diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index 9ab7885cc3..f8452ed16b 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -12,7 +12,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keyfromlabel.8,v 1.14 2009/10/17 01:14:35 tbox Exp $ +.\" $Id: dnssec-keyfromlabel.8,v 1.15 2009/10/23 01:14:47 tbox Exp $ .\" .hy 0 .ad l @@ -47,11 +47,13 @@ of the key is specified on the command line. This must match the name of the zon .RS 4 Selects the cryptographic algorithm. The value of \fBalgorithm\fR -must be one of RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. These values are case insensitive. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR -option is specified, in which case NSEC3RSASHA1 will be used instead. +option is specified, in which case NSEC3RSASHA1 will be used instead. (If +\fB\-3\fR +is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.) .sp Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. .sp @@ -203,9 +205,7 @@ file contains algorithm\-specific fields. For obvious security reasons, this fil \fBdnssec\-keygen\fR(8), \fBdnssec\-signzone\fR(8), BIND 9 Administrator Reference Manual, -RFC 2539, -RFC 2845, -RFC 4033. +RFC 4034. .SH "AUTHOR" .PP Internet Systems Consortium diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 2369456e21..7bb428785b 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -13,7 +13,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,16 @@

Selects the cryptographic algorithm. The value of - algorithm must be one of RSAMD5 (RSA), - RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). + algorithm must be one of RSAMD5, RSASHA1, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. These values are case insensitive.

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.)

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement @@ -153,7 +155,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -200,7 +202,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -239,17 +241,15 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, - RFC 2539, - RFC 2845, - RFC 4033. + RFC 4034.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 016241ed5a..ed62ada8f8 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.50 2009/10/17 01:14:35 tbox Exp $ +.\" $Id: dnssec-keygen.8,v 1.51 2009/10/23 01:14:47 tbox Exp $ .\" .hy 0 .ad l @@ -48,11 +48,13 @@ of the key is specified on the command line. For DNSSEC keys, this must match th .RS 4 Selects the cryptographic algorithm. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR -option is specified, in which case NSEC3RSASHA1 will be used instead. +option is specified, in which case NSEC3RSASHA1 will be used instead. (If +\fB\-3\fR +is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.) .sp Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory. .sp @@ -61,7 +63,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the .PP \-b \fIkeysize\fR .RS 4 -Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits. +Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. .sp The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with \fB\-f KSK\fR). However, if an algorithm is explicitly specified with the @@ -79,7 +81,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a .PP \-3 .RS 4 -Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. +Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256 and RSASHA512 algorithms are NSEC3\-capable. .RE .PP \-C @@ -268,7 +270,7 @@ and BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, -RFC 4033. +RFC 4034. .SH "AUTHOR" .PP Internet Systems Consortium diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 8d680d6630..c7365c80c6 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -53,7 +53,8 @@

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. + For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are case insensitive. @@ -61,7 +62,9 @@

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.)

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement @@ -77,10 +80,10 @@

Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be + size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be + bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.

@@ -108,7 +111,8 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by - default. + default. Note that RSASHA256 and RSASHA512 algorithms + are NSEC3-capable.

-C

@@ -220,7 +224,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -267,7 +271,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -313,7 +317,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -334,16 +338,16 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, - RFC 4033. + RFC 4034.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index b5a0dd3c9f..7295cc1ff7 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -78,28 +78,28 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -2363,9 +2363,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files should be found, if different than the current working - directory. The directory specified must be an absolute - path. (Note that this option has no effect on the paths - for files containing non-DNSSEC keys such as + directory. (Note that this option has no effect on the + paths for files containing non-DNSSEC keys such as bind.keys, rndc.key or session.key.) @@ -3430,7 +3429,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3474,7 +3473,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -3671,7 +3670,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4123,7 +4122,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -4165,7 +4164,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -5123,7 +5122,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5453,7 +5452,7 @@ deny-answer-aliases { "example.net"; };

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -5504,7 +5503,7 @@ deny-answer-aliases { "example.net"; };

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5513,7 +5512,7 @@ deny-answer-aliases { "example.net"; };
 
 

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -5553,7 +5552,7 @@ deny-answer-aliases { "example.net"; };

-managed-keys Statement Grammar

+managed-keys Statement Grammar
managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5648,6 +5647,21 @@ deny-answer-aliases { "example.net"; };
             managed-keys may only be set at the top
             level of named.conf, not within a view.
           

+

+ In the current implementation, the managed keys database is + stored as a master-format zone file called + managed-keys.bind. When the key database + is changed, the zone is updated. As with any other dynamic + zone, changes will be written into a journal file, + managed-keys.bind.jnl. They are committed + to the master file as soon as possible afterward; in the case + of the managed key database, this will usually occur within 30 + seconds. So, whenever named is using + automatic key maintenace, those two files can be expected to + exist in the working directory. (For this reason among others, + the working directory should be always be writable by + named.) +

If the dnssec-lookaside option is set to auto, named @@ -5673,7 +5687,7 @@ deny-answer-aliases { "example.net"; };

-view Statement Definition and Usage

+view Statement Definition and Usage

The view statement is a powerful feature @@ -5953,10 +5967,10 @@ zone zone_name [

-zone Statement Definition and Usage

+zone Statement Definition and Usage

-Zone Types

+Zone Types
@@ -6167,7 +6181,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -6189,7 +6203,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -6859,7 +6873,7 @@ zone zone_name [

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -6872,7 +6886,7 @@ zone zone_name [

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7609,7 +7623,7 @@ zone zone_name [

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7812,7 +7826,7 @@ zone zone_name [

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -8068,7 +8082,7 @@ zone zone_name [

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -8129,7 +8143,7 @@ zone zone_name [

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -8144,7 +8158,7 @@ zone zone_name [

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -8155,7 +8169,7 @@ zone zone_name [

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -8184,7 +8198,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -8220,7 +8234,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -8239,7 +8253,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -8663,7 +8677,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
@@ -9220,7 +9234,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters
@@ -9374,7 +9388,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -9757,7 +9771,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -9912,7 +9926,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 836f16fb98..50a850e165 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -122,7 +122,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -148,7 +148,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -176,7 +176,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index d79c282d90..edfb4832f2 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,18 +45,18 @@

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 2aca0934f4..2fcc2aec1e 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,21 +45,21 @@

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -162,7 +162,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -268,42 +268,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -312,19 +312,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -332,146 +332,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -487,47 +487,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -541,39 +541,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -594,14 +594,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 0727e92cca..d60bda27d1 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -157,28 +157,28 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -187,31 +187,31 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
I. Manual pages
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index c4ae4d9d3e..fad2f908cf 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name | -z zone ] [-q] [name]

-

DESCRIPTION

+

DESCRIPTION

ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -75,7 +75,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -142,7 +142,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -150,7 +150,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 4f82e99754..e7e51c704e 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -144,7 +144,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -248,7 +248,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 173a778dcd..aa1de9ac0e 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,14 +51,14 @@

dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -119,7 +119,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -134,7 +134,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -148,13 +148,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -164,7 +164,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 67ca1f0027..d1644226d9 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -63,20 +63,22 @@

-

OPTIONS

+

OPTIONS

-a algorithm

Selects the cryptographic algorithm. The value of - algorithm must be one of RSAMD5 (RSA), - RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). + algorithm must be one of RSAMD5, RSASHA1, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. These values are case insensitive.

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.)

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement @@ -172,7 +174,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -219,7 +221,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -258,17 +260,15 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, - RFC 2539, - RFC 2845, - RFC 4033. + RFC 4034.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 54587c0f7b..20ca67be94 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,14 +64,15 @@

-

OPTIONS

+

OPTIONS

-a algorithm

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. + For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are case insensitive. @@ -79,7 +80,9 @@

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, - in which case NSEC3RSASHA1 will be used instead. + in which case NSEC3RSASHA1 will be used instead. (If + -3 is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.)

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement @@ -95,10 +98,10 @@

Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be + size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be + bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.

@@ -126,7 +129,8 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by - default. + default. Note that RSASHA256 and RSASHA512 algorithms + are NSEC3-capable.

-C

@@ -238,7 +242,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -285,7 +289,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -331,7 +335,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -352,16 +356,16 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, - RFC 4033. + RFC 4034.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index c86cd8c7c2..dcc32a1b4c 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -91,14 +91,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index b2d0292220..a4ff91ddb7 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-settime [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -75,7 +75,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -106,7 +106,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -151,7 +151,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -177,7 +177,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -185,7 +185,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 6935cda17d..60b0881e90 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -397,7 +397,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -427,14 +427,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 82f1d0b402..1435323bb6 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index afbeff79c7..55f08c73b4 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@

named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-

OPTIONS

+

OPTIONS

-h

@@ -96,21 +96,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 081fa67101..bfc7516b37 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -257,14 +257,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 339722af23..346d211ef4 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -246,7 +246,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -267,7 +267,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -284,7 +284,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -297,7 +297,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -310,7 +310,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 0934734769..3699de927d 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -210,7 +210,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -474,7 +474,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -528,7 +528,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -551,7 +551,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -566,7 +566,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index b087a9a740..260e0c4884 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -173,7 +173,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -190,7 +190,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -198,7 +198,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 2c8df27697..3f930c1a37 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index a09d5bfcc6..653b30feab 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -151,7 +151,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium