ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

regen master

Browse Source
This commit is contained in:
Tinderbox User
2017-09-01 01:11:29 +00:00
parent 0996c94099
commit e640ea9343
8 changed files with 249 additions and 193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
bin/dnssec/dnssec-keyfromlabel.8
View File

@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. These values are case insensitive\&.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
@@ -63,14 +63,20 @@ option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&.
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
\fB\-3\fR
option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
.sp
Note 2: DH automatically sets the \-k flag\&.
As of BIND 9\&.12\&.0, this option is mandatory except when using the
\fB\-S\fR
option (which copies the algorithm from the predecessory key)\&. Previously, the default for newly generated keys was RSASHA1\&.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&.
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-E \fIengine\fR

64
bin/dnssec/dnssec-keyfromlabel.html
View File

@@ -92,7 +92,6 @@
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
@@ -102,20 +101,27 @@
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
</p>
<p>
Note 2: DH automatically sets the -k flag.
As of BIND 9.12.0, this option is mandatory except when using
the <code class="option">-S</code> option (which copies the algorithm from
the predecessory key). Previously, the default for newly
generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
@@ -367,28 +373,28 @@
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>

42
bin/dnssec/dnssec-keygen.8
View File

@@ -48,34 +48,42 @@ generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034\&. I
The
\fBname\fR
of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
.PP
The
\fBdnssec\-keymgr\fR
command acts as a wrapper around
\fBdnssec\-keygen\fR, generating and updating keys as needed to enforce defined security policies such as key rollover scheduling\&. Using
\fBdnssec\-keymgr\fR
may be preferable to direct use of
\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY keys, the value must be one of DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512; specifying any of these algorithms will automatically set the
\fB\-T KEY\fR
option as well\&. (Note:
\fBtsig\-keygen\fR
produces TSIG keys in a more useful format than
\fBdnssec\-keygen\fR\&.)
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
\fB\-3\fR
option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&. For TSIG, HMAC\-MD5 is mandatory\&.
.sp
Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option\&.
As of BIND 9\&.12\&.0, this option is mandatory except when using the
\fB\-S\fR
option (which copies the algorithm from the predecessor key)\&. Previously, the default for newly generated keys was RSASHA1\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
The key size does not need to be specified if using a default algorithm\&. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with
\fB\-f KSK\fR)\&. However, if an algorithm is explicitly specified with the
\fB\-a\fR, then there is no default key size, and the
\fB\-b\fR
must be used\&.
If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
\fB\-f KSK\fR) default to 2048 bits\&.
.RE
.PP
\-n \fInametype\fR
@@ -87,7 +95,9 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&.
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-C
@@ -191,7 +201,9 @@ Specifies the strength value of the key\&. The strength is a number between 0 an
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY\&.
Specifying any TSIG algorithm (HMAC\-* or DH) with
\fB\-a\fR
forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR

118
bin/dnssec/dnssec-keygen.html
View File

@@ -82,6 +82,13 @@
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
<p>
The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
as needed to enforce defined security policies such as key rollover
scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
</div>
<div class="refsection">
@@ -95,27 +102,26 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
or HMAC-SHA512; specifying any of these algorithms will
automatically set the <code class="option">-T KEY</code> option as well.
(Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
As of BIND 9.12.0, this option is mandatory except when using
the <code class="option">-S</code> option (which copies the algorithm from
the predecessor key). Previously, the default for newly
generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
@@ -130,13 +136,11 @@
this parameter.
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
If the key size is not specified, some algorithms have
pre-defined defaults. For example, RSA keys for use as
DNSSEC zone signing keys have a default size of 1024 bits;
RSA keys for use as key signing keys (KSKs, generated with
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
@@ -144,22 +148,20 @@
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
@@ -320,8 +322,8 @@
<p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
Specifying any TSIG algorithm (HMAC-* or DH) with
<code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
@@ -425,28 +427,28 @@
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>

11
doc/arm/Bv9ARM.ch09.html
View File

@@ -487,6 +487,17 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> no longer has default
algorithm settings. It is necessary to explicitly specify the
algorithm on the command line with the <code class="option">-a</code> option
when generating keys. This may cause errors with existing signing
scripts if they rely on current defaults. The intent is to
reduce the long-term cost of transitioning to newer algorithms in
the event of RSASHA1 being deprecated. [RT #44755]
</p>
</li>
<li class="listitem">
<p>
Threads in <span class="command"><strong>named</strong></span> are now set to human-readable

64
doc/arm/man.dnssec-keyfromlabel.html
View File

@@ -110,7 +110,6 @@
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
@@ -120,20 +119,27 @@
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
</p>
<p>
Note 2: DH automatically sets the -k flag.
As of BIND 9.12.0, this option is mandatory except when using
the <code class="option">-S</code> option (which copies the algorithm from
the predecessory key). Previously, the default for newly
generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
@@ -385,28 +391,28 @@
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>

118
doc/arm/man.dnssec-keygen.html
View File

@@ -100,6 +100,13 @@
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
<p>
The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
as needed to enforce defined security policies such as key rollover
scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
</div>
<div class="refsection">
@@ -113,27 +120,26 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
or HMAC-SHA512; specifying any of these algorithms will
automatically set the <code class="option">-T KEY</code> option as well.
(Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
As of BIND 9.12.0, this option is mandatory except when using
the <code class="option">-S</code> option (which copies the algorithm from
the predecessor key). Previously, the default for newly
generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
@@ -148,13 +154,11 @@
this parameter.
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
If the key size is not specified, some algorithms have
pre-defined defaults. For example, RSA keys for use as
DNSSEC zone signing keys have a default size of 1024 bits;
RSA keys for use as key signing keys (KSKs, generated with
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
@@ -162,22 +166,20 @@
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
@@ -338,8 +340,8 @@
<p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
Specifying any TSIG algorithm (HMAC-* or DH) with
<code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
@@ -443,28 +445,28 @@
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>

11
doc/arm/notes.html
View File

@@ -448,6 +448,17 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> no longer has default
algorithm settings. It is necessary to explicitly specify the
algorithm on the command line with the <code class="option">-a</code> option
when generating keys. This may cause errors with existing signing
scripts if they rely on current defaults. The intent is to
reduce the long-term cost of transitioning to newer algorithms in
the event of RSASHA1 being deprecated. [RT #44755]
</p>
</li>
<li class="listitem">
<p>
Threads in <span class="command"><strong>named</strong></span> are now set to human-readable