From 5b49c0273576baabfb93f18f7cbc87a4a159dee6 Mon Sep 17 00:00:00 2001
From: Tinderbox User
-
-
@@ -1080,7 +1080,7 @@ options {
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.
Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1142,7 +1142,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1205,7 +1205,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1246,12 +1246,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1273,7 +1273,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1288,27 +1288,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1323,14 +1323,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1352,7 +1352,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1363,7 +1363,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1460,7 +1460,7 @@ $ dnssec-signzone -S -K keys example.net<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1469,7 +1469,7 @@ $ dnssec-signzone -S -K keys example.net<
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
@@ -1502,7 +1502,7 @@ $ ./configure --enable-native-pkcs11 \
SoftHSMv2, the latest development version of SoftHSM, is available
from
@@ -1540,7 +1540,7 @@ $ /opt/pkcs11/usr/bin/softhsm-util --init-token
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1598,7 +1598,7 @@ $ /opt/pkcs11/usr/bin/softhsm-util --init-token
$ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
@@ -1631,7 +1631,7 @@ $ patch -p1 -d openssl-0.9.8zc \
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1673,7 +1673,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1702,7 +1702,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM (version 1) is a software library developed by the
OpenDNSSEC project
@@ -1777,7 +1777,7 @@ $ ./Configure linux-x86_64 -pthread \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1797,7 +1797,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1819,7 +1819,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1840,7 +1840,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1863,7 +1863,7 @@ $ ./configure --enable-threads \
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1984,7 +1984,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -2016,7 +2016,7 @@ $ dnssec-signzone -E '' -S example.net
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2103,7 +2103,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -2152,7 +2152,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index f11f74b1e5..2a35a9f13f 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -78,28 +78,28 @@
server Statement Definition and
Usage
statistics-channels Statement Grammar
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
Usage
trusted-keys Statement Grammar
-trusted-keys Statement Definition
+trusted-keys Statement Definition
and Usage
-managed-keys Statement Grammar
+managed-keys Statement Grammar
managed-keys Statement Definition
and Usage
view Statement Grammar
-view Statement Definition and Usage
+view Statement Definition and Usage
zone
Statement Grammar
-zone Statement Definition and Usage
+zone Statement Definition and Usage
-Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
@@ -2256,6 +2256,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ notify yes_or_no | explicit | master-only; ]
[ recursion yes_or_no; ]
[ request-sit yes_or_no; ]
+ [ nosit-udp-size number ; ]
+ [ sit-secret secret_string ; ]
[ request-nsid yes_or_no; ]
[ rfc2308-type1 yes_or_no; ]
[ use-id-pool yes_or_no; ]
@@ -3602,6 +3604,15 @@ options {
may be limited to receiving smaller responses via
the nosit-udp-size option.
+nosit-udp-size
+
+ Sets the maximum size of UDP responses that will
+ be sent to queries without a valid source identity
+ token. A value below 128 will be silently raised
+ to 128. The default value is 4096, but the
+ max-udp-size option may further
+ limit the response size.
+
sit-secret
If set, this is a shared secret used for generating
@@ -4161,7 +4172,7 @@ options {
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -4205,7 +4216,7 @@ options {
Dual-stack servers are used as servers of last resort to work
around
@@ -4473,7 +4484,7 @@ options {
The interfaces and ports that the server will answer queries
from may be specified using the listen-on option. listen-on takes
@@ -4940,7 +4951,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports,
avoid-v4-udp-ports,
@@ -4982,7 +4993,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -5335,7 +5346,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -6343,7 +6354,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter
out DNS responses from external DNS servers containing
@@ -6466,7 +6477,7 @@ deny-answer-aliases { "example.net"; };
BIND 9 includes a limited
mechanism to modify DNS responses for requests
@@ -6839,7 +6850,7 @@ example.com CNAME rpz-tcp-only.
Excessive almost identical UDP responses
can be controlled by configuring a
@@ -7070,7 +7081,6 @@ example.com CNAME rpz-tcp-only.
[ request-sit yes_or_no ; ]
[ edns yes_or_no ; ]
[ edns-udp-size number ; ]
- [ nosit-udp-size number ; ]
[ max-udp-size number ; ]
[ transfers number ; ]
[ transfer-format ( one-answer | many-answers ) ; ]]
@@ -7195,13 +7205,6 @@ example.com CNAME rpz-tcp-only.
know that there is a firewall that is blocking large
replies from named.
-
- The nosit-udp-size option sets the
- maximum size of UDP responses that will be sent to
- queries without a valid source identity token. The command
- max-udp-size option may further limit
- the response size.
-
The server supports two zone transfer methods. The first, one-answer,
uses one DNS message per resource record transferred. many-answers packs
@@ -7300,7 +7303,7 @@ example.com CNAME rpz-tcp-only.
The statistics-channels statement
@@ -7416,7 +7419,7 @@ example.com CNAME rpz-tcp-only.
The trusted-keys statement defines
@@ -7456,7 +7459,7 @@ example.com CNAME rpz-tcp-only.
managed-keys {
name initial-key flags protocol algorithm key-data ;
[ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7594,7 +7597,7 @@ example.com CNAME rpz-tcp-only.
The view statement is a powerful
feature
@@ -7872,7 +7875,7 @@ zone zone_name [ alt-transfer-source-v6 (ip6_addr | *)
[port ip_port] [dscp ip_dscp] ; ]
[ use-alt-transfer-source yes_or_no; ]
- [ zone-statistics yes_or_no ; ]
+ [ zone-statistics full | terse | none; ]
[ database string ; ]
[ min-refresh-time number ; ]
[ max-refresh-time number ; ]
@@ -7886,7 +7889,7 @@ zone zone_name [ allow-query { address_match_list }; ]
[ server-addresses { [ ip_addr ; ... ] }; ]
[ server-names { [ namelist ] }; ]
- [ zone-statistics yes_or_no ; ]
+ [ zone-statistics full | terse | none; ]
};
zone zone_name [class] {
@@ -7916,10 +7919,10 @@ zone zone_name [
The type keyword is required
for the zone configuration unless
@@ -8247,7 +8250,7 @@ zone zone_name [
The zone's name may optionally be followed by a class. If
a class is not specified, class IN (for Internet),
@@ -8269,7 +8272,7 @@ zone zone_name [
- allow-notify
@@ -8531,11 +8534,11 @@ zone zone_name [
- zone-statistics
- If yes, the server will keep
- statistical
- information for this zone, which can be dumped to the
- statistics-file defined in
- the server options.
+ See the description of
+ zone-statistics in
+ the section called “options Statement Definition and
+ Usage”.
- server-addresses
-
@@ -9152,7 +9155,7 @@ example.com. NS ns2.example.net.
When multiple views are in use, a zone may be
referenced by more than one of them. Often, the views
@@ -9214,7 +9217,7 @@ view external {
@@ -9227,7 +9230,7 @@ view external {
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -10400,7 +10403,7 @@ view external {
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -10603,7 +10606,7 @@ view external {
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -10858,7 +10861,7 @@ view external {
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -10919,7 +10922,7 @@ view external {
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -10934,7 +10937,7 @@ view external {
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@@ -10945,7 +10948,7 @@ view external {
Syntax: $ORIGIN
domain-name
@@ -10974,7 +10977,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
@@ -11010,7 +11013,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $TTL
default-ttl
@@ -11029,7 +11032,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $GENERATE
range
@@ -11400,11 +11403,17 @@ HOST-127.EXAMPLE. MX 0 .
A subset of Name Server Statistics is collected and shown
per zone for which the server has the authority when
zone-statistics is set to
- yes.
- These statistics counters are shown with their zone and view
- names.
- In some cases the view names are omitted for the default view.
+ full (or yes
+ for backward compatibility. See the description of
+ zone-statistics in the section called “options Statement Definition and
+ Usage”
+ for further details.
+
+ These statistics counters are shown with their zone and
+ view names. The view name is omitted when the server is
+ not configured with explicit views.
There are currently two user interfaces to get access to the
statistics.
@@ -11472,7 +11481,7 @@ HOST-127.EXAMPLE. MX 0 .