diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 519a5b8504..f3aba1bf34 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. These values are case insensitive\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
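Review bot: the context around the changed line, "If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, in which case NSEC3RSASHA1 will be used instead", is left standing, yet this same file goes on to add "As of BIND 9.12.0, this option is mandatory". The dnssec-keygen.8 hunk deletes that default-algorithm sentence; delete it here as well (it also survives in dnssec-keyfromlabel.html and doc/arm/man.dnssec-keyfromlabel.html), otherwise the page documents a default that no longer exists.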
@@ -63,14 +63,20 @@ option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
.sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&.
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
+\fB\-3\fR
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
.sp
-Note 2: DH automatically sets the \-k flag\&.
+As of BIND 9\&.12\&.0, this option is mandatory except when using the
+\fB\-S\fR
+option (which copies the algorithm from the predecessory key)\&. Previously, the default for newly generated keys was RSASHA1\&.
.RE
.PP
\-3
.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-E \fIengine\fR
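Review bot: "predecessory key" is a typo for "predecessor key" (the dnssec-keygen.8 hunk spells it correctly); the same misspelling is in the dnssec-keyfromlabel.html and doc/arm copies. The -3 example added here, `\fBdnssec\-keygen \-3a RSASHA1\fR`, was lifted from the dnssec-keygen page; on the dnssec-keyfromlabel page it should invoke dnssec-keyfromlabel. It is also worth deciding whether the surviving context "(If -3 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)" still describes the behaviour, since the new -3 text says the NSEC3 variant is simply selected.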
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index 80824f1053..7f12b15279 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -92,7 +92,6 @@
algorithm must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- These values are case insensitive.
If no algorithm is specified, then RSASHA1 will be used by @@ -102,20 +101,27 @@ that algorithm will be checked for compatibility with NSEC3.)
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm, and DSA is recommended.
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the -3 option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
- Note 2: DH automatically sets the -k flag.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the -S option (which copies the algorithm from
+ the predecessory key). Previously, the default for newly
+ generated keys was RSASHA1.
Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm.
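Review bot: same three issues as in the roff page: "predecessory key" for "predecessor key", a -3 example that names dnssec-keygen on the dnssec-keyfromlabel page, and the unchanged "If no algorithm is specified, then RSASHA1 will be used by default" sentence sitting above the new "this option is mandatory" paragraph. Fix the source once and regenerate both outputs together so the .8 and .html copies do not drift.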
engineinterval- Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. -
-- If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. -
-- As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. -
-+ Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. +
++ If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. +
++ As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. +
+ diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index f60f93986d..548f5e7842 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 
@@ -48,34 +48,42 @@ generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034\&. I The \fBname\fR of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&. +.PP +The +\fBdnssec\-keymgr\fR +command acts as a wrapper around +\fBdnssec\-keygen\fR, generating and updating keys as needed to enforce defined security policies such as key rollover scheduling\&. Using +\fBdnssec\-keymgr\fR +may be preferable to direct use of +\fBdnssec\-keygen\fR\&. .SH "OPTIONS" .PP \-a \fIalgorithm\fR .RS 4 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY keys, the value must be one of DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512; specifying any of these algorithms will automatically set the +\fB\-T KEY\fR +option as well\&. (Note: +\fBtsig\-keygen\fR +produces TSIG keys in a more useful format than +\fBdnssec\-keygen\fR\&.) .sp -If no algorithm is specified, then RSASHA1 will be used by default, unless the +These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the \fB\-3\fR -option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If -\fB\-3\fR -is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.) 
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&. .sp -Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&. For TSIG, HMAC\-MD5 is mandatory\&. -.sp -Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option\&. +As of BIND 9\&.12\&.0, this option is mandatory except when using the +\fB\-S\fR +option (which copies the algorithm from the predecessor key)\&. Previously, the default for newly generated keys was RSASHA1\&. .RE .PP \-b \fIkeysize\fR .RS 4 Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&. .sp -The key size does not need to be specified if using a default algorithm\&. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with -\fB\-f KSK\fR)\&. However, if an algorithm is explicitly specified with the -\fB\-a\fR, then there is no default key size, and the -\fB\-b\fR -must be used\&. +If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with +\fB\-f KSK\fR) default to 2048 bits\&. .RE .PP \-n \fInametype\fR 
@@ -87,7 +95,9 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a .PP \-3 .RS 4 -Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&. +Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example, +\fBdnssec\-keygen \-3a RSASHA1\fR +specifies the NSEC3RSASHA1 algorithm\&. .RE .PP \-C @@ -191,7 +201,9 @@ Specifies the strength value of the key\&. The strength is a number between 0 an Specifies the resource record type to use for the key\&. \fBrrtype\fR must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&. -Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY\&. +Specifying any TSIG algorithm (HMAC\-* or DH) with +\fB\-a\fR +forces this option to KEY\&. .RE .PP \-t \fItype\fR diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 9047ac3912..5cfc5e34c2 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -82,6 +82,13 @@ line. For DNSSEC keys, this must match the name of the zone for which the key is being generated. ++ The dnssec-keymgr command acts as a wrapper + around dnssec-keygen, generating and updating keys + as needed to enforce defined security policies such as key rollover + scheduling. Using dnssec-keymgr may be preferable + to direct use of dnssec-keygen. +
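Review bot: the new -b text in dnssec-keygen.8, "If the key size is not specified, some algorithms have pre-defined defaults", drops the one fact a signing script author needs: what happens when -b is omitted for an algorithm that has no default. The removed text said -b "must be used" in that case; state the actual behaviour (an error, or a built-in size) and list the algorithms that carry defaults instead of "some". Two more points in the same file: the -3 rewrite removes the sentence naming RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 as NSEC3-capable and no longer says what -3 does with an algorithm that has no NSEC3 variant (the old text said it was "checked for compatibility with NSEC3"); keep that information. And "tsig-keygen produces TSIG keys in a more useful format than dnssec-keygen" is a judgement, not a description; say what the format is. Separately, the -i interval hunk in dnssec-keyfromlabel.html just above removes and re-adds identical paragraphs; if only whitespace or markup changed, that belongs in a separate cleanup commit.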
algorithm must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- For TSIG/TKEY, the value must
- be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
- HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
- case insensitive.
+ ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
+ TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
+ HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
+ or HMAC-SHA512; specifying any of these algorithms will
+ automatically set the -T KEY option as well.
+ (Note: tsig-keygen produces TSIG keys in a
+ more useful format than dnssec-keygen.)
- If no algorithm is specified, then RSASHA1 will be used by
- default, unless the -3 option is specified,
- in which case NSEC3RSASHA1 will be used instead. (If
- -3 is used and an algorithm is specified,
- that algorithm will be checked for compatibility with NSEC3.)
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the -3 option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is - mandatory. -
-
- Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
- automatically set the -T KEY option.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the -S option (which copies the algorithm from
+ the predecessor key). Previously, the default for newly
+ generated keys was RSASHA1.
keysize
- The key size does not need to be specified if using a default
- algorithm. The default key size is 1024 bits for zone signing
- keys (ZSKs) and 2048 bits for key signing keys (KSKs,
- generated with -f KSK). However, if an
- algorithm is explicitly specified with the -a,
- then there is no default key size, and the -b
- must be used.
+ If the key size is not specified, some algorithms have
+ pre-defined defaults. For example, RSA keys for use as
+ DNSSEC zone signing keys have a default size of 1024 bits;
+ RSA keys for use as key signing keys (KSKs, generated with
+ -f KSK) default to 2048 bits.
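Review bot: the dnssec-keygen.html -a and -b paragraphs mirror dnssec-keygen.8 and carry the same gaps: the -b text no longer says what happens when the size is omitted for an algorithm with no default, and the tsig-keygen note calls its output "more useful" without saying what it is. Settle the wording in the source these pages are generated from and regenerate this file and doc/arm/man.dnssec-keygen.html from it rather than editing the copies by hand.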
nametype
Specifies the owner type of the key. The value of
nametype must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
- a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are case insensitive. Defaults to ZONE for DNSKEY
- generation.
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 - algorithms are NSEC3-capable. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm.
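Review bot: the nametype hunk is a reflow only; the removed and added text are identical apart from line breaks, which adds noise to a documentation diff that is already hard to review. The -3 hunk that follows drops the sentence listing which algorithms are NSEC3-capable and the statement that an explicitly given algorithm is checked for NSEC3 compatibility; a reader who passes -3 with an algorithm that has no NSEC3 variant is left without an answer, so keep both facts in the new text.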
- Using any TSIG algorithm (HMAC-* or DH) forces this option
- to KEY.
+ Specifying any TSIG algorithm (HMAC-* or DH) with
+ -a forces this option to KEY.
typeinterval- Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. -
-- If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. -
-- As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. -
-+ Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. +
++ If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. +
++ As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. +
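Review bot: in the -T hunk, "any TSIG algorithm (HMAC-* or DH)" is inconsistent with the -a text on the same page, which lists DH under "TSIG/TKEY keys"; DH is the TKEY case, so write "any TSIG/TKEY algorithm (HMAC-* or DH)" while the sentence is being touched. The -i interval hunk that follows removes and re-adds the same paragraphs verbatim; if only whitespace or markup changed, it would be clearer in a separate cleanup commit.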
+
+ dnssec-keygen no longer has default
+ algorithm settings. It is necessary to explicitly specify the
+ algorithm on the command line with the -a option
+ when generating keys. This may cause errors with existing signing
+ scripts if they rely on current defaults. The intent is to
+ reduce the long-term cost of transitioning to newer algorithms in
+ the event of RSASHA1 being deprecated. [RT #44755]
+
Threads in named are now set to human-readable
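Review bot: the release note says it "is necessary to explicitly specify the algorithm on the command line with the -a option when generating keys", but the man page text in this same change exempts -S (the algorithm is copied from the predecessor key). Mention the -S exception here, and say whether dnssec-keyfromlabel is affected in the same way, since its man page receives the same "this option is mandatory" sentence. "This may cause errors with existing signing scripts" is the operational warning operators will look for; consider leading with it.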
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 52c8e280d4..a80861e3b9 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -110,7 +110,6 @@
algorithm must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- These values are case insensitive.
If no algorithm is specified, then RSASHA1 will be used by @@ -120,20 +119,27 @@ that algorithm will be checked for compatibility with NSEC3.)
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm, and DSA is recommended.
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the -3 option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
- Note 2: DH automatically sets the -k flag.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the -S option (which copies the algorithm from
+ the predecessory key). Previously, the default for newly
+ generated keys was RSASHA1.
Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm.
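Review bot: this doc/arm copy repeats the dnssec-keyfromlabel.html problems: "predecessory key" for "predecessor key", a -3 example that names dnssec-keygen on the dnssec-keyfromlabel page, and the surviving "If no algorithm is specified, then RSASHA1 will be used by default" sentence that contradicts the new "this option is mandatory" paragraph. Regenerate it from the corrected source rather than patching the copy.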
engineinterval- Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. -
-- If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. -
-- As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. -
-+ Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. +
++ If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. +
++ As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. +
++ The dnssec-keymgr command acts as a wrapper + around dnssec-keygen, generating and updating keys + as needed to enforce defined security policies such as key rollover + scheduling. Using dnssec-keymgr may be preferable + to direct use of dnssec-keygen. +
algorithm must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- For TSIG/TKEY, the value must
- be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
- HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
- case insensitive.
+ ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
+ TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
+ HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
+ or HMAC-SHA512; specifying any of these algorithms will
+ automatically set the -T KEY option as well.
+ (Note: tsig-keygen produces TSIG keys in a
+ more useful format than dnssec-keygen.)
- If no algorithm is specified, then RSASHA1 will be used by
- default, unless the -3 option is specified,
- in which case NSEC3RSASHA1 will be used instead. (If
- -3 is used and an algorithm is specified,
- that algorithm will be checked for compatibility with NSEC3.)
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the -3 option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is - mandatory. -
-
- Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
- automatically set the -T KEY option.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the -S option (which copies the algorithm from
+ the predecessor key). Previously, the default for newly
+ generated keys was RSASHA1.
keysize
- The key size does not need to be specified if using a default
- algorithm. The default key size is 1024 bits for zone signing
- keys (ZSKs) and 2048 bits for key signing keys (KSKs,
- generated with -f KSK). However, if an
- algorithm is explicitly specified with the -a,
- then there is no default key size, and the -b
- must be used.
+ If the key size is not specified, some algorithms have
+ pre-defined defaults. For example, RSA keys for use as
+ DNSSEC zone signing keys have a default size of 1024 bits;
+ RSA keys for use as key signing keys (KSKs, generated with
+ -f KSK) default to 2048 bits.
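Review bot: the doc/arm copy of the dnssec-keygen -a and -b text has the same gaps as bin/dnssec/dnssec-keygen.html: -b no longer says what happens when the size is omitted for an algorithm without a default, and "more useful format" for tsig-keygen names no format. Regenerate this file from the corrected source so the two HTML copies stay identical.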
nametype
Specifies the owner type of the key. The value of
nametype must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
- a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are case insensitive. Defaults to ZONE for DNSKEY
- generation.
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 - algorithms are NSEC3-capable. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm.
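Review bot: as in the bin/dnssec copy, the nametype hunk here is a line-break-only reflow, and the -3 hunk drops both the list of NSEC3-capable algorithms and the statement that a given algorithm is checked for NSEC3 compatibility; restore those two facts in the new wording.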
- Using any TSIG algorithm (HMAC-* or DH) forces this option
- to KEY.
+ Specifying any TSIG algorithm (HMAC-* or DH) with
+ -a forces this option to KEY.
typeinterval- Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. -
-- If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. -
-- As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. -
-+ Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. +
++ If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. +
++ As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. +
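Review bot: the -T sentence here keeps the "TSIG algorithm (HMAC-* or DH)" wording that conflicts with -a listing DH under TSIG/TKEY; use "TSIG/TKEY algorithm" as in the other copy. The -i interval hunk is again a verbatim remove/re-add of the same paragraphs and should be split out if it is whitespace or markup only.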
+
+ dnssec-keygen no longer has default
+ algorithm settings. It is necessary to explicitly specify the
+ algorithm on the command line with the -a option
+ when generating keys. This may cause errors with existing signing
+ scripts if they rely on current defaults. The intent is to
+ reduce the long-term cost of transitioning to newer algorithms in
+ the event of RSASHA1 being deprecated. [RT #44755]
+
Threads in named are now set to human-readable
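Review bot: this second copy of the release note has the same omission as the first: no mention of the -S exception that the man page text grants, and no word on whether dnssec-keyfromlabel is affected. Keep the two note copies identical when fixing it.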