ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Document -M tag_min:tag_max

Browse Source 
A new argument has been added to dnssec-keygen and dnssec-keyfromlabel
to restrict the tag value of key generated / imported to a particular
range.  This is intended to be used by multi-signers.

Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
This commit is contained in:
Mark Andrews
2024-08-07 15:47:05 +10:00
parent 329e5eee9b
commit 0c347fb321
2 changed files with 27 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
bin/dnssec/dnssec-keyfromlabel.rst
View File

@@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
Description
~~~~~~~~~~~
@@ -123,6 +123,18 @@ Options
place, in which case the existing TTL would take precedence. Setting
the default TTL to ``0`` or ``none`` removes it.
.. option:: -M tag_min:tag_max
This option sets the range of key tag values
that ``dnssec-keyfromlabel`` will accept. If the key tag of the new
key or the key tag of the revoked version of the new key is
outside this range, the new key will be rejected. This is
designed to be used when generating keys in a multi-signer
scenario, where each operator is given a range of key tags to
prevent collisions among different operators. The valid
values for ``tag_min`` and ``tag_max`` are [0..65535]. The
default allows all key tag values to be accepted.
.. option:: -p protocol
This option sets the protocol value for the key. The protocol is a number between

15
bin/dnssec/dnssec-keygen.rst
View File

@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
@@ -150,6 +150,19 @@ Options
This option provides a configuration file that contains a ``dnssec-policy`` statement
(matching the policy set with :option:`-k`).
.. option:: -M tag_min:tag_max
This option sets the range of acceptable key tag values that ``dnssec-keygen``
will produce. If the key tag of the new key or the key tag of
the revoked version of the new key is outside this range,
the new key will be rejected and another new key will be generated.
This is designed to be used when generating keys in a multi-signer
scenario, where each operator is given a range of key tags to
prevent collisions among different operators. The valid values
for ``tag_min`` and ``tag_max`` are [0..65535]. The default allows all
key tag values to be produced. This option is ignored when ``-k policy``
is specified.
.. option:: -n nametype
This option specifies the owner type of the key. The value of ``nametype`` must