diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index a4b40c880d..68ee1a2042 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.6.14.1 2009/07/11 01:55:20 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.6.14.2 2010/01/15 20:35:06 tbox Exp $
.\"
.hy 0
.ad l
@@ -43,7 +43,13 @@ gets keys with the given label from a crypto hardware and builds key files for D
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
-must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or DH (Diffie Hellman). These values are case insensitive.
+.sp
+If no algorithm is specified, then RSASHA1 will be used by default, unless the
+\fB\-3\fR
+option is specified, in which case NSEC3RSASHA1 will be used instead. (If
+\fB\-3\fR
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
.sp
@@ -138,9 +144,7 @@ file contains algorithm specific fields. For obvious security reasons, this file
\fBdnssec\-keygen\fR(8),
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
-RFC 2539,
-RFC 2845,
-RFC 4033.
+RFC 4034.
.SH "AUTHOR"
.PP
Internet Systems Consortium
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index f435aa3d42..1c0738a870 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -45,10 +45,18 @@
Selects the cryptographic algorithm. The value of
- algorithm must be one of RSAMD5 (RSA)
- or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+ algorithm must be one of RSAMD5,
+ RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
+ RSASHA512 or DH (Diffie Hellman).
These values are case insensitive.
+
+ If no algorithm is specified, then RSASHA1 will be used by
+ default, unless the -3 option is specified,
+ in which case NSEC3RSASHA1 will be used instead. (If
+ -3 is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
+
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
@@ -112,7 +120,7 @@
-
GENERATED KEY FILES
+
GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -153,17 +161,15 @@
-
SEE ALSO
+
SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
- RFC 2539,
- RFC 2845,
- RFC 4033.
+ RFC 4034.
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
algorithm
- Selects the cryptographic algorithm. The value of
- algorithm must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
- These values are case insensitive.
+ Selects the cryptographic algorithm. For DNSSEC keys, the value
+ of algorithm must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
+ For TSIG/TKEY, the value must
+ be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
+ HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
+ case insensitive.
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -67,11 +70,10 @@
-b keysize
Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
- between
- 512 and 2048 bits. Diffie Hellman keys must be between
+ size depends on the algorithm used. RSA keys must be
+ between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC-MD5 keys must be
+ bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
-n nametype
@@ -225,7 +227,7 @@
BIND 9 Administrator Reference Manual,
RFC 2539,
RFC 2845,
- RFC 4033.
+ RFC 4034.
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 232410b6c4..6086ebc123 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -50,7 +50,7 @@
dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}
-
DESCRIPTION
+
DESCRIPTION
dnssec-keyfromlabel
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -58,16 +58,24 @@
-
OPTIONS
+
OPTIONS
- -a
algorithm
-
Selects the cryptographic algorithm. The value of
- algorithm must be one of RSAMD5 (RSA)
- or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+ algorithm must be one of RSAMD5,
+ RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
+ RSASHA512 or DH (Diffie Hellman).
These values are case insensitive.
+
+ If no algorithm is specified, then RSASHA1 will be used by
+ default, unless the -3 option is specified,
+ in which case NSEC3RSASHA1 will be used instead. (If
+ -3 is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
+
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
@@ -131,7 +139,7 @@
-
GENERATED KEY FILES
+
GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -172,17 +180,15 @@
-
SEE ALSO
+
SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
- RFC 2539,
- RFC 2845,
- RFC 4033.
+ RFC 4034.
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}
-
DESCRIPTION
+
DESCRIPTION
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -63,15 +63,18 @@
-
OPTIONS
+
OPTIONS
- -a
algorithm
-
- Selects the cryptographic algorithm. The value of
- algorithm must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
- These values are case insensitive.
+ Selects the cryptographic algorithm. For DNSSEC keys, the value
+ of algorithm must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
+ For TSIG/TKEY, the value must
+ be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
+ HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
+ case insensitive.
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -85,11 +88,10 @@
- -b
keysize
Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
- between
- 512 and 2048 bits. Diffie Hellman keys must be between
+ size depends on the algorithm used. RSA keys must be
+ between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC-MD5 keys must be
+ bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
- -n
nametype
@@ -171,7 +173,7 @@
-
GENERATED KEYS
+
GENERATED KEYS
When dnssec-keygen completes
successfully,
@@ -217,7 +219,7 @@
-
EXAMPLE
+
EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -238,16 +240,16 @@
-
SEE ALSO
+
SEE ALSO
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
RFC 2845,
- RFC 4033.
+ RFC 4034.
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
-
DESCRIPTION
+
DESCRIPTION
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
-
EXAMPLE
+
EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -320,7 +320,7 @@ db.example.com.signed
%
-
KNOWN BUGS
+
KNOWN BUGS
dnssec-signzone was designed so that it could
sign a zone partially, using only a subset of the DNSSEC keys
@@ -345,14 +345,14 @@ db.example.com.signed
-
SEE ALSO
+
SEE ALSO
dnssec-keygen(8),
BIND 9 Administrator Reference Manual,
RFC 4033.
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-z]
-
DESCRIPTION
+
DESCRIPTION
named-checkconf
checks the syntax, but not the semantics, of a named
configuration file.
-
RETURN VALUES
+
RETURN VALUES
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
-
SEE ALSO
+
SEE ALSO
named(8),
named-checkzone(8),
BIND 9 Administrator Reference Manual.
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}
-
DESCRIPTION
+
DESCRIPTION
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
-
RETURN VALUES
+
RETURN VALUES
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
-
SEE ALSO
+
SEE ALSO
named(8),
named-checkconf(8),
RFC 1035,
@@ -272,7 +272,7 @@
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
-
DESCRIPTION
+
DESCRIPTION
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
-
SIGNALS
+
SIGNALS
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -259,7 +259,7 @@
-
CONFIGURATION
+
CONFIGURATION
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -276,7 +276,7 @@
-
FILES
+
FILES
/etc/named.conf
@@ -289,7 +289,7 @@
-
SEE ALSO
+
SEE ALSO
RFC 1033,
RFC 1034,
RFC 1035,
@@ -302,7 +302,7 @@
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
-
DESCRIPTION
+
DESCRIPTION
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC2136
to a name server.
@@ -187,7 +187,7 @@
-
INPUT FORMAT
+
INPUT FORMAT
nsupdate
reads input from
filename
@@ -451,7 +451,7 @@
-
EXAMPLES
+
EXAMPLES
The examples below show how
nsupdate
@@ -505,7 +505,7 @@
-
FILES
+
FILES
/etc/resolv.conf
@@ -524,7 +524,7 @@
-
SEE ALSO
+
SEE ALSO
RFC2136,
RFC3007,
RFC2104,
@@ -537,7 +537,7 @@
-
BUGS
+
BUGS
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index aa44d9912b..321f14358e 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -48,7 +48,7 @@
rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
-
DESCRIPTION
+
DESCRIPTION
rndc-confgen
generates configuration files
for rndc. It can be used as a
@@ -64,7 +64,7 @@
-
EXAMPLES
+
EXAMPLES
To allow rndc to be used with
no manual configuration, run
@@ -188,7 +188,7 @@
-
SEE ALSO
+
SEE ALSO
rndc(8),
rndc.conf(5),
named(8),
@@ -196,7 +196,7 @@
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
-
DESCRIPTION
+
DESCRIPTION
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
-
EXAMPLE
+
EXAMPLE
options {
default-server localhost;
@@ -209,7 +209,7 @@
-
NAME SERVER CONFIGURATION
+
NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
-
SEE ALSO
+
SEE ALSO
rndc(8),
rndc-confgen(8),
mmencode(1),
@@ -227,7 +227,7 @@
-
AUTHOR
+
AUTHOR
Internet Systems Consortium
rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
-
DESCRIPTION
+
DESCRIPTION
rndc
controls the operation of a name
server. It supersedes the ndc utility
@@ -79,7 +79,7 @@
-
OPTIONS
+
OPTIONS
- -b
source-address
@@ -151,7 +151,7 @@
-
LIMITATIONS
+
LIMITATIONS
rndc
does not yet support all the commands of
the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
-
SEE ALSO
+
SEE ALSO
rndc.conf(5),
rndc-confgen(8),
named(8),
@@ -175,7 +175,7 @@
-
AUTHOR
+
AUTHOR
Internet Systems Consortium