\fR(8), diff --git a/bin/python/dnssec-keymgr.html b/bin/python/dnssec-keymgr.html index 4fc43d2b49..dd7c6f79fa 100644 --- a/bin/python/dnssec-keymgr.html +++ b/bin/python/dnssec-keymgr.html @@ -27,16 +27,15 @@

Synopsis

-

dnssec-keymgr [-K directory] [-c file] [-d time] [-k] [-z] [-g path] [-s path] [zone...]

+

dnssec-keymgr [-K directory] [-c file] [-f] [-k] [-q] [-v] [-z] [-g path] [-r path] [-s path] [zone...]

DESCRIPTION

- dnssec-keymgr - is a high level Python wrapper to facilitate the key rollover - process for zones handled by BIND. It uses the BIND commands - for manipulating DNSSEC key metadata: - dnssec-keygen and + dnssec-keymgr is a high level Python wrapper + to facilitate the key rollover process for zones handled by + BIND. It uses the BIND commands for manipulating DNSSEC key + metadata: dnssec-keygen and dnssec-settime.

@@ -102,12 +101,17 @@ option can be used to clean them up and turn them into a proper series of keys with appropriate rollover intervals.

-
-g keygen path
+
-g keygen-path

Specifies a path to a dnssec-keygen binary. Used for testing. See also the -s option.

+
-h
+

+ Print the dnssec-keymgr help summary + and exit. +

-K directory

Sets the directory in which keys can be found. Defaults to the @@ -123,12 +127,23 @@ Quiet: suppress printing of dnssec-keygen and dnssec-settime.

-
-s settime path
+
-r randomdev
+

+ Specifies a path to a file containing random data. + This is passed to the dnssec-keygen binary + using its -r option. + +

+
-s settime-path

Specifies a path to a dnssec-settime binary. Used for testing. See also the -g option.

+
-v
+

+ Print the dnssec-keymgr version and exit. +

-z

Only apply policies to ZSK keys. @@ -143,115 +158,115 @@ of policies:

    -
  • -Policy classes - (policy name { ... };) - can be inherited by zone policies or other policy classes; these - can be used to create sets of different security profiles. For - example, a policy class normal might specify - 1024-bit key sizes, but a class extra might - specify 2048 bits instead; extra would be - used for zones that had unusually high security needs. -
  • -
  • - Algorithm policies: - (algorithm-policy algorithm { ... }; ) - override default per-algorithm settings. For example, by default, - RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This - can be modified using algorithm-policy, and the - new key sizes would then be used for any key of type RSASHA256. -
  • -
  • - Zone policies: - (zone name { ... }; ) - set policy for a single zone by name. A zone policy can inherit - a policy class by including a policy option. -
  • +
  • + Policy classes + (policy name { ... };) + can be inherited by zone policies or other policy classes; these + can be used to create sets of different security profiles. For + example, a policy class normal might specify + 1024-bit key sizes, but a class extra might + specify 2048 bits instead; extra would be + used for zones that had unusually high security needs. +

  • +
  • + Algorithm policies: + (algorithm-policy algorithm { ... }; ) + override default per-algorithm settings. For example, by default, + RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This + can be modified using algorithm-policy, and the + new key sizes would then be used for any key of type RSASHA256. +

  • +
  • + Zone policies: + (zone name { ... }; ) + set policy for a single zone by name. A zone policy can inherit + a policy class by including a policy option. +

Options that can be specified in policies:

algorithm
-
- The key algorithm. If no policy is defined, the default is - RSASHA256. -
+

+ The key algorithm. If no policy is defined, the default is + RSASHA256. +

coverage
-
- The length of time to ensure that keys will be correct; no action - will be taken to create new keys to be activated after this time. - This can be represented as a number of seconds, or as a duration using - human-readable units (examples: "1y" or "6 months"). - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. - If no policy is configured, the default is six months. -
+

+ The length of time to ensure that keys will be correct; no action + will be taken to create new keys to be activated after this time. + This can be represented as a number of seconds, or as a duration using + human-readable units (examples: "1y" or "6 months"). + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. + If no policy is configured, the default is six months. +

directory
-
- Specifies the directory in which keys should be stored. -
+

+ Specifies the directory in which keys should be stored. +

key-size
-
- Specifies the number of bits to use in creating keys. - Takes two arguments: keytype (eihter "zsk" or "ksk") and size. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. If no policy is - configured, the default is 1024 bits for DSA keys and 2048 for - RSA. -
+

+ Specifies the number of bits to use in creating keys. + Takes two arguments: keytype (eihter "zsk" or "ksk") and size. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. If no policy is + configured, the default is 1024 bits for DSA keys and 2048 for + RSA. +

keyttl
-
- The key TTL. If no policy is defined, the default is one hour. -
+

+ The key TTL. If no policy is defined, the default is one hour. +

post-publish
-
- How long after inactivation a key should be deleted from the zone. - Note: If roll-period is not set, this value is - ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a - duration. A default value for this option can be set in algorithm - policies as well as in policy classes or zone policies. The default - is one month. -
+

+ How long after inactivation a key should be deleted from the zone. + Note: If roll-period is not set, this value is + ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a + duration. A default value for this option can be set in algorithm + policies as well as in policy classes or zone policies. The default + is one month. +

pre-publish
-
- How long before activation a key should be published. Note: If - roll-period is not set, this value is ignored. - Takes two arguments: keytype (either "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. The default is - one month. -
+

+ How long before activation a key should be published. Note: If + roll-period is not set, this value is ignored. + Takes two arguments: keytype (either "zsk" or "ksk") and a duration. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. The default is + one month. +

roll-period
-
- How frequently keys should be rolled over. - Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. If no policy is - configured, the default is one year for ZSK's. KSK's do not - roll over by default. -
+

+ How frequently keys should be rolled over. + Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. If no policy is + configured, the default is one year for ZSK's. KSK's do not + roll over by default. +

standby
-
- Not yet implemented. -
+

+ Not yet implemented. +

REMAINING WORK

    -
  • - Enable scheduling of KSK rollovers using the -P sync - and -D sync options to - dnssec-keygen and - dnssec-settime. Check the parent zone - (as in dnssec-checkds) to determine when it's - safe for the key to roll. -
  • -
  • - Allow configuration of standby keys and use of the REVOKE bit, - for keys that use RFC 5011 semantics. -
  • +
  • + Enable scheduling of KSK rollovers using the -P sync + and -D sync options to + dnssec-keygen and + dnssec-settime. Check the parent zone + (as in dnssec-checkds) to determine when it's + safe for the key to roll. +

  • +
  • + Allow configuration of standby keys and use of the REVOKE bit, + for keys that use RFC 5011 semantics. +