From 9d557856c2a19ec95ee73245f60a92f8675cf5ba Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Thu, 22 Oct 2015 05:53:09 +0000 Subject: [PATCH] regen master --- bin/check/named-checkzone.html | 2 +- bin/confgen/ddns-confgen.html | 2 +- bin/dig/dig.html | 4 +- bin/dig/host.html | 4 +- bin/dnssec/dnssec-dsfromkey.html | 2 +- bin/dnssec/dnssec-keyfromlabel.html | 4 +- bin/dnssec/dnssec-keygen.html | 4 +- bin/dnssec/dnssec-settime.html | 6 +- bin/dnssec/dnssec-signzone.html | 6 +- bin/named/lwresd.html | 4 +- bin/python/dnssec-checkds.html | 2 +- bin/rndc/rndc.html | 4 +- bin/tools/named-journalprint.html | 4 +- doc/arm/Bv9ARM.ch04.html | 112 +++++++++++++-------------- doc/arm/Bv9ARM.ch06.html | 4 +- doc/arm/Bv9ARM.ch09.html | 2 +- doc/arm/Bv9ARM.ch12.html | 2 +- doc/arm/man.ddns-confgen.html | 2 +- doc/arm/man.delv.html | 2 +- doc/arm/man.dig.html | 4 +- doc/arm/man.dnssec-checkds.html | 2 +- doc/arm/man.dnssec-coverage.html | 2 +- doc/arm/man.dnssec-dsfromkey.html | 2 +- doc/arm/man.dnssec-keyfromlabel.html | 4 +- doc/arm/man.dnssec-keygen.html | 4 +- doc/arm/man.dnssec-settime.html | 6 +- doc/arm/man.dnssec-signzone.html | 6 +- doc/arm/man.host.html | 4 +- doc/arm/man.lwresd.html | 4 +- doc/arm/man.named-checkzone.html | 2 +- doc/arm/man.named-journalprint.html | 4 +- doc/arm/man.rndc.html | 4 +- doc/arm/notes.html | 2 +- 33 files changed, 111 insertions(+), 111 deletions(-) diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html index 7c0051de32..234a9985a6 100644 --- a/bin/check/named-checkzone.html +++ b/bin/check/named-checkzone.html @@ -212,7 +212,7 @@
-r mode

Check for records that are treated as different by DNSSEC but - are semantically equal in plain DNS. + are semantically equal in plain DNS. Possible modes are "fail", "warn" (default) and "ignore". diff --git a/bin/confgen/ddns-confgen.html b/bin/confgen/ddns-confgen.html index 153c3e572c..4414289291 100644 --- a/bin/confgen/ddns-confgen.html +++ b/bin/confgen/ddns-confgen.html @@ -60,7 +60,7 @@ local DDNS key for use with nsupdate -l: it does this when a zone is configured with update-policy local;. - ddns-confgen is only needed when a + ddns-confgen is only needed when a more elaborate configuration is required: for instance, if nsupdate is to be used from a remote system. diff --git a/bin/dig/dig.html b/bin/dig/dig.html index f23974f12f..bebdd6753e 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -74,7 +74,7 @@

The IN and CH class names overlap with the IN and CH top level domain names. Either use the -t and - -c options to specify the type and class, + -c options to specify the type and class, use the -q the specify the domain name, or use "IN." and "CH." when looking up these top level domains.

@@ -771,7 +771,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr reply from the server. If you'd like to turn off the IDN support for some reason, defines the IDN_DISABLE environment variable. - The IDN support is disabled if the variable is set when + The IDN support is disabled if the variable is set when dig runs.

diff --git a/bin/dig/host.html b/bin/dig/host.html index 549916cc27..b9d8d69ba6 100644 --- a/bin/dig/host.html +++ b/bin/dig/host.html @@ -178,7 +178,7 @@ /etc/resolv.conf.

- The -s option tells host + The -s option tells host not to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior. @@ -198,7 +198,7 @@

IDN SUPPORT

If host has been built with IDN (internationalized - domain name) support, it can accept and display non-ASCII domain names. + domain name) support, it can accept and display non-ASCII domain names. host appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html index cf52abb16a..269ab16cde 100644 --- a/bin/dnssec/dnssec-dsfromkey.html +++ b/bin/dnssec/dnssec-dsfromkey.html @@ -94,7 +94,7 @@

Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS - records and printed. Useful only in zone file mode. + records and printed. Useful only in zone file mode.

-l domain

diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 89e40034de..93037d9bf1 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -281,7 +281,7 @@

If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero.

@@ -313,7 +313,7 @@ footprint).

-

dnssec-keyfromlabel +

dnssec-keyfromlabel creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index c89b781363..2aeda3c217 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -328,7 +328,7 @@

If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero.

@@ -361,7 +361,7 @@ footprint).

-

dnssec-keygen +

dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html index 8e5c38c046..e366fb215c 100644 --- a/bin/dnssec/dnssec-settime.html +++ b/bin/dnssec/dnssec-settime.html @@ -65,8 +65,8 @@ fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be - set to the present time. If no other values are specified, - then the key's publication and activation dates will also + set to the present time. If no other values are specified, + then the key's publication and activation dates will also be set to the present time.

-K directory
@@ -178,7 +178,7 @@

If the key is being set to be an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero.

diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index 5a87858736..ae8e312642 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -74,7 +74,7 @@ (-S) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with $INCLUDE. This option - cannot be combined with -O raw, + cannot be combined with -O raw, -O map, or serial number updating.

-E engine
@@ -328,7 +328,7 @@

Normally, when a previously-signed zone is passed as input to the signer, and a DNSKEY record has been removed and - replaced with a new one, signatures from the old key + replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset. The -Q @@ -391,7 +391,7 @@

If the key's activation date is set and in the past, the key is published (regardless of publication date) and - used to sign the zone. + used to sign the zone.

diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html index 5438acf78a..c6afd57f62 100644 --- a/bin/named/lwresd.html +++ b/bin/named/lwresd.html @@ -39,7 +39,7 @@ server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.

-

lwresd +

lwresd listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that lwresd can only be used by @@ -123,7 +123,7 @@ trace, record, size, and - mctx. + mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>.

diff --git a/bin/python/dnssec-checkds.html b/bin/python/dnssec-checkds.html index 556a21ce15..f7f49de367 100644 --- a/bin/python/dnssec-checkds.html +++ b/bin/python/dnssec-checkds.html @@ -49,7 +49,7 @@

-l domain

- Check for a DLV record in the specified lookaside domain, + Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone's parent. For example, to check for DLV records for "example.com" in ISC's DLV zone, use: diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 93e176029a..2b78d631c3 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -556,7 +556,7 @@ operations (such as signing or generating NSEC3 chains) is stored in the zone in the form of DNS resource records of type - sig-signing-type. + sig-signing-type. rndc signing -list converts these records into a human-readable form, indicating which keys are currently signing @@ -582,7 +582,7 @@ flags, iterations, and salt, in that order.

- Currently, the only defined value for hash algorithm + Currently, the only defined value for hash algorithm is 1, representing SHA-1. The flags may be set to 0 or 1, diff --git a/bin/tools/named-journalprint.html b/bin/tools/named-journalprint.html index eee59983f8..66b91a7441 100644 --- a/bin/tools/named-journalprint.html +++ b/bin/tools/named-journalprint.html @@ -34,10 +34,10 @@

named-journalprint prints the contents of a zone journal file in a human-readable - form. + form.

- Journal files are automatically created by named + Journal files are automatically created by named when changes are made to dynamic zones (e.g., by nsupdate). They record each addition or deletion of a resource record, in binary format, allowing the diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 45c3910fd8..f437f657d3 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -579,7 +579,7 @@ nameserver 172.16.72.4

TSIG keys can be generated using the tsig-keygen command; the output of the command is a key directive - suitable for inclusion in named.conf. The + suitable for inclusion in named.conf. The key name, algorithm and size can be specified by command line parameters; the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.

@@ -661,7 +661,7 @@ key "host1-host2." { signed using the specified key. Keys may also be specified in the also-notify statement of a master or slave zone, causing NOTIFY messages to be signed using - the specified key. + the specified key.

Keys can also be specified in a server @@ -770,7 +770,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

The TKEY process is initiated by a client or server by sending a query of type TKEY to a TKEY-aware server. The query must include - an appropriate KEY record in the additional section, and + an appropriate KEY record in the additional section, and must be signed using either TSIG or SIG(0) with a previously established key. The server's response, if successful, will contain a TKEY record in its answer section. After this transaction, @@ -1112,15 +1112,15 @@ options {

Converting from insecure to secure

Changing a zone from insecure to secure can be done in two - ways: using a dynamic DNS update, or the + ways: using a dynamic DNS update, or the auto-dnssec zone option.

-

For either method, you need to configure - named so that it can see the +

For either method, you need to configure + named so that it can see the K* files which contain the public and private parts of the keys that will be used to sign the zone. These files - will have been generated by + will have been generated by dnssec-keygen. You can do this by placing them - in the key-directory, as specified in + in the key-directory, as specified in named.conf:

 	zone example.net {
@@ -1146,7 +1146,7 @@ options {
 	> send
 

While the update request will complete almost immediately, - the zone will not be completely signed until + the zone will not be completely signed until named has had time to walk the zone and generate the NSEC and RRSIG records. The NSEC record at the apex will be added last, to signal that there is a complete NSEC @@ -1164,7 +1164,7 @@ options { > send

Again, this update request will complete almost - immediately; however, the record won't show up until + immediately; however, the record won't show up until named has had a chance to build/remove the relevant chain. A private type record will be created to record the state of the operation (see below for more details), and will @@ -1173,17 +1173,17 @@ options { is happening, other updates are possible as well.

Fully automatic zone signing

-

To enable automatic signing, add the - auto-dnssec option to the zone statement in - named.conf. - auto-dnssec has two possible arguments: - allow or +

To enable automatic signing, add the + auto-dnssec option to the zone statement in + named.conf. + auto-dnssec has two possible arguments: + allow or maintain.

-

With - auto-dnssec allow, +

With + auto-dnssec allow, named can search the key directory for keys matching the zone, insert them into the zone, and use them to - sign the zone. It will do so only when it receives an + sign the zone. It will do so only when it receives an rndc sign <zonename>.

@@ -1191,7 +1191,7 @@ options { functionality, but will also automatically adjust the zone's DNSKEY records on schedule according to the keys' timing metadata. (See dnssec-keygen(8) and - dnssec-settime(8) for more information.) + dnssec-settime(8) for more information.)

named will periodically search the key directory @@ -1205,7 +1205,7 @@ options {

If keys are present in the key directory the first time the zone - is loaded, the zone will be signed immediately, without waiting for an + is loaded, the zone will be signed immediately, without waiting for an rndc sign or rndc loadkeys command. (Those commands can still be used when there are unscheduled key changes, however.) @@ -1227,10 +1227,10 @@ options { the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM record will appear in the zone.

-

Using the +

Using the auto-dnssec option requires the zone to be - configured to allow dynamic updates, by adding an - allow-update or + configured to allow dynamic updates, by adding an + allow-update or update-policy statement to the zone configuration. If this has not been done, the configuration will fail.

@@ -1278,14 +1278,14 @@ options {

DNSKEY rollovers

As with insecure-to-secure conversions, rolling DNSSEC - keys can be done in two ways: using a dynamic DNS update, or the + keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

Dynamic DNS update method

To perform key rollovers via dynamic update, you need to add - the K* files for the new keys so that + the K* files for the new keys so that named can find them. You can then add the new - DNSKEY RRs via dynamic update. + DNSKEY RRs via dynamic update. named will then cause the zone to be signed with the new keys. When the signing is complete the private type records will be updated so that the last octet is non @@ -1299,14 +1299,14 @@ options { be able to verify at least one signature when you remove the old DNSKEY.

The old DNSKEY can be removed via UPDATE. Take care to - specify the correct key. + specify the correct key. named will clean out any signatures generated by the old key after the update completes.

Automatic key rollovers

When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), - if the auto-dnssec zone option is set to + if the auto-dnssec zone option is set to maintain, named will automatically carry out the key rollover. If the key's algorithm has not previously been used to sign the zone, then the zone will @@ -1344,9 +1344,9 @@ options { nsupdate. All signatures, NSEC or NSEC3 chains, and associated NSEC3PARAM records will be removed automatically. This will take place after the update request completes.

-

This requires the - dnssec-secure-to-insecure option to be set to - yes in +

This requires the + dnssec-secure-to-insecure option to be set to + yes in named.conf.

In addition, if the auto-dnssec maintain zone statement is used, it should be removed or changed to @@ -1364,9 +1364,9 @@ options {

named only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT - state. + state. named supports UPDATES to zones where the NSEC3 - records in the chain have mixed OPTOUT state. + records in the chain have mixed OPTOUT state. named does not support changing the OPTOUT state of an individual NSEC3 record, the entire chain needs to be changed if the OPTOUT state of an individual NSEC3 needs to be @@ -1376,7 +1376,7 @@ options {

Dynamic Trust Anchor Management

BIND 9.7.0 introduces support for RFC 5011, dynamic trust - anchor management. Using this feature allows + anchor management. Using this feature allows named to keep track of changes to critical DNSSEC keys without any need for the operator to make changes to configuration files.

@@ -1384,9 +1384,9 @@ options {

Validating Resolver

To configure a validating resolver to use RFC 5011 to - maintain a trust anchor, configure the trust anchor using a + maintain a trust anchor, configure the trust anchor using a managed-keys statement. Information about - this can be found in + this can be found in the section called “managed-keys Statement Definition and Usage”.

@@ -1408,21 +1408,21 @@ options { timer has completed, the active KSK can be revoked, and the zone can be "rolled over" to the newly accepted key.

The easiest way to place a stand-by key in a zone is to - use the "smart signing" features of - dnssec-keygen and + use the "smart signing" features of + dnssec-keygen and dnssec-signzone. If a key with a publication date in the past, but an activation date which is unset or in - the future, " + the future, " dnssec-signzone -S" will include the DNSKEY record in the zone, but will not sign with it:

 $ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net
 $ dnssec-signzone -S -K keys example.net
 
-

To revoke a key, the new command +

To revoke a key, the new command dnssec-revoke has been added. This adds the - REVOKED bit to the key flags and re-generates the - K*.key and + REVOKED bit to the key flags and re-generates the + K*.key and K*.private files.

After revoking the active key, the zone must be signed with both the revoked KSK and the new active KSK. (Smart @@ -1440,7 +1440,7 @@ $ dnssec-signzone -S -K keys example.net< "Kexample.com.+005+10128".

If two keys have IDs exactly 128 apart, and one is revoked, then the two key IDs will collide, causing several - problems. To prevent this, + problems. To prevent this, dnssec-keygen will not generate a new key if another key is present which may collide. This checking will only occur if the new keys are written to the same directory @@ -1724,8 +1724,8 @@ $ ./Configure solaris64-x86_64-cc \ (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)

- After configuring, run - make and + After configuring, run + make and make test.

@@ -1872,9 +1872,9 @@ $ ./configure --enable-threads \ PKCS#11 Tools

BIND 9 includes a minimal set of tools to operate the - HSM, including + HSM, including pkcs11-keygen to generate a new key pair - within the HSM, + within the HSM, pkcs11-list to list objects currently available, pkcs11-destroy to remove objects, and @@ -1911,7 +1911,7 @@ $ export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${L For example, when operating an AEP Keyper, it is necessary to specify the location of the "machine" file, which stores information about the Keyper for use by the provider - library. If the machine file is in + library. If the machine file is in /opt/Keyper/PKCS11Provider/machine, use:

@@ -1920,12 +1920,12 @@ $ export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11P

Such environment variables must be set whenever running - any tool that uses the HSM, including - pkcs11-keygen, - pkcs11-list, - pkcs11-destroy, - dnssec-keyfromlabel, - dnssec-signzone, + any tool that uses the HSM, including + pkcs11-keygen, + pkcs11-list, + pkcs11-destroy, + dnssec-keyfromlabel, + dnssec-signzone, dnssec-keygen, and named.

@@ -2033,7 +2033,7 @@ example.net.signed $ dnssec-signzone -E '' -S example.net

- This causes + This causes dnssec-signzone to run as if it were compiled without the --with-pkcs11 option.

@@ -2051,7 +2051,7 @@ $ dnssec-signzone -E '' -S example.netnamed must have access to the HSM PIN. In OpenSSL-based PKCS#11, this is accomplished by placing the PIN into the openssl.cnf file - (in the above examples, + (in the above examples, /opt/pkcs11/usr/ssl/openssl.cnf).

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 5acd0d420c..0d0da0d19b 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -2669,11 +2669,11 @@ badresp:1,adberr:0,findfail:0,valfail:0] event payloads which are encoded using Protocol Buffers (libprotobuf-c, a mechanism for serializing structured data developed - by Google, Inc.; see + by Google, Inc.; see https://developers.google.com/protocol-buffers).

- To enable dnstap at compile time, + To enable dnstap at compile time, the fstrm and protobuf-c libraries must be available, and BIND must be configured with --enable-dnstap. diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 709145e452..71d4af36ed 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -245,7 +245,7 @@ whose assistance is gratefully acknowledged.

- To enable dnstap at compile time, + To enable dnstap at compile time, the fstrm and protobuf-c libraries must be available, and BIND must be configured with --enable-dnstap. diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index bd6d485165..29529edee8 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -449,7 +449,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

removes all A RRs for foo.dynamic.example.com using the given key.

-
   
+
 $ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"

removes all RRs for foo.dynamic.example.com using the given key. diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 3840d0fd83..3100130ba4 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -79,7 +79,7 @@ local DDNS key for use with nsupdate -l: it does this when a zone is configured with update-policy local;. - ddns-confgen is only needed when a + ddns-confgen is only needed when a more elaborate configuration is required: for instance, if nsupdate is to be used from a remote system. diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index a71cb182de..27e1914b3a 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -414,7 +414,7 @@

+[no]all

Set or clear the display options - +[no]comments, + +[no]comments, +[no]rrcomments, and +[no]trust as a group.

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index b6cbce36d5..f303ed742e 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -92,7 +92,7 @@

The IN and CH class names overlap with the IN and CH top level domain names. Either use the -t and - -c options to specify the type and class, + -c options to specify the type and class, use the -q the specify the domain name, or use "IN." and "CH." when looking up these top level domains.

@@ -789,7 +789,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr reply from the server. If you'd like to turn off the IDN support for some reason, defines the IDN_DISABLE environment variable. - The IDN support is disabled if the variable is set when + The IDN support is disabled if the variable is set when dig runs.

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 4a41e20dcb..35b0d0ddda 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -68,7 +68,7 @@

-l domain

- Check for a DLV record in the specified lookaside domain, + Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone's parent. For example, to check for DLV records for "example.com" in ISC's DLV zone, use: diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 84910a5bb5..f7fe0c3161 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -97,7 +97,7 @@

The length of time to check for DNSSEC coverage. Key events scheduled further into the future than duration - will be ignored, and assumed to be correct. + will be ignored, and assumed to be correct.

The value of duration can be set in seconds, diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 84c17bb66f..ed468f25d8 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -113,7 +113,7 @@

Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS - records and printed. Useful only in zone file mode. + records and printed. Useful only in zone file mode.

-l domain

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 509d00f602..70750fe0df 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -300,7 +300,7 @@

If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero.

@@ -332,7 +332,7 @@ footprint).

-

dnssec-keyfromlabel +

dnssec-keyfromlabel creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index d37c6c66a6..fadad71da0 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -346,7 +346,7 @@

If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero.

@@ -379,7 +379,7 @@ footprint).

-

dnssec-keygen +

dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index ffb89b290e..e4768c5281 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -84,8 +84,8 @@ fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be - set to the present time. If no other values are specified, - then the key's publication and activation dates will also + set to the present time. If no other values are specified, + then the key's publication and activation dates will also be set to the present time.

-K directory
@@ -197,7 +197,7 @@

If the key is being set to be an explicit successor to another - key, then the default prepublication interval is 30 days; + key, then the default prepublication interval is 30 days; otherwise it is zero.

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index fb9b0957c4..3cadb9f391 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -92,7 +92,7 @@ (-S) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with $INCLUDE. This option - cannot be combined with -O raw, + cannot be combined with -O raw, -O map, or serial number updating.

-E engine
@@ -346,7 +346,7 @@

Normally, when a previously-signed zone is passed as input to the signer, and a DNSKEY record has been removed and - replaced with a new one, signatures from the old key + replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset. The -Q @@ -409,7 +409,7 @@

If the key's activation date is set and in the past, the key is published (regardless of publication date) and - used to sign the zone. + used to sign the zone.

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index a028258090..b5eae32ba2 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -196,7 +196,7 @@ /etc/resolv.conf.

- The -s option tells host + The -s option tells host not to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior. @@ -216,7 +216,7 @@

IDN SUPPORT

If host has been built with IDN (internationalized - domain name) support, it can accept and display non-ASCII domain names. + domain name) support, it can accept and display non-ASCII domain names. host appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index a86257fa44..a9500635cd 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -57,7 +57,7 @@ server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.

-

lwresd +

lwresd listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that lwresd can only be used by @@ -141,7 +141,7 @@ trace, record, size, and - mctx. + mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>.

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 487c324ba0..97caa68a23 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -230,7 +230,7 @@
-r mode

Check for records that are treated as different by DNSSEC but - are semantically equal in plain DNS. + are semantically equal in plain DNS. Possible modes are "fail", "warn" (default) and "ignore". diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index e230f04c5c..54e33a2810 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -53,10 +53,10 @@

named-journalprint prints the contents of a zone journal file in a human-readable - form. + form.

- Journal files are automatically created by named + Journal files are automatically created by named when changes are made to dynamic zones (e.g., by nsupdate). They record each addition or deletion of a resource record, in binary format, allowing the diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 605e119166..83188a6739 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -574,7 +574,7 @@ operations (such as signing or generating NSEC3 chains) is stored in the zone in the form of DNS resource records of type - sig-signing-type. + sig-signing-type. rndc signing -list converts these records into a human-readable form, indicating which keys are currently signing @@ -600,7 +600,7 @@ flags, iterations, and salt, in that order.

- Currently, the only defined value for hash algorithm + Currently, the only defined value for hash algorithm is 1, representing SHA-1. The flags may be set to 0 or 1, diff --git a/doc/arm/notes.html b/doc/arm/notes.html index e126d78c16..54844749b0 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -206,7 +206,7 @@ whose assistance is gratefully acknowledged.

- To enable dnstap at compile time, + To enable dnstap at compile time, the fstrm and protobuf-c libraries must be available, and BIND must be configured with --enable-dnstap.