added "known bugs" section to dnssec-signzone man page, edited KNOWN-DEFECTS a bit

Evan Hunt
2009-06-09 01:47:19 +00:00
parent 4b24acd9f1
commit 2d7fc2d5a6
4 changed files with 76 additions and 15 deletions


@@ -6,8 +6,10 @@ machine, and sign it again with a second key.
An unfortunate side-effect of this flexibility is that dnssec-signzone
does not check to make sure it's signing a zone with any valid keys at
all; an attempt to sign a zone with no keys may appear to have succeeded.
all. An attempt to sign a zone without any keys will appear to succeed,
producing a "signed" zone with no signatures. There is no warning issued
when a zone is not signed.
This will be corrected in the next release. In the meantime, ISC
This will be corrected in a future release. In the meantime, ISC
recommends examining the output of dnssec-signzone to confirm that
the zone is properly signed by all keys.
the zone is properly signed by all keys before using it.
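Review bot: the closing sentence of the new paragraph, "There is no warning issued when a zone is not signed.", does not match the wording used for the same paragraph in the man page, docbook and HTML copies in this commit, which all say "when a zone is not fully signed". The "fully" matters, because the preceding paragraph presents partial signing as an intended feature, so KNOWN-DEFECTS should say "not fully signed" as well to avoid suggesting the tool never warns about a partially signed zone.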


@@ -1,4 +1,4 @@
.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.47.44.3 2009/06/08 22:23:06 each Exp $
.\" $Id: dnssec-signzone.8,v 1.47.44.4 2009/06/09 01:47:19 each Exp $
.\"
.hy 0
.ad l
@@ -36,7 +36,7 @@
.el .ne 3
.IP "\\$1" \\$2
..
.TH "DNSSEC-SIGNZONE" 8 "June 05, 2009" "" ""
.TH "DNSSEC-SIGNZONE" 8 "June 08, 2009" "" ""
.SH NAME
dnssec-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
@@ -160,6 +160,13 @@ This example re\-signs a previously signed zone with default parameters\&. The p
db\&.example\&.com\&.signed
%
.fi
.SH "KNOWN BUGS"
.PP
\fBdnssec\-signzone\fR was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone\&. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key\&.
.PP
An unfortunate side\-effect of this flexibility is that \fBdnssec\-signzone\fR does not check to make sure it's signing a zone with any valid keys at all\&. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures\&. There is no warning issued when a zone is not fully signed\&.
.PP
This will be corrected in a future release\&. In the meantime, ISC recommends examining the output of \fBdnssec\-signzone\fR to confirm that the zone is properly signed by all keys before using it\&.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8), BIND 9 Administrator Reference Manual, RFC 4033\&.
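Review bot: the .TH date is bumped only to "June 08, 2009" while the $Id header two hunks above and the commit itself are stamped 2009/06/09; if the date line is meant to track the last edit it should say June 09. The KNOWN BUGS text here is character-for-character the docbook text from the next file, so keeping it in step with the docbook source (including any later wording fix such as "not fully signed" versus KNOWN-DEFECTS' "not signed") should be done in one place rather than by hand in both.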


@@ -18,10 +18,10 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.31.44.5 2009/06/08 23:47:00 tbox Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.31.44.6 2009/06/09 01:47:19 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
<date>June 08, 2009</date>
</refentryinfo>
<refmeta>
@@ -490,6 +490,33 @@ db.example.com.signed
%</programlisting>
</refsect1>
<refsect1>
<title>KNOWN BUGS</title>
<para>
<command>dnssec-signzone</command> was designed so that it could
sign a zone partially, using only a subset of the DNSSEC keys
needed to produce a fully-signed zone. This permits a zone
administrator, for example, to sign a zone with one key on one
machine, move the resulting partially-signed zone to a second
machine, and sign it again with a second key.
</para>
<para>
An unfortunate side-effect of this flexibility is that
<command>dnssec-signzone</command> does not check to make sure
it's signing a zone with any valid keys at all. An attempt to
sign a zone without any keys will appear to succeed, producing
a "signed" zone with no signatures. There is no warning issued
when a zone is not fully signed.
</para>
<para>
This will be corrected in a future release. In the meantime, ISC
recommends examining the output of <command>dnssec-signzone</command>
to confirm that the zone is properly signed by all keys before
using it.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
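Review bot: the remediation advice in the third new paragraph, "examining the output of dnssec-signzone to confirm that the zone is properly signed by all keys", leaves the reader to guess what to look for. Suggest naming the concrete check, for example that the output zone file contains RRSIG records (the records the DESCRIPTION section says the tool generates) covering the zone for each key that was supplied, since the failure described earlier in the paragraph is exactly a "signed" zone with no signatures. Minor: "it's signing" in a reference manual reads better as "it is signing".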


@@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.33.44.3 2009/06/08 22:23:07 each Exp $ -->
<!-- $Id: dnssec-signzone.html,v 1.33.44.4 2009/06/09 01:47:19 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id215233"></a><h2>DESCRIPTION</h2>
<a name="id215236"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215250"></a><h2>OPTIONS</h2>
<a name="id215253"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -258,7 +258,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id216041"></a><h2>EXAMPLE</h2>
<a name="id216044"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -287,14 +287,39 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id216094"></a><h2>SEE ALSO</h2>
<a name="id216098"></a><h2>KNOWN BUGS</h2>
<p>
<span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
sign a zone partially, using only a subset of the DNSSEC keys
needed to produce a fully-signed zone. This permits a zone
administrator, for example, to sign a zone with one key on one
machine, move the resulting partially-signed zone to a second
machine, and sign it again with a second key.
</p>
<p>
An unfortunate side-effect of this flexibility is that
<span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
it's signing a zone with any valid keys at all. An attempt to
sign a zone without any keys will appear to succeed, producing
a "signed" zone with no signatures. There is no warning issued
when a zone is not fully signed.
</p>
<p>
This will be corrected in a future release. In the meantime, ISC
recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
to confirm that the zone is properly signed by all keys before
using it.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id216132"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id216118"></a><h2>AUTHOR</h2>
<a name="id216155"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>