Compare commits

..

3 Commits

Author SHA1 Message Date
peterd
fa5b7371c9 updated Bv9ARM.xml ch five 2020-04-23 10:38:34 +00:00
peterd
1629db4804 updated Bv9ARM.xml ch five 2020-04-23 10:18:15 +00:00
peterd
3c28decfa6 updated Arm ch05 2020-04-23 09:33:05 +00:00
3016 changed files with 137872 additions and 115972 deletions

View File

@@ -11,7 +11,6 @@ BraceWrapping:
AfterFunction: false # should also be MultiLine, but not yet supported
AfterExternBlock: false
BeforeElse: false
BeforeWhile: false
IndentBraces: false
SplitEmptyFunction: true
AllowShortIfStatementsOnASingleLine: false
@@ -20,7 +19,6 @@ AlwaysBreakAfterReturnType: All
Cpp11BracedListStyle: false
ColumnLimit: 80
AlignAfterOpenBracket: Align
AlignConsecutiveBitFields: true
AlignConsecutiveDeclarations: false
AlignConsecutiveMacros: true
AlignTrailingComments: true
@@ -64,7 +62,6 @@ IncludeCategories:
Priority: 1
- Regex: '.*'
Priority: 0
IndentExternBlock: NoIndent
KeepEmptyLinesAtTheStartOfBlocks: false
MaxEmptyLinesToKeep: 1
PenaltyBreakAssignment: 30

View File

@@ -11,7 +11,6 @@ BraceWrapping:
AfterFunction: false # should also be MultiLine, but not yet supported
AfterExternBlock: false
BeforeElse: false
BeforeWhile: false
IndentBraces: false
SplitEmptyFunction: true
AllowShortIfStatementsOnASingleLine: false
@@ -20,7 +19,6 @@ AlwaysBreakAfterReturnType: All
Cpp11BracedListStyle: false
ColumnLimit: 80
AlignAfterOpenBracket: Align
AlignConsecutiveBitFields: true
AlignConsecutiveDeclarations: true
AlignConsecutiveMacros: true
AlignTrailingComments: true
@@ -52,7 +50,6 @@ IncludeCategories:
Priority: 1
- Regex: '".*"'
Priority: 9
IndentExternBlock: NoIndent
KeepEmptyLinesAtTheStartOfBlocks: false
MaxEmptyLinesToKeep: 1
PenaltyBreakAssignment: 30

View File

@@ -106,9 +106,6 @@
(list
"--enable=all"
"--suppress=missingIncludeSystem"
"--suppress=nullPointerRedundantCheck"
(concat "--suppressions-list=" (expand-file-name
(concat directory-of-current-dir-locals-file "util/suppressions.txt")))
(concat "-include=" (expand-file-name
(concat directory-of-current-dir-locals-file "config.h")))
)

2
.gitattributes vendored
View File

@@ -1,8 +1,6 @@
*.sln.in eol=crlf
*.vcxproj.* eol=crlf
/fuzz/dns_rdata_fromwire_text.in/input-* -text
.gitignore export-ignore
/conftools export-ignore
/doc/design export-ignore

36
.gitignore vendored
View File

@@ -14,7 +14,6 @@
*_test
*.ipch # vscode/intellisense precompiled header
*~
__pycache__/
.ccache/
.cproject
.deps/
@@ -39,6 +38,7 @@ __pycache__/
/depcomp
/install-sh
/isc-config.sh
/libltdl/*
/libtool
/ltmain.sh
/m4/libtool.m4
@@ -56,45 +56,13 @@ Makefile
Makefile.in
ans.run
gen.dSYM/
kyua.log
named.memstats
named.run
timestamp
/compile_commands.json
# Gets generated by Build Ear (bear)
/compile_commands.commands.json
/cppcheck_html/
/cppcheck.results
/tsan
/util/check-make-install
/INSTALL
doc/man/dnssec-cds.8in
doc/man/dnssec-checkds.8in
doc/man/dnssec-coverage.8in
doc/man/dnssec-dsfromkey.8in
doc/man/dnssec-importkey.8in
doc/man/dnssec-keyfromlabel.8in
doc/man/dnssec-keygen.8in
doc/man/dnssec-keymgr.8in
doc/man/dnssec-revoke.8in
doc/man/dnssec-settime.8in
doc/man/dnssec-signzone.8in
doc/man/dnssec-verify.8in
doc/man/named-checkconf.8in
doc/man/named-checkzone.8in
doc/man/named-journalprint.8in
doc/man/named-nzd2nzf.8in
doc/man/nsec3hash.8in
doc/man/pkcs11-destroy.8in
doc/man/pkcs11-keygen.8in
doc/man/pkcs11-list.8in
doc/man/pkcs11-tokens.8in
# clangd index directory
/\.cache/
# GNU Global index files
/GPATH
/GRTAGS
/GTAGS
# Emacs specific files
\.dir-locals-2.el
/emacs.desktop
/emacs.desktop-lock

File diff suppressed because it is too large Load Diff

View File

@@ -1,32 +0,0 @@
<!--
THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE.
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### CVE-specific actions
- [ ] Assign a CVE identifier
- [ ] Determine CVSS score
- [ ] Determine the range of BIND versions affected (including the Subscription Edition)
- [ ] Determine whether workarounds for the problem exists
- [ ] Prepare a detailed description of the problem which should include the following by default:
- instructions for reproducing the problem (a system test is good enough)
- explanation of code flow which triggers the problem (a system test is *not* good enough)
- [ ] Prepare a private merge request containing the following items in separate commits:
- a test for the issue (may be moved to a separate merge request for deferred merging)
- a fix for the issue
- documentation updates (`CHANGES`, release notes, anything else applicable)
- [ ] Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
- [ ] Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- [ ] Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- [ ] Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
### Release-specific actions
- [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order

View File

@@ -1,59 +1,36 @@
## Release Schedule
**Code Freeze:**
**Tagging Deadline:**
**Public Release:**
## Documentation Review Links
**Closed issues assigned to the milestone without a release note:**
- []()
- []()
- []()
**Merge requests merged into the milestone without a release note:**
- []()
- []()
- []()
**Merge requests merged into the milestone without a `CHANGES` entry:**
- []()
- []()
- []()
## Release Checklist
### Before the Code Freeze
## 2 Working Days Before the Tagging Deadline
- [ ] ***(QA)*** Inform Support and Marketing of impending release (and give estimated release dates).
- [ ] ***(QA)*** Ensure there are no permanent test failures on any platform.
- [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
- [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
- [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
### Before the Tagging Deadline
## Before the Tagging Deadline
- [ ] ***(QA)*** Look for outstanding documentation issues (e.g. `CHANGES` mistakes) and address them if any are found.
- [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well.
- [ ] ***(QA)*** Update API files for libraries with new version information.
- [ ] ***(QA)*** Change software version and library versions in `configure.ac` (new major release only).
- [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
- [ ] ***(QA)*** Update `CHANGES`.
- [ ] ***(QA)*** Update `CHANGES.SE` (Subscription Edition only).
- [ ] ***(QA)*** Update `README.md`.
- [ ] ***(QA)*** Update `version`.
- [ ] ***(QA)*** Build documentation on `docs.isc.org`.
- [ ] ***(QA)*** Inform Support/Marketing of impending release (and give estimated release dates).
- [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
- [ ] ***(SwEng)*** Update API files for libraries with new version information.
- [ ] ***(SwEng)*** Change software version and library versions in `configure.ac` (new major release only).
- [ ] ***(SwEng)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
- [ ] ***(SwEng)*** Update `CHANGES`.
- [ ] ***(SwEng)*** Update `CHANGES.SE` (Subscription Edition only).
- [ ] ***(SwEng)*** Update `README.md`.
- [ ] ***(SwEng)*** Update `version`.
- [ ] ***(SwEng)*** Build documentation on `docs.isc.org`.
- [ ] ***(QA)*** Check that all the above steps were performed correctly.
- [ ] ***(QA)*** Check that the contents of release notes match the merge requests comprising the releases.
- [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
- [ ] ***(QA)*** Check that the formatting of the generated man pages is correct.
- [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9_x_y`).
- [ ] ***(SwEng)*** Tag the releases[^2]. (Tags may only be pushed to the public repository for releases which are *not* security releases.)
- [ ] ***(SwEng)*** If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` to allow development to continue on the maintenance branch whilst release engineering continues.
### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
## Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
- [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
- [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
@@ -64,14 +41,13 @@
- [ ] ***(QA)*** Notify Support that the releases have been prepared.
- [ ] ***(Support)*** Send out ASNs (if applicable).
### On the Day of Public Release
## On the Day of Public Release
- [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- [ ] ***(Support)*** Place tarballs in public location on FTP site.
- [ ] ***(Support)*** Publish links to downloads on ISC website.
- [ ] ***(Support)*** Write release email to *bind-announce*.
- [ ] ***(Support)*** Write email to *bind-users* (if a major release).
- [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition.
- [ ] ***(Support)*** Update tickets in case of waiting support customers.
- [ ] ***(QA)*** Build and test any outstanding private packages.
- [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).
@@ -81,11 +57,10 @@
- [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
- [ ] ***(Marketing)*** Write blog article (if a major release).
- [ ] ***(QA)*** Ensure all new tags are annotated and signed.
- [ ] ***(QA)*** Push tags for the published releases to the public repository.
- [ ] ***(QA)*** Merge the automatically prepared `prep 9.x.y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_x`).
- [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
- [ ] ***(QA)*** Prepare empty release notes for the next set of releases.
- [ ] ***(QA)*** Sanitize all confidential issues assigned to the release milestone and make them public.
- [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Flake8, PyLint) by modifying the relevant `Dockerfile`.
- [ ] ***(SwEng)*** Push tags for the published releases to the public repository.
- [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
- [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check:sid:amd64` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
[^2]: Preferred command line: `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]`, where `[alphatag]` is an optional string such as `b1`, `rc1`, etc.

View File

@@ -29,6 +29,7 @@ path_classifiers:
- "**/*.5"
- "**/*.8"
queries:
- exclude: libltdl/
- exclude: fuzz/
- exclude: "bin/tests/system/*/ans*/*.py"
- exclude: cpp/use-of-goto

View File

@@ -4,4 +4,3 @@ disable=
C0115, # missing-class-docstring
C0116, # missing-function-docstring
R0801, # duplicate-code
C0103, # invalid-name

797
CHANGES
View File

@@ -1,808 +1,29 @@
5592. [bug] Add globally available thread_id (isc_tid_v) that's
incremented for each new thread, but the old thread
ids are reused, so the maximum thread_id always
correspond to the maximum number of threads running
at the time. This fixes the hazard pointer tables
overflow on machines with many cores. [GL #2396]
5591. [bug] Fix a crash happening when "stale-answer-client-timeout"
is triggered and there is no (stale) data for it in the
cache. [GL #2503]
5590. [bug] Process NSEC3PARAM queue when loading a dynamic zone.
This will immediately create NSEC3 records for zones
that use "dnssec-policy" and "nsec3param". [GL #2498]
5589. [placeholder]
5588. [func] Add "purge-keys" option to "dnssec-policy". This sets
the time how long key files should be retained after
they have become obsolete. [GL #2408]
5587. [bug] A standalone libtool script no longer needs to be
present in PATH in order to build BIND 9 from a source
tarball prepared using "make dist". [GL #2504]
5586. [bug] An invalid direction field in a LOC record resulted in
an INSIST failure. [GL #2499]
5585. [func] Implementations of memory contexts and memory pools were
refactored to reduce lock contention for shared memory
contexts by replacing mutexes with atomic operations.
The internal memory allocator was simplified so that it
is only a thin wrapper around the system allocator.
Since this change makes the "-M external" named option
redundant, the latter was removed. [GL #2433]
5584. [bug] Rollback setting IP_DONTFRAG option on the UDP sockets.
[GL #2487]
5583. [func] Changes to DoH configuration syntax:
- When "http" is specified in "listen-on" or
"listen-on-v6" statements, "tls" must also now
be specified. If an unencrypted connection is
desired (for example, when running behind a
reverse proxy), use "tls none".
- "http default" can how be specified in "listen-on"
and "listen-on-v6" statements to use the default
HTTP endpoint, "/dns-query". It is no longer
necessary to include an "http" statement in
named.conf unless overriding this value.
[GL #2472]
5582. [bug] BIND 9 failed to build when static OpenSSL libraries
were used and the *.pc files for libssl and/or libcrypto
were unavailable. This has been fixed by ensuring the
correct linking order for libssl and libcrypto is always
used. [GL #2402]
5581. [bug] Fix memory leak happening when inline-signed zones
were added to the configuration followed by a
reconfiguration of named. [GL #2041]
5580. [test] The system test framework no longer differentiates
between SKIPPED and UNTESTED system test results. Any
system test which is not run is now marked as SKIPPED.
[GL !4517]
5579. [bug] If an invalid key name (e.g. "a..b") is
specified in an primaries list in named.conf
the wrong size is passed to isc_mem_put
resulting in the returned memory being put
on the wrong freed list. [GL #2460]
--- 9.17.10 released ---
5578. [protocol] Make "check-names" accept A records below "_spf",
"_spf_rate", and "_spf_verify" labels in order to cater
for the "exists" SPF mechanism specified in RFC 7208
section 5.7 and appendix D.1. [GL #2377]
5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by
correctly implementing Equation (2) of the "Flexible and
Robust Key Rollover" paper. [GL #2375]
5576. [experimental] Initial server-side implementation of DNS-over-HTTPS
(DoH). Support for both TLS-encrypted and unencrypted
HTTP/2 connections has been added to the network manager
and integrated into named. (Note: there is currently no
client-side support for DNS-over-HTTPS; this will be
added to dig in a future release.) [GL #1144]
5575. [bug] When migrating to KASP, BIND 9 considered keys with the
"Inactive" and/or "Delete" timing metadata to be
possible active keys. This has been fixed. [GL #2406]
5574. [func] Incoming zone transfers can now use TLS. Addresses in a
"primaries" list take an optional "tls" argument,
specifying either a previously configured "tls" block or
"ephemeral"; SOA queries and zone transfer requests are
then sent via TLS. [GL #2392]
5573. [func] When serve-stale is enabled and stale data is available,
named now returns stale answers upon encountering any
unexpected error in the query resolution process.
However, the "stale-refresh-time" window is still only
started upon a timeout. [GL #2434]
5572. [bug] Address potential double free in generatexml().
[GL #2420]
5571. [bug] named failed to start when its configuration included a
zone with a non-builtin "allow-update" ACL attached.
[GL #2413]
5570. [bug] Improve performance of the DNSSEC verification code by
reducing the number of repeated calls to
dns_dnssec_keyfromrdata(). [GL #2073]
5569. [bug] Emit useful error message when "rndc retransfer" is
applied to a zone of inappropriate type. [GL #2342]
5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
keys. [GL #2178]
5567. [bug] Dig now reports unknown dash options while pre-parsing
the options. This prevents "-multi" instead of "+multi"
from reporting memory usage before ending option parsing
with "Invalid option: -lti". [GL #2403]
5566. [func] Add "stale-answer-client-timeout" option, which is the
amount of time a recursive resolver waits before
attempting to answer the query using stale data from
cache. [GL #2247]
5565. [func] The SONAMEs for BIND 9 libraries now include the current
BIND 9 version number, in an effort to tightly couple
internal libraries with a specific release. [GL #2387]
5564. [cleanup] Network manager's TLSDNS module was refactored to use
libuv and libssl directly instead of a stack of TCP/TLS
sockets. [GL #2335]
5563. [cleanup] Changed several obsolete configuration options to
ancient, making them fatal errors. Also cleaned up the
number of clause flags in the configuration parser.
[GL #1086]
5562. [placeholder]
5561. [bug] KASP incorrectly set signature validity to the value of
the DNSKEY signature validity. This is now fixed.
[GL #2383]
5560. [func] The default value of "max-stale-ttl" has been changed
from 12 hours to 1 day and the default value of
"stale-answer-ttl" has been changed from 1 second to 30
seconds, following RFC 8767 recommendations. [GL #2248]
--- 9.17.9 released ---
5559. [bug] The --with-maxminddb=PATH form of the build-time option
enabling support for libmaxminddb was not working
correctly. This has been fixed. [GL #2366]
5558. [bug] Asynchronous hook modules could trigger an assertion
failure when the fetch handle was detached too late.
Thanks to Jinmei Tatuya at Infoblox. [GL #2379]
5557. [bug] Prevent RBTDB instances from being destroyed by multiple
threads at the same time. [GL #2317]
5556. [bug] Further tweak newline printing in dnssec-signzone and
dnssec-verify. [GL #2359]
5555. [placeholder]
5554. [bug] dnssec-signzone and dnssec-verify were missing newlines
between log messages. [GL #2359]
5553. [bug] When reconfiguring named, removing "auto-dnssec" did not
turn off DNSSEC maintenance. [GL #2341]
5552. [func] When switching to "dnssec-policy none;", named now
permits a safe transition to insecure mode and publishes
the CDS and CDNSKEY DELETE records, as described in RFC
8078. [GL #1750]
5551. [bug] named no longer attempts to assign threads to CPUs
outside the CPU affinity set. Thanks to Ole Bjørn
Hessen. [GL #2245]
5550. [func] dnssec-signzone and named now log a warning when falling
back to the "increment" SOA serial method. [GL #2058]
5549. [protocol] ipv4only.arpa is now served when DNS64 is configured.
[GL #385]
5548. [placeholder]
5547. [placeholder]
--- 9.17.8 released ---
5546. [placeholder]
5545. [func] OS support for load-balanced sockets is no longer
required to receive incoming queries in multiple netmgr
threads. [GL #2137]
5544. [func] Restore the default value of "nocookie-udp-size" to 4096
bytes. [GL #2250]
5543. [bug] Fix UDP performance issues caused by making netmgr
callbacks asynchronous-only. [GL #2320]
5542. [bug] Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
[GL #2321]
5541. [func] Adjust the "max-recursion-queries" default from 75 to
100. [GL #2305]
5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
[GL #2315]
5539. [bug] Tighten handling of missing DNS COOKIE responses over
UDP by falling back to TCP. [GL #2275]
5538. [func] Add NSEC3 support to KASP. A new option for
"dnssec-policy", "nsec3param", can be used to set the
desired NSEC3 parameters. NSEC3 salt collisions are
automatically prevented during resalting. Salt
generation is now logged with zone context. [GL #1620]
5537. [func] The query plugin mechanism has been extended
to support asynchronous operations. For example, a
plugin can now trigger recursion and resume
processing when it is complete. Thanks to Jinmei
Tatuya at Infoblox. [GL #2141]
5536. [func] Dig can now report the DNS64 prefixes in use
(+dns64prefix). [GL #1154]
5535. [bug] dig/nslookup/host could crash on shutdown after an
interrupt. [GL #2287] [GL #2288]
5534. [bug] The CNAME synthesized from a DNAME was incorrectly
followed when the QTYPE was CNAME or ANY. [GL #2280]
--- 9.17.7 released ---
5533. [func] Add the "stale-refresh-time" option, a time window that
starts after a failed lookup, during which a stale RRset
is served directly from cache before a new attempt to
refresh it is made. [GL #2066]
5532. [cleanup] Unused header files were removed:
bin/rndc/include/rndc/os.h, lib/isc/timer_p.h,
lib/isccfg/include/isccfg/dnsconf.h and code related
to those files. [GL #1913]
5531. [func] Add support for DNS over TLS (DoT) to dig and named.
dig output now includes the transport protocol used.
[GL #1816] [GL #1840]
5530. [bug] dnstap did not capture responses to forwarded UPDATE
requests. [GL #2252]
5529. [func] The network manager API is now used by named to send
zone transfer requests. [GL #2016]
5528. [func] Convert dig, host, and nslookup to use the network
manager API. As a side effect of this change, "dig
+unexpected" no longer works, and has been disabled.
[GL #2140]
5527. [bug] A NULL pointer dereference occurred when creating an NTA
recheck query failed. [GL #2244]
5526. [bug] Fix a race/NULL dereference in TCPDNS read. [GL #2227]
5525. [placeholder]
5524. [func] Added functionality to the network manager to support
outgoing DNS queries in addition to incoming ones.
[GL #2235]
5523. [bug] The initial lookup in a zone transitioning to/from a
signed state could fail if the DNSKEY RRset was not
found. [GL #2236]
5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
5521. [func] All use of libltdl was dropped. libuv's shared library
handling interface is now used instead. [GL !4278]
5520. [bug] Fixed a number of shutdown races, reference counting
errors, and spurious log messages that could occur
in the network manager. [GL #2221]
5519. [cleanup] Unused source code was removed: lib/dns/dbtable.c,
lib/dns/portlist.c, lib/isc/bufferlist.c, and code
related to those files. [GL #2060]
5518. [bug] Stub zones now work correctly with primary servers using
"minimal-responses yes". [GL #1736]
5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
[GL #2208]
--- 9.17.6 released ---
5516. [func] The default EDNS buffer size has been changed from 4096
to 1232 bytes, the EDNS buffer size probing has been
removed, and named now sets the DF (Don't Fragment) flag
on outgoing UDP packets. [GL #2183]
5515. [func] Add 'rndc dnssec -rollover' command to trigger a manual
rollover for a specific key. [GL #1749]
5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
[GL #2171]
5513. [doc] The ARM section describing the "rrset-order" statement
was rewritten to make it unambiguous and up-to-date with
the source code. [GL #2139]
5512. [bug] "rrset-order" rules using "order none" were causing
named to crash despite named-checkconf treating them as
valid. [GL #2139]
5511. [bug] 'dig -u +yaml' failed to display timestamps to the
microsecond. [GL #2190]
5510. [bug] Implement the attach/detach semantics for dns_message_t
to fix a data race in accessing an already-destroyed
fctx->rmessage. [GL #2124]
5509. [bug] filter-aaaa: named crashed upon shutdown if it was in
the process of recursing for A RRsets. [GL #1040]
5508. [func] Added new parameter "-expired" for "rndc dumpdb" that
also prints expired RRsets (awaiting cleanup) to the
dump file. [GL #1870]
5507. [bug] Named could compute incorrect SIG(0) responses.
[GL #2109]
5506. [bug] Properly handle failed sysconf() calls, so we don't
report invalid memory size. [GL #2166]
5505. [bug] Updating contents of a mixed-case RPZ could cause some
rules to be ignored. [GL #2169]
5504. [func] The "glue-cache" option has been marked as deprecated.
The glue cache feature will be permanently enabled in a
future release. [GL #2146]
5503. [bug] Cleaned up reference counting of network manager
handles, now using isc_nmhandle_attach() and _detach()
instead of _ref() and _unref(). [GL #2122]
--- 9.17.5 released ---
5502. [func] 'dig +bufsize=0' no longer disables EDNS. [GL #2054]
5501. [func] Log CDS/CDNSKEY publication. [GL #1748]
5500. [bug] Fix (non-)publication of CDS and CDNSKEY records.
[GL #2103]
5499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime.
[GL #1748]
5498. [test] The --with-gperftools-profiler configure option was
removed. [GL !4045]
5497. [placeholder]
5496. [bug] Address a TSAN report by ensuring each rate limiter
object holds a reference to its task. [GL #2081]
5495. [bug] With query minimization enabled, named failed to
resolve ip6.arpa. names that had extra labels to the
left of the IPv6 part. [GL #1847]
5494. [bug] Silence the EPROTO syslog message on older systems.
[GL #1928]
5493. [bug] Fix off-by-one error when calculating new hash table
size. [GL #2104]
5492. [bug] Tighten LOC parsing to reject a period (".") and/or "m"
as a value. Fix handling of negative altitudes which are
not whole meters. [GL #2074]
5491. [bug] rbtversion->glue_table_size could be read without the
appropriate lock being held. [GL #2080]
5490. [func] Refactor readline support to use pkg-config and add
support for the editline library. [GL !3942]
5489. [bug] Named erroneously accepted certain invalid resource
records that were incorrectly processed after
subsequently being written to disk and loaded back, as
the wire format differed. Such records include: CERT,
IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
X25. [GL !3953]
5488. [bug] NTA code needed to have a weak reference on its
associated view to prevent the latter from being deleted
while NTA tests were being performed. [GL #2067]
5487. [cleanup] Update managed keys log messages to be less confusing.
[GL #2027]
5486. [func] Add 'rndc dnssec -checkds' command, which signals to
named that the DS record for a given zone or key has
been updated in the parent zone. [GL #1613]
--- 9.17.4 released ---
5485. [placeholder]
5484. [func] Expire zero TTL records quickly rather than using them
for stale answers. [GL #1829]
5483. [func] Keeping "stale" answers in cache has been disabled by
default and can be re-enabled with a new configuration
option "stale-cache-enable". [GL #1712]
5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
not yet finished after adding a new IPv6 address to the
system, BIND 9 would fail to bind to IPv6 addresses in a
tentative state. [GL #2038]
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
5479. [security] named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled. (CVE-2020-8621) [GL #1997]
5478. [security] It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message.
(CVE-2020-8620) [GL #1996]
5477. [bug] The idle timeout for connected TCP sockets, which was
previously set to a high fixed value, is now derived
from the client query processing timeout configured for
a resolver. [GL #2024]
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
overridden by other rules that were loaded from RPZ
zones which appeared later in the "response-policy"
statement. This has been fixed. [GL #1619]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
5473. [func] The RBT hash table implementation has been changed
to use a faster hash function (HalfSipHash2-4) and
Fibonacci hashing for better distribution. Setting
"max-cache-size" now preallocates a fixed-size hash
table so that rehashing does not cause resolution
brownouts while the hash table is grown. [GL #1775]
5472. [func] The statistics channel has been updated to use the
new network manager. [GL #2022]
5471. [bug] The introduction of KASP support inadvertently caused
the second field of "sig-validity-interval" to always be
calculated in hours, even in cases when it should have
been calculated in days. This has been fixed. (Thanks to
Tony Finch.) [GL !3735]
5470. [port] gsskrb5_register_acceptor_identity() is now only called
if gssapi_krb5.h is present. [GL #1995]
5469. [port] On illumos, a constant called SEC is already defined in
<sys/time.h>, which conflicts with an identically named
constant in libbind9. This conflict has been resolved.
[GL #1993]
5468. [bug] Addressed potential double unlock in process_fd().
[GL #2005]
5467. [func] The control channel and the rndc utility have been
updated to use the new network manager. To support
this, the network manager was updated to enable
the initiation of client TCP connections. Its
internal reference counting has been refactored.
Note: As a side effect of this change, rndc cannot
currently be used with UNIX-domain sockets, and its
default timeout has changed from 60 seconds to 30.
These will be addressed in a future release.
[GL #1759]
5466. [bug] Addressed an error in recursive clients stats reporting.
[GL #1719]
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
or trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]
5464. [bug] Requesting more than 128 files to be saved when rolling
dnstap log files caused a buffer overflow. This has been
fixed. [GL #1989]
5463. [placeholder]
5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
5461. [bug] The STALE rdataset header attribute was updated while
the write lock was not being held, leading to incorrect
statistics. The header attributes are now converted to
use atomic operations. [GL #1475]
5460. [cleanup] tsig-keygen was previously an alias for
ddns-confgen and was documented in the ddns-confgen
man page. This has been reversed; tsig-keygen is
now the primary name. [GL #1998]
5459. [bug] Fixed bad isc_mem_put() size when an invalid type was
specified in an "update-policy" rule. [GL #1990]
--- 9.17.3 released ---
5458. [bug] Prevent a theoretically possible NULL dereference caused
by a data race between zone_maintenance() and
dns_zone_setview_helper(). [GL #1627]
5457. [placeholder]
5456. [func] Added "primaries" as a synonym for "masters" in
named.conf, and "primary-only" as a synonym for
"master-only" in the parameters to "notify", to bring
terminology up-to-date with RFC 8499. [GL #1948]
5455. [bug] named could crash when cleaning dead nodes in
lib/dns/rbtdb.c that were being reused. [GL #1968]
5454. [bug] Address a startup crash that occurred when the server
was under load and the root zone had not yet been
loaded. [GL #1862]
5453. [bug] named crashed on shutdown when a new rndc connection was
received during shutdown. [GL #1747]
5452. [bug] The "blackhole" ACL was accidentally disabled for client
queries. [GL #1936]
5451. [func] Add 'rndc dnssec -status' command. [GL #1612]
5450. [placeholder]
5449. [bug] Fix a socket shutdown race in netmgr udp. [GL #1938]
5448. [bug] Fix a race condition in isc__nm_tcpdns_send().
[GL #1937]
5447. [bug] IPv6 addresses ending in "::" could break YAML
parsing. A "0" is now appended to such addresses
in YAML output from dig, mdig, delv, and dnstap-read.
[GL #1952]
5446. [bug] The validator could fail to accept a properly signed
RRset if an unsupported algorithm appeared earlier in
the DNSKEY RRset than a supported algorithm. It could
also stop if it detected a malformed public key.
[GL #1689]
5445. [cleanup] Disable and disallow static linking. [GL #1933]
5444. [bug] 'rndc dnstap -roll <value>' did not limit the number of
saved files to <value>. [GL !3728]
5443. [bug] The "primary" and "secondary" keywords, when used
as parameters for "check-names", were not
processed correctly and were being ignored. [GL #1949]
5442. [func] Add support for outgoing TCP connections in netmgr.
[GL #1958]
5441. [placeholder]
5440. [placeholder]
5439. [bug] The DS RRset returned by dns_keynode_dsset() was used in
a non-thread-safe manner. [GL #1926]
--- 9.17.2 released ---
5438. [bug] Fix a race in TCP accepting code. [GL #1930]
5437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr().
[GL #1808]
5436. [security] It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer.
(CVE-2020-8618) [GL #1850]
5435. [tests] Add RFC 4592 responses examples to the wildcard system
test. [GL #1718]
5434. [security] It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone
content and query patterns. (CVE-2020-8619) [GL #1111]
[GL #1718]
5433. [placeholder]
5432. [bug] Check the question section when processing AXFR, IXFR,
and SOA replies when transferring a zone in. [GL #1683]
5431. [func] Reject DS records at the zone apex when loading
master files. Log but otherwise ignore attempts to
add DS records at the zone apex via UPDATE. [GL #1798]
5430. [doc] Update docs - with netmgr, a separate listening socket
is created for each IPv6 interface (just as with IPv4).
[GL #1782]
5429. [cleanup] Move BIND binaries which are neither daemons nor
administrative programs to $bindir. [GL #1724]
5428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr
has been destroyed. Thanks to Petr Menšík. [GL !3316]
5427. [placeholder]
5426. [bug] Don't abort() when setting SO_INCOMING_CPU on the socket
fails. [GL #1911]
5425. [func] The default value of "max-stale-ttl" has been changed
from 1 week to 12 hours. [GL #1877]
5424. [bug] With KASP, when creating a successor key, the "goal"
state of the current active key (predecessor) was not
changed and thus never removed from the zone. [GL #1846]
5423. [bug] Fix a bug in keymgr_key_has_successor(): it incorrectly
returned true if any other key in the keyring had a
successor. [GL #1845]
5422. [bug] When using dnssec-policy, print correct key timing
metadata. [GL #1843]
5421. [bug] Fix a race that could cause named to crash when looking
up the nodename of an RBT node if the tree was modified.
[GL #1857]
5420. [bug] Add missing isc_{mutex,conditional}_destroy() calls
that caused a memory leak on FreeBSD. [GL #1893]
5419. [func] Add new dig command line option, "+qid=<num>", which
allows the query ID to be set to an arbitrary value.
Add a new ./configure option, --enable-singletrace,
which allows trace logging of a single query when QID is
set to 0. [GL #1851]
5418. [bug] delv failed to parse deprecated trusted-keys-style
trust anchors. [GL #1860]
5417. [cleanup] The code determining the advertised UDP buffer size in
outgoing EDNS queries has been refactored to improve its
clarity. [GL #1868]
5416. [bug] Fix a lock order inversion in lib/isc/unix/socket.c.
[GL #1859]
5415. [test] Address race in dnssec system test that led to
test failures. [GL #1852]
5414. [test] Adjust time allowed for journal truncation to occur
in nsupdate system test to avoid test failure.
[GL #1855]
5413. [test] Address race in autosign system test that led to
test failures. [GL #1852]
5412. [bug] 'provide-ixfr no;' failed to return up-to-date responses
when the serial was greater than or equal to the
current serial. [GL #1714]
5411. [cleanup] TCP accept code has been refactored to use a single
accept() and pass the accepted socket to child threads
for processing. [GL !3320]
5410. [func] Add the ability to specify per-type record count limits,
which are enforced when adding records via UPDATE, in an
"update-policy" statement. [GL #1657]
5409. [performance] When looking up NSEC3 data in a zone database, skip the
check for empty non-terminal nodes; the NSEC3 tree does
not have any. [GL #1834]
5408. [protocol] Print Extended DNS Errors if present in OPT record.
[GL #1835]
5407. [func] Zone timers are now exported via statistics channel.
Thanks to Paul Frieden, Verizon Media. [GL #1232]
5406. [func] Add a new logging category, "rpz-passthru", which allows
RPZ passthru actions to be logged in a separate channel.
[GL #54]
5405. [bug] 'named-checkconf -p' could include spurious text in
server-addresses statements due to an uninitialized DSCP
value. [GL #1812]
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
5403. [func] Do not set UDP receive/send buffer sizes - use system
defaults. [GL #1713]
5402. [bug] On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
Enable use of SO_REUSEADDR on all platforms which
support it. [GL !3365]
5401. [bug] The number of input queues allocated during dnstap
initialization was too low, which could prevent some
dnstap data from being logged. [GL #1795]
5400. [func] Add engine support to OpenSSL EdDSA implementation.
[GL #1763]
5399. [func] Add engine support to OpenSSL ECDSA implementation.
[GL #1534]
5398. [bug] Named could fail to restart if a zone with a double
quote (") in its name was added with 'rndc addzone'.
[GL #1695]
5397. [func] Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
Thanks to Aaron Thompson. [GL !3326]
5396. [func] When necessary (i.e. in libuv >= 1.37), use the
UV_UDP_RECVMMSG flag to enable recvmmsg() support in
libuv. [GL #1797]
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5394. [cleanup] Named formerly attempted to change the effective UID and
GID in named_os_openfile(), which could trigger a
spurious log message if they were already set to the
desired values. This has been fixed. [GL #1042]
[GL #1090]
5393. [cleanup] Unused and/or redundant APIs were removed from libirs.
[GL #1758]
5392. [bug] It was possible for named to crash during shutdown
or reconfiguration if an RPZ zone was still being
updated. [GL #1779]
5391. [func] The BIND 9 build system has been changed to use a
typical autoconf+automake+libtool stack. When building
from the Git repository, run "autoreconf -fi" first.
[GL #4]
5391. [func] The BIND 9 build system has been changed to use the
usual stack of autoconf+automake+libtool. [GL #4]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5390. [placeholder]
5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller
5389. [bug] Finish the PKCS#11 code cleanup, fix couple of smaller
bugs and use PKCS#11 v3.0 EdDSA macros and constants.
Thanks to Aaron Thompson. [GL !3391]
5388. [func] Reject AXFR streams where the message ID is not
5388. [func] Reject AXFR streams where the message id is not
consistent. [GL #1674]
5387. [placeholder]
5386. [cleanup] Address Coverity warnings in lib/dns/keymgr.c.
[GL #1737]
5386. [cleanup] Address Coverity warnings in keymgr.c [GL #1737]
5385. [func] Make ISC rwlock implementation the default again.
[GL #1753]
5384. [bug] With "dnssec-policy" in effect, "inline-signing" was
implicitly set to "yes". Now "inline-signing" is only
set to "yes" if the zone is not dynamic. [GL #1709]
5384. [bug] With dnssec-policy, inline-signing was implicitly set
to yes. Change and only set inline-signing to yes
if the zone is not dynamic. [GL #1709]
--- 9.17.1 released ---

View File

@@ -7,8 +7,8 @@ people.
Diversity is one of our huge strengths, but it can also lead to communication
issues and unhappiness. To that end, we have a few ground rules that we ask
people to adhere to. This code applies equally to the core development team,
open source contributors and those seeking help and guidance.
people to adhere to. This code applies equally to the core development team, open source contributors and those
seeking help and guidance.
This isn't an exhaustive list of things that you can't do. Rather, take it in
the spirit in which it's intended - a guide to make it easier to enrich all of

View File

@@ -8,8 +8,8 @@
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
## BIND 9 Source Access and Contributor Guidelines
*May 28, 2020*
## BIND Source Access and Contributor Guidelines
*Feb 22, 2018*
### Contents
@@ -19,12 +19,12 @@
### Introduction
Thank you for using BIND 9!
Thank you for using BIND!
BIND is open source software that implements the Domain Name System (DNS)
protocols for the Internet. It is a reference implementation of those
protocols, but it is also production-grade software, suitable for use in
high-volume and high-reliability applications. It is very
high-volume and high-reliability applications. It is by far the most
widely used DNS software, providing a robust and stable platform on top of
which organizations can build distributed computing systems with the
knowledge that those systems are fully compliant with published DNS
@@ -33,34 +33,35 @@ standards.
BIND is and will always remain free and openly available. It can be
used and modified in any way by anyone.
BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
BIND is maintained by the [Internet Systems Consortium](https://www.isc.org),
a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
anyone can see the source, but only ISC employees have commit access.
In the past, the source could only be seen once ISC had published
a release; read access to the source repository was restricted just
as commit access was. That has changed, as ISC now provides a
public git repository of the BIND source tree (see below).
Until recently, the source could only be seen once ISC had published
a release: read access to the source repository was restricted just
as commit access was. That's now changing, with the opening of a
public git mirror to the BIND source tree (see below).
At ISC, we're committed to
building communities that are welcoming and inclusive: environments where people
At [Internet Systems Consortium](https://www.isc.org), we're committed to
building communities that are welcoming and inclusive; environments where people
are encouraged to share ideas, treat each other with respect, and collaborate
towards the best solutions. To reinforce our commitment, ISC
has adopted a slightly modified version of the Django
[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
for the BIND 9 project, as well as for the conduct of our developers throughout
the industry.
towards the best solutions. To reinforce our commitment, the [Internet Systems
Consortium](https://www.isc.org) has adopted the Contributor Covenant version
1.4 as our Code of Conduct for BIND 9 project, as well as for the conduct of our
developers throughout the industry.
### <a name="access"></a>Access to source code
Public BIND releases are always available from the
[ISC FTP site](ftp://ftp.isc.org/isc/bind9).
A public-access git repository is also available at
[https://gitlab.isc.org](https://gitlab.isc.org). This repository
contains all public release branches. Upcoming releases can be viewed in
their current state at any time. Short-lived development branches
contain unreviewed work in progress. Commits which address security
vulnerablilities are withheld until after public disclosure.
A public-access GIT repository is also available at
[https://gitlab.isc.org](https://gitlab.isc.org).
This repository is a mirror, updated several times per day, of the
source repository maintained by ISC. It contains all the public release
branches; upcoming releases can be viewed in their current state at any
time. It does *not* contain development branches or unreviewed work in
progress. Commits which address security vulnerablilities are withheld
until after public disclosure.
You can browse the source online via
[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
@@ -75,58 +76,55 @@ branch, use:
> $ git checkout v9_12
Whenever a branch is ready for publication, a tag is placed of the
Whenever a branch is ready for publication, a tag will be placed of the
form `v9_X_Y`. The 9.12.0 release, for instance, is tagged as `v9_12_0`.
The branch in which the next major release is being developed is called
`main`.
`master`.
### <a name="bugs"></a>Reporting bugs
Reports of flaws in the BIND package, including software bugs, errors
in the documentation, missing files in the tarball, suggested changes
or requests for new features, etc., can be filed using
or requests for new features, etc, can be filed using
[https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
Due to a large ticket backlog, we are sometimes slow to respond,
especially if a bug is cosmetic or if a feature request is vague or
low in priority, but we try at least to acknowledge legitimate
low in priority, but we will try at least to acknowledge legitimate
bug reports within a week.
ISC's GitLab system is publicly readable; however, you must have
an account to create a new issue. You can either register locally or
ISC's ticketing system is publicly readable; however, you must have
an account to file a new issue. You can either register locally or
use credentials from an existing account at GitHub, GitLab, Google,
Twitter, or Facebook.
### Reporting possible security issues
If you think you may be seeing a potential security vulnerability in BIND
(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
report it immediately by emailing to security-officer@isc.org. Plain-text
e-mail is not a secure choice for communications concerning undisclosed
security issues so please encrypt your communications to us if possible,
using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
Do not discuss undisclosed security vulnerabilities on any public mailing list.
ISC has a long history of handling reported vulnerabilities promptly and
effectively and we respect and acknowledge responsible reporters.
ISC's Security Vulnerability Disclosure Policy is documented at
[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
If you have a crash, you may want to consult
["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
[What to do if your BIND or DHCP server has crashed.](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
### <a name="contrib"></a>Contributing code
BIND is licensed under the
[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
Earlier versions (BIND 9.10 and earlier) were licensed under the
[ISC License](https://www.isc.org/licenses/)
[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
ISC does not require an explicit copyright assignment for patch
contributions. However, by submitting a patch to ISC, you implicitly
certify that you are the author of the code, that you intend to relinquish
certify that you are the author of the code, that you intend to reliquish
exclusive copyright, and that you grant permission to publish your work
under the open source license used for the BIND version(s) to which your
patch will be applied.
@@ -134,19 +132,20 @@ patch will be applied.
#### <a name="bind"></a>BIND code
Patches for BIND may be submitted directly via merge requests in
[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source
[ISC's Gitlab](https://gitlab.isc.org/isc-projects/bind9/) source
repository for BIND.
Patches can also be submitted as diffs against a specific version of
BIND -- preferably the current top of the `main` branch. Diffs may
BIND -- preferably the current top of the `master` branch. Diffs may
be generated using either `git format-patch` or `git diff`.
Those wanting to write code for BIND may be interested in the
[developer information](doc/dev/dev.md) page, which includes information
about BIND design and coding practices, including discussion of internal
APIs and overall system architecture.
APIs and overall system architecture. (This is a work in progress, and
still quite preliminary.)
Every patch submitted is reviewed by ISC engineers following our
Every patch submitted will be reviewed by ISC engineers following our
[code review process](doc/dev/dev.md#reviews) before it is merged.
It may take considerable time to review patch submissions, especially if
@@ -157,7 +156,7 @@ we're busy with other work, it may take us a long time to get to it.
To ensure your patch is acted on as promptly as possible, please:
* Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
* Run `make check` to ensure your change hasn't caused any
* Run `make` `check` to ensure your change hasn't caused any
functional regressions.
* Document your work, both in the patch itself and in the
accompanying email.
@@ -183,24 +182,28 @@ All functional changes should be documented. There are three types
of documentation in the BIND source tree:
* Man pages are kept alongside the source code for the commands
they document, in files ending in `.rst`: for example, the
`named` man page is `bin/named/named.rst`.
* The *BIND 9 Administrator Reference Manual* is in the .rst files in
`doc/arm/`; the PDF and HTML versions are automatically generated from
the `.rst` files.
they document, in files ending in `.docbook`; for example, the
`named` man page is `bin/named/named.docbook`.
* The *BIND 9 Administrator Reference Manual* is mostly in
`doc/arm/Bv9ARM-book.xml`, plus a few other XML files that are included
in it.
* API documentation is in the header file describing the API, in
Doxygen-formatted comments.
It is not necessary to edit any documentation files other than these;
all PDF, HTML, and `nroff`-format man page files will be updated
automatically from the `docbook` and `XML` files after merging.
Patches to improve existing documentation are also very welcome!
##### Tests
BIND is a large and complex project. We rely heavily on continuous
automated testing and cannot merge new code without adequate test coverage.
Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
Please see [the 'Testing' section of doc/dev/dev.md](doc/dev/dev.md#testing)
for more information.
#### Thanks
Thank you for your interest in contributing to the ongoing development
of BIND 9.
of BIND.

View File

@@ -1,8 +1,8 @@
Copyright (C) 1996-2021 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2020 Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
file, You can obtain one at http://mozilla.org/MPL/2.0/.
-----------------------------------------------------------------------------
@@ -367,25 +367,3 @@ distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-----------------------------------------------------------------------------
Copyright Joyent, Inc. and other Node contributors. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.

View File

@@ -1,25 +1,11 @@
include $(top_srcdir)/Makefile.top
SUBDIRS = . lib doc bin fuzz
SUBDIRS = . libltdl lib bin # doc
BUILT_SOURCES = bind.keys.h
CLEANFILES = bind.keys.h
bind.keys.h: bind.keys Makefile
${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
${PERL} ${top_srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
dist_sysconf_DATA = bind.keys
.PHONY: doc
EXTRA_DIST = \
util/bindkeys.pl \
contrib \
CHANGES \
COPYRIGHT \
LICENSE \
*.md
dist-hook:
find $(distdir) -type f -name .gitignore -delete
git rev-parse --short HEAD | cut -b1-7 > $(distdir)/srcid

View File

@@ -1,52 +0,0 @@
SPHINX_V = $(SPHINX_V_@AM_V@)
SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
SPHINX_V_0 = -q
SPHINX_V_1 = -n
AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
AM_V_SPHINX_0 = @echo " SPHINX $@";
SPHINXBUILDDIR = $(builddir)/_build
common_SPHINXOPTS = \
-W \
-c $(srcdir) \
-a \
$(SPHINX_V)
ALLSPHINXOPTS = \
$(common_SPHINXOPTS) \
-D version="$(PACKAGE_VERSION)" \
-D today="$(RELEASE_DATE)" \
-D release="$(PACKAGE_VERSION)" \
$(SPHINXOPTS) \
$(srcdir)
man_SPHINXOPTS = \
$(common_SPHINXOPTS) \
-D version="@""PACKAGE_VERSION@"\
-D today="@""RELEASE_DATE@" \
-D release="@""PACKAGE_VERSION@"\
$(SPHINXOPTS) \
$(srcdir)
AM_V_SED = $(AM_V_SED_@AM_V@)
AM_V_SED_ = $(AM_V_SED_@AM_DEFAULT_V@)
AM_V_SED_0 = @echo " SED $@";
AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
AM_V_CFG_TEST_0 = @echo " CFG_GEN $@";
AM_V_RST_OPTIONS = $(AM_V_CFG_TEST_@AM_V@)
AM_V_RST_OPTIONS_ = $(AM_V_RST_OPTIONS_@AM_DEFAULT_V@)
AM_V_RST_OPTIONS_0 = @echo " RST_OPTIONS $@";
AM_V_RST_ZONEOPT = $(AM_V_CFG_TEST_@AM_V@)
AM_V_RST_ZONEOPT_ = $(AM_V_RST_ZONEOPT_@AM_DEFAULT_V@)
AM_V_RST_ZONEOPT_0 = @echo " RST_ZONEOPT $@";
AM_V_RST_GRAMMARS = $(AM_V_CFG_TEST_@AM_V@)
AM_V_RST_GRAMMARS_ = $(AM_V_RST_GRAMMARS_@AM_DEFAULT_V@)
AM_V_RST_GRAMMARS_0 = @echo " RST_GRAMMARS $@";

View File

@@ -3,9 +3,8 @@
AM_CPPFLAGS += \
$(CMOCKA_CFLAGS) \
-DNAMED_PLUGINDIR=\"$(libdir)/named\" \
-DSKIPPED_TEST_EXIT_CODE=77 \
-DTESTS_DIR=\"$(abs_srcdir)\"
-DTESTS=\"$(abs_srcdir)\" \
-DNAMED_PLUGINDIR=\"$(libdir)/named\"
LDADD = \
$(CMOCKA_LIBS)

View File

@@ -11,12 +11,10 @@ AM_CPPFLAGS = \
-include $(top_builddir)/config.h \
-I$(srcdir)/include
AM_LDFLAGS =
if HOST_MACOS
AM_LDFLAGS += \
-Wl,-flat_namespace
endif HOST_MACOS
if HAVE_GSSAPI
AM_CPPFLAGS += \
$(GSSAPI_CFLAGS)
endif
LIBISC_CFLAGS = \
-I$(top_srcdir)/include \
@@ -25,6 +23,16 @@ LIBISC_CFLAGS = \
-I$(top_srcdir)/lib/isc/include \
-I$(top_builddir)/lib/isc/include
if HAVE_JSON_C
LIBISC_CFLAGS += \
$(JSON_C_CFLAGS)
endif HAVE_JSON_C
if HAVE_LIBXML2
LIBISC_CFLAGS += \
$(LIBXML2_CFLAGS)
endif HAVE_LIBXML2
LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
LIBDNS_CFLAGS = \
@@ -63,3 +71,9 @@ LIBBIND9_CFLAGS = \
LIBBIND9_LIBS = \
$(top_builddir)/lib/bind9/libbind9.la
LIBLTDL_CFLAGS = \
-I$(top_srcdir)/libltdl
LIBLTDL_LIBS = \
$(top_builddir)/libltdl/libltdlc.la

View File

@@ -8,19 +8,20 @@
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
Setting the `CPPFLAGS` environment variable before running `configure`
can be used to enable certain compile-time options that are not
explicitly defined in `configure`.
Setting the `STD_CDEFINES` environment variable before running `configure`
can be used to enable certain compile-time options that are not explicitly
defined in `configure`.
Some of these settings are:
| Setting | Description |
| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| `-DCHECK_LOCAL=0` | Don't check out-of-zone addresses in `named-checkzone` |
| `-DCHECK_SIBLING=0` | Don't check sibling glue in `named-checkzone` |
| `-DISC_FACILITY=LOG_LOCAL0` | Change the default syslog facility for `named` |
| `-DISC_HEAP_CHECK` | Test heap consistency after every heap operation; used when debugging |
| `-DISC_MEM_DEFAULTFILL=1` | Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier |
| `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult |
| `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` |
| `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports |
|Setting |Description |
|-----------------------------------|----------------------------------------|
|`-DISC_MEM_DEFAULTFILL=1`|Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier.|
|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`|
|`-DISC_BUFFER_USEINLINE=0`|Disable the use of inline functions to implement the `isc_buffer` API: this reduces performance but may be useful when debugging |
|`-DISC_HEAP_CHECK`|Test heap consistency after every heap operation; used when debugging|

View File

@@ -13,7 +13,7 @@
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
the OpenSSL cryptography library, and the `nghttp2` HTTP/2 library.
and the OpenSSL cryptography library.
The following C11 features are used in BIND 9:
@@ -42,16 +42,16 @@ offer support on a "best effort" basis for some.
### Regularly tested platforms
As of Nov 2020, BIND 9.17 is fully supported and regularly tested on the
As of Mar 2020, BIND 9.17 is fully supported and regularly tested on the
following systems:
* Debian 9, 10
* Ubuntu LTS 16.04, 20.04
* Fedora 33
* Ubuntu LTS 16.04, 18.04
* Fedora 31
* Red Hat Enterprise Linux / CentOS 7, 8
* FreeBSD 11.4, 12.2
* OpenBSD 6.8
* Alpine Linux 3.13
* FreeBSD 11.3, 12.1
* OpenBSD 6.6
* Alpine Linux
The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
@@ -61,7 +61,7 @@ The following are platforms on which BIND is known to build and run.
ISC makes every effort to fix bugs on these platforms, but may be unable to
do so quickly due to lack of hardware, less familiarity on the part of
engineering staff, and other constraints. With the exception of Windows
Server 2016, none of these are tested regularly by ISC.
Server 2012 R2, none of these are tested regularly by ISC.
* Windows Server 2012 R2, 2016 / x64
* Windows 10 / x64

182
README.md
View File

@@ -15,6 +15,7 @@
1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [BIND 9.17 features](#features)
1. [Building BIND](#build)
1. [macOS](#macos)
1. [Dependencies](#dependencies)
@@ -27,26 +28,26 @@
### <a name="intro"/> Introduction
BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the Domain Name System (DNS) protocol.
implementation of the DNS (Domain Name System) protocol.
The BIND name server, `named`, can act as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
The BIND name server, `named`, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the `dig` and `delv` DNS lookup tools,
`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
administration, and more.
BIND 9 began as a complete rewrite of the BIND architecture that was
BIND 9 began as a complete re-write of the BIND architecture that was
used in versions 4 and 8. Internet Systems Consortium
([https://www.isc.org](https://www.isc.org)), a 501(c)(3) US public benefit
([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
corporation dedicated to providing software and services in support of the
Internet infrastructure, developed BIND 9 and is responsible for its
ongoing maintenance and improvement. BIND is open source software
ongoing maintenance and improvement. BIND is open source software
licensed under the terms of the Mozilla Public License, version 2.0.
For a summary of features introduced in past major releases of BIND,
@@ -64,19 +65,19 @@ For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
### <a name="help"/> Reporting bugs and getting help
To report non-security-sensitive bugs or request new features, you may
open an issue in the BIND 9 project on the
open an Issue in the BIND 9 project on the
[ISC GitLab server](https://gitlab.isc.org) at
[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
Please note that, unless you explicitly mark the newly created issue as
"confidential," it will be publicly readable. Please do not include any
Please note that, unless you explicitly mark the newly created Issue as
"confidential", it will be publicly readable. Please do not include any
information in bug reports that you consider to be confidential unless
the issue has been marked as such. In particular, if submitting the
contents of your configuration file in a non-confidential issue, it is
advisable to obscure key secrets; this can be done automatically by
the issue has been marked as such. In particular, if submitting the
contents of your configuration file in a non-confidential Issue, it is
advisable to obscure key secrets: this can be done automatically by
using `named-checkconf -px`.
If you are reporting a bug that is a potential security issue, such as an
If the bug you are reporting is a potential security issue, such as an
assertion failure or other crash in `named`, please do *NOT* use GitLab to
report it. Instead, send mail to
[security-officer@isc.org](mailto:security-officer@isc.org) using our
@@ -85,12 +86,11 @@ to our key can be found at
[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
discuss the bug on any public mailing list.
For a general overview of ISC security policies, read the Knowledgebase
For a general overview of ISC security policies, read the Knowledge Base
article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
Professional support and training for BIND are available from
ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
for more information.
ISC at [https://www.isc.org/support](https://www.isc.org/support).
To join the __BIND Users__ mailing list, or view the archives, visit
[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
@@ -102,7 +102,7 @@ may also want to join the __BIND Workers__ mailing list, at
### <a name="contrib"/> Contributing to BIND
ISC maintains a public git repository for BIND; details can be found
at [https://www.isc.org/sourceaccess/](https://www.isc.org/sourceaccess/).
at [http://www.isc.org/git/](http://www.isc.org/git/).
Information for BIND contributors can be found in the following files:
- General information: [CONTRIBUTING.md](CONTRIBUTING.md)
@@ -112,48 +112,59 @@ Information for BIND contributors can be found in the following files:
Patches for BIND may be submitted as
[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
on the [ISC GitLab server](https://gitlab.isc.org).
in the [ISC GitLab server](https://gitlab.isc.org) at
at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
By default, external contributors do not have the ability to fork BIND on the
GitLab server; if you wish to contribute code to BIND, you may request
By default, external contributors don't have ability to fork BIND in the
GitLab server, but if you wish to contribute code to BIND, you may request
permission to do so. Thereafter, you can create git branches and directly
submit requests that they be reviewed and merged.
If you prefer, you may also submit code by opening a
[GitLab issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
[GitLab Issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
including your patch as an attachment, preferably generated by
`git format-patch`.
### <a name="build"/> Building BIND 9
### <a name="features"/> BIND 9.17 features
At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. BIND also requires the
`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, and a
cryptography provider library such as OpenSSL or a hardware service
module supporting PKCS#11. On Linux, BIND requires the `libcap` library
to set process privileges, though this requirement can be overridden by
disabling capability support at compile time. See [Compile-time
options](#opts) below for details on other libraries that may be
required to support optional features.
BIND 9.17 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.16 and earlier releases. New features include:
* New option "max-ixfr-ratio" to limit the size of outgoing IXFR responses
before falling back to full zone transfers.
* "rndc nta -d" and "rndc secroots" now include "validate-except" entries
when listing negative trust anchors.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. BIND also requires the
`libuv` asynchronous I/O library, and a cryptography provider library
such as OpenSSL or a hardware service module supporting PKCS#11. On
Linux, BIND requires the `libcap` library to set process privileges,
though this requirement can be overridden by disabling capability
support at compile time. See [Compile-time options](#opts) below
for details on other libraries that may be required to support
optional features.
Successful builds have been observed on many versions of Linux and
Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
BIND 9 is also available for Windows Server 2012 R2 and higher. See
BIND is also available for Windows Server 2012 R2 and higher. See
`win32utils/build.txt` for details on building for Windows
systems.
To build on a Unix or Linux system, use:
To build on a UNIX or Linux system, use:
$ autoreconf -fi (if you are building in the git repository)
$ ./configure
$ make
If you're using Emacs, you might find `make tags` helpful.
If you're planning on making changes to the BIND 9 source, you should run
`make depend`. If you're using Emacs, you might find `make tags` helpful.
Several environment variables, which can be set before running `configure`,
Several environment variables that can be set before running `configure` will
affect compilation. Significant ones are:
|Variable|Description |
@@ -170,32 +181,22 @@ command:
#### <a name="macos"> macOS
Building on macOS assumes that the "Command Tools for Xcode" are installed.
These can be downloaded from
Building on macOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from
[https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
or, if you have Xcode already installed, you can run `xcode-select --install`.
(Note that an Apple ID may be required to access the download page.)
#### <a name="dependencies"> Dependencies
To build BIND you need to have the following packages installed:
libuv
pkg-config / pkgconfig / pkgconf
To build BIND from the git repository, you need the following tools
installed:
autoconf (includes autoreconf)
automake
libtool
or, if you have Xcode already installed, you can run `xcode-select
--install`. (Note that an Apple ID may be required to access the download
page.)
#### <a name="opts"/> Compile-time options
To see a full list of configuration options, run `configure --help`.
To build shared libraries, specify `--with-libtool` on the `configure`
command line.
For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using `--with-openssl=<PREFIX>` on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
@@ -208,15 +209,15 @@ least one of the following libraries: `libxml2`
[https://github.com/json-c/json-c](https://github.com/json-c/json-c).
If these are installed at a nonstandard location, then:
* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`.
* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`,
* for `json-c`, adjust `PKG_CONFIG_PATH`.
To support compression on the HTTP statistics channel, the server must be
linked against `libzlib`. If this is installed in a nonstandard location,
linked against `libzlib`. If this is installed in a nonstandard location,
specify the prefix using `--with-zlib=/prefix`.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with `liblmdb`. If this is installed in a
database, the server must be linked with liblmdb. If this is installed in a
nonstandard location, specify the prefix using `with-lmdb=/prefix`.
To support MaxMind GeoIP2 location-based ACLs, the server must be linked
@@ -233,8 +234,8 @@ and BIND must be configured with `--enable-dnstap`.
Certain compiled-in constants and default settings can be decreased to
values better suited to small machines, e.g. OpenWRT boxes, by specifying
`--with-tuning=small` on the `configure` command line. This decreases
memory usage by using smaller structures, but degrades performance.
`--with-tuning=small` on the `configure` command line. This will decrease
memory usage by using smaller structures, but will degrade performance.
On Linux, process capabilities are managed in user space using
the `libcap` library, which can be installed on most Linux systems via
@@ -247,54 +248,51 @@ to handle files bigger than 2GB. This can be done by using
Support for the "fixed" rrset-order option can be enabled or disabled by
specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
configure command line. By default, fixed rrset-order is disabled to
configure command line. By default, fixed rrset-order is disabled to
reduce memory footprint.
The `--enable-querytrace` option causes `named` to log every step of
processing every query. The `--enable-singletrace` option turns on the
same verbose tracing, but allows an individual query to be separately
traced by setting its query ID to 0. These options should only be enabled
when debugging, because they have a significant negative impact on query
performance.
processing every query. This should only be enabled when debugging, because
it has a significant negative impact on query performance.
`make install` installs `named` and the various BIND 9 libraries. By
`make install` will install `named` and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
`--prefix` option when running `configure`.
You may specify the option `--sysconfdir` to set the directory where
configuration files like `named.conf` go by default, and `--localstatedir`
to set the default parent directory of `run/named.pid`. `--sysconfdir`
to set the default parent directory of `run/named.pid`. `--sysconfdir`
defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
### <a name="testing"/> Automated testing
A system test suite can be run with `make check`. The system tests require
A system test suite can be run with `make check`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with each other). These
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command
`bin/tests/system/ifconfig.sh up` as root.
Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
and are skipped if these are not available. Some tests require Python
and the `dnspython` module and are skipped if these are not available.
and will be skipped if these are not available. Some tests require Python
and the `dnspython` module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the CMocka unit testing framework. To build
Unit tests are implemented using the CMocka unit testing framework. To build
them, use `configure --with-cmocka`. Execution of tests is done by the automake
parallel test driver; unit tests are also run by `make check`.
### <a name="doc"/> Documentation
The *BIND 9 Administrator Reference Manual* (ARM) is included with the source
distribution, and in .rst format, in the `doc/arm`
directory. HTML and PDF versions are automatically generated and can
be viewed at [https://bind9.readthedocs.io/en/latest/index.html](https://bind9.readthedocs.io/en/latest/index.html).
The *BIND 9 Administrator Reference Manual* is included with the source
distribution, in DocBook XML, HTML, and PDF format, in the `doc/arm`
directory.
Man pages for some of the programs in the BIND 9 distribution
are also included in the BIND ARM.
Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of `named` are
documented in `bin/named/named.8`.
Frequently (and not-so-frequently) asked questions and their answers
can be found in the ISC Knowledgebase at
can be found in the ISC Knowledge Base at
[https://kb.isc.org](https://kb.isc.org).
Additional information on various subjects can be found in other
@@ -303,8 +301,8 @@ Additional information on various subjects can be found in other
### <a name="changes"/> Change log
A detailed list of all changes that have been made throughout the
development of BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
|Category |Description |
@@ -322,12 +320,12 @@ the change that was made; these categories are:
| [cleanup] | Minor corrections and refactoring |
| [doc] | Documentation |
| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
| [placeholder] | Used in the main development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
In general, [func] and [experimental] tags only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently supported releases.
All other change types may be applied to all currently-supported releases.
#### Bug report identifiers
@@ -337,7 +335,7 @@ and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
GitLab database. Most of these are publicly readable, unless they include
information which is confidential or security-sensitive.
information which is confidential or security sensitive.
To look up a GitLab issue by its number, use the URL
[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
@@ -367,7 +365,7 @@ GitLab instance, which is not visible to the public.
* This product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit.
[https://www.OpenSSL.org/](https://www.OpenSSL.org/)
[http://www.OpenSSL.org/](http://www.OpenSSL.org/)
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com).
* This product includes software written by Tim Hudson (tjh@cryptsoft.com).
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson (tjh@cryptsoft.com)

View File

@@ -24,11 +24,11 @@ LDADD = \
$(LIBISCCFG_LIBS) \
$(LIBBIND9_LIBS)
bin_PROGRAMS = named-checkconf named-checkzone
sbin_PROGRAMS = named-checkconf named-checkzone
install-exec-hook:
ln -f $(DESTDIR)$(bindir)/named-checkzone \
$(DESTDIR)$(bindir)/named-compilezone
ln -f $(DESTDIR)$(sbindir)/named-checkzone \
$(DESTDIR)$(sbindir)/named-compilezone
uninstall-hook:
-rm -f $(DESTDIR)$(bindir)/named-compilezone
-rm -f $(DESTDIR)$(sbindir)/named-compilezone

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

152
bin/check/named-checkconf.8 Normal file
View File

@@ -0,0 +1,152 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: named-checkconf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-10
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\-CHECKCONF" "8" "2014\-01\-10" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
named-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkconf\fR\ 'u
\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a
\fBnamed\fR
configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
/etc/named\&.conf
is read by default\&.
.PP
Note: files that
\fBnamed\fR
reads in separate parser contexts, such as
rndc\&.key
and
bind\&.keys, are not automatically read by
\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
\fBnamed\fR
to fail to run, even if
\fBnamed\-checkconf\fR
was successful\&.
\fBnamed\-checkconf\fR
can be run on these files explicitly, however\&.
.SH "OPTIONS"
.PP
\-h
.RS 4
Print the usage summary and exit\&.
.RE
.PP
\-j
.RS 4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
\-l
.RS 4
List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
.RE
.PP
\-c
.RS 4
Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
\fBplugin\fR
statements to be ignored\&.
.RE
.PP
\-i
.RS 4
Ignore warnings on deprecated options\&.
.RE
.PP
\-p
.RS 4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&. See also the
\fB\-x\fR
option\&.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkconf\fR
program and exit\&.
.RE
.PP
\-x
.RS 4
When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
named\&.conf
and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
\fB\-p\fR\&.
.RE
.PP
\-z
.RS 4
Perform a test load of all master zones found in
named\&.conf\&.
.RE
.PP
filename
.RS 4
The name of the configuration file to be checked\&. If not specified, it defaults to
/etc/named\&.conf\&.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkconf\fR
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed-checkzone\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -185,7 +185,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
const char *zname;
const char *zfile = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *primariesobj = NULL;
const cfg_obj_t *mastersobj = NULL;
const cfg_obj_t *inviewobj = NULL;
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *classobj = NULL;
@@ -279,12 +279,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
* Is the redirect zone configured as a slave?
*/
if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
cfg_map_get(zoptions, "primaries", &primariesobj);
if (primariesobj == NULL) {
cfg_map_get(zoptions, "masters", &primariesobj);
}
if (primariesobj != NULL) {
cfg_map_get(zoptions, "masters", &mastersobj);
if (mastersobj != NULL) {
return (ISC_R_SUCCESS);
}
}
@@ -534,12 +530,7 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
}
classobj = cfg_tuple_get(vconfig, "class");
tresult = config_getclass(classobj, dns_rdataclass_in,
&viewclass);
if (tresult != ISC_R_SUCCESS) {
CHECK(tresult);
}
CHECK(config_getclass(classobj, dns_rdataclass_in, &viewclass));
if (dns_rdataclass_ismeta(viewclass)) {
CHECK(ISC_R_FAILURE);
}

View File

@@ -0,0 +1,229 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
<info>
<date>2014-01-10</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkconf</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkconf</application></refname>
<refpurpose>named configuration file syntax checking tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named-checkconf</command>
<arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
<arg choice="opt" rep="norepeat"><option>-p</option>
<arg choice="opt" rep="norepeat"><option>-x</option>
</arg></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkconf</command>
checks the syntax, but not the semantics, of a
<command>named</command> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <filename>/etc/named.conf</filename> is read
by default.
</para>
<para>
Note: files that <command>named</command> reads in separate
parser contexts, such as <filename>rndc.key</filename> and
<filename>bind.keys</filename>, are not automatically read
by <command>named-checkconf</command>. Configuration
errors in these files may cause <command>named</command> to
fail to run, even if <command>named-checkconf</command> was
successful. <command>named-checkconf</command> can be run
on these files explicitly, however.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zonefile read the journal if it exists.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>
List all the configured zones. Each line of output
contains the zone name, class (e.g. IN), view, and type
(e.g. master or slave).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c</term>
<listitem>
<para>
Check "core" configuration only. This suppresses the loading
of plugin modules, and causes all parameters to
<command>plugin</command> statements to be ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Ignore warnings on deprecated options.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Print out the <filename>named.conf</filename> and included files
in canonical form if no errors were detected.
See also the <option>-x</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkconf</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
contents of <filename>named.conf</filename> and related
files to be shared &mdash; for example, when submitting
bug reports &mdash; without compromising private data.
This option cannot be used without <option>-p</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Perform a test load of all master zones found in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the configuration file to be checked. If not
specified, it defaults to <filename>/etc/named.conf</filename>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkconf</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,180 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkconf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkconf"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">named-checkconf</span>
&#8212; named configuration file syntax checking tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-checkconf</code>
[<code class="option">-chjlvz</code>]
[<code class="option">-p</code>
[<code class="option">-x</code>
]]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span class="command"><strong>named</strong></span> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <code class="filename">/etc/named.conf</code> is read
by default.
</p>
<p>
Note: files that <span class="command"><strong>named</strong></span> reads in separate
parser contexts, such as <code class="filename">rndc.key</code> and
<code class="filename">bind.keys</code>, are not automatically read
by <span class="command"><strong>named-checkconf</strong></span>. Configuration
errors in these files may cause <span class="command"><strong>named</strong></span> to
fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
successful. <span class="command"><strong>named-checkconf</strong></span> can be run
on these files explicitly, however.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the usage summary and exit.
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd>
<p>
When loading a zonefile read the journal if it exists.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
List all the configured zones. Each line of output
contains the zone name, class (e.g. IN), view, and type
(e.g. master or slave).
</p>
</dd>
<dt><span class="term">-c</span></dt>
<dd>
<p>
Check "core" configuration only. This suppresses the loading
of plugin modules, and causes all parameters to
<span class="command"><strong>plugin</strong></span> statements to be ignored.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Ignore warnings on deprecated options.
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
See also the <code class="option">-x</code> option.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkconf</strong></span>
program and exit.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
contents of <code class="filename">named.conf</code> and related
files to be shared &#8212; for example, when submitting
bug reports &#8212; without compromising private data.
This option cannot be used without <code class="option">-p</code>.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd>
<p>
The name of the configuration file to be checked. If not
specified, it defaults to <code class="filename">/etc/named.conf</code>.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,105 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_named-checkconf:
named-checkconf - named configuration file syntax checking tool
---------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
Description
~~~~~~~~~~~
``named-checkconf`` checks the syntax, but not the semantics, of a
``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
errors. If no file is specified,
``/etc/named.conf`` is read by default.
Note: files that ``named`` reads in separate parser contexts, such as
``rndc.key`` and ``bind.keys``, are not automatically read by
``named-checkconf``. Configuration errors in these files may cause
``named`` to fail to run, even if ``named-checkconf`` was successful.
However, ``named-checkconf`` can be run on these files explicitly.
Options
~~~~~~~
``-h``
This option prints the usage summary and exits.
``-j``
When loading a zonefile, this option instructs ``named`` to read the journal if it exists.
``-l``
This option lists all the configured zones. Each line of output contains the zone
name, class (e.g. IN), view, and type (e.g. primary or secondary).
``-c``
This option specifies that only the "core" configuration should be checked. This suppresses the loading of
plugin modules, and causes all parameters to ``plugin`` statements to
be ignored.
``-i``
This option ignores warnings on deprecated options.
``-p``
This option prints out the ``named.conf`` and included files in canonical form if
no errors were detected. See also the ``-x`` option.
``-t directory``
This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the
configuration file are processed as if run by a similarly chrooted
``named``.
``-v``
This option prints the version of the ``named-checkconf`` program and exits.
``-x``
When printing the configuration files in canonical form, this option obscures
shared secrets by replacing them with strings of question marks
(``?``). This allows the contents of ``named.conf`` and related files
to be shared - for example, when submitting bug reports -
without compromising private data. This option cannot be used without
``-p``.
``-z``
This option performs a test load of all zones of type ``primary`` found in ``named.conf``.
``filename``
This indicates the name of the configuration file to be checked. If not specified,
it defaults to ``/etc/named.conf``.
Return Values
~~~~~~~~~~~~~
``named-checkconf`` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.

329
bin/check/named-checkzone.8 Normal file
View File

@@ -0,0 +1,329 @@
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: named-checkzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-19
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\-CHECKZONE" "8" "2014\-02\-19" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
named-checkzone, named-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkzone\fR\ 'u
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP \w'\fBnamed\-compilezone\fR\ 'u
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
checks the syntax and integrity of a zone file\&. It performs the same checks as
\fBnamed\fR
does when loading a zone\&. This makes
\fBnamed\-checkzone\fR
useful for checking zone files before configuring them into a name server\&.
.PP
\fBnamed\-compilezone\fR
is similar to
\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\fR
configuration file\&.
.SH "OPTIONS"
.PP
\-d
.RS 4
Enable debugging\&.
.RE
.PP
\-h
.RS 4
Print the usage summary and exit\&.
.RE
.PP
\-q
.RS 4
Quiet mode \- exit code only\&.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkzone\fR
program and exit\&.
.RE
.PP
\-j
.RS 4
When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
\&.jnl\&.
.RE
.PP
\-J \fIfilename\fR
.RS 4
When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
.RE
.PP
\-c \fIclass\fR
.RS 4
Specify the class of the zone\&. If not specified, "IN" is assumed\&.
.RE
.PP
\-i \fImode\fR
.RS 4
Perform post\-load zone integrity checks\&. Possible modes are
\fB"full"\fR
(default),
\fB"full\-sibling"\fR,
\fB"local"\fR,
\fB"local\-sibling"\fR
and
\fB"none"\fR\&.
.sp
Mode
\fB"full"\fR
checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks MX records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks SRV records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
\fB"local"\fR
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
.sp
Mode
\fB"full\-sibling"\fR
and
\fB"local\-sibling"\fR
disable sibling glue checks but are otherwise the same as
\fB"full"\fR
and
\fB"local"\fR
respectively\&.
.sp
Mode
\fB"none"\fR
disables the checks\&.
.RE
.PP
\-f \fIformat\fR
.RS 4
Specify the format of the zone file\&. Possible formats are
\fB"text"\fR
(default),
\fB"raw"\fR, and
\fB"map"\fR\&.
.RE
.PP
\-F \fIformat\fR
.RS 4
Specify the format of the output file specified\&. For
\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
.sp
Possible formats are
\fB"text"\fR
(default), which is the standard textual representation of the zone, and
\fB"map"\fR,
\fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
\fBnamed\fR\&.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
.RE
.PP
\-k \fImode\fR
.RS 4
Perform
\fB"check\-names"\fR
checks with the specified failure mode\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR\&.
.RE
.PP
\-l \fIttl\fR
.RS 4
Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
\fBmax\-zone\-ttl\fR
option in
named\&.conf\&.
.RE
.PP
\-L \fIserial\fR
.RS 4
When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
.RE
.PP
\-m \fImode\fR
.RS 4
Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-M \fImode\fR
.RS 4
Check if a MX record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-n \fImode\fR
.RS 4
Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR\&.
.RE
.PP
\-o \fIfilename\fR
.RS 4
Write zone output to
filename\&. If
filename
is
\-
then write to standard out\&. This is mandatory for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-r \fImode\fR
.RS 4
Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-s \fIstyle\fR
.RS 4
Specify the style of the dumped zone file\&. Possible styles are
\fB"full"\fR
(default) and
\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
\fBnamed\-checkzone\fR
this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
.RE
.PP
\-S \fImode\fR
.RS 4
Check if a SRV record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-T \fImode\fR
.RS 4
Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR\&.
.RE
.PP
\-w \fIdirectory\fR
.RS 4
chdir to
directory
so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
named\&.conf\&.
.RE
.PP
\-D
.RS 4
Dump zone file in canonical format\&. This is always enabled for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-W \fImode\fR
.RS 4
Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
zonename
.RS 4
The domain name of the zone being checked\&.
.RE
.PP
filename
.RS 4
The name of the zone file\&.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkzone\fR
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed-checkconf\fR(8),
RFC 1035,
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -72,9 +72,9 @@ usage(void) {
fprintf(stderr,
"usage: %s [-djqvD] [-c class] "
"[-f inputformat] [-F outputformat] [-J filename] "
"[-s (full|relative)] [-t directory] [-w directory] "
"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
"[-r (ignore|warn|fail)] "
"[-i (full|full-sibling|local|local-sibling|none)] "
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
"[-W (ignore|warn)] "

View File

@@ -0,0 +1,529 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
<info>
<date>2014-02-19</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkzone</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkzone</application></refname>
<refname><application>named-compilezone</application></refname>
<refpurpose>zone file validity checking or converting tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named-checkzone</command>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-compilezone</command>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkzone</command>
checks the syntax and integrity of a zone file. It performs the
same checks as <command>named</command> does when loading a
zone. This makes <command>named-checkzone</command> useful for
checking zone files before configuring them into a name server.
</para>
<para>
<command>named-compilezone</command> is similar to
<command>named-checkzone</command>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <command>named</command>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<command>named</command> configuration file.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Enable debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode - exit code only.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkzone</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <filename>.jnl</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-J <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specify the class of the zone. If not specified, "IN" is assumed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform post-load zone integrity checks. Possible modes are
<command>"full"</command> (default),
<command>"full-sibling"</command>,
<command>"local"</command>,
<command>"local-sibling"</command> and
<command>"none"</command>.
</para>
<para>
Mode <command>"full"</command> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks MX records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks SRV records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <command>"local"</command> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</para>
<para>
Mode <command>"full-sibling"</command> and
<command>"local-sibling"</command> disable sibling glue
checks but are otherwise the same as <command>"full"</command>
and <command>"local"</command> respectively.
</para>
<para>
Mode <command>"none"</command> disables the checks.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the zone file.
Possible formats are <command>"text"</command> (default),
<command>"raw"</command>, and <command>"map"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-F <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the output file specified.
For <command>named-checkzone</command>,
this does not cause any effects unless it dumps the zone
contents.
</para>
<para>
Possible formats are <command>"text"</command> (default),
which is the standard textual representation of the zone,
and <command>"map"</command>, <command>"raw"</command>,
and <command>"raw=N"</command>, which store the zone in a
binary format for rapid loading by <command>named</command>.
<command>"raw=N"</command> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <command>named</command>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform <command>"check-names"</command> checks with the
specified failure mode.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<command>max-zone-ttl</command> option in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">serial</replaceable></term>
<listitem>
<para>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a MX record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
Write zone output to <filename>filename</filename>.
If <filename>filename</filename> is <filename>-</filename> then
write to standard out.
This is mandatory for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">style</replaceable></term>
<listitem>
<para>
Specify the style of the dumped zone file.
Possible styles are <command>"full"</command> (default)
and <command>"relative"</command>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <command>named-checkzone</command>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a SRV record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <command>"warn"</command>
(default), <command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
chdir to <filename>directory</filename> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Dump zone file in canonical format.
This is always enabled for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <command>"warn"</command> (default)
and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonename</term>
<listitem>
<para>
The domain name of the zone being checked.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the zone file.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkzone</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,429 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">named-checkzone</span>,
<span class="application">named-compilezone</span>
&#8212; zone file validity checking or converting tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-checkzone</code>
[<code class="option">-d</code>]
[<code class="option">-h</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{zonename}
{filename}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">named-compilezone</code>
[<code class="option">-d</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
{zonename}
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span class="command"><strong>named</strong></span> does when loading a
zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for
checking zone files before configuring them into a name server.
</p>
<p>
<span class="command"><strong>named-compilezone</strong></span> is similar to
<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <span class="command"><strong>named</strong></span>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<span class="command"><strong>named</strong></span> configuration file.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-d</span></dt>
<dd>
<p>
Enable debugging.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the usage summary and exit.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode - exit code only.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkzone</strong></span>
program and exit.
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd>
<p>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <code class="filename">.jnl</code>.
</p>
</dd>
<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specify the class of the zone. If not specified, "IN" is assumed.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform post-load zone integrity checks. Possible modes are
<span class="command"><strong>"full"</strong></span> (default),
<span class="command"><strong>"full-sibling"</strong></span>,
<span class="command"><strong>"local"</strong></span>,
<span class="command"><strong>"local-sibling"</strong></span> and
<span class="command"><strong>"none"</strong></span>.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks MX records which refer to in-zone hostnames.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks SRV records which refer to in-zone hostnames.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</p>
<p>
Mode <span class="command"><strong>"full-sibling"</strong></span> and
<span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
and <span class="command"><strong>"local"</strong></span> respectively.
</p>
<p>
Mode <span class="command"><strong>"none"</strong></span> disables the checks.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
Specify the format of the zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
</p>
</dd>
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
Specify the format of the output file specified.
For <span class="command"><strong>named-checkzone</strong></span>,
this does not cause any effects unless it dumps the zone
contents.
</p>
<p>
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone,
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
binary format for rapid loading by <span class="command"><strong>named</strong></span>.
<span class="command"><strong>"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform <span class="command"><strong>"check-names"</strong></span> checks with the
specified failure mode.
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<span class="command"><strong>max-zone-ttl</strong></span> option in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd>
<p>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if a MX record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Write zone output to <code class="filename">filename</code>.
If <code class="filename">filename</code> is <code class="filename">-</code> then
write to standard out.
This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd>
<p>
Specify the style of the dumped zone file.
Possible styles are <span class="command"><strong>"full"</strong></span> (default)
and <span class="command"><strong>"relative"</strong></span>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <span class="command"><strong>named-checkzone</strong></span>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if a SRV record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <span class="command"><strong>"warn"</strong></span>
(default), <span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
chdir to <code class="filename">directory</code> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd>
<p>
Dump zone file in canonical format.
This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">zonename</span></dt>
<dd>
<p>
The domain name of the zone being checked.
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd>
<p>
The name of the zone file.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>(8)
</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,215 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_named-checkzone:
named-checkzone, named-compilezone - zone file validity checking or converting tool
-----------------------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
Description
~~~~~~~~~~~
``named-checkzone`` checks the syntax and integrity of a zone file. It
performs the same checks as ``named`` does when loading a zone. This
makes ``named-checkzone`` useful for checking zone files before
configuring them into a name server.
``named-compilezone`` is similar to ``named-checkzone``, but it always
dumps the zone contents to a specified file in a specified format.
It also applies stricter check levels by default, since the
dump output is used as an actual zone file loaded by ``named``.
When manually specified otherwise, the check levels must at least be as
strict as those specified in the ``named`` configuration file.
Options
~~~~~~~
``-d``
This option enables debugging.
``-h``
This option prints the usage summary and exits.
``-q``
This option sets quiet mode, which only sets an exit code to indicate
successful or failed completion.
``-v``
This option prints the version of the ``named-checkzone`` program and exits.
``-j``
When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
file name is assumed to be the zone file name with the
string ``.jnl`` appended.
``-J filename``
When loading the zone file, this option tells ``named`` to read the journal from the given file, if
it exists. This implies ``-j``.
``-c class``
This option specifies the class of the zone. If not specified, ``IN`` is assumed.
``-i mode``
This option performs post-load zone integrity checks. Possible modes are
``full`` (the default), ``full-sibling``, ``local``,
``local-sibling``, and ``none``.
Mode ``full`` checks that MX records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks MX records which refer to in-zone hostnames.
Mode ``full`` checks that SRV records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks SRV records which refer to in-zone hostnames.
Mode ``full`` checks that delegation NS records refer to A or AAAA
records (both in-zone and out-of-zone hostnames). It also checks that
glue address records in the zone match those advertised by the child.
Mode ``local`` only checks NS records which refer to in-zone
hostnames or verifies that some required glue exists, i.e., when the
name server is in a child zone.
Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
checks, but are otherwise the same as ``full`` and ``local``,
respectively.
Mode ``none`` disables the checks.
``-f format``
This option specifies the format of the zone file. Possible formats are ``text``
(the default), ``raw``, and ``map``.
``-F format``
This option specifies the format of the output file specified. For
``named-checkzone``, this does not have any effect unless it dumps
the zone contents.
Possible formats are ``text`` (the default), which is the standard
textual representation of the zone, and ``map``, ``raw``, and
``raw=N``, which store the zone in a binary format for rapid
loading by ``named``. ``raw=N`` specifies the format version of the
raw zone file: if ``N`` is 0, the raw file can be read by any version of
``named``; if N is 1, the file can only be read by release 9.9.0 or
higher. The default is 1.
``-k mode``
This option performs ``check-names`` checks with the specified failure mode.
Possible modes are ``fail`` (the default for ``named-compilezone``),
``warn`` (the default for ``named-checkzone``), and ``ignore``.
``-l ttl``
This option sets a maximum permissible TTL for the input file. Any record with a
TTL higher than this value causes the zone to be rejected. This
is similar to using the ``max-zone-ttl`` option in ``named.conf``.
``-L serial``
When compiling a zone to ``raw`` or ``map`` format, this option sets the "source
serial" value in the header to the specified serial number. This is
expected to be used primarily for testing purposes.
``-m mode``
This option specifies whether MX records should be checked to see if they are
addresses. Possible modes are ``fail``, ``warn`` (the default), and
``ignore``.
``-M mode``
This option checks whether a MX record refers to a CNAME. Possible modes are
``fail``, ``warn`` (the default), and ``ignore``.
``-n mode``
This option specifies whether NS records should be checked to see if they are
addresses. Possible modes are ``fail`` (the default for
``named-compilezone``), ``warn`` (the default for ``named-checkzone``),
and ``ignore``.
``-o filename``
This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
the zone output is written to standard output. This is mandatory for ``named-compilezone``.
``-r mode``
This option checks for records that are treated as different by DNSSEC but are
semantically equal in plain DNS. Possible modes are ``fail``,
``warn`` (the default), and ``ignore``.
``-s style``
This option specifies the style of the dumped zone file. Possible styles are
``full`` (the default) and ``relative``. The ``full`` format is most
suitable for processing automatically by a separate script.
The relative format is more human-readable and is thus
suitable for editing by hand. For ``named-checkzone``, this does not
have any effect unless it dumps the zone contents. It also does not
have any meaning if the output format is not text.
``-S mode``
This option checks whether an SRV record refers to a CNAME. Possible modes are
``fail``, ``warn`` (the default), and ``ignore``.
``-t directory``
This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
configuration file are processed as if run by a similarly chrooted
``named``.
``-T mode``
This option checks whether Sender Policy Framework (SPF) records exist and issues a
warning if an SPF-formatted TXT record is not also present. Possible
modes are ``warn`` (the default) and ``ignore``.
``-w directory``
This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
``$INCLUDE`` directives work. This is similar to the directory clause in
``named.conf``.
``-D``
This option dumps the zone file in canonical format. This is always enabled for
``named-compilezone``.
``-W mode``
This option specifies whether to check for non-terminal wildcards. Non-terminal
wildcards are almost always the result of a failure to understand the
wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn``
(the default) and ``ignore``.
``zonename``
This indicates the domain name of the zone being checked.
``filename``
This is the name of the zone file.
Return Values
~~~~~~~~~~~~~
``named-checkzone`` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference
Manual.

View File

@@ -77,7 +77,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -108,7 +108,7 @@
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
</ItemDefinitionGroup>
@@ -118,26 +118,6 @@
<ItemGroup>
<ClCompile Include="..\named-checkconf.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
<Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
<Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\bin\check\win32\checktool.vcxproj">
<Project>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -104,20 +104,6 @@
<OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
</Lib>
</ItemDefinitionGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
<Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -77,7 +77,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
@@ -114,7 +114,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<PostBuildEvent>
@@ -129,23 +129,6 @@ copy /Y named-checkzone.exe named-compilezone.exe
<ItemGroup>
<ClCompile Include="..\named-checkzone.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
<Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\bin\check\win32\checktool.vcxproj">
<Project>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -20,11 +20,11 @@ libconfgen_la_SOURCES = \
util.c \
unix/os.c
sbin_PROGRAMS = tsig-keygen rndc-confgen
sbin_PROGRAMS = rndc-confgen ddns-confgen
install-exec-hook:
ln -f $(DESTDIR)$(sbindir)/tsig-keygen \
$(DESTDIR)$(sbindir)/ddns-confgen
ln -f $(DESTDIR)$(sbindir)/ddns-confgen \
$(DESTDIR)$(sbindir)/tsig-confgen
uninstall-hook:
-rm -f $(DESTDIR)$(sbindir)/ddns-confgen
-rm -f $(DESTDIR)$(sbindir)/tsig-confgen

148
bin/confgen/ddns-confgen.8 Normal file
View File

@@ -0,0 +1,148 @@
.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: ddns-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-03-06
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DDNS\-CONFGEN" "8" "2014\-03\-06" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ddns-confgen \- ddns key generation tool
.SH "SYNOPSIS"
.HP \w'\fBtsig\-keygen\fR\ 'u
\fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [name]
.HP \w'\fBddns\-confgen\fR\ 'u
\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
.SH "DESCRIPTION"
.PP
\fBtsig\-keygen\fR
and
\fBddns\-confgen\fR
are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
\fBrndc\fR
command channel\&.
.PP
When run as
\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
\fBtsig\-key\fR\&.
.PP
When run as
\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
\fBnsupdate\fR
and
\fBnamed\fR
when setting up dynamic DNS, including an example
\fBupdate\-policy\fR
statement\&. (This usage similar to the
\fBrndc\-confgen\fR
command for setting up command channel security\&.)
.PP
Note that
\fBnamed\fR
itself can configure a local DDNS key for use with
\fBnsupdate \-l\fR: it does this when a zone is configured with
\fBupdate\-policy local;\fR\&.
\fBddns\-confgen\fR
is only needed when a more elaborate configuration is required: for instance, if
\fBnsupdate\fR
is to be used from a remote system\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of options and arguments\&.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the DDNS authentication key\&. The default is
\fBddns\-key\fR
when neither the
\fB\-s\fR
nor
\fB\-z\fR
option is specified; otherwise, the default is
\fBddns\-key\fR
as a separate label followed by the argument of the option, e\&.g\&.,
\fBddns\-key\&.example\&.com\&.\fR
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
.RE
.PP
\-q
.RS 4
(\fBddns\-confgen\fR
only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
\fBtsig\-keygen\fR\&.
.RE
.PP
\-s \fIname\fR
.RS 4
(\fBddns\-confgen\fR
only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIname\fR
using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
\fB\-z\fR
option\&.
.RE
.PP
\-z \fIzone\fR
.RS 4
(\fBddns\-confgen\fR
only\&.) Generate configuration example to allow dynamic updates of a zone: The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIzone\fR
using the "zonesub" nametype, allowing updates to all subdomain names within that
\fIzone\fR\&. This option cannot be used with the
\fB\-s\fR
option\&.
.RE
.SH "SEE ALSO"
.PP
\fBnsupdate\fR(1),
\fBnamed.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -12,8 +12,9 @@
/*! \file */
/**
* tsig-keygen generates TSIG keys that can be used in named configuration
* files for dynamic DNS.
* ddns-confgen generates configuration files for dynamic DNS. It can
* be used as a convenient alternative to writing the ddns.key file
* and the corresponding key and update-policy statements in named.conf.
*/
#include <stdarg.h>

View File

@@ -0,0 +1,213 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
<info>
<date>2014-03-06</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>ddns-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>ddns-confgen</application></refname>
<refpurpose>ddns key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>tsig-keygen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat">name</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>ddns-confgen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
</group>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>tsig-keygen</command> and <command>ddns-confgen</command>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<command>rndc</command> command channel.
</para>
<para>
When run as <command>tsig-keygen</command>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <constant>tsig-key</constant>.
</para>
<para>
When run as <command>ddns-confgen</command>, the generated
key is accompanied by configuration text and instructions
that can be used with <command>nsupdate</command> and
<command>named</command> when setting up dynamic DNS,
including an example <command>update-policy</command>
statement. (This usage similar to the
<command>rndc-confgen</command> command for setting
up command channel security.)
</para>
<para>
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>:
it does this when a zone is configured with
<command>update-policy local;</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance,
if <command>nsupdate</command> is to be used from a remote
system.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of options and arguments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the DDNS authentication key.
The default is <constant>ddns-key</constant> when neither
the <option>-s</option> nor <option>-z</option> option is
specified; otherwise, the default
is <constant>ddns-key</constant> as a separate label
followed by the argument of the option, e.g.,
<constant>ddns-key.example.com.</constant>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
(<command>ddns-confgen</command> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <command>tsig-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <command>named.conf</command>
text shows how to set an update policy for the specified
<replaceable class="parameter">name</replaceable>
using the "name" nametype. The default key name is
ddns-key.<replaceable class="parameter">name</replaceable>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <option>-z</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z <replaceable class="parameter">zone</replaceable></term>
<listitem>
<para>
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">zone</replaceable>
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<replaceable class="parameter">zone</replaceable>.
This option cannot be used with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,187 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">ddns-confgen</span>
&#8212; ddns key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">tsig-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[name]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">ddns-confgen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[
-s <em class="replaceable"><code>name</code></em>
| -z <em class="replaceable"><code>zone</code></em>
]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<span class="command"><strong>rndc</strong></span> command channel.
</p>
<p>
When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <code class="constant">tsig-key</code>.
</p>
<p>
When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
key is accompanied by configuration text and instructions
that can be used with <span class="command"><strong>nsupdate</strong></span> and
<span class="command"><strong>named</strong></span> when setting up dynamic DNS,
including an example <span class="command"><strong>update-policy</strong></span>
statement. (This usage similar to the
<span class="command"><strong>rndc-confgen</strong></span> command for setting
up command channel security.)
</p>
<p>
Note that <span class="command"><strong>named</strong></span> itself can configure a
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with
<span class="command"><strong>update-policy local;</strong></span>.
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance,
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of options and arguments.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd>
<p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code> when neither
the <code class="option">-s</code> nor <code class="option">-z</code> option is
specified; otherwise, the default
is <code class="constant">ddns-key</code> as a separate label
followed by the argument of the option, e.g.,
<code class="constant">ddns-key.example.com.</code>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <span class="command"><strong>named.conf</strong></span>
text shows how to set an update policy for the specified
<em class="replaceable"><code>name</code></em>
using the "name" nametype. The default key name is
ddns-key.<em class="replaceable"><code>name</code></em>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <code class="option">-z</code> option.
</p>
</dd>
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <span class="command"><strong>named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>zone</code></em>
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<em class="replaceable"><code>zone</code></em>.
This option cannot be used with the <code class="option">-s</code> option.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -198,4 +198,5 @@ write_key_file(const char *keyfile, const char *user, const char *keyname,
if (fclose(fd)) {
fatal("fclose(%s) failed\n", keyfile);
}
fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
}

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

210
bin/confgen/rndc-confgen.8 Normal file
View File

@@ -0,0 +1,210 @@
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: rndc-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2013-03-14
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "RNDC\-CONFGEN" "8" "2013\-03\-14" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
rndc-confgen \- rndc key generation tool
.SH "SYNOPSIS"
.HP \w'\fBrndc\-confgen\fR\ 'u
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-A\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
.SH "DESCRIPTION"
.PP
\fBrndc\-confgen\fR
generates configuration files for
\fBrndc\fR\&. It can be used as a convenient alternative to writing the
rndc\&.conf
file and the corresponding
\fBcontrols\fR
and
\fBkey\fR
statements in
named\&.conf
by hand\&. Alternatively, it can be run with the
\fB\-a\fR
option to set up a
rndc\&.key
file and avoid the need for a
rndc\&.conf
file and a
\fBcontrols\fR
statement altogether\&.
.SH "OPTIONS"
.PP
\-a
.RS 4
Do automatic
\fBrndc\fR
configuration\&. This creates a file
rndc\&.key
in
/etc
(or whatever
\fIsysconfdir\fR
was specified as when
BIND
was built) that is read by both
\fBrndc\fR
and
\fBnamed\fR
on startup\&. The
rndc\&.key
file defines a default command channel and authentication key allowing
\fBrndc\fR
to communicate with
\fBnamed\fR
on the local host with no further configuration\&.
.sp
Running
\fBrndc\-confgen \-a\fR
allows BIND 9 and
\fBrndc\fR
to be used as drop\-in replacements for BIND 8 and
\fBndc\fR, with no changes to the existing BIND 8
named\&.conf
file\&.
.sp
If a more elaborate configuration than that generated by
\fBrndc\-confgen \-a\fR
is required, for example if rndc is to be used remotely, you should run
\fBrndc\-confgen\fR
without the
\fB\-a\fR
option and set up a
rndc\&.conf
and
named\&.conf
as directed\&.
.RE
.PP
\-A \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is the hash size\&.
.RE
.PP
\-c \fIkeyfile\fR
.RS 4
Used with the
\fB\-a\fR
option to specify an alternate location for
rndc\&.key\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBrndc\-confgen\fR\&.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is
\fBrndc\-key\fR\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Specifies the command channel port where
\fBnamed\fR
listens for connections from
\fBrndc\fR\&. The default is 953\&.
.RE
.PP
\-s \fIaddress\fR
.RS 4
Specifies the IP address where
\fBnamed\fR
listens for command channel connections from
\fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
.RE
.PP
\-t \fIchrootdir\fR
.RS 4
Used with the
\fB\-a\fR
option to specify a directory where
\fBnamed\fR
will run chrooted\&. An additional copy of the
rndc\&.key
will be written relative to this directory so that it will be found by the chrooted
\fBnamed\fR\&.
.RE
.PP
\-u \fIuser\fR
.RS 4
Used with the
\fB\-a\fR
option to set the owner of the
rndc\&.key
file generated\&. If
\fB\-t\fR
is also specified only the file in the chroot area has its owner changed\&.
.RE
.SH "EXAMPLES"
.PP
To allow
\fBrndc\fR
to be used with no manual configuration, run
.PP
\fBrndc\-confgen \-a\fR
.PP
To print a sample
rndc\&.conf
file and corresponding
\fBcontrols\fR
and
\fBkey\fR
statements to be manually inserted into
named\&.conf, run
.PP
\fBrndc\-confgen\fR
.SH "SEE ALSO"
.PP
\fBrndc\fR(8),
\fBrndc.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -76,7 +76,6 @@ Usage:\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-q: suppress printing written key path\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
@@ -105,7 +104,6 @@ main(int argc, char **argv) {
char *chrootdir = NULL;
char *user = NULL;
bool keyonly = false;
bool quiet = false;
int len;
keydef = keyfile = RNDC_KEYFILE;
@@ -166,9 +164,6 @@ main(int argc, char **argv) {
isc_commandline_argument);
}
break;
case 'q':
quiet = true;
break;
case 'r':
fatal("The -r option has been deprecated.");
break;
@@ -232,9 +227,6 @@ main(int argc, char **argv) {
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
keyname, &key_txtbuffer, alg);
if (!quiet) {
printf("wrote key file \"%s\"\n", keyfile);
}
if (chrootdir != NULL) {
char *buf;
@@ -244,9 +236,6 @@ main(int argc, char **argv) {
(*keyfile != '/') ? "/" : "", keyfile);
write_key_file(buf, user, keyname, &key_txtbuffer, alg);
if (!quiet) {
printf("wrote key file \"%s\"\n", buf);
}
isc_mem_put(mctx, buf, len);
}
} else {

View File

@@ -0,0 +1,271 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
<info>
<date>2013-03-14</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>rndc-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>rndc-confgen</application></refname>
<refpurpose>rndc key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2001</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>rndc-confgen</command>
<arg choice="opt" rep="norepeat"><option>-a</option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>rndc-confgen</command>
generates configuration files
for <command>rndc</command>. It can be used as a
convenient alternative to writing the
<filename>rndc.conf</filename> file
and the corresponding <command>controls</command>
and <command>key</command>
statements in <filename>named.conf</filename> by hand.
Alternatively, it can be run with the <command>-a</command>
option to set up a <filename>rndc.key</filename> file and
avoid the need for a <filename>rndc.conf</filename> file
and a <command>controls</command> statement altogether.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Do automatic <command>rndc</command> configuration.
This creates a file <filename>rndc.key</filename>
in <filename>/etc</filename> (or whatever
<varname>sysconfdir</varname>
was specified as when <acronym>BIND</acronym> was
built)
that is read by both <command>rndc</command>
and <command>named</command> on startup. The
<filename>rndc.key</filename> file defines a default
command channel and authentication key allowing
<command>rndc</command> to communicate with
<command>named</command> on the local host
with no further configuration.
</para>
<para>
Running <command>rndc-confgen -a</command> allows
BIND 9 and <command>rndc</command> to be used as
drop-in
replacements for BIND 8 and <command>ndc</command>,
with no changes to the existing BIND 8
<filename>named.conf</filename> file.
</para>
<para>
If a more elaborate configuration than that
generated by <command>rndc-confgen -a</command>
is required, for example if rndc is to be used remotely,
you should run <command>rndc-confgen</command> without
the
<command>-a</command> option and set up a
<filename>rndc.conf</filename> and
<filename>named.conf</filename>
as directed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">keyfile</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
an alternate location for <filename>rndc.key</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>rndc-confgen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <constant>rndc-key</constant>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Specifies the command channel port where <command>named</command>
listens for connections from <command>rndc</command>.
The default is 953.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">address</replaceable></term>
<listitem>
<para>
Specifies the IP address where <command>named</command>
listens for command channel connections from
<command>rndc</command>. The default is the loopback
address 127.0.0.1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">chrootdir</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
a directory where <command>named</command> will run
chrooted. An additional copy of the <filename>rndc.key</filename>
will be written relative to this directory so that
it will be found by the chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to set the
owner
of the <filename>rndc.key</filename> file generated.
If
<command>-t</command> is also specified only the file
in
the chroot area has its owner changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
<para>
To allow <command>rndc</command> to be used with
no manual configuration, run
</para>
<para><userinput>rndc-confgen -a</userinput>
</para>
<para>
To print a sample <filename>rndc.conf</filename> file and
corresponding <command>controls</command> and <command>key</command>
statements to be manually inserted into <filename>named.conf</filename>,
run
</para>
<para><userinput>rndc-confgen</userinput>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,226 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">rndc-confgen</span>
&#8212; rndc key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">rndc-confgen</code>
[<code class="option">-a</code>]
[<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc-confgen</strong></span>
generates configuration files
for <span class="command"><strong>rndc</strong></span>. It can be used as a
convenient alternative to writing the
<code class="filename">rndc.conf</code> file
and the corresponding <span class="command"><strong>controls</strong></span>
and <span class="command"><strong>key</strong></span>
statements in <code class="filename">named.conf</code> by hand.
Alternatively, it can be run with the <span class="command"><strong>-a</strong></span>
option to set up a <code class="filename">rndc.key</code> file and
avoid the need for a <code class="filename">rndc.conf</code> file
and a <span class="command"><strong>controls</strong></span> statement altogether.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
<p>
Do automatic <span class="command"><strong>rndc</strong></span> configuration.
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
<code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was
built)
that is read by both <span class="command"><strong>rndc</strong></span>
and <span class="command"><strong>named</strong></span> on startup. The
<code class="filename">rndc.key</code> file defines a default
command channel and authentication key allowing
<span class="command"><strong>rndc</strong></span> to communicate with
<span class="command"><strong>named</strong></span> on the local host
with no further configuration.
</p>
<p>
Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
drop-in
replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>,
with no changes to the existing BIND 8
<code class="filename">named.conf</code> file.
</p>
<p>
If a more elaborate configuration than that
generated by <span class="command"><strong>rndc-confgen -a</strong></span>
is required, for example if rndc is to be used remotely,
you should run <span class="command"><strong>rndc-confgen</strong></span> without
the
<span class="command"><strong>-a</strong></span> option and set up a
<code class="filename">rndc.conf</code> and
<code class="filename">named.conf</code>
as directed.
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
an alternate location for <code class="filename">rndc.key</code>.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>rndc-confgen</strong></span>.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd>
<p>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <code class="constant">rndc-key</code>.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Specifies the command channel port where <span class="command"><strong>named</strong></span>
listens for connections from <span class="command"><strong>rndc</strong></span>.
The default is 953.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
<dd>
<p>
Specifies the IP address where <span class="command"><strong>named</strong></span>
listens for command channel connections from
<span class="command"><strong>rndc</strong></span>. The default is the loopback
address 127.0.0.1.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
a directory where <span class="command"><strong>named</strong></span> will run
chrooted. An additional copy of the <code class="filename">rndc.key</code>
will be written relative to this directory so that
it will be found by the chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to set the
owner
of the <code class="filename">rndc.key</code> file generated.
If
<span class="command"><strong>-t</strong></span> is also specified only the file
in
the chroot area has its owner changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLES</h2>
<p>
To allow <span class="command"><strong>rndc</strong></span> to be used with
no manual configuration, run
</p>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
</p>
<p>
To print a sample <code class="filename">rndc.conf</code> file and
corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
statements to be manually inserted into <code class="filename">named.conf</code>,
run
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,119 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_rndc-confgen:
rndc-confgen - rndc key generation tool
---------------------------------------
Synopsis
~~~~~~~~
:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
Description
~~~~~~~~~~~
``rndc-confgen`` generates configuration files for ``rndc``. It can be
used as a convenient alternative to writing the ``rndc.conf`` file and
the corresponding ``controls`` and ``key`` statements in ``named.conf``
by hand. Alternatively, it can be run with the ``-a`` option to set up a
``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
``controls`` statement altogether.
Options
~~~~~~~
``-a``
This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
in ``/etc`` (or a different ``sysconfdir`` specified when BIND
was built) that is read by both ``rndc`` and ``named`` on startup.
The ``rndc.key`` file defines a default command channel and
authentication key allowing ``rndc`` to communicate with ``named`` on
the local host with no further configuration.
If a more elaborate configuration than that generated by
``rndc-confgen -a`` is required, for example if rndc is to be used
remotely, run ``rndc-confgen`` without the ``-a`` option
and set up ``rndc.conf`` and ``named.conf`` as directed.
``-A algorithm``
This option specifies the algorithm to use for the TSIG key. Available choices
are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
hmac-sha512. The default is hmac-sha256.
``-b keysize``
This option specifies the size of the authentication key in bits. The size must be between
1 and 512 bits; the default is the hash size.
``-c keyfile``
This option is used with the ``-a`` option to specify an alternate location for
``rndc.key``.
``-h``
This option prints a short summary of the options and arguments to
``rndc-confgen``.
``-k keyname``
This option specifies the key name of the ``rndc`` authentication key. This must be a
valid domain name. The default is ``rndc-key``.
``-p port``
This option specifies the command channel port where ``named`` listens for
connections from ``rndc``. The default is 953.
``-q``
This option prevets printing the written path in automatic configuration mode.
``-s address``
This option specifies the IP address where ``named`` listens for command-channel
connections from ``rndc``. The default is the loopback address
127.0.0.1.
``-t chrootdir``
This option is used with the ``-a`` option to specify a directory where ``named``
runs chrooted. An additional copy of the ``rndc.key`` is
written relative to this directory, so that it is found by the
chrooted ``named``.
``-u user``
This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file.
If ``-t`` is also specified, only the file in the chroot
area has its owner changed.
Examples
~~~~~~~~
To allow ``rndc`` to be used with no manual configuration, run:
``rndc-confgen -a``
To print a sample ``rndc.conf`` file and the corresponding ``controls`` and
``key`` statements to be manually inserted into ``named.conf``, run:
``rndc-confgen``
See Also
~~~~~~~~
:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

View File

@@ -1,101 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
tsig-keygen, ddns-confgen - TSIG key generation tool
----------------------------------------------------
Synopsis
~~~~~~~~
:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name]
:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
Description
~~~~~~~~~~~
``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
utility that generates keys for use in TSIG signing. The resulting keys
can be used, for example, to secure dynamic DNS updates to a zone, or for
the ``rndc`` command channel.
When run as ``tsig-keygen``, a domain name can be specified on the
command line to be used as the name of the generated key. If no
name is specified, the default is ``tsig-key``.
When run as ``ddns-confgen``, the key name can specified using ``-k``
parameter and defaults to ``ddns-key``. The generated key is accompanied
by configuration text and instructions that can be used with ``nsupdate``
and ``named`` when setting up dynamic DNS, including an example
``update-policy`` statement. (This usage is similar to the ``rndc-confgen``
command for setting up command-channel security.)
Note that ``named`` itself can configure a local DDNS key for use with
``nsupdate -l``; it does this when a zone is configured with
``update-policy local;``. ``ddns-confgen`` is only needed when a more
elaborate configuration is required: for instance, if ``nsupdate`` is to
be used from a remote system.
Options
~~~~~~~
``-a algorithm``
This option specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
and hmac-sha512. The default is hmac-sha256. Options are
case-insensitive, and the "hmac-" prefix may be omitted.
``-h``
This option prints a short summary of options and arguments.
``-k keyname``
This option specifies the key name of the DDNS authentication key. The
default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is
specified; otherwise, the default is ``ddns-key`` as a separate label
followed by the argument of the option, e.g., ``ddns-key.example.com.``
The key name must have the format of a valid domain name, consisting of
letters, digits, hyphens, and periods.
``-q`` (``ddns-confgen`` only)
This option enables quiet mode, which prints only the key, with no
explanatory text or usage examples. This is essentially identical to
``tsig-keygen``.
``-s name`` (``ddns-confgen`` only)
This option generates a configuration example to allow dynamic updates
of a single hostname. The example ``named.conf`` text shows how to set
an update policy for the specified name using the "name" nametype. The
default key name is ``ddns-key.name``. Note that the "self" nametype
cannot be used, since the name to be updated may differ from the key
name. This option cannot be used with the ``-z`` option.
``-z zone`` (``ddns-confgen`` only)
This option generates a configuration example to allow
dynamic updates of a zone. The example ``named.conf`` text shows how
to set an update policy for the specified zone using the "zonesub"
nametype, allowing updates to all subdomain names within that zone.
This option cannot be used with the ``-s`` option.
See Also
~~~~~~~~
:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -30,7 +30,7 @@ notify(const char *fmt, ...) {
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
fprintf(stderr, "\n");
fputs("\n", stderr);
}
}

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -114,14 +114,6 @@
<ClCompile Include="..\util.c" />
<ClCompile Include="os.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -11,8 +11,8 @@
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\tsig-keygen.c">
<ClCompile Include="..\ddns-confgen.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>
</Project>

View File

@@ -13,7 +13,7 @@
<PropertyGroup Label="Globals">
<ProjectGuid>{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>tsigkeygen</RootNamespace>
<RootNamespace>ddnsconfgen</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
@@ -45,14 +45,14 @@
<OutDir>..\..\..\Build\$(Configuration)\</OutDir>
<IntDir>.\$(Configuration)\</IntDir>
<IntDirSharingDetected>None</IntDirSharingDetected>
<TargetName>tsig-keygen</TargetName>
<TargetName>ddns-confgen</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
<LinkIncremental>false</LinkIncremental>
<OutDir>..\..\..\Build\$(Configuration)\</OutDir>
<IntDir>.\$(Configuration)\</IntDir>
<IntDirSharingDetected>None</IntDirSharingDetected>
<TargetName>tsig-keygen</TargetName>
<TargetName>ddns-confgen</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
<ClCompile>
@@ -69,20 +69,20 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
copy /Y tsig-keygen.exe ddns-confgen.exe
copy /Y tsig-keygen.ilk ddns-confgen.ilk
copy /Y ddns-confgen.exe tsig-keygen.exe
copy /Y ddns-confgen.ilk tsig-keygen.ilk
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
@@ -104,7 +104,7 @@ copy /Y tsig-keygen.ilk ddns-confgen.ilk
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
@@ -114,28 +114,17 @@ copy /Y tsig-keygen.ilk ddns-confgen.ilk
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
copy /Y tsig-keygen.exe ddns-confgen.exe
copy /Y ddns-confgen.exe tsig-keygen.exe
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\tsig-keygen.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\bin\confgen\win32\confgentool.vcxproj">
<Project>{64964B03-4815-41F0-9057-E766A94AF197}</Project>
</ProjectReference>
<ClCompile Include="..\ddns-confgen.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">

View File

@@ -1,3 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
</Project>
</Project>

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -69,15 +69,15 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -98,7 +98,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
@@ -108,24 +108,13 @@
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\rndc-confgen.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\bin\confgen\win32\confgentool.vcxproj">
<Project>{64964B03-4815-41F0-9057-E766A94AF197}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

437
bin/delv/delv.1 Normal file
View File

@@ -0,0 +1,437 @@
.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: delv
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-04-23
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DELV" "1" "2014\-04\-23" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
delv \- DNS lookup and validation utility
.SH "SYNOPSIS"
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [@server] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-h\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-v\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdelv\fR
is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy\&.
.PP
Unless it is told to query a specific name server,
\fBdelv\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.PP
When no command line arguments or options are given,
\fBdelv\fR
will perform an NS query for "\&." (the root zone)\&.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdelv\fR
looks like:
.sp
.if n \{\
.RS 4
.\}
.nf
delv @server name type
.fi
.if n \{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdelv\fR
resolves that name before querying that name server (note, however, that this initial lookup is
\fInot\fR
validated by DNSSEC)\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdelv\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.RE
.PP
\fBname\fR
.RS 4
is the domain name to be looked up\&.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdelv\fR
will perform a lookup for an A record\&.
.RE
.SH "OPTIONS"
.PP
\-a \fIanchor\-file\fR
.RS 4
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBtrust\-anchors\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
\fBdelv\fR
as if it had been configured as a
\fBstatic\-key\fR\&.
\fBdelv\fR
does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
/etc/bind\&.keys
to use DNSSEC validation in
\fBdelv\fR\&.
.RE
.PP
\-b \fIaddress\fR
.RS 4
Sets the source IP address of the query to
\fIaddress\fR\&. This must be a valid address on one of the host\*(Aqs network interfaces or "0\&.0\&.0\&.0" or "::"\&. An optional source port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS 4
Sets the query class for the requested data\&. Currently, only class "IN" is supported in
\fBdelv\fR
and any other value is ignored\&.
.RE
.PP
\-d \fIlevel\fR
.RS 4
Set the systemwide debug level to
\fBlevel\fR\&. The allowed range is from 0 to 99\&. The default is 0 (no debugging)\&. Debugging traces from
\fBdelv\fR
become more verbose as the debug level increases\&. See the
\fB+mtrace\fR,
\fB+rtrace\fR, and
\fB+vtrace\fR
options below for additional debugging details\&.
.RE
.PP
\-h
.RS 4
Display the
\fBdelv\fR
help usage output and exit\&.
.RE
.PP
\-i
.RS 4
Insecure mode\&. This disables internal DNSSEC validation\&. (Note, however, this does not set the CD bit on upstream queries\&. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
\fBdelv\fR
to time out\&. When it is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fR\&.)
.RE
.PP
\-m
.RS 4
Enables memory usage debugging\&.
.RE
.PP
\-p \fIport#\fR
.RS 4
Specifies a destination port to use for queries instead of the standard DNS port number 53\&. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS 4
Sets the query name to
\fIname\fR\&. While the query name can be specified without using the
\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH)\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Sets the query type to
\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR\&. As with
\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous\&. it is sometimes necessary to disambiguate names from types\&.
.sp
The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup, in which case it is "PTR"\&.
.RE
.PP
\-v
.RS 4
Print the
\fBdelv\fR
version and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS 4
Performs a reverse lookup, mapping an addresses to a name\&.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR
or
\fItype\fR
arguments\&.
\fBdelv\fR
automatically performs a lookup for a name like
11\&.12\&.13\&.10\&.in\-addr\&.arpa
and sets the query type to PTR\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-4
.RS 4
Forces
\fBdelv\fR
to only use IPv4\&.
.RE
.PP
\-6
.RS 4
Forces
\fBdelv\fR
to only use IPv6\&.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdelv\fR
provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. The query options are:
.PP
\fB+[no]cdflag\fR
.RS 4
Controls whether to set the CD (checking disabled) bit in queries sent by
\fBdelv\fR\&. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver\&. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis\&. Setting the CD flag on queries will cause the resolver to return invalid responses, which
\fBdelv\fR
can then validate internally and report the errors in detail\&.
.RE
.PP
\fB+[no]class\fR
.RS 4
Controls whether to display the CLASS when printing a record\&. The default is to display the CLASS\&.
.RE
.PP
\fB+[no]ttl\fR
.RS 4
Controls whether to display the TTL when printing a record\&. The default is to display the TTL\&.
.RE
.PP
\fB+[no]rtrace\fR
.RS 4
Toggle resolver fetch logging\&. This reports the name and type of each query sent by
\fBdelv\fR
in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation\&.
.sp
This is equivalent to setting the debug level to 1 in the "resolver" logging category\&. Setting the systemwide debug level to 1 using the
\fB\-d\fR
option will product the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]mtrace\fR
.RS 4
Toggle message logging\&. This produces a detailed dump of the responses received by
\fBdelv\fR
in the process of carrying out the resolution and validation process\&.
.sp
This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category\&. Setting the systemwide debug level to 10 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]vtrace\fR
.RS 4
Toggle validation logging\&. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid\&.
.sp
This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category\&. Setting the systemwide debug level to 3 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is to print per\-record comments\&.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]trust\fR
.RS 4
Controls whether to display the trust level when printing a record\&. The default is to display the trust level\&.
.RE
.PP
\fB+[no]split[=W]\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear the display options
\fB+[no]comments\fR,
\fB+[no]rrcomments\fR, and
\fB+[no]trust\fR
as a group\&.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdelv\fR
output\&.
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Indicates whether to display RRSIG records in the
\fBdelv\fR
output\&. The default is to do so\&. Note that (unlike in
\fBdig\fR) this does
\fInot\fR
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR\&.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS 4
Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS 4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
.PP
\fB+[no]yaml\fR
.RS 4
Print response data in YAML format\&.
.RE
.SH "FILES"
.PP
/etc/bind\&.keys
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8),
RFC4034,
RFC4035,
RFC4431,
RFC5074,
RFC5155\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -72,6 +72,7 @@
#include <isccfg/log.h>
#include <isccfg/namedconf.h>
#include <irs/netdb.h>
#include <irs/resconf.h>
#define CHECK(r) \
@@ -135,83 +136,73 @@ parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
static void
usage(void) {
fprintf(stderr,
"Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] "
"[q-class]\n"
"Where: domain is in the Domain Name System\n"
" q-class is one of (in,hs,ch,...) [default: in]\n"
" q-type is one of "
"(a,any,mx,ns,soa,hinfo,axfr,txt,...) "
"[default:a]\n"
" q-opt is one of:\n"
" -4 (use IPv4 query "
"transport "
"only)\n"
" -6 (use IPv6 query "
"transport "
"only)\n"
" -a anchor-file (specify root trust "
"anchor)\n"
" -b address[#port] (bind to source "
"address/port)\n"
" -c class (option included for "
"compatibility;\n"
" -d level (set debugging level)\n"
" -h (print help and exit)\n"
" -i (disable DNSSEC "
"validation)\n"
" -m (enable memory usage "
"debugging)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
" -t type (specify query type)\n"
" only IN is supported)\n"
" -v (print version and "
"exit)\n"
" -x dot-notation (shortcut for reverse "
"lookups)\n"
" d-opt is of the form +keyword[=value], where "
"keyword "
"is:\n"
" +[no]all (Set or clear all "
"display "
"flags)\n"
" +[no]class (Control display of "
"class)\n"
" +[no]comments (Control display of "
"comment lines)\n"
" +[no]crypto (Control display of "
"cryptographic\n"
" fields in records)\n"
" +[no]dlv (Obsolete)\n"
" +[no]dnssec (Display DNSSEC "
"records)\n"
" +[no]mtrace (Trace messages "
"received)\n"
" +[no]multiline (Print records in an "
"expanded format)\n"
" +[no]root (DNSSEC validation trust "
"anchor)\n"
" +[no]rrcomments (Control display of "
"per-record "
"comments)\n"
" +[no]rtrace (Trace resolver "
"fetches)\n"
" +[no]short (Short form answer)\n"
" +[no]split=## (Split hex/base64 fields "
"into chunks)\n"
" +[no]tcp (TCP mode)\n"
" +[no]ttl (Control display of ttls "
"in records)\n"
" +[no]trust (Control display of "
"trust "
"level)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 "
"\"unknown\" format)\n"
" +[no]vtrace (Trace validation "
"process)\n"
" +[no]yaml (Present the results as "
"YAML)\n");
fputs("Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] "
"[q-class]\n"
"Where: domain is in the Domain Name System\n"
" q-class is one of (in,hs,ch,...) [default: in]\n"
" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) "
"[default:a]\n"
" q-opt is one of:\n"
" -4 (use IPv4 query transport "
"only)\n"
" -6 (use IPv6 query transport "
"only)\n"
" -a anchor-file (specify root trust "
"anchor)\n"
" -b address[#port] (bind to source "
"address/port)\n"
" -c class (option included for "
"compatibility;\n"
" -d level (set debugging level)\n"
" -h (print help and exit)\n"
" -i (disable DNSSEC "
"validation)\n"
" -m (enable memory usage "
"debugging)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
" -t type (specify query type)\n"
" only IN is supported)\n"
" -v (print version and exit)\n"
" -x dot-notation (shortcut for reverse "
"lookups)\n"
" d-opt is of the form +keyword[=value], where keyword "
"is:\n"
" +[no]all (Set or clear all display "
"flags)\n"
" +[no]class (Control display of "
"class)\n"
" +[no]comments (Control display of "
"comment lines)\n"
" +[no]crypto (Control display of "
"cryptographic\n"
" fields in records)\n"
" +[no]dlv (Obsolete)\n"
" +[no]dnssec (Display DNSSEC records)\n"
" +[no]mtrace (Trace messages received)\n"
" +[no]multiline (Print records in an "
"expanded format)\n"
" +[no]root (DNSSEC validation trust "
"anchor)\n"
" +[no]rrcomments (Control display of "
"per-record "
"comments)\n"
" +[no]rtrace (Trace resolver fetches)\n"
" +[no]short (Short form answer)\n"
" +[no]split=## (Split hex/base64 fields "
"into chunks)\n"
" +[no]tcp (TCP mode)\n"
" +[no]ttl (Control display of ttls "
"in records)\n"
" +[no]trust (Control display of trust "
"level)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 "
"\"unknown\" format)\n"
" +[no]vtrace (Trace validation "
"process)\n"
" +[no]yaml (Present the results as "
"YAML)\n",
stderr);
exit(1);
}
@@ -610,14 +601,11 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_name_t *keyname;
isc_result_t result;
bool match_root = false;
enum {
INITIAL_KEY,
STATIC_KEY,
INITIAL_DS,
STATIC_DS,
TRUSTED
} anchortype;
const cfg_obj_t *obj;
enum { INITIAL_KEY,
STATIC_KEY,
INITIAL_DS,
STATIC_DS,
TRUSTED } anchortype;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
@@ -650,30 +638,21 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
/* What type of trust anchor is this? */
obj = cfg_tuple_get(key, "anchortype");
if (cfg_obj_isvoid(obj)) {
/*
* "anchortype" is not defined, this must be a static-key
* configured with trusted-keys.
*/
atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
if (strcasecmp(atstr, "static-key") == 0) {
anchortype = STATIC_KEY;
} else if (strcasecmp(atstr, "static-ds") == 0) {
anchortype = STATIC_DS;
} else if (strcasecmp(atstr, "initial-key") == 0) {
anchortype = INITIAL_KEY;
} else if (strcasecmp(atstr, "initial-ds") == 0) {
anchortype = INITIAL_DS;
} else {
atstr = cfg_obj_asstring(obj);
if (strcasecmp(atstr, "static-key") == 0) {
anchortype = STATIC_KEY;
} else if (strcasecmp(atstr, "static-ds") == 0) {
anchortype = STATIC_DS;
} else if (strcasecmp(atstr, "initial-key") == 0) {
anchortype = INITIAL_KEY;
} else if (strcasecmp(atstr, "initial-ds") == 0) {
anchortype = INITIAL_DS;
} else {
delv_log(ISC_LOG_ERROR,
"key '%s': invalid initialization method '%s'",
keynamestr, atstr);
result = ISC_R_FAILURE;
goto cleanup;
}
delv_log(ISC_LOG_ERROR,
"key '%s': invalid initialization method '%s'",
keynamestr, atstr);
result = ISC_R_FAILURE;
goto cleanup;
}
isc_buffer_init(&databuf, data, sizeof(data));
@@ -1734,7 +1713,7 @@ main(int argc, char *argv[]) {
char namestr[DNS_NAME_FORMATSIZE];
dns_rdataset_t *rdataset;
dns_namelist_t namelist;
unsigned int resopt;
unsigned int resopt, clopt;
isc_appctx_t *actx = NULL;
isc_taskmgr_t *taskmgr = NULL;
isc_socketmgr_t *socketmgr = NULL;
@@ -1781,8 +1760,9 @@ main(int argc, char *argv[]) {
#endif /* ifndef WIN32 */
/* Create client */
result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr, 0,
&client, srcaddr4, srcaddr6);
clopt = DNS_CLIENTCREATEOPT_USECACHE;
result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
clopt, &client, srcaddr4, srcaddr6);
if (result != ISC_R_SUCCESS) {
delv_log(ISC_LOG_ERROR, "dns_client_create: %s",
isc_result_totext(result));

699
bin/delv/delv.docbook Normal file
View File

@@ -0,0 +1,699 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
<info>
<date>2014-04-23</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>delv</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>delv</refname>
<refpurpose>DNS lookup and validation utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat">@server</arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option></arg>
<arg choice="opt" rep="norepeat"><option>-m</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">type</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="repeat">queryopt</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="repeat">queryopt</arg>
<arg choice="opt" rep="repeat">query</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>delv</command>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <command>named</command>.
</para>
<para>
<command>delv</command> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
anchor for the root zone ("."). Records returned by
<command>delv</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <command>delv</command> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</para>
<para>
Unless it is told to query a specific name server,
<command>delv</command> will try each of the servers listed in
<filename>/etc/resolv.conf</filename>. If no usable server
addresses are found, <command>delv</command> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</para>
<para>
When no command line arguments or options are given,
<command>delv</command> will perform an NS query for "."
(the root zone).
</para>
</refsection>
<refsection><info><title>SIMPLE USAGE</title></info>
<para>
A typical invocation of <command>delv</command> looks like:
<programlisting> delv @server name type </programlisting>
where:
<variablelist>
<varlistentry>
<term><constant>server</constant></term>
<listitem>
<para>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<parameter>server</parameter> argument is a hostname,
<command>delv</command> resolves that name before
querying that name server (note, however, that this
initial lookup is <emphasis>not</emphasis> validated
by DNSSEC).
</para>
<para>
If no <parameter>server</parameter> argument is
provided, <command>delv</command> consults
<filename>/etc/resolv.conf</filename>; if an
address is found there, it queries the name server at
that address. If either of the <option>-4</option> or
<option>-6</option> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<command>delv</command> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>name</constant></term>
<listitem>
<para>
is the domain name to be looked up.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type</constant></term>
<listitem>
<para>
indicates what type of query is required &mdash;
ANY, A, MX, etc.
<parameter>type</parameter> can be any valid query
type. If no
<parameter>type</parameter> argument is supplied,
<command>delv</command> will perform a lookup for an
A record.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">anchor-file</replaceable></term>
<listitem>
<para>
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
one or more trust anchors for the root zone (".").
</para>
<para>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options.
</para>
<para>
Note: When reading the trust anchor file,
<command>delv</command> treats <option>trust-anchors</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <command>delv</command>
as if it had been configured as a <command>static-key</command>.
<command>delv</command> does not consult the managed keys
database maintained by <command>named</command>. This means
that if either of the keys in
<filename>/etc/bind.keys</filename> is revoked
and rolled over, it will be necessary to update
<filename>/etc/bind.keys</filename> to use DNSSEC
validation in <command>delv</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">address</replaceable></term>
<listitem>
<para>
Sets the source IP address of the query to
<parameter>address</parameter>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <command>delv</command>
and any other value is ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Set the systemwide debug level to <option>level</option>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <command>delv</command> become
more verbose as the debug level increases.
See the <option>+mtrace</option>, <option>+rtrace</option>,
and <option>+vtrace</option> options below for additional
debugging details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Display the <command>delv</command> help usage output and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <command>delv</command> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <command>dig +cd</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m</term>
<listitem>
<para>
Enables memory usage debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port#</replaceable></term>
<listitem>
<para>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
Sets the query name to <parameter>name</parameter>.
While the query name can be specified without using the
<option>-q</option>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Sets the query type to <parameter>type</parameter>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<option>-q</option>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</para>
<para>
The default query type is "A", unless the <option>-x</option>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the <command>delv</command> version and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x <replaceable class="parameter">addr</replaceable></term>
<listitem>
<para>
Performs a reverse lookup, mapping an addresses to
a name. <parameter>addr</parameter> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <option>-x</option> is used, there is no need to provide
the <parameter>name</parameter> or <parameter>type</parameter>
arguments. <command>delv</command> automatically performs a
lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Forces <command>delv</command> to only use IPv4.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Forces <command>delv</command> to only use IPv6.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>QUERY OPTIONS</title></info>
<para><command>delv</command>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</para>
<para>
Each query option is identified by a keyword preceded by a plus sign
(<literal>+</literal>). Some keywords set or reset an
option. These may be preceded by the string
<literal>no</literal> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <option>+keyword=value</option>.
The query options are:
<variablelist>
<varlistentry>
<term><option>+[no]cdflag</option></term>
<listitem>
<para>
Controls whether to set the CD (checking disabled) bit in
queries sent by <command>delv</command>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <command>delv</command> can then
validate internally and report the errors in detail.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]class</option></term>
<listitem>
<para>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]ttl</option></term>
<listitem>
<para>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rtrace</option></term>
<listitem>
<para>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <command>delv</command>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</para>
<para>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <option>-d</option> option will
product the same output (but will affect other logging
categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]mtrace</option></term>
<listitem>
<para>
Toggle message logging. This produces a detailed dump of
the responses received by <command>delv</command> in the
process of carrying out the resolution and validation process.
</para>
<para>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]vtrace</option></term>
<listitem>
<para>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</para>
<para>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]short</option></term>
<listitem>
<para>
Provide a terse answer. The default is to print the answer in a
verbose form.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]comments</option></term>
<listitem>
<para>
Toggle the display of comment lines in the output. The default
is to print comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rrcomments</option></term>
<listitem>
<para>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]crypto</option></term>
<listitem>
<para>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]trust</option></term>
<listitem>
<para>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]split[=W]</option></term>
<listitem>
<para>
Split long hex- or base64-formatted fields in resource
records into chunks of <parameter>W</parameter> characters
(where <parameter>W</parameter> is rounded up to the nearest
multiple of 4).
<parameter>+nosplit</parameter> or
<parameter>+split=0</parameter> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]all</option></term>
<listitem>
<para>
Set or clear the display options
<option>+[no]comments</option>,
<option>+[no]rrcomments</option>, and
<option>+[no]trust</option> as a group.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]multiline</option></term>
<listitem>
<para>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <command>delv</command>
output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]dnssec</option></term>
<listitem>
<para>
Indicates whether to display RRSIG records in the
<command>delv</command> output. The default is to
do so. Note that (unlike in <command>dig</command>)
this does <emphasis>not</emphasis> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<option>-i</option> or <option>+noroot</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]root[=ROOT]</option></term>
<listitem>
<para>
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <option>-a</option> must be used to specify a file
containing the key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]tcp</option></term>
<listitem>
<para>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]unknownformat</option></term>
<listitem>
<para>
Print all RDATA in unknown RR type presentation format
(RFC 3597). The default is to print RDATA for known types
in the type's presentation format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]yaml</option></term>
<listitem>
<para>
Print response data in YAML format.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/bind.keys</filename></para>
<para><filename>/etc/resolv.conf</filename></para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC4034</citetitle>,
<citetitle>RFC4035</citetitle>,
<citetitle>RFC4431</citetitle>,
<citetitle>RFC5074</citetitle>,
<citetitle>RFC5155</citetitle>.
</para>
</refsection>
</refentry>

588
bin/delv/delv.html Normal file
View File

@@ -0,0 +1,588 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.delv"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
delv
&#8212; DNS lookup and validation utility
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[@server]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-i</code>]
[<code class="option">-m</code>]
[<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
[<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
[name]
[type]
[class]
[queryopt...]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-h</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-v</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[queryopt...]
[query...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>delv</strong></span>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <span class="command"><strong>named</strong></span>.
</p>
<p>
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchor for the root zone ("."). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span class="command"><strong>delv</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</p>
<p>
Unless it is told to query a specific name server,
<span class="command"><strong>delv</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span class="command"><strong>delv</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</p>
<p>
When no command line arguments or options are given,
<span class="command"><strong>delv</strong></span> will perform an NS query for "."
(the root zone).
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
</p>
<pre class="programlisting"> delv @server name type </pre>
<p>
where:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span class="command"><strong>delv</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span class="command"><strong>delv</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span class="command"><strong>delv</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd>
<p>
is the domain name to be looked up.
</p>
</dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd>
<p>
indicates what type of query is required &#8212;
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span class="command"><strong>delv</strong></span> will perform a lookup for an
A record.
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
<p>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
one or more trust anchors for the root zone (".").
</p>
<p>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<code class="option">+root=NAME</code> options.
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
<span class="command"><strong>delv</strong></span> does not consult the managed keys
database maintained by <span class="command"><strong>named</strong></span>. This means
that if either of the keys in
<code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
<dd>
<p>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span class="command"><strong>delv</strong></span>
and any other value is ignored.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Set the systemwide debug level to <code class="option">level</code>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <span class="command"><strong>delv</strong></span> become
more verbose as the debug level increases.
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
and <code class="option">+vtrace</code> options below for additional
debugging details.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <span class="command"><strong>delv</strong></span> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <span class="command"><strong>dig +cd</strong></span>.)
</p>
</dd>
<dt><span class="term">-m</span></dt>
<dd>
<p>
Enables memory usage debugging.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd>
<p>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</p>
</dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
Sets the query name to <em class="parameter"><code>name</code></em>.
While the query name can be specified without using the
<code class="option">-q</code>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Sets the query type to <em class="parameter"><code>type</code></em>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<code class="option">-q</code>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</p>
<p>
The default query type is "A", unless the <code class="option">-x</code>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the <span class="command"><strong>delv</strong></span> version and exit.
</p>
</dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd>
<p>
Performs a reverse lookup, mapping an addresses to
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <code class="option">-x</code> is used, there is no need to provide
the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
arguments. <span class="command"><strong>delv</strong></span> automatically performs a
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</p>
</dd>
<dt><span class="term">-4</span></dt>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
<p><span class="command"><strong>delv</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded by the string
<code class="literal">no</code> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <code class="option">+keyword=value</code>.
The query options are:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd>
<p>
Controls whether to set the CD (checking disabled) bit in
queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <span class="command"><strong>delv</strong></span> can then
validate internally and report the errors in detail.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd>
<p>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd>
<p>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <span class="command"><strong>delv</strong></span>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</p>
<p>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <code class="option">-d</code> option will
product the same output (but will affect other logging
categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
Toggle message logging. This produces a detailed dump of
the responses received by <span class="command"><strong>delv</strong></span> in the
process of carrying out the resolution and validation process.
</p>
<p>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</p>
<p>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd>
<p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
<p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd>
<p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd>
<p>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</p>
</dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd>
<p>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd>
<p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
multiple of 4).
<em class="parameter"><code>+nosplit</code></em> or
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd>
<p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd>
<p>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
output.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd>
<p>
Indicates whether to display RRSIG records in the
<span class="command"><strong>delv</strong></span> output. The default is to
do so. Note that (unlike in <span class="command"><strong>dig</strong></span>)
this does <span class="emphasis"><em>not</em></span> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd>
<p>
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <code class="option">-a</code> must be used to specify a file
containing the key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd>
<p>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
<dd>
<p>
Print all RDATA in unknown RR type presentation format
(RFC 3597). The default is to print RDATA for known types
in the type's presentation format.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
<dd>
<p>
Print response data in YAML format.
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">RFC4034</em>,
<em class="citetitle">RFC4035</em>,
<em class="citetitle">RFC4431</em>,
<em class="citetitle">RFC5074</em>,
<em class="citetitle">RFC5155</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,336 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_delv:
delv - DNS lookup and validation utility
----------------------------------------
Synopsis
~~~~~~~~
:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
:program:`delv` [**-h**]
:program:`delv` [**-v**]
:program:`delv` [queryopt...] [query...]
Description
~~~~~~~~~~~
``delv`` is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as ``named``.
``delv`` sends to a specified name server all queries needed to
fetch and validate the requested data; this includes the original
requested query, subsequent queries to follow CNAME or DNAME chains,
queries for DNSKEY, and DS records to establish a chain of trust for
DNSSEC validation. It does not perform iterative resolution, but
simulates the behavior of a name server configured for DNSSEC validating
and forwarding.
By default, responses are validated using the built-in DNSSEC trust anchor
for the root zone ("."). Records returned by ``delv`` are either fully
validated or were not signed. If validation fails, an explanation of the
failure is included in the output; the validation process can be traced
in detail. Because ``delv`` does not rely on an external server to carry
out validation, it can be used to check the validity of DNS responses in
environments where local name servers may not be trustworthy.
Unless it is told to query a specific name server, ``delv`` tries
each of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, ``delv`` sends queries to the localhost
addresses (127.0.0.1 for IPv4, ::1 for IPv6).
When no command-line arguments or options are given, ``delv``
performs an NS query for "." (the root zone).
Simple Usage
~~~~~~~~~~~~
A typical invocation of ``delv`` looks like:
::
delv @server name type
where:
``server``
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, ``delv`` resolves that name before querying that name
server (note, however, that this initial lookup is *not* validated by
DNSSEC).
If no ``server`` argument is provided, ``delv`` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the ``-4`` or ``-6``
options is in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, ``delv``
sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
``name``
is the domain name to be looked up.
``type``
indicates what type of query is required - ANY, A, MX, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, ``delv`` performs a lookup for an A record.
Options
~~~~~~~
``-a anchor-file``
This option specifies a file from which to read DNSSEC trust anchors. The default
is ``/etc/bind.keys``, which is included with BIND 9 and contains one
or more trust anchors for the root zone (".").
Keys that do not match the root zone name are ignored. An alternate
key name can be specified using the ``+root=NAME`` options.
Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
``initial-key``, and ``static-key`` identically. That is, for a managed key,
it is the *initial* key that is trusted; :rfc:`5011` key management is not
supported. ``delv`` does not consult the managed-keys database maintained by
``named``, which means that if either of the keys in ``/etc/bind.keys`` is
revoked and rolled over, ``/etc/bind.keys`` must be updated to
use DNSSEC validation in ``delv``.
``-b address``
This option sets the source IP address of the query to ``address``. This must be
a valid address on one of the host's network interfaces, or ``0.0.0.0``,
or ``::``. An optional source port may be specified by appending
``#<port>``
``-c class``
This option sets the query class for the requested data. Currently, only class
"IN" is supported in ``delv`` and any other value is ignored.
``-d level``
This option sets the systemwide debug level to ``level``. The allowed range is
from 0 to 99. The default is 0 (no debugging). Debugging traces from
``delv`` become more verbose as the debug level increases. See the
``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
additional debugging details.
``-h``
This option displays the ``delv`` help usage output and exits.
``-i``
This option sets insecure mode, which disables internal DNSSEC validation. (Note,
however, that this does not set the CD bit on upstream queries. If the
server being queried is performing DNSSEC validation, then it does
not return invalid data; this can cause ``delv`` to time out. When it
is necessary to examine invalid data to debug a DNSSEC problem, use
``dig +cd``.)
``-m``
This option enables memory usage debugging.
``-p port#``
This option specifies a destination port to use for queries, instead of the
standard DNS port number 53. This option is used with a name
server that has been configured to listen for queries on a
non-standard port number.
``-q name``
This option sets the query name to ``name``. While the query name can be
specified without using the ``-q`` option, it is sometimes necessary to
disambiguate names from types or classes (for example, when looking
up the name "ns", which could be misinterpreted as the type NS, or
"ch", which could be misinterpreted as class CH).
``-t type``
This option sets the query type to ``type``, which can be any valid query type
supported in BIND 9 except for zone transfer types AXFR and IXFR. As
with ``-q``, this is useful to distinguish query-name types or classes
when they are ambiguous. It is sometimes necessary to disambiguate
names from types.
The default query type is "A", unless the ``-x`` option is supplied
to indicate a reverse lookup, in which case it is "PTR".
``-v``
This option prints the ``delv`` version and exits.
``-x addr``
This option performs a reverse lookup, mapping an address to a name. ``addr``
is an IPv4 address in dotted-decimal notation, or a colon-delimited
IPv6 address. When ``-x`` is used, there is no need to provide the
``name`` or ``type`` arguments; ``delv`` automatically performs a
lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
query type to PTR. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
``-4``
This option forces ``delv`` to only use IPv4.
``-6``
This option forces ``delv`` to only use IPv6.
Query Options
~~~~~~~~~~~~~
``delv`` provides a number of query options which affect the way results
are displayed, and in some cases the way lookups are performed.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option. These may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options like the timeout interval. They have the form
``+keyword=value``. The query options are:
``+[no]cdflag``
This option controls whether to set the CD (checking disabled) bit in queries
sent by ``delv``. This may be useful when troubleshooting DNSSEC
problems from behind a validating resolver. A validating resolver
blocks invalid responses, making it difficult to retrieve them
for analysis. Setting the CD flag on queries causes the resolver
to return invalid responses, which ``delv`` can then validate
internally and report the errors in detail.
``+[no]class``
This option controls whether to display the CLASS when printing a record. The
default is to display the CLASS.
``+[no]ttl``
This option controls whether to display the TTL when printing a record. The
default is to display the TTL.
``+[no]rtrace``
This option toggles resolver fetch logging. This reports the name and type of each
query sent by ``delv`` in the process of carrying out the resolution
and validation process, including the original query
and all subsequent queries to follow CNAMEs and to establish a chain
of trust for DNSSEC validation.
This is equivalent to setting the debug level to 1 in the "resolver"
logging category. Setting the systemwide debug level to 1 using the
``-d`` option produces the same output, but affects other
logging categories as well.
``+[no]mtrace``
This option toggles message logging. This produces a detailed dump of the
responses received by ``delv`` in the process of carrying out the
resolution and validation process.
This is equivalent to setting the debug level to 10 for the "packets"
module of the "resolver" logging category. Setting the systemwide
debug level to 10 using the ``-d`` option produces the same
output, but affects other logging categories as well.
``+[no]vtrace``
This option toggles validation logging. This shows the internal process of the
validator as it determines whether an answer is validly signed,
unsigned, or invalid.
This is equivalent to setting the debug level to 3 for the
"validator" module of the "dnssec" logging category. Setting the
systemwide debug level to 3 using the ``-d`` option produces the
same output, but affects other logging categories as well.
``+[no]short``
This option toggles between verbose and terse answers. The default is to print the answer in a
verbose form.
``+[no]comments``
This option toggles the display of comment lines in the output. The default is to
print comments.
``+[no]rrcomments``
This option toggles the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
to print per-record comments.
``+[no]crypto``
This option toggles the display of cryptographic fields in DNSSEC records. The
contents of these fields are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted,
they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
``+[no]trust``
This option controls whether to display the trust level when printing a record.
The default is to display the trust level.
``+[no]split[=W]``
This option splits long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
``+[no]all``
This option sets or clears the display options ``+[no]comments``,
``+[no]rrcomments``, and ``+[no]trust`` as a group.
``+[no]multiline``
This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
verbose multi-line format with human-readable comments. The default
is to print each record on a single line, to facilitate machine
parsing of the ``delv`` output.
``+[no]dnssec``
This option indicates whether to display RRSIG records in the ``delv`` output.
The default is to do so. Note that (unlike in ``dig``) this does
*not* control whether to request DNSSEC records or to
validate them. DNSSEC records are always requested, and validation
always occurs unless suppressed by the use of ``-i`` or
``+noroot``.
``+[no]root[=ROOT]``
This option indicates whether to perform conventional DNSSEC validation, and if so,
specifies the name of a trust anchor. The default is to validate using a
trust anchor of "." (the root zone), for which there is a built-in key. If
specifying a different trust anchor, then ``-a`` must be used to specify a
file containing the key.
``+[no]tcp``
This option controls whether to use TCP when sending queries. The default is to
use UDP unless a truncated response has been received.
``+[no]unknownformat``
This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
``+[no]yaml``
This option prints response data in YAML format.
Files
~~~~~
``/etc/bind.keys``
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.

View File

@@ -75,7 +75,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,26 +107,12 @@
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\delv.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
<Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -25,15 +25,6 @@ libdighost_la_SOURCES = \
bin_PROGRAMS = dig host nslookup
nslookup_CPPFLAGS = \
$(AM_CPPFLAGS)
nslookup_LDADD = \
$(LDADD)
if HAVE_READLINE
nslookup_CPPFLAGS += \
$(READLINE_CFLAGS)
nslookup_LDADD += \
$(READLINE_LIBS)
endif HAVE_READLINE
nslookup_LDADD = \
$(LDADD) \
$(READLINE_LIB)

853
bin/dig/dig.1 Normal file
View File

@@ -0,0 +1,853 @@
.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dig
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-19
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DIG" "1" "2014\-02\-19" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dig \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [\fB\-h\fR]
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [global\-queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdig\fR
is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
\fBdig\fR
to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
\fBdig\fR\&.
.PP
Although
\fBdig\fR
is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file\&. A brief summary of its command\-line arguments and options is printed when the
\fB\-h\fR
option is given\&. Unlike earlier versions, the BIND 9 implementation of
\fBdig\fR
allows multiple lookups to be issued from the command line\&.
.PP
Unless it is told to query a specific name server,
\fBdig\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdig\fR
will send the query to the local host\&.
.PP
When no command line arguments or options are given,
\fBdig\fR
will perform an NS query for "\&." (the root)\&.
.PP
It is possible to set per\-user defaults for
\fBdig\fR
via
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
\fB\-r\fR
option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
and
\fB\-c\fR
options to specify the type and class, use the
\fB\-q\fR
the specify the domain name, or use "IN\&." and "CH\&." when looking up these top level domains\&.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdig\fR
looks like:
.sp
.if n \{\
.RS 4
.\}
.nf
dig @server name type
.fi
.if n \{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdig\fR
resolves that name before querying that name server\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdig\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdig\fR
will send the query to the local host\&. The reply from the name server that responds is displayed\&.
.RE
.PP
\fBname\fR
.RS 4
is the name of the resource record that is to be looked up\&.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, SIG, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdig\fR
will perform a lookup for an A record\&.
.RE
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only\&.
.RE
.PP
\-b \fIaddress\fR\fI[#port]\fR
.RS 4
Set the source IP address of the query\&. The
\fIaddress\fR
must be a valid address on one of the host\*(Aqs network interfaces, or "0\&.0\&.0\&.0" or "::"\&. An optional port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS 4
Set the query class\&. The default
\fIclass\fR
is IN; other classes are HS for Hesiod records or CH for Chaosnet records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Batch mode:
\fBdig\fR
reads a list of lookup requests to process from the given
\fIfile\fR\&. Each line in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface\&.
.RE
.PP
\-k \fIkeyfile\fR
.RS 4
Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
\fBtsig-keygen\fR(8)\&. When using TSIG authentication with
\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used\&. In BIND, this is done by providing appropriate
\fBkey\fR
and
\fBserver\fR
statements in
named\&.conf\&.
.RE
.PP
\-m
.RS 4
Enable memory usage debugging\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Send the query to a non\-standard port on the server, instead of the default port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS 4
The domain name to query\&. This is useful to distinguish the
\fIname\fR
from other arguments\&.
.RE
.PP
\-r
.RS 4
Do not read options from
${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
.RE
.PP
\-t \fItype\fR
.RS 4
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
\fItype\fR
to
ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
\fIN\fR\&.
.sp
All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
.RE
.PP
\-u
.RS 4
Print query times in microseconds instead of milliseconds\&.
.RE
.PP
\-v
.RS 4
Print the version number and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS 4
Simplified reverse lookups, for mapping addresses to names\&. The
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When the
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR,
\fIclass\fR
and
\fItype\fR
arguments\&.
\fBdig\fR
automatically performs a lookup for a name like
94\&.2\&.0\&.192\&.in\-addr\&.arpa
and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-y \fI[hmac:]\fR\fIkeyname:secret\fR
.RS 4
Sign queries using TSIG with the given authentication key\&.
\fIkeyname\fR
is the name of the key, and
\fIsecret\fR
is the base64 encoded shared secret\&.
\fIhmac\fR
is the name of the key algorithm; valid choices are
hmac\-md5,
hmac\-sha1,
hmac\-sha224,
hmac\-sha256,
hmac\-sha384, or
hmac\-sha512\&. If
\fIhmac\fR
is not specified, the default is
hmac\-md5
or if MD5 was disabled
hmac\-sha256\&.
.sp
NOTE: You should use the
\fB\-k\fR
option and avoid the
\fB\-y\fR
option, because with
\fB\-y\fR
the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
\fBps\fR(1)
or in a history file maintained by the user\*(Aqs shell\&.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdig\fR
provides a number of query options which affect the way in which lookups are made and the results displayed\&. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
+cd
is equivalent to
+cdflag\&. The query options are:
.PP
\fB+[no]aaflag\fR
.RS 4
A synonym for
\fI+[no]aaonly\fR\&.
.RE
.PP
\fB+[no]aaonly\fR
.RS 4
Sets the "aa" flag in the query\&.
.RE
.PP
\fB+[no]additional\fR
.RS 4
Display [do not display] the additional section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]adflag\fR
.RS 4
Set [do not set] the AD (authentic data) bit in the query\&. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server\&. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range\&. AD=0 indicate that some part of the answer was insecure or not validated\&. This bit is set by default\&.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear all display flags\&.
.RE
.PP
\fB+[no]answer\fR
.RS 4
Display [do not display] the answer section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]authority\fR
.RS 4
Display [do not display] the authority section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]badcookie\fR
.RS 4
Retry lookup with the new server cookie if a BADCOOKIE response is received\&.
.RE
.PP
\fB+[no]besteffort\fR
.RS 4
Attempt to display the contents of messages which are malformed\&. The default is to not display malformed answers\&.
.RE
.PP
\fB+bufsize=B\fR
.RS 4
Set the UDP message buffer size advertised using EDNS0 to
\fIB\fR
bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0 respectively\&. Values outside this range are rounded up or down appropriately\&. Values other than zero will cause a EDNS query to be sent\&.
.RE
.PP
\fB+[no]cdflag\fR
.RS 4
Set [do not set] the CD (checking disabled) bit in the query\&. This requests the server to not perform DNSSEC validation of responses\&.
.RE
.PP
\fB+[no]class\fR
.RS 4
Display [do not display] the CLASS when printing the record\&.
.RE
.PP
\fB+[no]cmd\fR
.RS 4
Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR
and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
.sp
Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
\fB+[no]cmd\fR,
\fB+[no]question\fR,
\fB+[no]stats\fR, and
\fB+[no]rrcomments\fR\&.
.RE
.PP
\fB+[no]cookie\fR\fB[=####]\fR
.RS 4
Send a COOKIE EDNS option, with optional value\&. Replaying a COOKIE from a previous response will allow the server to identify a previous client\&. The default is
\fB+cookie\fR\&.
.sp
\fB+cookie\fR
is also set when +trace is set to better emulate the default queries from a nameserver\&.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]defname\fR
.RS 4
Deprecated, treated as a synonym for
\fI+[no]search\fR
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query\&.
.RE
.PP
\fB+domain=somename\fR
.RS 4
Set the search list to contain the single domain
\fIsomename\fR, as if specified in a
\fBdomain\fR
directive in
/etc/resolv\&.conf, and enable search list processing as if the
\fI+search\fR
option were given\&.
.RE
.PP
\fB+dscp=value\fR
.RS 4
Set the DSCP code point to be used when sending the query\&. Valid DSCP code points are in the range [0\&.\&.63]\&. By default no code point is explicitly set\&.
.RE
.PP
\fB+[no]edns[=#]\fR
.RS 4
Specify the EDNS version to query with\&. Valid values are 0 to 255\&. Setting the EDNS version will cause a EDNS query to be sent\&.
\fB+noedns\fR
clears the remembered EDNS version\&. EDNS is set to 0 by default\&.
.RE
.PP
\fB+[no]ednsflags[=#]\fR
.RS 4
Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value\&. Decimal, hex and octal encodings are accepted\&. Setting a named flag (e\&.g\&. DO) will silently be ignored\&. By default, no Z bits are set\&.
.RE
.PP
\fB+[no]ednsnegotiation\fR
.RS 4
Enable / disable EDNS version negotiation\&. By default EDNS version negotiation is enabled\&.
.RE
.PP
\fB+[no]ednsopt[=code[:value]]\fR
.RS 4
Specify EDNS option with code point
\fBcode\fR
and optionally payload of
\fBvalue\fR
as a hexadecimal string\&.
\fBcode\fR
can be either an EDNS option name (for example,
NSID
or
ECS), or an arbitrary numeric value\&.
\fB+noednsopt\fR
clears the EDNS options to be sent\&.
.RE
.PP
\fB+[no]expire\fR
.RS 4
Send an EDNS Expire option\&.
.RE
.PP
\fB+[no]expandaaaa\fR
.RS 4
When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
.RE
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
.RE
.PP
\fB+[no]header\-only\fR
.RS 4
Send a query with a DNS header without a question section\&. The default is to add a question section\&. The query type and query name are ignored when this is set\&.
.RE
.PP
\fB+[no]identify\fR
.RS 4
Show [or do not show] the IP address and port number that supplied the answer when the
\fI+short\fR
option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
.RE
.PP
\fB+[no]idnin\fR
.RS 4
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
.RS 4
Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
.RE
.PP
\fB+[no]keepalive\fR
.RS 4
Send [or do not send] an EDNS Keepalive option\&.
.RE
.PP
\fB+[no]keepopen\fR
.RS 4
Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup\&. The default is
\fB+nokeepopen\fR\&.
.RE
.PP
\fB+[no]mapped\fR
.RS 4
Allow mapped IPv4 over IPv6 addresses to be used\&. The default is
\fB+mapped\fR\&.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print records like the SOA records in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdig\fR
output\&.
.RE
.PP
\fB+ndots=D\fR
.RS 4
Set the number of dots that have to appear in
\fIname\fR
to
\fID\fR
for it to be considered absolute\&. The default value is that defined using the ndots statement in
/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
/etc/resolv\&.conf
if
\fB+search\fR
is set\&.
.RE
.PP
\fB+[no]nsid\fR
.RS 4
Include an EDNS name server ID request when sending a query\&.
.RE
.PP
\fB+[no]nssearch\fR
.RS 4
When this option is set,
\fBdig\fR
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&. Addresses of servers that that did not respond are also printed\&.
.RE
.PP
\fB+[no]onesoa\fR
.RS 4
Print only one (starting) SOA record when performing an AXFR\&. The default is to print both the starting and ending SOA records\&.
.RE
.PP
\fB+[no]opcode=value\fR
.RS 4
Set [restore] the DNS message opcode to the specified value\&. The default value is QUERY (0)\&.
.RE
.PP
\fB+padding=value\fR
.RS 4
Pad the size of the query packet using the EDNS Padding option to blocks of
\fIvalue\fR
bytes\&. For example,
\fB+padding=32\fR
would cause a 48\-byte query to be padded to 64 bytes\&. The default block size is 0, which disables padding\&. The maximum is 512\&. Values are ordinarily expected to be powers of two, such as 128; however, this is not mandatory\&. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE\&.
.RE
.PP
\fB+[no]qr\fR
.RS 4
Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE
.PP
\fB+[no]question\fR
.RS 4
Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE
.PP
\fB+[no]raflag\fR
.RS 4
Set [do not set] the RA (Recursion Available) bit in the query\&. The default is +noraflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]rdflag\fR
.RS 4
A synonym for
\fI+[no]recurse\fR\&.
.RE
.PP
\fB+[no]recurse\fR
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
option, and when using
\fI+trace\fR
except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR
.RS 4
Sets the number of times to retry UDP queries to server to
\fIT\fR
instead of the default, 2\&. Unlike
\fI+tries\fR, this does not include the initial query\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is not to print record comments unless multiline mode is active\&.
.RE
.PP
\fB+[no]search\fR
.RS 4
Use [do not use] the search list defined by the searchlist or domain directive in
resolv\&.conf
(if any)\&. The search list is not used by default\&.
.sp
\*(Aqndots\*(Aq from
resolv\&.conf
(default 1) which may be overridden by
\fI+ndots\fR
determines if the name will be treated as relative or not and hence whether a search is eventually performed or not\&.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE
.PP
\fB+[no]showsearch\fR
.RS 4
Perform [do not perform] a search showing intermediate results\&.
.RE
.PP
\fB+[no]sigchase\fR
.RS 4
This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+split=W\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]stats\fR
.RS 4
Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE
.PP
\fB+[no]subnet=addr[/prefix\-length]\fR
.RS 4
Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address or network prefix\&.
.sp
\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
\fBdig +subnet=0\fR
for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
\fInot\fR
be used when resolving this query\&.
.RE
.PP
\fB+[no]tcflag\fR
.RS 4
Set [do not set] the TC (TrunCation) bit in the query\&. The default is +notcflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless a type
any
or
ixfr=N
query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
.RE
.PP
\fB+timeout=T\fR
.RS 4
Sets the timeout for a query to
\fIT\fR
seconds\&. The default timeout is 5 seconds\&. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied\&.
.RE
.PP
\fB+[no]topdown\fR
.RS 4
This feature is related to
\fBdig +sigchase\fR, which is obsolete and has been removed\&. Use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]trace\fR
.RS 4
Toggle tracing of the delegation path from the root name servers for the name being looked up\&. Tracing is disabled by default\&. When tracing is enabled,
\fBdig\fR
makes iterative queries to resolve the name being looked up\&. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup\&.
.sp
If @server is also specified, it affects only the initial query for the root zone name servers\&.
.sp
\fB+dnssec\fR
is also set when +trace is set to better emulate the default queries from a nameserver\&.
.RE
.PP
\fB+tries=T\fR
.RS 4
Sets the number of times to try UDP queries to server to
\fIT\fR
instead of the default, 3\&. If
\fIT\fR
is less than or equal to zero, the number of tries is silently rounded up to 1\&.
.RE
.PP
\fB+trusted\-key=####\fR
.RS 4
Formerly specified trusted keys for use with
\fBdig +sigchase\fR\&. This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]ttlid\fR
.RS 4
Display [do not display] the TTL when printing the record\&.
.RE
.PP
\fB+[no]ttlunits\fR
.RS 4
Display [do not display] the TTL in friendly human\-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks\&. Implies +ttlid\&.
.RE
.PP
\fB+[no]unexpected\fR
.RS 4
Accept [do not accept] answers from unexpected sources\&. By default,
\fBdig\fR
won\*(Aqt accept a reply from a source other than the one to which it sent the query\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS 4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
.PP
\fB+[no]vc\fR
.RS 4
Use [do not use] TCP when querying name servers\&. This alternate syntax to
\fI+[no]tcp\fR
is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
.RE
.PP
\fB+[no]yaml\fR
.RS 4
Print the responses (and, if
\fB+qr\fR
is in use, also the outgoing queries) in a detailed YAML format\&.
.RE
.PP
\fB+[no]zflag\fR
.RS 4
Set [do not set] the last unassigned DNS header flag in a DNS query\&. This flag is off by default\&.
.RE
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of
\fBdig \fR
supports specifying multiple queries on the command line (in addition to supporting the
\fB\-f\fR
batch file option)\&. Each of those queries can be supplied with its own set of flags, options and query options\&.
.PP
In this case, each
\fIquery\fR
argument represent an individual query in the command\-line syntax described above\&. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query\&.
.PP
A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except
\fB+[no]cmd\fR
and
\fB+[no]short\fR
options) can be overridden by a query\-specific set of query options\&. For example:
.sp
.if n \{\
.RS 4
.\}
.nf
dig +qr www\&.isc\&.org any \-x 127\&.0\&.0\&.1 isc\&.org ns +noqr
.fi
.if n \{\
.RE
.\}
.sp
shows how
\fBdig\fR
could be used from the command line to make three lookups: an ANY query for
www\&.isc\&.org, a reverse lookup of 127\&.0\&.0\&.1 and a query for the NS records of
isc\&.org\&. A global query option of
\fI+qr\fR
is applied, so that
\fBdig\fR
shows the initial query it made for each lookup\&. The final query has a local query option of
\fI+noqr\fR
which means that
\fBdig\fR
will not print the initial query when it looks up the NS records for
isc\&.org\&.
.SH "IDN SUPPORT"
.PP
If
\fBdig\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBdig\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
\fI+noidnin\fR
and
\fI+noidnout\fR
or define the
\fBIDN_DISABLE\fR
environment variable\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.PP
${HOME}/\&.digrc
.SH "SEE ALSO"
.PP
\fBdelv\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8),
\fBdnssec-keygen\fR(8),
RFC 1035\&.
.SH "BUGS"
.PP
There are probably too many query options\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -30,7 +30,6 @@
#include <pk11/site.h>
#include <dns/byaddr.h>
#include <dns/dns64.h>
#include <dns/fixedname.h>
#include <dns/masterdump.h>
#include <dns/message.h>
@@ -98,12 +97,11 @@ rcode_totext(dns_rcode_t rcode) {
/*% print usage */
static void
print_usage(FILE *fp) {
fprintf(fp,
"Usage: dig [@global-server] [domain] [q-type] [q-class] "
"{q-opt}\n"
" {global-d-opt} host [@local-server] "
"{local-d-opt}\n"
" [ host [@local-server] {local-d-opt} [...]]\n");
fputs("Usage: dig [@global-server] [domain] [q-type] [q-class] "
"{q-opt}\n"
" {global-d-opt} host [@local-server] {local-d-opt}\n"
" [ host [@local-server] {local-d-opt} [...]]\n",
fp);
}
#if TARGET_OS_IPHONE
@@ -118,8 +116,9 @@ usage(void);
static void
usage(void) {
print_usage(stderr);
fprintf(stderr, "\nUse \"dig -h\" (or \"dig -h | more\") "
"for complete list of options\n");
fputs("\nUse \"dig -h\" (or \"dig -h | more\") "
"for complete list of options\n",
stderr);
exit(1);
}
#endif /* if TARGET_OS_IPHONE */
@@ -134,187 +133,179 @@ version(void) {
static void
help(void) {
print_usage(stdout);
printf("Where: domain is in the Domain Name System\n"
" q-class is one of (in,hs,ch,...) [default: in]\n"
" q-type is one of "
"(a,any,mx,ns,soa,hinfo,axfr,txt,...) "
"[default:a]\n"
" (Use ixfr=version for type ixfr)\n"
" q-opt is one of:\n"
" -4 (use IPv4 query transport "
"only)\n"
" -6 (use IPv6 query transport "
"only)\n"
" -b address[#port] (bind to source "
"address/port)\n"
" -c class (specify query class)\n"
" -f filename (batch mode)\n"
" -k keyfile (specify tsig key file)\n"
" -m (enable memory usage "
"debugging)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
" -r (do not read ~/.digrc)\n"
" -t type (specify query type)\n"
" -u (display times in usec "
"instead of msec)\n"
" -x dot-notation (shortcut for reverse "
"lookups)\n"
" -y [hmac:]name:key (specify named base64 "
"tsig "
"key)\n"
" d-opt is of the form +keyword[=value], where "
"keyword "
"is:\n"
" +[no]aaflag (Set AA flag in query "
"(+[no]aaflag))\n"
" +[no]aaonly (Set AA flag in query "
"(+[no]aaflag))\n"
" +[no]additional (Control display of "
"additional section)\n"
" +[no]adflag (Set AD flag in query "
"(default on))\n"
" +[no]all (Set or clear all display "
"flags)\n"
" +[no]answer (Control display of "
"answer "
"section)\n"
" +[no]authority (Control display of "
"authority section)\n"
" +[no]badcookie (Retry BADCOOKIE "
"responses)\n"
" +[no]besteffort (Try to parse even "
"illegal "
"messages)\n"
" +bufsize[=###] (Set EDNS0 Max UDP packet "
"size)\n"
" +[no]cdflag (Set checking disabled "
"flag in query)\n"
" +[no]class (Control display of class "
"in records)\n"
" +[no]cmd (Control display of "
"command line -\n"
" global option)\n"
" +[no]comments (Control display of "
"packet "
"header\n"
" and section name "
"comments)\n"
" +[no]cookie (Add a COOKIE option to "
"the request)\n"
" +[no]crypto (Control display of "
"cryptographic\n"
" fields in records)\n"
" +[no]defname (Use search list "
"(+[no]search))\n"
" +[no]dns64prefix (Get the DNS64 prefixes "
"from ipv4only.arpa)\n"
" +[no]dnssec (Request DNSSEC records)\n"
" +domain=### (Set default domainname)\n"
" +[no]dscp[=###] (Set the DSCP value to "
"### "
"[0..63])\n"
" +[no]edns[=###] (Set EDNS version) [0]\n"
" +ednsflags=### (Set EDNS flag bits)\n"
" +[no]ednsnegotiation (Set EDNS version "
"negotiation)\n"
" +ednsopt=###[:value] (Send specified EDNS "
"option)\n"
" +noednsopt (Clear list of +ednsopt "
"options)\n"
" +[no]expandaaaa (Expand AAAA records)\n"
" +[no]expire (Request time to expire)\n"
" +[no]fail (Don't try next server on "
"SERVFAIL)\n"
" +[no]header-only (Send query without a "
"question section)\n"
" +[no]identify (ID responders in short "
"answers)\n"
fputs("Where: domain is in the Domain Name System\n"
" q-class is one of (in,hs,ch,...) [default: in]\n"
" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) "
"[default:a]\n"
" (Use ixfr=version for type ixfr)\n"
" q-opt is one of:\n"
" -4 (use IPv4 query transport "
"only)\n"
" -6 (use IPv6 query transport "
"only)\n"
" -b address[#port] (bind to source "
"address/port)\n"
" -c class (specify query class)\n"
" -f filename (batch mode)\n"
" -k keyfile (specify tsig key file)\n"
" -m (enable memory usage "
"debugging)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
" -r (do not read ~/.digrc)\n"
" -t type (specify query type)\n"
" -u (display times in usec "
"instead of msec)\n"
" -x dot-notation (shortcut for reverse "
"lookups)\n"
" -y [hmac:]name:key (specify named base64 tsig "
"key)\n"
" d-opt is of the form +keyword[=value], where keyword "
"is:\n"
" +[no]aaflag (Set AA flag in query "
"(+[no]aaflag))\n"
" +[no]aaonly (Set AA flag in query "
"(+[no]aaflag))\n"
" +[no]additional (Control display of "
"additional section)\n"
" +[no]adflag (Set AD flag in query "
"(default on))\n"
" +[no]all (Set or clear all display "
"flags)\n"
" +[no]answer (Control display of answer "
"section)\n"
" +[no]authority (Control display of "
"authority section)\n"
" +[no]badcookie (Retry BADCOOKIE "
"responses)\n"
" +[no]besteffort (Try to parse even illegal "
"messages)\n"
" +bufsize=### (Set EDNS0 Max UDP packet "
"size)\n"
" +[no]cdflag (Set checking disabled "
"flag in query)\n"
" +[no]class (Control display of class "
"in records)\n"
" +[no]cmd (Control display of "
"command line -\n"
" global option)\n"
" +[no]comments (Control display of packet "
"header\n"
" and section name "
"comments)\n"
" +[no]cookie (Add a COOKIE option to "
"the request)\n"
" +[no]crypto (Control display of "
"cryptographic\n"
" fields in records)\n"
" +[no]defname (Use search list "
"(+[no]search))\n"
" +[no]dnssec (Request DNSSEC records)\n"
" +domain=### (Set default domainname)\n"
" +[no]dscp[=###] (Set the DSCP value to ### "
"[0..63])\n"
" +[no]edns[=###] (Set EDNS version) [0]\n"
" +ednsflags=### (Set EDNS flag bits)\n"
" +[no]ednsnegotiation (Set EDNS version "
"negotiation)\n"
" +ednsopt=###[:value] (Send specified EDNS "
"option)\n"
" +noednsopt (Clear list of +ednsopt "
"options)\n"
" +[no]expandaaaa (Expand AAAA records)\n"
" +[no]expire (Request time to expire)\n"
" +[no]fail (Don't try next server on "
"SERVFAIL)\n"
" +[no]header-only (Send query without a "
"question section)\n"
" +[no]identify (ID responders in short "
"answers)\n"
#ifdef HAVE_LIBIDN2
" +[no]idnin (Parse IDN names "
"[default=on on tty])\n"
" +[no]idnout (Convert IDN response "
"[default=on on tty])\n"
" +[no]idnin (Parse IDN names "
"[default=on on tty])\n"
" +[no]idnout (Convert IDN response "
"[default=on on tty])\n"
#endif /* ifdef HAVE_LIBIDN2 */
" +[no]ignore (Don't revert to TCP for "
"TC responses.)\n"
" +[no]keepalive (Request EDNS TCP "
"keepalive)\n"
" +[no]keepopen (Keep the TCP socket open "
"between "
"queries)\n"
" +[no]mapped (Allow mapped IPv4 over "
"IPv6)\n"
" +[no]multiline (Print records in an "
"expanded format)\n"
" +ndots=### (Set search NDOTS value)\n"
" +[no]nsid (Request Name Server ID)\n"
" +[no]nssearch (Search all authoritative "
"nameservers)\n"
" +[no]onesoa (AXFR prints only one soa "
"record)\n"
" +[no]opcode=### (Set the opcode of the "
"request)\n"
" +padding=### (Set padding block size "
"[0])\n"
" +[no]qr (Print question before "
"sending)\n"
" +[no]question (Control display of "
"question section)\n"
" +[no]raflag (Set RA flag in query "
"(+[no]raflag))\n"
" +[no]rdflag (Recursive mode "
"(+[no]recurse))\n"
" +[no]recurse (Recursive mode "
"(+[no]rdflag))\n"
" +retry=### (Set number of UDP "
"retries) [2]\n"
" +[no]rrcomments (Control display of "
"per-record "
"comments)\n"
" +[no]search (Set whether to use "
"searchlist)\n"
" +[no]short (Display nothing except "
"short\n"
" form of answers - global "
"option)\n"
" +[no]showsearch (Search with intermediate "
"results)\n"
" +[no]split=## (Split hex/base64 fields "
"into chunks)\n"
" +[no]stats (Control display of "
"statistics)\n"
" +subnet=addr (Set edns-client-subnet "
"option)\n"
" +[no]tcflag (Set TC flag in query "
"(+[no]tcflag))\n"
" +[no]tcp (TCP mode (+[no]vc))\n"
" +timeout=### (Set query timeout) [5]\n"
" +[no]tls (DNS over TLS mode)\n"
" +[no]trace (Trace delegation down "
"from root "
"[+dnssec])\n"
" +tries=### (Set number of UDP "
"attempts) [3]\n"
" +[no]ttlid (Control display of ttls "
"in records)\n"
" +[no]ttlunits (Display TTLs in "
"human-readable units)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 "
"\"unknown\" "
"format)\n"
" +[no]vc (TCP mode (+[no]tcp))\n"
" +[no]yaml (Present the results as "
"YAML)\n"
" +[no]zflag (Set Z flag in query)\n"
" global d-opts and servers (before host name) affect "
"all "
"queries.\n"
" local d-opts and servers (after host name) affect only "
"that lookup.\n"
" -h (print help and exit)\n"
" -v (print version "
"and exit)\n");
" +[no]ignore (Don't revert to TCP for "
"TC responses.)\n"
" +[no]keepalive (Request EDNS TCP "
"keepalive)\n"
" +[no]keepopen (Keep the TCP socket open "
"between "
"queries)\n"
" +[no]mapped (Allow mapped IPv4 over "
"IPv6)\n"
" +[no]multiline (Print records in an "
"expanded format)\n"
" +ndots=### (Set search NDOTS value)\n"
" +[no]nsid (Request Name Server ID)\n"
" +[no]nssearch (Search all authoritative "
"nameservers)\n"
" +[no]onesoa (AXFR prints only one soa "
"record)\n"
" +[no]opcode=### (Set the opcode of the "
"request)\n"
" +padding=### (Set padding block size "
"[0])\n"
" +[no]qr (Print question before "
"sending)\n"
" +[no]question (Control display of "
"question section)\n"
" +[no]raflag (Set RA flag in query "
"(+[no]raflag))\n"
" +[no]rdflag (Recursive mode "
"(+[no]recurse))\n"
" +[no]recurse (Recursive mode "
"(+[no]rdflag))\n"
" +retry=### (Set number of UDP "
"retries) [2]\n"
" +[no]rrcomments (Control display of "
"per-record "
"comments)\n"
" +[no]search (Set whether to use "
"searchlist)\n"
" +[no]short (Display nothing except "
"short\n"
" form of answers - global "
"option)\n"
" +[no]showsearch (Search with intermediate "
"results)\n"
" +[no]split=## (Split hex/base64 fields "
"into chunks)\n"
" +[no]stats (Control display of "
"statistics)\n"
" +subnet=addr (Set edns-client-subnet "
"option)\n"
" +[no]tcflag (Set TC flag in query "
"(+[no]tcflag))\n"
" +[no]tcp (TCP mode (+[no]vc))\n"
" +timeout=### (Set query timeout) [5]\n"
" +[no]trace (Trace delegation down "
"from root "
"[+dnssec])\n"
" +tries=### (Set number of UDP "
"attempts) [3]\n"
" +[no]ttlid (Control display of ttls "
"in records)\n"
" +[no]ttlunits (Display TTLs in "
"human-readable units)\n"
" +[no]unexpected (Print replies from "
"unexpected sources\n"
" default=off)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 "
"\"unknown\" "
"format)\n"
" +[no]vc (TCP mode (+[no]tcp))\n"
" +[no]yaml (Present the results as "
"YAML)\n"
" +[no]zflag (Set Z flag in query)\n"
" global d-opts and servers (before host name) affect all "
"queries.\n"
" local d-opts and servers (after host name) affect only "
"that lookup.\n"
" -h (print help and exit)\n"
" -v (print version and exit)\n",
stdout);
}
/*%
@@ -339,22 +330,13 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
}
if (query->lookup->stats) {
const char *proto;
diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
if (query->lookup->use_usec) {
printf(";; Query time: %ld usec\n", (long)diff);
} else {
printf(";; Query time: %ld msec\n", (long)diff / 1000);
}
if (query->lookup->tls_mode) {
proto = "TLS";
} else if (query->lookup->tcp_mode) {
proto = "TCP";
} else {
proto = "UDP";
}
printf(";; SERVER: %s(%s) (%s)\n", fromtext, query->servname,
proto);
printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
time(&tnow);
(void)localtime_r(&tnow, &tmnow);
@@ -476,50 +458,6 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
return (ISC_R_SUCCESS);
}
/*%
* short_form message print handler. Calls above say_message()
*/
static isc_result_t
dns64prefix_answer(dns_message_t *msg, isc_buffer_t *buf) {
dns_rdataset_t *rdataset = NULL;
dns_fixedname_t fixed;
dns_name_t *name;
isc_result_t result;
isc_netprefix_t prefix[10];
size_t i, count = 10;
name = dns_fixedname_initname(&fixed);
result = dns_name_fromstring(name, "ipv4only.arpa", 0, NULL);
check_result(result, "dns_name_fromstring");
result = dns_message_findname(msg, DNS_SECTION_ANSWER, name,
dns_rdatatype_aaaa, dns_rdatatype_none,
NULL, &rdataset);
if (result == DNS_R_NXDOMAIN || result == DNS_R_NXRRSET) {
return (ISC_R_SUCCESS);
} else if (result != ISC_R_SUCCESS) {
return (result);
}
result = dns_dns64_findprefix(rdataset, prefix, &count);
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (count > 10)
count = 10;
for (i = 0; i < count; i++) {
result = isc_netaddr_totext(&prefix[i].addr, buf);
if (result != ISC_R_SUCCESS) {
return (result);
}
result = isc_buffer_printf(buf, "/%u\n", prefix[i].prefixlen);
if (result != ISC_R_SUCCESS) {
return (result);
}
}
return (ISC_R_SUCCESS);
}
/*%
* short_form message print handler. Calls above say_message()
*/
@@ -606,12 +544,9 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
dns_master_style_t *style = NULL;
unsigned int styleflags = 0;
bool isquery = (msg == query->lookup->sendmsg);
bool dns64prefix = query->lookup->dns64prefix;
UNUSED(msgbuf);
dig_idnsetup(query->lookup, true);
styleflags |= DNS_STYLEFLAG_REL_OWNER;
if (yaml) {
msg->indent.string = " ";
@@ -671,16 +606,14 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
check_result(result, "dns_master_stylecreate");
if (query->lookup->cmdline[0] != 0) {
if (!short_form && !dns64prefix && printcmd) {
printf("%s", query->lookup->cmdline);
if (!short_form && printcmd) {
fputs(query->lookup->cmdline, stdout);
}
query->lookup->cmdline[0] = '\0';
}
debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
query->lookup->comments ? "comments" : "nocomments",
short_form ? "short_form"
: dns64prefix ? "dns64prefix_form"
: "long_form");
short_form ? "short_form" : "long_form");
flags = 0;
if (!headers) {
@@ -701,6 +634,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
if (yaml) {
enum { Q = 0x1, R = 0x2 }; /* Q:query; R:ecursive */
unsigned int tflag = 0;
isc_sockaddr_t saddr;
char sockstr[ISC_SOCKADDR_FORMATSIZE];
uint16_t sport;
char *hash;
@@ -733,25 +667,15 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
if (!isc_time_isepoch(&query->time_sent)) {
char tbuf[100];
if (query->lookup->use_usec) {
isc_time_formatISO8601us(&query->time_sent,
tbuf, sizeof(tbuf));
} else {
isc_time_formatISO8601ms(&query->time_sent,
tbuf, sizeof(tbuf));
}
isc_time_formatISO8601ms(&query->time_sent, tbuf,
sizeof(tbuf));
printf(" query_time: !!timestamp %s\n", tbuf);
}
if (!isquery && !isc_time_isepoch(&query->time_recv)) {
char tbuf[100];
if (query->lookup->use_usec) {
isc_time_formatISO8601us(&query->time_recv,
tbuf, sizeof(tbuf));
} else {
isc_time_formatISO8601ms(&query->time_recv,
tbuf, sizeof(tbuf));
}
isc_time_formatISO8601ms(&query->time_recv, tbuf,
sizeof(tbuf));
printf(" response_time: !!timestamp %s\n", tbuf);
}
@@ -781,9 +705,10 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
printf(" response_port: %u\n", sport);
}
if (query->handle != NULL) {
isc_sockaddr_t saddr =
isc_nmhandle_localaddr(query->handle);
if (query->sock != NULL &&
isc_socket_getsockname(query->sock, &saddr) ==
ISC_R_SUCCESS)
{
sport = isc_sockaddr_getport(&saddr);
isc_sockaddr_format(&saddr, sockstr, sizeof(sockstr));
hash = strchr(sockstr, '#');
@@ -801,7 +726,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
printf(" %s:\n", isquery ? "query_message_data"
: "response_message_data");
result = dns_message_headertotext(msg, style, flags, buf);
} else if (query->lookup->comments && !short_form && !dns64prefix) {
} else if (query->lookup->comments && !short_form) {
if (query->lookup->cmdline[0] != '\0' && printcmd) {
printf("; %s\n", query->lookup->cmdline);
}
@@ -882,7 +807,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
repopulate_buffer:
if (query->lookup->comments && headers && !short_form && !dns64prefix) {
if (query->lookup->comments && headers && !short_form) {
result = dns_message_pseudosectiontotext(
msg, DNS_PSEUDOSECTION_OPT, style, flags, buf);
if (result == ISC_R_NOSPACE) {
@@ -896,7 +821,7 @@ repopulate_buffer:
}
if (query->lookup->section_question && headers) {
if (!short_form && !dns64prefix) {
if (!short_form) {
result = dns_message_sectiontotext(
msg, DNS_SECTION_QUESTION, style, flags, buf);
if (result == ISC_R_NOSPACE) {
@@ -906,18 +831,13 @@ repopulate_buffer:
}
}
if (query->lookup->section_answer) {
if (!short_form && !dns64prefix) {
if (!short_form) {
result = dns_message_sectiontotext(
msg, DNS_SECTION_ANSWER, style, flags, buf);
if (result == ISC_R_NOSPACE) {
goto buftoosmall;
}
check_result(result, "dns_message_sectiontotext");
} else if (dns64prefix) {
result = dns64prefix_answer(msg, buf);
if (result == ISC_R_NOSPACE)
goto buftoosmall;
check_result(result, "dns64prefix_answer");
} else {
result = short_answer(msg, flags, buf, query);
if (result == ISC_R_NOSPACE) {
@@ -927,7 +847,7 @@ repopulate_buffer:
}
}
if (query->lookup->section_authority) {
if (!short_form && !dns64prefix) {
if (!short_form) {
result = dns_message_sectiontotext(
msg, DNS_SECTION_AUTHORITY, style, flags, buf);
if (result == ISC_R_NOSPACE) {
@@ -937,7 +857,7 @@ repopulate_buffer:
}
}
if (query->lookup->section_additional) {
if (!short_form && !dns64prefix) {
if (!short_form) {
result = dns_message_sectiontotext(
msg, DNS_SECTION_ADDITIONAL, style, flags, buf);
if (result == ISC_R_NOSPACE) {
@@ -979,9 +899,6 @@ repopulate_buffer:
if (style != NULL) {
dns_master_styledestroy(&style, mctx);
}
dig_idnsetup(query->lookup, false);
return (result);
}
@@ -1031,9 +948,8 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
* XXX doc options
*/
static dig_lookup_t *
plus_option(char *option, bool is_batchfile, bool *need_clone,
dig_lookup_t *lookup) {
static void
plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
isc_result_t result;
char *cmd, *value, *last = NULL, *code, *extra;
uint32_t num;
@@ -1044,7 +960,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
if ((cmd = strtok_r(option, "=", &last)) == NULL) {
printf(";; Invalid option %s\n", option);
return (lookup);
return;
}
if (strncasecmp(cmd, "no", 2) == 0) {
cmd += 2;
@@ -1123,13 +1039,12 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
break;
case 'u': /* bufsize */
FULLCHECK("bufsize");
if (value == NULL) {
goto need_value;
}
if (!state) {
goto invalid_option;
}
if (value == NULL) {
lookup->udpsize = DEFAULT_EDNS_BUFSIZE;
break;
}
result = parse_uint(&num, value, COMMSIZE,
"buffer size");
if (result != ISC_R_SUCCESS) {
@@ -1176,7 +1091,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
case 'o': /* cookie */
FULLCHECK("cookie");
if (state && lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
lookup->sendcookie = state;
if (value != NULL) {
@@ -1211,57 +1126,13 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
usesearch = state;
}
break;
case 'n':
switch (cmd[2]) {
case 's':
switch (cmd[3]) {
case '6': /* dns64prefix */
FULLCHECK("dns64prefix");
if (state) {
if (*need_clone) {
lookup = clone_lookup(
default_lookup,
true);
}
*need_clone = true;
lookup->dns64prefix = state;
strlcpy(lookup->textname,
"ipv4only.arpa",
sizeof(lookup->textname));
printcmd = false;
lookup->section_additional =
false;
lookup->section_answer = true;
lookup->section_authority =
false;
lookup->section_question =
false;
lookup->comments = false;
lookup->stats = false;
lookup->rrcomments = -1;
lookup->rdtype =
dns_rdatatype_aaaa;
lookup->rdtypeset = true;
ISC_LIST_APPEND(lookup_list,
lookup, link);
}
break;
case 's': /* dnssec */
FULLCHECK("dnssec");
dnssec:
if (state && lookup->edns == -1) {
lookup->edns =
DEFAULT_EDNS_VERSION;
}
lookup->dnssec = state;
break;
default:
goto invalid_option;
}
break;
default:
goto invalid_option;
case 'n': /* dnssec */
FULLCHECK("dnssec");
dnssec:
if (state && lookup->edns == -1) {
lookup->edns = 0;
}
lookup->dnssec = state;
break;
case 'o': /* domain ... but treat "do" as synonym for dnssec */
if (cmd[2] == '\0') {
@@ -1311,8 +1182,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
break;
}
if (value == NULL) {
lookup->edns =
DEFAULT_EDNS_VERSION;
lookup->edns = 0;
break;
}
result = parse_uint(&num, value,
@@ -1527,7 +1397,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
case 'i': /* nsid */
FULLCHECK("nsid");
if (state && lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
lookup->nsid = state;
break;
@@ -1597,7 +1467,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
case 'p':
FULLCHECK("padding");
if (state && lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
if (value == NULL) {
goto need_value;
@@ -1611,24 +1481,6 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
break;
case 'q':
switch (cmd[1]) {
case 'i': /* qid */
FULLCHECK("qid");
if (!state) {
lookup->setqid = false;
lookup->qid = 0;
break;
}
if (value == NULL) {
goto need_value;
}
result = parse_uint(&num, value, MAXQID, "qid");
if (result != ISC_R_SUCCESS) {
warn("Couldn't parse qid");
goto exit_or_usage;
}
lookup->setqid = true;
lookup->qid = num;
break;
case 'r': /* qr */
FULLCHECK("qr");
lookup->qr = state;
@@ -1783,7 +1635,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
break;
}
if (lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
if (lookup->ecs_addr != NULL) {
isc_mem_free(mctx, lookup->ecs_addr);
@@ -1836,13 +1688,6 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
timeout = 1;
}
break;
case 'l':
FULLCHECK("tls");
lookup->tls_mode = state;
if (!lookup->tcp_mode_set) {
lookup->tcp_mode = state;
}
break;
case 'o':
FULLCHECK("topdown");
fprintf(stderr, ";; +topdown option is deprecated");
@@ -1926,8 +1771,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
switch (cmd[2]) {
case 'e':
FULLCHECK("unexpected");
fprintf(stderr, ";; +unexpected option "
"is deprecated");
lookup->accept_reply_unexpected_src = state;
break;
case 'k':
FULLCHECK("unknownformat");
@@ -1971,7 +1815,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
fprintf(stderr, "Invalid option: +%s\n", option);
usage();
}
return (lookup);
return;
#if !TARGET_OS_IPHONE
exit_or_usage:
@@ -2097,10 +1941,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
srcport = 0;
}
if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) {
isc_sockaddr_fromin6(&localaddr, &in6, srcport);
isc_sockaddr_fromin6(&bind_address, &in6, srcport);
isc_net_disableipv4();
} else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) {
isc_sockaddr_fromin(&localaddr, &in4, srcport);
isc_sockaddr_fromin(&bind_address, &in4, srcport);
isc_net_disableipv6();
} else {
if (hash != NULL) {
@@ -2144,7 +1988,6 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
fatal("Couldn't parse port number");
}
port = num;
port_set = true;
return (value_from_next);
case 'q':
if (!config_only) {
@@ -2341,20 +2184,16 @@ preparse_args(int argc, char **argv) {
continue;
}
/* Look for dash value option. */
if (strpbrk(option, dash_opts) != &option[0]) {
goto invalid_option;
}
if (strlen(option) > 1U) {
/* value in option. */
if (strpbrk(option, dash_opts) != &option[0] ||
strlen(option) > 1U) {
/* Error or value in option. */
continue;
}
/* Dash value is next argument so we need to skip it. */
rc--, rv++;
/* Handle missing argument */
if (rc == 0) {
invalid_option:
fprintf(stderr, "Invalid option: -%s\n", option);
usage();
break;
}
}
}
@@ -2411,7 +2250,7 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) {
debug("making new lookup");
default_lookup = make_empty_lookup();
default_lookup->adflag = true;
default_lookup->edns = DEFAULT_EDNS_VERSION;
default_lookup->edns = 0;
default_lookup->sendcookie = true;
#ifndef NOPOSIX
@@ -2486,8 +2325,7 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) {
}
}
} else if (rv[0][0] == '+') {
lookup = plus_option(&rv[0][1], is_batchfile,
&need_clone, lookup);
plus_option(&rv[0][1], is_batchfile, lookup);
} else if (rv[0][0] == '-') {
if (rc <= 1) {
if (dash_option(&rv[0][1], NULL, &lookup,

1431
bin/dig/dig.docbook Normal file

File diff suppressed because it is too large Load Diff

1155
bin/dig/dig.html Normal file

File diff suppressed because it is too large Load Diff

View File

@@ -1,637 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dig:
dig - DNS lookup utility
------------------------
Synopsis
~~~~~~~~
:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
:program:`dig` [**-h**]
:program:`dig` [global-queryopt...] [query...]
Description
~~~~~~~~~~~
``dig`` is a flexible tool for interrogating DNS name servers. It
performs DNS lookups and displays the answers that are returned from the
name server(s) that were queried. Most DNS administrators use ``dig`` to
troubleshoot DNS problems because of its flexibility, ease of use, and
clarity of output. Other lookup tools tend to have less functionality
than ``dig``.
Although ``dig`` is normally used with command-line arguments, it also
has a batch mode of operation for reading lookup requests from a file. A
brief summary of its command-line arguments and options is printed when
the ``-h`` option is given. The BIND 9
implementation of ``dig`` allows multiple lookups to be issued from the
command line.
Unless it is told to query a specific name server, ``dig`` tries each
of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, ``dig`` sends the query to the local host.
When no command-line arguments or options are given, ``dig``
performs an NS query for "." (the root).
It is possible to set per-user defaults for ``dig`` via
``${HOME}/.digrc``. This file is read and any options in it are applied
before the command-line arguments. The ``-r`` option disables this
feature, for scripts that need predictable behavior.
The IN and CH class names overlap with the IN and CH top-level domain
names. Either use the ``-t`` and ``-c`` options to specify the type and
class, use the ``-q`` to specify the domain name, or use "IN." and
"CH." when looking up these top-level domains.
Simple Usage
~~~~~~~~~~~~
A typical invocation of ``dig`` looks like:
::
dig @server name type
where:
``server``
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, ``dig`` resolves that name before querying that name
server.
If no ``server`` argument is provided, ``dig`` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the ``-4`` or ``-6``
options are in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, ``dig``
sends the query to the local host. The reply from the name server
that responds is displayed.
``name``
is the name of the resource record that is to be looked up.
``type``
indicates what type of query is required - ANY, A, MX, SIG, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, ``dig`` performs a lookup for an A record.
Options
~~~~~~~
``-4``
This option indicates that only IPv4 should be used.
``-6``
This option indicates that only IPv6 should be used.
``-b address[#port]``
This option sets the source IP address of the query. The ``address`` must be a
valid address on one of the host's network interfaces, or "0.0.0.0"
or "::". An optional port may be specified by appending ``#port``.
``-c class``
This option sets the query class. The default ``class`` is IN; other classes are
HS for Hesiod records or CH for Chaosnet records.
``-f file``
This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from
the given ``file``. Each line in the file should be organized in the
same way it would be presented as a query to ``dig`` using the
command-line interface.
``-k keyfile``
This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key
files can be generated using ``tsig-keygen``. When using TSIG
authentication with ``dig``, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is done
by providing appropriate ``key`` and ``server`` statements in
``named.conf``.
``-m``
This option enables memory usage debugging.
``-p port``
This option sends the query to a non-standard port on the server, instead of the
default port 53. This option is used to test a name server that
has been configured to listen for queries on a non-standard port
number.
``-q name``
This option specifies the domain name to query. This is useful to distinguish the ``name``
from other arguments.
``-r``
This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
scripts that need predictable behavior.
``-t type``
This option indicates the resource record type to query, which can be any valid query type. If
it is a resource record type supported in BIND 9, it can be given by
the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
``A``, unless the ``-x`` option is supplied to indicate a reverse
lookup. A zone transfer can be requested by specifying a type of
AXFR. When an incremental zone transfer (IXFR) is required, set the
``type`` to ``ixfr=N``. The incremental zone transfer contains
all changes made to the zone since the serial number in the zone's
SOA record was ``N``.
All resource record types can be expressed as ``TYPEnn``, where ``nn`` is
the number of the type. If the resource record type is not supported
in BIND 9, the result is displayed as described in :rfc:`3597`.
``-u``
This option indicates that print query times should be provided in microseconds instead of milliseconds.
``-v``
This option prints the version number and exits.
``-x addr``
This option sets simplified reverse lookups, for mapping addresses to names. The
``addr`` is an IPv4 address in dotted-decimal notation, or a
colon-delimited IPv6 address. When the ``-x`` option is used, there is no
need to provide the ``name``, ``class``, and ``type`` arguments.
``dig`` automatically performs a lookup for a name like
``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
and IN respectively. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
``-y [hmac:]keyname:secret``
This option signs queries using TSIG with the given authentication key.
``keyname`` is the name of the key, and ``secret`` is the
base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
``hmac-sha256``.
.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option,
because with ``-y`` the shared secret is supplied as a command-line
argument in clear text. This may be visible in the output from ``ps1`` or
in a history file maintained by the user's shell.
Query Options
~~~~~~~~~~~~~
``dig`` provides a number of query options which affect the way in which
lookups are made and the results displayed. Some of these set or reset
flag bits in the query header, some determine which sections of the
answer get printed, and others determine the timeout and retry
strategies.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option; these may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options, like the timeout interval. They have the form
``+keyword=value``. Keywords may be abbreviated, provided the
abbreviation is unambiguous; for example, ``+cd`` is equivalent to
``+cdflag``. The query options are:
``+[no]aaflag``
This option is a synonym for ``+[no]aaonly``.
``+[no]aaonly``
This option sets the ``aa`` flag in the query.
``+[no]additional``
This option displays [or does not display] the additional section of a reply. The
default is to display it.
``+[no]adflag``
This option sets [or does not set] the AD (authentic data) bit in the query. This
requests the server to return whether all of the answer and authority
sections have been validated as secure, according to the security
policy of the server. ``AD=1`` indicates that all records have been
validated as secure and the answer is not from a OPT-OUT range. ``AD=0``
indicates that some part of the answer was insecure or not validated.
This bit is set by default.
``+[no]all``
This option sets or clears all display flags.
``+[no]answer``
This option displays [or does not display] the answer section of a reply. The default
is to display it.
``+[no]authority``
This option displays [or does not display] the authority section of a reply. The
default is to display it.
``+[no]badcookie``
This option retries the lookup with a new server cookie if a BADCOOKIE response is
received.
``+[no]besteffort``
This option attempts to display the contents of messages which are malformed. The
default is to not display malformed answers.
``+bufsize[=B]``
This option sets the UDP message buffer size advertised using EDNS0 to
``B`` bytes. The maximum and minimum sizes of this buffer are 65535 and
0, respectively. ``+bufsize`` restores the default buffer size.
``+[no]cdflag``
This option sets [or does not set] the CD (checking disabled) bit in the query. This
requests the server to not perform DNSSEC validation of responses.
``+[no]class``
This option displays [or does not display] the CLASS when printing the record.
``+[no]cmd``
This option toggles the printing of the initial comment in the output, identifying the
version of ``dig`` and the query options that have been applied. This option
always has a global effect; it cannot be set globally and then overridden on a
per-lookup basis. The default is to print this comment.
``+[no]comments``
This option toggles the display of some comment lines in the output, with
information about the packet header and OPT pseudosection, and the names of
the response section. The default is to print these comments.
Other types of comments in the output are not affected by this option, but
can be controlled using other command-line switches. These include
``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
``+[no]cookie=####``
This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
from a previous response allows the server to identify a previous
client. The default is ``+cookie``.
``+cookie`` is also set when ``+trace`` is set to better emulate the
default queries from a nameserver.
``+[no]crypto``
This option toggles the display of cryptographic fields in DNSSEC records. The
contents of these fields are unnecessary for debugging most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted,
they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
``+[no]defname``
This option, which is deprecated, is treated as a synonym for ``+[no]search``.
``+[no]dns64prefix``
Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
``+[no]dnssec``
This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
the OPT record in the additional section of the query.
``+domain=somename``
This option sets the search list to contain the single domain ``somename``, as if
specified in a ``domain`` directive in ``/etc/resolv.conf``, and
enables search list processing as if the ``+search`` option were
given.
``+dscp=value``
This option sets the DSCP code point to be used when sending the query. Valid DSCP
code points are in the range [0...63]. By default no code point is
explicitly set.
``+[no]edns[=#]``
This option specifies the EDNS version to query with. Valid values are 0 to 255.
Setting the EDNS version causes an EDNS query to be sent.
``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
default.
``+[no]ednsflags[=#]``
This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
Decimal, hex, and octal encodings are accepted. Setting a named flag
(e.g., DO) is silently ignored. By default, no Z bits are set.
``+[no]ednsnegotiation``
This option enables/disables EDNS version negotiation. By default, EDNS version
negotiation is enabled.
``+[no]ednsopt[=code[:value]]``
This option specifies the EDNS option with code point ``code`` and an optional payload
of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
option name (for example, ``NSID`` or ``ECS``) or an arbitrary
numeric value. ``+noednsopt`` clears the EDNS options to be sent.
``+[no]expire``
This option sends an EDNS Expire option.
``+[no]fail``
This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is
to not try the next server, which is the reverse of normal stub
resolver behavior.
``+[no]header-only``
This option sends a query with a DNS header without a question section. The
default is to add a question section. The query type and query name
are ignored when this is set.
``+[no]identify``
This option shows [or does not show] the IP address and port number that supplied
the answer, when the ``+short`` option is enabled. If short form
answers are requested, the default is not to show the source address
and port number of the server that provided the answer.
``+[no]idnin``
This option processes [or does not process] IDN domain names on input. This requires
``IDN SUPPORT`` to have been enabled at compile time.
The default is to process IDN input when standard output is a tty.
The IDN processing on input is disabled when ``dig`` output is redirected
to files, pipes, and other non-tty file descriptors.
``+[no]idnout``
This option converts [or does not convert] puny code on output. This requires
``IDN SUPPORT`` to have been enabled at compile time.
The default is to process puny code on output when standard output is
a tty. The puny code processing on output is disabled when ``dig`` output
is redirected to files, pipes, and other non-tty file descriptors.
``+[no]ignore``
This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
default, TCP retries are performed.
``+[no]keepalive``
This option sends [or does not send] an EDNS Keepalive option.
``+[no]keepopen``
This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
creating a new TCP socket for each lookup. The default is
``+nokeepopen``.
``+[no]mapped``
This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is
``+mapped``.
``+[no]multiline``
This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
with human-readable comments. The default is to print each record on
a single line to facilitate machine parsing of the ``dig`` output.
``+ndots=D``
This option sets the number of dots (``D``) that must appear in ``name`` for
it to be considered absolute. The default value is that defined using
the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
statement is present. Names with fewer dots are interpreted as
relative names, and are searched for in the domains listed in the
``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
``+search`` is set.
``+[no]nsid``
When enabled, this option includes an EDNS name server ID request when sending a query.
``+[no]nssearch``
When this option is set, ``dig`` attempts to find the authoritative
name servers for the zone containing the name being looked up, and
display the SOA record that each name server has for the zone.
Addresses of servers that did not respond are also printed.
``+[no]onesoa``
When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
default is to print both the starting and ending SOA records.
``+[no]opcode=value``
When enabled, this option sets (restores) the DNS message opcode to the specified value. The
default value is QUERY (0).
``+padding=value``
This option pads the size of the query packet using the EDNS Padding option to
blocks of ``value`` bytes. For example, ``+padding=32`` causes a
48-byte query to be padded to 64 bytes. The default block size is 0,
which disables padding; the maximum is 512. Values are ordinarily
expected to be powers of two, such as 128; however, this is not
mandatory. Responses to padded queries may also be padded, but only
if the query uses TCP or DNS COOKIE.
``+qid=value``
This option specifies the query ID to use when sending queries.
``+[no]qr``
This option toggles the display of the query message as it is sent. By default, the query
is not printed.
``+[no]question``
This option toggles the display of the question section of a query when an answer is
returned. The default is to print the question section as a comment.
``+[no]raflag``
This option sets [or does not set] the RA (Recursion Available) bit in the query. The
default is ``+noraflag``. This bit is ignored by the server for
QUERY.
``+[no]rdflag``
This option is a synonym for ``+[no]recurse``.
``+[no]recurse``
This option toggles the setting of the RD (recursion desired) bit in the query.
This bit is set by default, which means ``dig`` normally sends
recursive queries. Recursion is automatically disabled when the
``+nssearch`` or ``+trace`` query option is used.
``+retry=T``
This option sets the number of times to retry UDP queries to server to ``T``
instead of the default, 2. Unlike ``+tries``, this does not include
the initial query.
``+[no]rrcomments``
This option toggles the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
not to print record comments unless multiline mode is active.
``+[no]search``
This option uses [or does not use] the search list defined by the searchlist or domain
directive in ``resolv.conf``, if any. The search list is not used by
default.
``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
``+ndots``, determines whether the name is treated as relative
and hence whether a search is eventually performed.
``+[no]short``
This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
form. This option always has a global effect; it cannot be set globally and
then overridden on a per-lookup basis.
``+[no]showsearch``
This option performs [or does not perform] a search showing intermediate results.
``+[no]sigchase``
This feature is now obsolete and has been removed; use ``delv``
instead.
``+split=W``
This option splits long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
``+[no]stats``
This option toggles the printing of statistics: when the query was made, the size of the
reply, etc. The default behavior is to print the query statistics as a
comment after each lookup.
``+[no]subnet=addr[/prefix-length]``
This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
address or network prefix.
``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
sends an EDNS CLIENT-SUBNET option with an empty address and a source
prefix-length of zero, which signals a resolver that the client's
address information must *not* be used when resolving this query.
``+[no]tcflag``
This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
``+notcflag``. This bit is ignored by the server for QUERY.
``+[no]tcp``
This option indicates whether to use TCP when querying name servers.
The default behavior is to use UDP unless a type ``any`` or ``ixfr=N``
query is requested, in which case the default is TCP. AXFR queries
always use TCP.
``+timeout=T``
This option sets the timeout for a query to ``T`` seconds. The default timeout is
5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
``+[no]tls``
This option indicates whether to use DNS over TLS (DoT) when querying
name servers.
``+[no]topdown``
This feature is related to ``dig +sigchase``, which is obsolete and
has been removed. Use ``delv`` instead.
``+[no]trace``
This option toggles tracing of the delegation path from the root name servers for
the name being looked up. Tracing is disabled by default. When
tracing is enabled, ``dig`` makes iterative queries to resolve the
name being looked up. It follows referrals from the root servers,
showing the answer from each server that was used to resolve the
lookup.
If ``@server`` is also specified, it affects only the initial query for
the root zone name servers.
``+dnssec`` is also set when ``+trace`` is set, to better emulate the
default queries from a name server.
``+tries=T``
This option sets the number of times to try UDP queries to server to ``T``
instead of the default, 3. If ``T`` is less than or equal to zero,
the number of tries is silently rounded up to 1.
``+trusted-key=####``
This option formerly specified trusted keys for use with ``dig +sigchase``. This
feature is now obsolete and has been removed; use ``delv`` instead.
``+[no]ttlid``
This option displays [or does not display] the TTL when printing the record.
``+[no]ttlunits``
This option displays [or does not display] the TTL in friendly human-readable time
units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
hours, days, and weeks. This implies ``+ttlid``.
``+[no]unknownformat``
This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
``+[no]vc``
This option uses [or does not use] TCP when querying name servers. This alternate
syntax to ``+[no]tcp`` is provided for backwards compatibility. The
``vc`` stands for "virtual circuit."
``+[no]yaml``
When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
outgoing queries) in a detailed YAML format.
``+[no]zflag``
This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
This flag is off by default.
Multiple Queries
~~~~~~~~~~~~~~~~
The BIND 9 implementation of ``dig`` supports specifying multiple
queries on the command line (in addition to supporting the ``-f`` batch
file option). Each of those queries can be supplied with its own set of
flags, options, and query options.
In this case, each ``query`` argument represents an individual query in
the command-line syntax described above. Each consists of any of the
standard options and flags, the name to be looked up, an optional query
type and class, and any query options that should be applied to that
query.
A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the first
tuple of name, class, type, options, flags, and query options supplied
on the command line. Any global query options (except ``+[no]cmd`` and
``+[no]short`` options) can be overridden by a query-specific set of
query options. For example:
::
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
shows how ``dig`` can be used from the command line to make three
lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
and a query for the NS records of ``isc.org``. A global query option of
``+qr`` is applied, so that ``dig`` shows the initial query it made for
each lookup. The final query has a local query option of ``+noqr`` which
means that ``dig`` does not print the initial query when it looks up the
NS records for ``isc.org``.
IDN Support
~~~~~~~~~~~
If ``dig`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``dig``
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, use the parameters
``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
variable.
Files
~~~~~
``/etc/resolv.conf``
``${HOME}/.digrc``
See Also
~~~~~~~~
:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
Bugs
~~~~
There are probably too many query options.

File diff suppressed because it is too large Load Diff

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -19,14 +19,13 @@
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/bufferlist.h>
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/list.h>
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/netmgr.h>
#include <isc/print.h>
#include <isc/refcount.h>
#include <isc/sockaddr.h>
#include <isc/socket.h>
@@ -61,8 +60,6 @@
#define MAXPORT 0xffff
/*% Max serial number */
#define MAXSERIAL 0xffffffff
/*% Max query ID */
#define MAXQID 0xffff
/*% Default TCP Timeout */
#define TCP_TIMEOUT 10
@@ -72,10 +69,6 @@
#define SERVER_TIMEOUT 1
#define LOOKUP_LIMIT 64
#define DEFAULT_EDNS_VERSION 0
#define DEFAULT_EDNS_BUFSIZE 1232
/*%
* Lookup_limit is just a limiter, keeping too many lookups from being
* created. It's job is mainly to prevent the program from running away
@@ -90,39 +83,36 @@ typedef struct dig_server dig_server_t;
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
#define DIG_LOOKUP_MAGIC ISC_MAGIC('D', 'i', 'g', 'l')
#define DIG_VALID_LOOKUP(x) ISC_MAGIC_VALID((x), DIG_LOOKUP_MAGIC)
#define DIG_QUERY_MAGIC ISC_MAGIC('D', 'i', 'g', 'q')
#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
/*% The dig_lookup structure */
struct dig_lookup {
unsigned int magic;
isc_refcount_t references;
bool aaonly, adflag, badcookie, besteffort, cdflag, comments,
dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa,
expire, header_only, identify, /*%< Append an "on server <foo>"
message */
identify_previous_line, /*% Prepend a "Nameserver <foo>:"
message, with newline and tab */
idnin, idnout, ignore, mapped, multiline, need_search,
new_search, noclass, nocrypto, nottl,
ns_search_only, /*%< dig +nssearch, host -C */
nsid, /*% Name Server ID (RFC 5001) */
onesoa, pending, /*%< Pending a successful answer */
print_unknown_format, qr, raflag, recurse, section_additional,
section_answer, section_authority, section_question,
seenbadcookie, sendcookie, servfail_stops,
setqid, /*% use a speciied query ID */
stats, tcflag, tcp_keepalive, tcp_mode, tcp_mode_set,
tls_mode, /*% connect using TLS */
bool pending, /*%< Pending a successful answer */
waiting_connect, doing_xfr, ns_search_only, /*%< dig
* +nssearch,
* host -C */
identify, /*%< Append an "on server <foo>" message */
identify_previous_line, /*% Prepend a "Nameserver <foo>:"
* message, with newline and tab */
ignore, recurse, aaonly, adflag, cdflag, raflag, tcflag, zflag,
trace, /*% dig +trace */
trace_root, /*% initial query for either +trace or +nssearch */
ttlunits, use_usec, waiting_connect, zflag;
char textname[MXNAME]; /*% Name we're going to be looking up */
trace_root, /*% initial query for either +trace or +nssearch
* */
tcp_mode, tcp_mode_set, comments, stats, section_question,
section_answer, section_authority, section_additional,
servfail_stops, new_search, need_search, done_as_is, besteffort,
dnssec, expire, sendcookie, seenbadcookie, badcookie,
nsid, /*% Name Server ID (RFC 5001) */
tcp_keepalive, header_only, ednsneg, mapped,
print_unknown_format, multiline, nottl, noclass, onesoa,
use_usec, nocrypto, ttlunits, idnin, idnout, expandaaaa, qr,
accept_reply_unexpected_src; /*% print replies from
* unexpected
* sources. */
char textname[MXNAME]; /*% Name we're going to be
* looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
@@ -148,7 +138,7 @@ struct dig_lookup {
dig_query_t *xfr_q;
uint32_t retries;
int nsfound;
int16_t udpsize;
uint16_t udpsize;
int16_t edns;
int16_t padding;
uint32_t ixfr_serial;
@@ -167,18 +157,15 @@ struct dig_lookup {
dns_opcode_t opcode;
int rrcomments;
unsigned int eoferr;
uint16_t qid;
};
/*% The dig_query structure */
struct dig_query {
unsigned int magic;
dig_lookup_t *lookup;
bool first_pass;
bool first_soa_rcvd;
bool second_rr_rcvd;
bool first_repeat_rcvd;
bool warn_id;
bool waiting_connect, pending_free, waiting_senddone, first_pass,
first_soa_rcvd, second_rr_rcvd, first_repeat_rcvd, recv_made,
warn_id, timedout;
uint32_t first_rr_serial;
uint32_t second_rr_serial;
uint32_t msg_count;
@@ -186,12 +173,9 @@ struct dig_query {
bool ixfr_axfr;
char *servname;
char *userarg;
isc_buffer_t sendbuf;
isc_buffer_t recvbuf, lengthbuf, tmpsendbuf, sendbuf;
char *recvspace, *tmpsendspace, lengthspace[4];
isc_refcount_t references;
isc_nmhandle_t *handle;
isc_nmhandle_t *readhandle;
isc_nmhandle_t *sendhandle;
isc_socket_t *sock;
ISC_LINK(dig_query_t) link;
ISC_LINK(dig_query_t) clink;
isc_sockaddr_t sockaddr;
@@ -199,8 +183,6 @@ struct dig_query {
isc_time_t time_recv;
uint64_t byte_count;
isc_timer_t *timer;
uint8_t tries;
isc_tlsctx_t *tlsctx;
};
struct dig_server {
@@ -229,14 +211,13 @@ extern unsigned int extrabytes;
extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
showsearch, yaml;
extern in_port_t port;
extern bool port_set;
extern unsigned int timeout;
extern isc_mem_t *mctx;
extern isc_refcount_t sendcount;
extern int sendcount;
extern int ndots;
extern int lookup_counter;
extern int exitcode;
extern isc_sockaddr_t localaddr;
extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
@@ -401,38 +382,32 @@ setup_text_key(void);
* Routines exported from dig.c for use by dig for iOS
*/
/*%
/*%<
* Call once only to set up libraries, parse global
* parameters and initial command line query parameters
*/
void
dig_setup(int argc, char **argv);
/*%
/*%<
* Call to supply new parameters for the next lookup
*/
void
dig_query_setup(bool, bool, int argc, char **argv);
/*%
/*%<
* set the main application event cycle running
*/
void
dig_startup(void);
/*%
/*%<
* Initiates the next lookup cycle
*/
void
dig_query_start(void);
/*%
* Activate/deactivate IDN filtering of output.
*/
void
dig_idnsetup(dig_lookup_t *lookup, bool active);
/*%
/*%<
* Cleans up the application
*/
void

278
bin/dig/host.1 Normal file
View File

@@ -0,0 +1,278 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: host
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2009-01-20
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "HOST" "1" "2009\-01\-20" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
host \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBhost\fR\ 'u
\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
.SH "DESCRIPTION"
.PP
\fBhost\fR
is a simple utility for performing DNS lookups\&. It is normally used to convert names to IP addresses and vice versa\&. When no arguments or options are given,
\fBhost\fR
prints a short summary of its command line arguments and options\&.
.PP
\fIname\fR
is the domain name that is to be looked up\&. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
\fBhost\fR
will by default perform a reverse lookup for that address\&.
\fIserver\fR
is an optional argument which is either the name or IP address of the name server that
\fBhost\fR
should query instead of the server or servers listed in
/etc/resolv\&.conf\&.
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only for query transport\&. See also the
\fB\-6\fR
option\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only for query transport\&. See also the
\fB\-4\fR
option\&.
.RE
.PP
\-a
.RS 4
"All"\&. The
\fB\-a\fR
option is normally equivalent to
\fB\-v \-t \fR\fBANY\fR\&. It also affects the behaviour of the
\fB\-l\fR
list zone option\&.
.RE
.PP
\-A
.RS 4
"Almost all"\&. The
\fB\-A\fR
option is equivalent to
\fB\-a\fR
except RRSIG, NSEC, and NSEC3 records are omitted from the output\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records\&. The default class is IN (Internet)\&.
.RE
.PP
\-C
.RS 4
Check consistency:
\fBhost\fR
will query the SOA records for zone
\fIname\fR
from all the listed authoritative name servers for that zone\&. The list of name servers is defined by the NS records that are found for the zone\&.
.RE
.PP
\-d
.RS 4
Print debugging traces\&. Equivalent to the
\fB\-v\fR
verbose option\&.
.RE
.PP
\-l
.RS 4
List zone: The
\fBhost\fR
command performs a zone transfer of zone
\fIname\fR
and prints out the NS, PTR and address records (A/AAAA)\&.
.sp
Together, the
\fB\-l \-a\fR
options print all records in the zone\&.
.RE
.PP
\-N \fIndots\fR
.RS 4
The number of dots that have to be in
\fIname\fR
for it to be considered absolute\&. The default value is that defined using the ndots statement in
/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
/etc/resolv\&.conf\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Specify the port on the server to query\&. The default is 53\&.
.RE
.PP
\-r
.RS 4
Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
\fIname\fR\&. The
\fB\-r\fR
option enables
\fBhost\fR
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers\&.
.RE
.PP
\-R \fInumber\fR
.RS 4
Number of retries for UDP queries: If
\fInumber\fR
is negative or zero, the number of retries will default to 1\&. The default value is 1, or the value of the
\fIattempts\fR
option in
/etc/resolv\&.conf, if set\&.
.RE
.PP
\-s
.RS 4
Do
\fInot\fR
send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Query type: The
\fItype\fR
argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc\&.
.sp
When no query type is specified,
\fBhost\fR
automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records\&. If the
\fB\-C\fR
option is given, queries will be made for SOA records\&. If
\fIname\fR
is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
\fBhost\fR
will query for PTR records\&.
.sp
If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like
\fB\-t \fR\fBIXFR=12345678\fR)\&.
.RE
.PP
\-T, \-U
.RS 4
TCP/UDP: By default,
\fBhost\fR
uses UDP when making queries\&. The
\fB\-T\fR
option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&. Type ANY queries default to TCP but can be forced to UDP initially using
\fB\-U\fR\&.
.RE
.PP
\-m \fIflag\fR
.RS 4
Memory usage debugging: the flag can be
\fIrecord\fR,
\fIusage\fR, or
\fItrace\fR\&. You can specify the
\fB\-m\fR
option more than once to set multiple flags\&.
.RE
.PP
\-v
.RS 4
Verbose output\&. Equivalent to the
\fB\-d\fR
debug option\&. Verbose output can also be enabled by setting the
\fIdebug\fR
option in
/etc/resolv\&.conf\&.
.RE
.PP
\-V
.RS 4
Print the version number and exit\&.
.RE
.PP
\-w
.RS 4
Wait forever: The query timeout is set to the maximum possible\&. See also the
\fB\-W\fR
option\&.
.RE
.PP
\-W \fIwait\fR
.RS 4
Timeout: Wait for up to
\fIwait\fR
seconds for a reply\&. If
\fIwait\fR
is less than one, the wait interval is set to one second\&.
.sp
By default,
\fBhost\fR
will wait for 5 seconds for UDP responses and 10 seconds for TCP connections\&. These defaults can be overridden by the
\fItimeout\fR
option in
/etc/resolv\&.conf\&.
.sp
See also the
\fB\-w\fR
option\&.
.RE
.SH "IDN SUPPORT"
.PP
If
\fBhost\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBhost\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBhost\fR
runs\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -107,34 +107,32 @@ show_usage(void);
static void
show_usage(void) {
fprintf(stderr,
"Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
"time]\n"
" [-R number] [-m flag] [-p port] hostname "
"[server]\n"
" -a is equivalent to -v -t ANY\n"
" -A is like -a but omits RRSIG, NSEC, NSEC3\n"
" -c specifies query class for non-IN data\n"
" -C compares SOA records on authoritative nameservers\n"
" -d is equivalent to -v\n"
" -l lists all hosts in a domain, using AXFR\n"
" -m set memory debugging flag (trace|record|usage)\n"
" -N changes the number of dots allowed before root "
"lookup "
"is done\n"
" -p specifies the port on the server to query\n"
" -r disables recursive processing\n"
" -R specifies number of retries for UDP packets\n"
" -s a SERVFAIL response should stop query\n"
" -t specifies the query type\n"
" -T enables TCP/IP mode\n"
" -U enables UDP mode\n"
" -v enables verbose output\n"
" -V print version number and exit\n"
" -w specifies to wait forever for a reply\n"
" -W specifies how long to wait for a reply\n"
" -4 use IPv4 query transport only\n"
" -6 use IPv6 query transport only\n");
fputs("Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
"time]\n"
" [-R number] [-m flag] [-p port] hostname [server]\n"
" -a is equivalent to -v -t ANY\n"
" -A is like -a but omits RRSIG, NSEC, NSEC3\n"
" -c specifies query class for non-IN data\n"
" -C compares SOA records on authoritative nameservers\n"
" -d is equivalent to -v\n"
" -l lists all hosts in a domain, using AXFR\n"
" -m set memory debugging flag (trace|record|usage)\n"
" -N changes the number of dots allowed before root lookup "
"is done\n"
" -p specifies the port on the server to query\n"
" -r disables recursive processing\n"
" -R specifies number of retries for UDP packets\n"
" -s a SERVFAIL response should stop query\n"
" -t specifies the query type\n"
" -T enables TCP/IP mode\n"
" -U enables UDP mode\n"
" -v enables verbose output\n"
" -V print version number and exit\n"
" -w specifies to wait forever for a reply\n"
" -W specifies how long to wait for a reply\n"
" -4 use IPv4 query transport only\n"
" -6 use IPv6 query transport only\n",
stderr);
exit(1);
}

416
bin/dig/host.docbook Normal file
View File

@@ -0,0 +1,416 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
<info>
<date>2009-01-20</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>host</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>host</refname>
<refpurpose>DNS lookup utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>host</command>
<arg choice="opt" rep="norepeat"><option>-aACdlnrsTUwv</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="port">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>host</command>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<command>host</command>
prints a short summary of its command line arguments and options.
</para>
<para><parameter>name</parameter> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <command>host</command> will by
default
perform a reverse lookup for that address.
<parameter>server</parameter> is an optional argument which
is either
the name or IP address of the name server that <command>host</command>
should query instead of the server or servers listed in
<filename>/etc/resolv.conf</filename>.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Use IPv4 only for query transport.
See also the <option>-6</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Use IPv6 only for query transport.
See also the <option>-4</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
<listitem>
<para>
"All". The <option>-a</option> option is normally equivalent
to <option>-v -t <literal>ANY</literal></option>.
It also affects the behaviour of the <option>-l</option>
list zone option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
"Almost all". The <option>-A</option> option is equivalent
to <option>-a</option> except RRSIG, NSEC, and NSEC3
records are omitted from the output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Query class: This can be used to lookup HS (Hesiod) or CH
(Chaosnet) class resource records. The default class is IN
(Internet).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Check consistency: <command>host</command> will query the
SOA records for zone <parameter>name</parameter> from all
the listed authoritative name servers for that zone. The
list of name servers is defined by the NS records that are
found for the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Print debugging traces.
Equivalent to the <option>-v</option> verbose option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>
List zone:
The <command>host</command> command performs a zone transfer of
zone <parameter>name</parameter> and prints out the NS,
PTR and address records (A/AAAA).
</para>
<para>
Together, the <option>-l -a</option>
options print all records in the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-N <replaceable class="parameter">ndots</replaceable></term>
<listitem>
<para>
The number of dots that have to be
in <parameter>name</parameter> for it to be considered
absolute. The default value is that defined using the
ndots statement in <filename>/etc/resolv.conf</filename>,
or 1 if no ndots statement is present. Names with fewer
dots are interpreted as relative names and will be
searched for in the domains listed in
the <type>search</type> or <type>domain</type> directive
in <filename>/etc/resolv.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Specify the port on the server to query. The default is 53.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Non-recursive query:
Setting this option clears the RD (recursion desired) bit
in the query. This should mean that the name server
receiving the query will not attempt to
resolve <parameter>name</parameter>.
The <option>-r</option> option
enables <command>host</command> to mimic the behavior of a
name server by making non-recursive queries and expecting
to receive answers to those queries that can be
referrals to other name servers.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">number</replaceable></term>
<listitem>
<para>
Number of retries for UDP queries:
If <parameter>number</parameter> is negative or zero, the
number of retries will default to 1. The default value is
1, or the value of the <parameter>attempts</parameter>
option in <filename>/etc/resolv.conf</filename>, if set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Do <emphasis>not</emphasis> send the query to the next
nameserver if any server responds with a SERVFAIL
response, which is the reverse of normal stub resolver
behavior.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Query type:
The <parameter>type</parameter> argument can be any
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
</para>
<para>
When no query type is specified, <command>host</command>
automatically selects an appropriate query type. By default, it
looks for A, AAAA, and MX records.
If the <option>-C</option> option is given, queries will
be made for SOA records.
If <parameter>name</parameter> is a dotted-decimal IPv4
address or colon-delimited IPv6
address, <command>host</command> will query for PTR
records.
</para>
<para>
If a query type of IXFR is chosen the starting serial
number can be specified by appending an equal followed by
the starting serial number
(like <option>-t <literal>IXFR=12345678</literal></option>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T</term>
<term>-U</term>
<listitem>
<para>
TCP/UDP:
By default, <command>host</command> uses UDP when making
queries. The <option>-T</option> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <option>-U</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Memory usage debugging: the flag can
be <parameter>record</parameter>, <parameter>usage</parameter>,
or <parameter>trace</parameter>. You can specify
the <option>-m</option> option more than once to set
multiple flags.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Verbose output.
Equivalent to the <option>-d</option> debug option.
Verbose output can also be enabled by setting
the <parameter>debug</parameter> option
in <filename>/etc/resolv.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Print the version number and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>
Wait forever: The query timeout is set to the maximum possible.
See also the <option>-W</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W <replaceable class="parameter">wait</replaceable></term>
<listitem>
<para>
Timeout: Wait for up to <parameter>wait</parameter>
seconds for a reply. If <parameter>wait</parameter> is
less than one, the wait interval is set to one second.
</para>
<para>
By default, <command>host</command> will wait for 5
seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by
the <parameter>timeout</parameter> option
in <filename>/etc/resolv.conf</filename>.
</para>
<para>
See also the <option>-w</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>host</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
</refentry>

339
bin/dig/host.html Normal file
View File

@@ -0,0 +1,339 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.host"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
host
&#8212; DNS lookup utility
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">host</code>
[<code class="option">-aACdlnrsTUwv</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-v</code>]
[<code class="option">-V</code>]
{name}
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<span class="command"><strong>host</strong></span>
prints a short summary of its command line arguments and options.
</p>
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
default
perform a reverse lookup for that address.
<em class="parameter"><code>server</code></em> is an optional argument which
is either
the name or IP address of the name server that <span class="command"><strong>host</strong></span>
should query instead of the server or servers listed in
<code class="filename">/etc/resolv.conf</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd>
<p>
Use IPv4 only for query transport.
See also the <code class="option">-6</code> option.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Use IPv6 only for query transport.
See also the <code class="option">-4</code> option.
</p>
</dd>
<dt><span class="term">-a</span></dt>
<dd>
<p>
"All". The <code class="option">-a</code> option is normally equivalent
to <code class="option">-v -t <code class="literal">ANY</code></code>.
It also affects the behaviour of the <code class="option">-l</code>
list zone option.
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
"Almost all". The <code class="option">-A</code> option is equivalent
to <code class="option">-a</code> except RRSIG, NSEC, and NSEC3
records are omitted from the output.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Query class: This can be used to lookup HS (Hesiod) or CH
(Chaosnet) class resource records. The default class is IN
(Internet).
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Check consistency: <span class="command"><strong>host</strong></span> will query the
SOA records for zone <em class="parameter"><code>name</code></em> from all
the listed authoritative name servers for that zone. The
list of name servers is defined by the NS records that are
found for the zone.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Print debugging traces.
Equivalent to the <code class="option">-v</code> verbose option.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
List zone:
The <span class="command"><strong>host</strong></span> command performs a zone transfer of
zone <em class="parameter"><code>name</code></em> and prints out the NS,
PTR and address records (A/AAAA).
</p>
<p>
Together, the <code class="option">-l -a</code>
options print all records in the zone.
</p>
</dd>
<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
<dd>
<p>
The number of dots that have to be
in <em class="parameter"><code>name</code></em> for it to be considered
absolute. The default value is that defined using the
ndots statement in <code class="filename">/etc/resolv.conf</code>,
or 1 if no ndots statement is present. Names with fewer
dots are interpreted as relative names and will be
searched for in the domains listed in
the <span class="type">search</span> or <span class="type">domain</span> directive
in <code class="filename">/etc/resolv.conf</code>.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Specify the port on the server to query. The default is 53.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Non-recursive query:
Setting this option clears the RD (recursion desired) bit
in the query. This should mean that the name server
receiving the query will not attempt to
resolve <em class="parameter"><code>name</code></em>.
The <code class="option">-r</code> option
enables <span class="command"><strong>host</strong></span> to mimic the behavior of a
name server by making non-recursive queries and expecting
to receive answers to those queries that can be
referrals to other name servers.
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Number of retries for UDP queries:
If <em class="parameter"><code>number</code></em> is negative or zero, the
number of retries will default to 1. The default value is
1, or the value of the <em class="parameter"><code>attempts</code></em>
option in <code class="filename">/etc/resolv.conf</code>, if set.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Do <span class="emphasis"><em>not</em></span> send the query to the next
nameserver if any server responds with a SERVFAIL
response, which is the reverse of normal stub resolver
behavior.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Query type:
The <em class="parameter"><code>type</code></em> argument can be any
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
</p>
<p>
When no query type is specified, <span class="command"><strong>host</strong></span>
automatically selects an appropriate query type. By default, it
looks for A, AAAA, and MX records.
If the <code class="option">-C</code> option is given, queries will
be made for SOA records.
If <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
address or colon-delimited IPv6
address, <span class="command"><strong>host</strong></span> will query for PTR
records.
</p>
<p>
If a query type of IXFR is chosen the starting serial
number can be specified by appending an equal followed by
the starting serial number
(like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
</p>
</dd>
<dt>
<span class="term">-T, </span><span class="term">-U</span>
</dt>
<dd>
<p>
TCP/UDP:
By default, <span class="command"><strong>host</strong></span> uses UDP when making
queries. The <code class="option">-T</code> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <code class="option">-U</code>.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
<p>
Memory usage debugging: the flag can
be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
or <em class="parameter"><code>trace</code></em>. You can specify
the <code class="option">-m</code> option more than once to set
multiple flags.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Verbose output.
Equivalent to the <code class="option">-d</code> debug option.
Verbose output can also be enabled by setting
the <em class="parameter"><code>debug</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Print the version number and exit.
</p>
</dd>
<dt><span class="term">-w</span></dt>
<dd>
<p>
Wait forever: The query timeout is set to the maximum possible.
See also the <code class="option">-W</code> option.
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
<dd>
<p>
Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
seconds for a reply. If <em class="parameter"><code>wait</code></em> is
less than one, the wait interval is set to one second.
</p>
<p>
By default, <span class="command"><strong>host</strong></span> will wait for 5
seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by
the <em class="parameter"><code>timeout</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p>
<p>
See also the <code class="option">-w</code> option.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>host</strong></span> runs.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,181 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_host:
host - DNS lookup utility
-------------------------
Synopsis
~~~~~~~~
:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
Description
~~~~~~~~~~~
``host`` is a simple utility for performing DNS lookups. It is normally
used to convert names to IP addresses and vice versa. When no arguments
or options are given, ``host`` prints a short summary of its
command-line arguments and options.
``name`` is the domain name that is to be looked up. It can also be a
dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
case ``host`` by default performs a reverse lookup for that address.
``server`` is an optional argument which is either the name or IP
address of the name server that ``host`` should query instead of the
server or servers listed in ``/etc/resolv.conf``.
Options
~~~~~~~
``-4``
This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option.
``-6``
This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option.
``-a``
The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It
also affects the behavior of the ``-l`` list zone option.
``-A``
The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG,
NSEC, and NSEC3 records are omitted from the output.
``-c class``
This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
class resource records. The default class is IN (Internet).
``-C``
This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone
``name`` from all the listed authoritative name servers for that
zone. The list of name servers is defined by the NS records that are
found for the zone.
``-d``
This option prints debugging traces, and is equivalent to the ``-v`` verbose option.
``-l``
This option tells ``named` to list the zone, meaning the ``host`` command performs a zone transfer of zone
``name`` and prints out the NS, PTR, and address records (A/AAAA).
Together, the ``-l -a`` options print all records in the zone.
``-N ndots``
This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
considered absolute. The default value is that defined using the
``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
is present. Names with fewer dots are interpreted as relative names,
and are searched for in the domains listed in the ``search`` or
``domain`` directive in ``/etc/resolv.conf``.
``-p port``
This option specifies the port to query on the server. The default is 53.
``-r``
This option specifies a non-recursive query; setting this option clears the RD (recursion
desired) bit in the query. This means that the name server
receiving the query does not attempt to resolve ``name``. The ``-r``
option enables ``host`` to mimic the behavior of a name server by
making non-recursive queries, and expecting to receive answers to
those queries that can be referrals to other name servers.
``-R number``
This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
the number of retries is silently set to 1. The default value is 1, or
the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
``-s``
This option tells ``named`` *not* to send the query to the next nameserver if any server responds
with a SERVFAIL response, which is the reverse of normal stub
resolver behavior.
``-t type``
This option specifies the query type. The ``type`` argument can be any recognized query type:
CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
When no query type is specified, ``host`` automatically selects an
appropriate query type. By default, it looks for A, AAAA, and MX
records. If the ``-C`` option is given, queries are made for SOA
records. If ``name`` is a dotted-decimal IPv4 address or
colon-delimited IPv6 address, ``host`` queries for PTR records.
If a query type of IXFR is chosen, the starting serial number can be
specified by appending an equals sign (=), followed by the starting serial
number, e.g., ``-t IXFR=12345678``.
``-T``; ``-U``
This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the
``-T`` option makes it use a TCP connection when querying the name
server. TCP is automatically selected for queries that require
it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
to TCP, but can be forced to use UDP initially via ``-U``.
``-m flag``
This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
``trace``. The ``-m`` option can be specified more than once to set
multiple flags.
``-v``
This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output
can also be enabled by setting the ``debug`` option in
``/etc/resolv.conf``.
``-V``
This option prints the version number and exits.
``-w``
This option sets "wait forever": the query timeout is set to the maximum possible. See
also the ``-W`` option.
``-W wait``
This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
less than 1, the wait interval is set to 1 second.
By default, ``host`` waits for 5 seconds for UDP responses and 10
seconds for TCP connections. These defaults can be overridden by the
``timeout`` option in ``/etc/resolv.conf``.
See also the ``-w`` option.
IDN Support
~~~~~~~~~~~
If ``host`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``host``
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, define the ``IDN_DISABLE``
environment variable. IDN support is disabled if the variable is set
when ``host`` runs.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`named(8)`.

View File

@@ -0,0 +1 @@
../../../.clang-format.headers

308
bin/dig/nslookup.1 Normal file
View File

@@ -0,0 +1,308 @@
.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: nslookup
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-24
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NSLOOKUP" "1" "2014\-01\-24" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
nslookup \- query Internet name servers interactively
.SH "SYNOPSIS"
.HP \w'\fBnslookup\fR\ 'u
\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
.SH "DESCRIPTION"
.PP
\fBNslookup\fR
is a program to query Internet domain name servers\&.
\fBNslookup\fR
has two modes: interactive and non\-interactive\&. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain\&. Non\-interactive mode is used to print just the name and requested information for a host or domain\&.
.SH "ARGUMENTS"
.PP
Interactive mode is entered in the following cases:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
when no arguments are given (the default name server will be used)
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server\&.
.RE
.PP
Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument\&. The optional second argument specifies the host name or address of a name server\&.
.PP
Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen\&. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
.sp
.if n \{\
.RS 4
.\}
.nf
nslookup \-query=hinfo \-timeout=10
.fi
.if n \{\
.RE
.\}
.PP
The
\fB\-version\fR
option causes
\fBnslookup\fR
to print the version number and immediately exits\&.
.SH "INTERACTIVE COMMANDS"
.PP
\fBhost\fR [server]
.RS 4
Look up information for host using the current default server or using server, if specified\&. If host is an Internet address and the query type is A or PTR, the name of the host is returned\&. If host is a name and does not have a trailing period, the search list is used to qualify the name\&.
.sp
To look up a host not in the current domain, append a period to the name\&.
.RE
.PP
\fBserver\fR \fIdomain\fR
.RS 4
.RE
.PP
\fBlserver\fR \fIdomain\fR
.RS 4
Change the default server to
\fIdomain\fR;
\fBlserver\fR
uses the initial server to look up information about
\fIdomain\fR, while
\fBserver\fR
uses the current default server\&. If an authoritative answer can\*(Aqt be found, the names of servers that might have the answer are returned\&.
.RE
.PP
\fBroot\fR
.RS 4
not implemented
.RE
.PP
\fBfinger\fR
.RS 4
not implemented
.RE
.PP
\fBls\fR
.RS 4
not implemented
.RE
.PP
\fBview\fR
.RS 4
not implemented
.RE
.PP
\fBhelp\fR
.RS 4
not implemented
.RE
.PP
\fB?\fR
.RS 4
not implemented
.RE
.PP
\fBexit\fR
.RS 4
Exits the program\&.
.RE
.PP
\fBset\fR \fIkeyword\fR\fI[=value]\fR
.RS 4
This command is used to change state information that affects the lookups\&. Valid keywords are:
.PP
\fBall\fR
.RS 4
Prints the current values of the frequently used options to
\fBset\fR\&. Information about the current default server and host is also printed\&.
.RE
.PP
\fBclass=\fR\fIvalue\fR
.RS 4
Change the query class to one of:
.PP
\fBIN\fR
.RS 4
the Internet class
.RE
.PP
\fBCH\fR
.RS 4
the Chaos class
.RE
.PP
\fBHS\fR
.RS 4
the Hesiod class
.RE
.PP
\fBANY\fR
.RS 4
wildcard
.RE
.sp
The class specifies the protocol group of the information\&.
.sp
(Default = IN; abbreviation = cl)
.RE
.PP
\fB\fI[no]\fR\fR\fBdebug\fR
.RS 4
Turn on or off the display of the full response packet and any intermediate response packets when searching\&.
.sp
(Default = nodebug; abbreviation =
[no]deb)
.RE
.PP
\fB\fI[no]\fR\fR\fBd2\fR
.RS 4
Turn debugging mode on or off\&. This displays more about what nslookup is doing\&.
.sp
(Default = nod2)
.RE
.PP
\fBdomain=\fR\fIname\fR
.RS 4
Sets the search list to
\fIname\fR\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBsearch\fR
.RS 4
If the lookup request contains at least one period but doesn\*(Aqt end with a trailing period, append the domain names in the domain search list to the request until an answer is received\&.
.sp
(Default = search)
.RE
.PP
\fBport=\fR\fIvalue\fR
.RS 4
Change the default TCP/UDP name server port to
\fIvalue\fR\&.
.sp
(Default = 53; abbreviation = po)
.RE
.PP
\fBquerytype=\fR\fIvalue\fR
.RS 4
.RE
.PP
\fBtype=\fR\fIvalue\fR
.RS 4
Change the type of the information query\&.
.sp
(Default = A and then AAAA; abbreviations = q, ty)
.sp
\fBNote:\fR
It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBrecurse\fR
.RS 4
Tell the name server to query other servers if it does not have the information\&.
.sp
(Default = recurse; abbreviation = [no]rec)
.RE
.PP
\fBndots=\fR\fInumber\fR
.RS 4
Set the number of dots (label separators) in a domain that will disable searching\&. Absolute names always stop searching\&.
.RE
.PP
\fBretry=\fR\fInumber\fR
.RS 4
Set the number of retries to number\&.
.RE
.PP
\fBtimeout=\fR\fInumber\fR
.RS 4
Change the initial timeout interval for waiting for a reply to number seconds\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBvc\fR
.RS 4
Always use a virtual circuit when sending requests to the server\&.
.sp
(Default = novc)
.RE
.PP
\fB\fI[no]\fR\fR\fBfail\fR
.RS 4
Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response\&.
.sp
(Default = nofail)
.RE
.sp
.RE
.SH "RETURN VALUES"
.PP
\fBnslookup\fR
returns with an exit status of 1 if any query failed, and 0 otherwise\&.
.SH "IDN SUPPORT"
.PP
If
\fBnslookup\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBnslookup\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBnslookup\fR
runs or when the standard output is not a tty\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -37,7 +37,22 @@
#include <dns/rdatatype.h>
#include "dighost.h"
#include "readline.h"
#if defined(HAVE_READLINE)
#if defined(HAVE_EDIT_READLINE_READLINE_H)
#include <edit/readline/readline.h>
#if defined(HAVE_EDIT_READLINE_HISTORY_H)
#include <edit/readline/history.h>
#endif /* if defined(HAVE_EDIT_READLINE_HISTORY_H) */
#elif defined(HAVE_EDITLINE_READLINE_H)
#include <editline/readline.h>
#elif defined(HAVE_READLINE_READLINE_H)
#include <readline/readline.h>
#if defined(HAVE_READLINE_HISTORY_H)
#include <readline/history.h>
#endif /* if defined(HAVE_READLINE_HISTORY_H) */
#endif /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
#endif /* if defined(HAVE_READLINE) */
static bool short_form = true, tcpmode = false, tcpmode_set = false,
identify = false, stats = true, comments = true,
@@ -110,6 +125,8 @@ static const char *rtypetext[] = {
#define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
static void
flush_lookup_list(void);
static void
getinput(isc_task_t *task, isc_event_t *event);
@@ -134,6 +151,7 @@ static void
query_finished(void) {
isc_event_t *event = global_event;
flush_lookup_list();
debug("dighost_shutdown()");
if (!in_use) {
@@ -619,8 +637,6 @@ static void
setoption(char *opt) {
size_t l = strlen(opt);
debugging = true;
#define CHECKOPT(A, N) \
((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
@@ -771,8 +787,7 @@ addlookup(char *opt) {
lookup->recurse = recurse;
lookup->aaonly = aaonly;
lookup->retries = tries;
lookup->setqid = false;
lookup->qid = 0;
lookup->udpsize = 0;
lookup->comments = comments;
if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set) {
lookup->tcp_mode = true;
@@ -831,27 +846,38 @@ do_next_command(char *input) {
static void
get_next_command(void) {
char cmdlinebuf[COMMSIZE];
char *cmdline, *ptr = NULL;
char *buf;
char *ptr;
fflush(stdout);
buf = isc_mem_allocate(mctx, COMMSIZE);
isc_app_block();
if (interactive) {
cmdline = ptr = readline("> ");
if (ptr != NULL && *ptr != 0) {
#ifdef HAVE_READLINE
ptr = readline("> ");
if (ptr != NULL) {
add_history(ptr);
}
#else /* ifdef HAVE_READLINE */
fputs("> ", stderr);
fflush(stderr);
ptr = fgets(buf, COMMSIZE, stdin);
#endif /* ifdef HAVE_READLINE */
} else {
cmdline = fgets(cmdlinebuf, COMMSIZE, stdin);
ptr = fgets(buf, COMMSIZE, stdin);
}
isc_app_unblock();
if (cmdline == NULL) {
if (ptr == NULL) {
in_use = false;
} else {
do_next_command(cmdline);
do_next_command(ptr);
}
if (ptr != NULL) {
#ifdef HAVE_READLINE
if (interactive) {
free(ptr);
}
#endif /* ifdef HAVE_READLINE */
isc_mem_free(mctx, buf);
}
ISC_NORETURN static void
@@ -903,6 +929,46 @@ parse_args(int argc, char **argv) {
}
}
static void
flush_lookup_list(void) {
dig_lookup_t *l, *lp;
dig_query_t *q, *qp;
dig_server_t *s, *sp;
lookup_counter = 0;
l = ISC_LIST_HEAD(lookup_list);
while (l != NULL) {
q = ISC_LIST_HEAD(l->q);
while (q != NULL) {
if (q->sock != NULL) {
isc_socket_cancel(q->sock, NULL,
ISC_SOCKCANCEL_ALL);
isc_socket_detach(&q->sock);
}
isc_buffer_invalidate(&q->recvbuf);
isc_buffer_invalidate(&q->lengthbuf);
qp = q;
q = ISC_LIST_NEXT(q, link);
ISC_LIST_DEQUEUE(l->q, qp, link);
isc_mem_free(mctx, qp);
}
s = ISC_LIST_HEAD(l->my_server_list);
while (s != NULL) {
sp = s;
s = ISC_LIST_NEXT(s, link);
ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
isc_mem_free(mctx, sp);
}
if (l->sendmsg != NULL) {
dns_message_destroy(&l->sendmsg);
}
lp = l;
l = ISC_LIST_NEXT(l, link);
ISC_LIST_DEQUEUE(lookup_list, lp, link);
isc_mem_free(mctx, lp);
}
}
static void
getinput(isc_task_t *task, isc_event_t *event) {
UNUSED(task);

524
bin/dig/nslookup.docbook Normal file
View File

@@ -0,0 +1,524 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. Neither the name of the University nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
<info>
<date>2014-01-24</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>nslookup</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>nslookup</refname>
<refpurpose>query Internet name servers interactively</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2010</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>nslookup</command>
<arg choice="opt" rep="norepeat"><option>-option</option></arg>
<arg choice="opt" rep="norepeat">name | -</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>Nslookup</command>
is a program to query Internet domain name servers. <command>Nslookup</command>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</para>
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
<para>
Interactive mode is entered in the following cases:
<orderedlist numeration="loweralpha" inheritnum="ignore" continuation="restarts">
<listitem>
<para>
when no arguments are given (the default name server will be used)
</para>
</listitem>
<listitem>
<para>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</para>
</listitem>
</orderedlist>
</para>
<para>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</para>
<para>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
<!-- <informalexample> produces bad nroff. -->
<programlisting>
nslookup -query=hinfo -timeout=10
</programlisting>
<!-- </informalexample> -->
</para>
<para>
The <option>-version</option> option causes
<command>nslookup</command> to print the version
number and immediately exits.
</para>
</refsection>
<refsection><info><title>INTERACTIVE COMMANDS</title></info>
<variablelist>
<varlistentry>
<term><constant>host</constant> <optional>server</optional></term>
<listitem>
<para>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</para>
<para>
To look up a host not in the current domain, append a period to
the name.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>root</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>finger</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ls</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>view</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>help</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>?</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>exit</constant></term>
<listitem>
<para>
Exits the program.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>set</constant>
<replaceable>keyword<optional>=value</optional></replaceable></term>
<listitem>
<para>
This command is used to change state information that affects
the lookups. Valid keywords are:
<variablelist>
<varlistentry>
<term><constant>all</constant></term>
<listitem>
<para>
Prints the current values of the frequently used
options to <command>set</command>.
Information about the current default
server and host is also printed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>class=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the query class to one of:
<variablelist>
<varlistentry>
<term><constant>IN</constant></term>
<listitem>
<para>
the Internet class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>CH</constant></term>
<listitem>
<para>
the Chaos class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>HS</constant></term>
<listitem>
<para>
the Hesiod class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ANY</constant></term>
<listitem>
<para>
wildcard
</para>
</listitem>
</varlistentry>
</variablelist>
The class specifies the protocol group of the information.
</para>
<para>
(Default = IN; abbreviation = cl)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</para>
<para>
(Default = nodebug; abbreviation = <optional>no</optional>deb)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
<listitem>
<para>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</para>
<para>
(Default = nod2)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>domain=</constant><replaceable>name</replaceable></term>
<listitem>
<para>
Sets the search list to <replaceable>name</replaceable>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
<listitem>
<para>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</para>
<para>
(Default = search)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>port=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
</para>
<para>
(Default = 53; abbreviation = po)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>querytype=</constant><replaceable>value</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the type of the information query.
</para>
<para>
(Default = A and then AAAA; abbreviations = q, ty)
</para>
<para>
<emphasis role="bold">Note:</emphasis> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
<listitem>
<para>
Tell the name server to query other servers if it does not
have the
information.
</para>
<para>
(Default = recurse; abbreviation = [no]rec)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ndots=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>retry=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of retries to number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>timeout=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Change the initial timeout interval for waiting for a
reply to number seconds.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
<listitem>
<para>
Always use a virtual circuit when sending requests to the
server.
</para>
<para>
(Default = novc)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
<listitem>
<para>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</para>
<para>
(Default = nofail)
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para>
<command>nslookup</command> returns with an exit status of 1
if any query failed, and 0 otherwise.
</para>
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>nslookup</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>nslookup</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>nslookup</command> runs or when the standard output is not
a tty.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
</refentry>

409
bin/dig/nslookup.html Normal file
View File

@@ -0,0 +1,409 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nslookup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.nslookup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
nslookup
&#8212; query Internet name servers interactively
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">nslookup</code>
[<code class="option">-option</code>]
[name | -]
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>Nslookup</strong></span>
is a program to query Internet domain name servers. <span class="command"><strong>Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</p>
<div class="orderedlist"><ol class="orderedlist" type="a">
<li class="listitem">
<p>
when no arguments are given (the default name server will be used)
</p>
</li>
<li class="listitem">
<p>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</p>
</li>
</ol></div>
<p>
</p>
<p>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</p>
<p>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
</p>
<pre class="programlisting">
nslookup -query=hinfo -timeout=10
</pre>
<p>
</p>
<p>
The <code class="option">-version</code> option causes
<span class="command"><strong>nslookup</strong></span> to print the version
number and immediately exits.
</p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
<p>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</p>
<p>
To look up a host not in the current domain, append a period to
the name.
</p>
</dd>
<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</p>
</dd>
<dt><span class="term"><code class="constant">root</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">finger</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">ls</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">view</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">help</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">?</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">exit</code></span></dt>
<dd>
<p>
Exits the program.
</p>
</dd>
<dt><span class="term"><code class="constant">set</code>
<em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
<dd>
<p>
This command is used to change state information that affects
the lookups. Valid keywords are:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">all</code></span></dt>
<dd>
<p>
Prints the current values of the frequently used
options to <span class="command"><strong>set</strong></span>.
Information about the current default
server and host is also printed.
</p>
</dd>
<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the query class to one of:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">IN</code></span></dt>
<dd>
<p>
the Internet class
</p>
</dd>
<dt><span class="term"><code class="constant">CH</code></span></dt>
<dd>
<p>
the Chaos class
</p>
</dd>
<dt><span class="term"><code class="constant">HS</code></span></dt>
<dd>
<p>
the Hesiod class
</p>
</dd>
<dt><span class="term"><code class="constant">ANY</code></span></dt>
<dd>
<p>
wildcard
</p>
</dd>
</dl></div>
<p>
The class specifies the protocol group of the information.
</p>
<p>
(Default = IN; abbreviation = cl)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
<dd>
<p>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</p>
<p>
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
<dd>
<p>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</p>
<p>
(Default = nod2)
</p>
</dd>
<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
Sets the search list to <em class="replaceable"><code>name</code></em>.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
<dd>
<p>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</p>
<p>
(Default = search)
</p>
</dd>
<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
</p>
<p>
(Default = 53; abbreviation = po)
</p>
</dd>
<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the type of the information query.
</p>
<p>
(Default = A and then AAAA; abbreviations = q, ty)
</p>
<p>
<span class="bold"><strong>Note:</strong></span> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
<dd>
<p>
Tell the name server to query other servers if it does not
have the
information.
</p>
<p>
(Default = recurse; abbreviation = [no]rec)
</p>
</dd>
<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</p>
</dd>
<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Set the number of retries to number.
</p>
</dd>
<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Change the initial timeout interval for waiting for a
reply to number seconds.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
<dd>
<p>
Always use a virtual circuit when sending requests to the
server.
</p>
<p>
(Default = novc)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
<dd>
<p>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</p>
<p>
(Default = nofail)
</p>
</dd>
</dl></div>
<p>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>RETURN VALUES</h2>
<p>
<span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
if any query failed, and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
a tty.
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">host</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,216 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_nslookup:
nslookup - query Internet name servers interactively
----------------------------------------------------
Synopsis
~~~~~~~~
:program:`nslookup` [-option] [name | -] [server]
Description
~~~~~~~~~~~
``nslookup`` is a program to query Internet domain name servers.
``nslookup`` has two modes: interactive and non-interactive. Interactive
mode allows the user to query name servers for information about various
hosts and domains or to print a list of hosts in a domain.
Non-interactive mode prints just the name and requested
information for a host or domain.
Arguments
~~~~~~~~~
Interactive mode is entered in the following cases:
a. when no arguments are given (the default name server is used);
b. when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to change the
default query type to host information, with an initial timeout of 10
seconds, type:
::
nslookup -query=hinfo -timeout=10
The ``-version`` option causes ``nslookup`` to print the version number
and immediately exit.
Interactive Commands
~~~~~~~~~~~~~~~~~~~~
``host [server]``
This command looks up information for ``host`` using the current default server or
using ``server``, if specified. If ``host`` is an Internet address and the
query type is A or PTR, the name of the host is returned. If ``host`` is
a name and does not have a trailing period (``.``), the search list is used
to qualify the name.
To look up a host not in the current domain, append a period to the
name.
``server domain`` | ``lserver domain``
These commands change the default server to ``domain``; ``lserver`` uses the initial
server to look up information about ``domain``, while ``server`` uses the
current default server. If an authoritative answer cannot be found,
the names of servers that might have the answer are returned.
``root``
This command is not implemented.
``finger``
This command is not implemented.
``ls``
This command is not implemented.
``view``
This command is not implemented.
``help``
This command is not implemented.
``?``
This command is not implemented.
``exit``
This command exits the program.
``set keyword[=value]``
This command is used to change state information that affects the
lookups. Valid keywords are:
``all``
This keyword prints the current values of the frequently used options to
``set``. Information about the current default server and host is
also printed.
``class=value``
This keyword changes the query class to one of:
``IN``
the Internet class
``CH``
the Chaos class
``HS``
the Hesiod class
``ANY``
wildcard
The class specifies the protocol group of the information. The default
is ``IN``; the abbreviation for this keyword is ``cl``.
``nodebug``
This keyword turns on or off the display of the full response packet, and any
intermediate response packets, when searching. The default for this keyword is
``nodebug``; the abbreviation for this keyword is ``[no]deb``.
``nod2``
This keyword turns debugging mode on or off. This displays more about what
nslookup is doing. The default is ``nod2``.
``domain=name``
This keyword sets the search list to ``name``.
``nosearch``
If the lookup request contains at least one period, but does not end
with a trailing period, this keyword appends the domain names in the domain
search list to the request until an answer is received. The default is ``search``.
``port=value``
This keyword changes the default TCP/UDP name server port to ``value`` from
its default, port 53. The abbreviation for this keyword is ``po``.
``querytype=value`` | ``type=value``
This keyword changes the type of the information query to ``value``. The
defaults are A and then AAAA; the abbreviations for these keywords are
``q`` and ``ty``.
Please note that it is only possible to specify one query type. Only the default
behavior looks up both when an alternative is not specified.
``norecurse``
This keyword tells the name server to query other servers if it does not have
the information. The default is ``recurse``; the abbreviation for this
keyword is ``[no]rec``.
``ndots=number``
This keyword sets the number of dots (label separators) in a domain that
disables searching. Absolute names always stop searching.
``retry=number``
This keyword sets the number of retries to ``number``.
``timeout=number``
This keyword changes the initial timeout interval to wait for a reply to
``number``, in seconds.
``novc``
This keyword indicates that a virtual circuit should always be used when sending requests to the server.
``novc`` is the default.
``nofail``
This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
a referral (nofail), or terminates the query (fail) on such a response. The
default is ``nofail``.
Return Values
~~~~~~~~~~~~~
``nslookup`` returns with an exit status of 1 if any query failed, and 0
otherwise.
IDN Support
~~~~~~~~~~~
If ``nslookup`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``nslookup``
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, define the ``IDN_DISABLE``
environment variable. IDN support is disabled if the variable is set
when ``nslookup`` runs, or when the standard output is not a tty.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.

View File

@@ -1,56 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*
* A little wrapper around readline(), add_history() and free() to make using
* the readline code simpler.
*/
#if defined(HAVE_READLINE_LIBEDIT)
#include <editline/readline.h>
#elif defined(HAVE_READLINE_EDITLINE)
#include <editline.h>
#elif defined(HAVE_READLINE_READLINE)
/* Prevent deprecated functions being declared. */
#define _FUNCTION_DEF 1
/* Ensure rl_message() gets prototype. */
#define USE_VARARGS 1
#define PREFER_STDARG 1
#include <readline/history.h>
#include <readline/readline.h>
#endif
#if !defined(HAVE_READLINE_LIBEDIT) && !defined(HAVE_READLINE_EDITLINE) && \
!defined(HAVE_READLINE_READLINE)
#include <stdio.h>
#include <stdlib.h>
#define RL_MAXCMD (128 * 1024)
static inline char *
readline(const char *prompt) {
char *line, *buf = malloc(RL_MAXCMD);
fprintf(stdout, "%s", prompt);
fflush(stdout);
line = fgets(buf, RL_MAXCMD, stdin);
if (line == NULL) {
free(buf);
return (NULL);
}
return (buf);
};
#define add_history(line)
#endif

View File

@@ -75,7 +75,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,7 +107,7 @@
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
@@ -116,26 +116,6 @@
<ItemGroup>
<ClCompile Include="..\dig.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
<Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
<Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
<Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -109,23 +109,6 @@
<ItemGroup>
<ClCompile Include="..\dighost.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
<Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
<Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -75,7 +75,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,32 +107,12 @@
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\host.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
<Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
<Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
<Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -75,7 +75,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIBD@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@@READLINE_LIBD@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,33 +107,13 @@
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIB@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@@READLINE_LIB@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\dighost.c" />
<ClCompile Include="..\nslookup.c" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
<Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
<Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
<Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
<Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
<Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
</ProjectReference>
<ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
<Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

View File

@@ -14,7 +14,7 @@ LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS)
bin_PROGRAMS = \
sbin_PROGRAMS = \
dnssec-cds \
dnssec-dsfromkey \
dnssec-importkey \

297
bin/dnssec/dnssec-cds.8 Normal file
View File

@@ -0,0 +1,297 @@
.\" Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-cds
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2017-10-02
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-CDS" "8" "2017\-10\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-cds\fR\ 'u
\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-cds\fR
command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. This enables a child zone to inform its parent of upcoming changes to its key\-signing keys; by polling periodically with
\fBdnssec\-cds\fR, the parent can keep the DS records up to date and enable automatic rolling of KSKs\&.
.PP
Two input files are required\&. The
\fB\-f \fR\fB\fIchild\-file\fR\fR
option specifies a file containing the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The
\fB\-d \fR\fB\fIpath\fR\fR
option specifies the location of a file containing the current DS records\&. For example, this could be a
dsset\-
file generated by
\fBdnssec\-signzone\fR, or the output of
\fBdnssec\-dsfromkey\fR, or the output of a previous run of
\fBdnssec\-cds\fR\&.
.PP
The
\fBdnssec\-cds\fR
command uses special DNSSEC validation logic specified by RFC 7344\&. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records\&. This will typically be the pre\-existing key\-signing key (KSK)\&.
.PP
For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
dsset\-
file, or from the
\fB\-s\fR
option\&.
.PP
To protect against breaking the delegation,
\fBdnssec\-cds\fR
ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&.
.PP
By default, replacement DS records are written to the standard output; with the
\fB\-i\fR
option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&.
.PP
Warning: Be careful not to delete the DS records when
\fBdnssec\-cds\fR
fails!
.PP
Alternatively,
\fBdnssec\-cds \-u\fR
writes an
\fBnsupdate\fR
script to the standard output\&. You can use the
\fB\-u\fR
and
\fB\-i\fR
options together to maintain a
dsset\-
file as well as emit an
\fBnsupdate\fR
script\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zones\&.
.RE
.PP
\-D
.RS 4
Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&.
.RE
.PP
\-d \fIpath\fR
.RS 4
Location of the parent DS records\&. The
\fIpath\fR
can be the name of a file containing the DS records, or if it is a directory,
\fBdnssec\-cds\fR
looks for a
dsset\-
file for the
\fIdomain\fR
inside the directory\&.
.sp
To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the
dsset\-
file\&. This can be adjusted with the
\fB\-s\fR
option\&.
.RE
.PP
\-f \fIchild\-file\fR
.RS 4
File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&.
.sp
The EXAMPLES below describe how to generate this file\&.
.RE
.PP
\-i [\fIextension\fR]
.RS 4
Update the
dsset\-
file in place, instead of writing DS records to the standard output\&.
.sp
There must be no space between the
\fB\-i\fR
and the
\fIextension\fR\&. If you provide no
\fIextension\fR
then the old
dsset\-
is discarded\&. If an
\fIextension\fR
is present, a backup of the old
dsset\-
file is kept with the
\fIextension\fR
appended to its filename\&.
.sp
To protect against replay attacks, the modification time of the
dsset\-
file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&.
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the
dsset\-
file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&.
.sp
If no
\fIstart\-time\fR
is specified, the modification time of the
dsset\-
file is used\&.
.RE
.PP
\-T \fIttl\fR
.RS 4
Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&.
.RE
.PP
\-u
.RS 4
Write an
\fBnsupdate\fR
script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&.
.sp
Note: The TTL of new records needs to be specified, either in the original
dsset\-
file, or with the
\fB\-T\fR
option, or using the
\fBnsupdate\fR\fBttl\fR
command\&.
.RE
.PP
\-V
.RS 4
Print version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&.
.RE
.PP
\fIdomain\fR
.RS 4
The name of the delegation point / child zone apex\&.
.RE
.SH "EXIT STATUS"
.PP
The
\fBdnssec\-cds\fR
command exits 0 on success, or non\-zero if an error occurred\&.
.PP
In the success case, the DS records might or might not need to be changed\&.
.SH "EXAMPLES"
.PP
Before running
\fBdnssec\-signzone\fR, you can ensure that the delegations are up\-to\-date by running
\fBdnssec\-cds\fR
on every
dsset\-
file\&.
.PP
To fetch the child records required by
\fBdnssec\-cds\fR
you can invoke
\fBdig\fR
as in the script below\&. It\*(Aqs okay if the
\fBdig\fR
fails since
\fBdnssec\-cds\fR
performs all the necessary checking\&.
.sp
.if n \{\
.RS 4
.\}
.nf
for f in dsset\-*
do
d=${f#dsset\-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-i \-f /dev/stdin \-d $f $d
done
.fi
.if n \{\
.RE
.\}
.PP
When the parent zone is automatically signed by
\fBnamed\fR, you can use
\fBdnssec\-cds\fR
with
\fBnsupdate\fR
to maintain a delegation as follows\&. The
dsset\-
file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&.
.sp
.if n \{\
.RS 4
.\}
.nf
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
nsupdate \-l
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBdnssec-settime\fR(8),
\fBdnssec-signzone\fR(8),
\fBnsupdate\fR(1),
BIND 9 Administrator Reference Manual,
RFC 7344\&.
.SH "AUTHORS"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.PP
\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&>
.br
.RS 4
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2017-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -0,0 +1,390 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-cds">
<info>
<date>2017-10-02</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
<author>
<personname>Tony Finch</personname>
<email>dot@dotat.at</email>
<email>fanf2@cam.ac.uk</email>
<affiliation>Cambridge University Information Services</affiliation>
<personblurb></personblurb>
</author>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-cds</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-cds</application></refname>
<refpurpose>change DS records for a child zone based on CDS/CDNSKEY</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-cds</command>
<arg choice="opt" rep="repeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="req" rep="norepeat"><option>-d <replaceable class="parameter">dsset-file</replaceable></option></arg>
<arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">child-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option><arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">domain</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
The <command>dnssec-cds</command> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred. This enables a child zone
to inform its parent of upcoming changes to its key-signing keys;
by polling periodically with <command>dnssec-cds</command>, the
parent can keep the DS records up to date and enable automatic
rolling of KSKs.
</para>
<para>
Two input files are required. The
<option>-f <replaceable class="parameter">child-file</replaceable></option>
option specifies a file containing the child's CDS and/or CDNSKEY
records, plus RRSIG and DNSKEY records so that they can be
authenticated. The
<option>-d <replaceable class="parameter">path</replaceable></option>
option specifies the location of a file containing the current DS
records. For example, this could be a <filename>dsset-</filename>
file generated by <command>dnssec-signzone</command>, or the output of
<command>dnssec-dsfromkey</command>, or the output of a previous
run of <command>dnssec-cds</command>.
</para>
<para>
The <command>dnssec-cds</command> command uses special DNSSEC
validation logic specified by RFC 7344. It requires that the CDS
and/or CDNSKEY records are validly signed by a key represented in the
existing DS records. This will typically be the pre-existing
key-signing key (KSK).
</para>
<para>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <command>dnssec-cds</command>. This time is obtained from the
modification time of the <filename>dsset-</filename> file, or
from the <option>-s</option> option.
</para>
<para>
To protect against breaking the delegation,
<command>dnssec-cds</command> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</para>
<para>
By default, replacement DS records are written to the standard
output; with the <option>-i</option> option the input file is
overwritten in place. The replacement DS records will be the
same as the existing records when no change is required. The
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</para>
<para>
Warning: Be careful not to delete the DS records
when <command>dnssec-cds</command> fails!
</para>
<para>
Alternatively, <command>dnssec-cds -u</command> writes
an <command>nsupdate</command> script to the standard output.
You can use the <option>-u</option> and <option>-i</option>
options together to maintain a <filename>dsset-</filename> file
as well as emit an <command>nsupdate</command> script.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">path</replaceable></term>
<listitem>
<para>
Location of the parent DS records.
The <replaceable>path</replaceable> can be the name of a file
containing the DS records, or if it is a
directory, <command>dnssec-cds</command> looks for
a <filename>dsset-</filename> file for
the <replaceable>domain</replaceable> inside the directory.
</para>
<para>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <filename>dsset-</filename> file. This can be
adjusted with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">child-file</replaceable></term>
<listitem>
<para>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</para>
<para>
The EXAMPLES below describe how to generate this file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i<arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></term>
<listitem>
<para>
Update the <filename>dsset-</filename> file in place,
instead of writing DS records to the standard output.
</para>
<para>
There must be no space between the <option>-i</option> and
the <replaceable>extension</replaceable>. If you provide
no <replaceable>extension</replaceable> then the
old <filename>dsset-</filename> is discarded. If
an <replaceable>extension</replaceable> is present, a
backup of the old <filename>dsset-</filename> file is kept
with the <replaceable>extension</replaceable> appended to
its filename.
</para>
<para>
To protect against replay attacks, the modification time
of the <filename>dsset-</filename> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
UTC on August 27th, 2017. A time relative to
the <filename>dsset-</filename> file is indicated with -N,
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</para>
<para>
If no <replaceable>start-time</replaceable> is specified, the
modification time of the <filename>dsset-</filename> file
is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Write an <command>nsupdate</command> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</para>
<para>
Note: The TTL of new records needs to be specified, either
in the original <filename>dsset-</filename> file, or with
the <option>-T</option> option, or using
the <command>nsupdate</command> <command>ttl</command>
command.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Print version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>domain</replaceable></term>
<listitem>
<para>
The name of the delegation point / child zone apex.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXIT STATUS</title></info>
<para>
The <command>dnssec-cds</command> command exits 0 on success, or
non-zero if an error occurred.
</para>
<para>
In the success case, the DS records might or might not need
to be changed.
</para>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
<para>
Before running <command>dnssec-signzone</command>, you can ensure
that the delegations are up-to-date by running
<command>dnssec-cds</command> on every <filename>dsset-</filename> file.
</para>
<para>
To fetch the child records required by <command>dnssec-cds</command>
you can invoke <command>dig</command> as in the script below. It's
okay if the <command>dig</command> fails since
<command>dnssec-cds</command> performs all the necessary checking.
</para>
<programlisting>for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
</programlisting>
<para>
When the parent zone is automatically signed by
<command>named</command>, you can use <command>dnssec-cds</command>
with <command>nsupdate</command> to maintain a delegation as follows.
The <filename>dsset-</filename> file allows the script to avoid
having to fetch and validate the parent DS records, and it keeps the
replay attack protection time.
</para>
<programlisting>
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</programlisting>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 7344</citetitle>.
</para>
</refsection>
</refentry>

343
bin/dnssec/dnssec-cds.html Normal file
View File

@@ -0,0 +1,343 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-cds</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-cds"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-cds</span>
&#8212; change DS records for a child zone based on CDS/CDNSKEY
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-cds</code>
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D</code>]
{<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>}
{<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>}
[<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-u</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
{domain}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred. This enables a child zone
to inform its parent of upcoming changes to its key-signing keys;
by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
parent can keep the DS records up to date and enable automatic
rolling of KSKs.
</p>
<p>
Two input files are required. The
<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
option specifies a file containing the child's CDS and/or CDNSKEY
records, plus RRSIG and DNSKEY records so that they can be
authenticated. The
<code class="option">-d <em class="replaceable"><code>path</code></em></code>
option specifies the location of a file containing the current DS
records. For example, this could be a <code class="filename">dsset-</code>
file generated by <span class="command"><strong>dnssec-signzone</strong></span>, or the output of
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
run of <span class="command"><strong>dnssec-cds</strong></span>.
</p>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
validation logic specified by RFC 7344. It requires that the CDS
and/or CDNSKEY records are validly signed by a key represented in the
existing DS records. This will typically be the pre-existing
key-signing key (KSK).
</p>
<p>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
modification time of the <code class="filename">dsset-</code> file, or
from the <code class="option">-s</code> option.
</p>
<p>
To protect against breaking the delegation,
<span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</p>
<p>
By default, replacement DS records are written to the standard
output; with the <code class="option">-i</code> option the input file is
overwritten in place. The replacement DS records will be the
same as the existing records when no change is required. The
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</p>
<p>
Warning: Be careful not to delete the DS records
when <span class="command"><strong>dnssec-cds</strong></span> fails!
</p>
<p>
Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
You can use the <code class="option">-u</code> and <code class="option">-i</code>
options together to maintain a <code class="filename">dsset-</code> file
as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class of the zones.
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd>
<p>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
<dd>
<p>
Location of the parent DS records.
The <em class="replaceable"><code>path</code></em> can be the name of a file
containing the DS records, or if it is a
directory, <span class="command"><strong>dnssec-cds</strong></span> looks for
a <code class="filename">dsset-</code> file for
the <em class="replaceable"><code>domain</code></em> inside the directory.
</p>
<p>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <code class="filename">dsset-</code> file. This can be
adjusted with the <code class="option">-s</code> option.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
<dd>
<p>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</p>
<p>
The EXAMPLES below describe how to generate this file.
</p>
</dd>
<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
<dd>
<p>
Update the <code class="filename">dsset-</code> file in place,
instead of writing DS records to the standard output.
</p>
<p>
There must be no space between the <code class="option">-i</code> and
the <em class="replaceable"><code>extension</code></em>. If you provide
no <em class="replaceable"><code>extension</code></em> then the
old <code class="filename">dsset-</code> is discarded. If
an <em class="replaceable"><code>extension</code></em> is present, a
backup of the old <code class="filename">dsset-</code> file is kept
with the <em class="replaceable"><code>extension</code></em> appended to
its filename.
</p>
<p>
To protect against replay attacks, the modification time
of the <code class="filename">dsset-</code> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
<p>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
UTC on August 27th, 2017. A time relative to
the <code class="filename">dsset-</code> file is indicated with -N,
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</p>
<p>
If no <em class="replaceable"><code>start-time</code></em> is specified, the
modification time of the <code class="filename">dsset-</code> file
is used.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
</p>
</dd>
<dt><span class="term">-u</span></dt>
<dd>
<p>
Write an <span class="command"><strong>nsupdate</strong></span> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</p>
<p>
Note: The TTL of new records needs to be specified, either
in the original <code class="filename">dsset-</code> file, or with
the <code class="option">-T</code> option, or using
the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
command.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Print version information.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
</p>
</dd>
<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
The name of the delegation point / child zone apex.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXIT STATUS</h2>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
non-zero if an error occurred.
</p>
<p>
In the success case, the DS records might or might not need
to be changed.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>EXAMPLES</h2>
<p>
Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
that the delegations are up-to-date by running
<span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
</p>
<p>
To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
you can invoke <span class="command"><strong>dig</strong></span> as in the script below. It's
okay if the <span class="command"><strong>dig</strong></span> fails since
<span class="command"><strong>dnssec-cds</strong></span> performs all the necessary checking.
</p>
<pre class="programlisting">for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
</pre>
<p>
When the parent zone is automatically signed by
<span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
The <code class="filename">dsset-</code> file allows the script to avoid
having to fetch and validate the parent DS records, and it keeps the
replay attack protection time.
</p>
<pre class="programlisting">
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</pre>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-settime</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 7344</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,213 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-cds:
dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
--------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i**[extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
Description
~~~~~~~~~~~
The ``dnssec-cds`` command changes DS records at a delegation point
based on CDS or CDNSKEY records published in the child zone. If both CDS
and CDNSKEY records are present in the child zone, the CDS is preferred.
This enables a child zone to inform its parent of upcoming changes to
its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the
parent can keep the DS records up-to-date and enable automatic rolling
of KSKs.
Two input files are required. The ``-f child-file`` option specifies a
file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
DNSKEY records so that they can be authenticated. The ``-d path`` option
specifies the location of a file containing the current DS records. For
example, this could be a ``dsset-`` file generated by
``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the
output of a previous run of ``dnssec-cds``.
The ``dnssec-cds`` command uses special DNSSEC validation logic
specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
be validly signed by a key represented in the existing DS records. This
is typically the pre-existing KSK.
For protection against replay attacks, the signatures on the child
records must not be older than they were on a previous run of
``dnssec-cds``. Their age is obtained from the modification time of the
``dsset-`` file, or from the ``-s`` option.
To protect against breaking the delegation, ``dnssec-cds`` ensures that
the DNSKEY RRset can be verified by every key algorithm in the new DS
RRset, and that the same set of keys are covered by every DS digest
type.
By default, replacement DS records are written to the standard output;
with the ``-i`` option the input file is overwritten in place. The
replacement DS records are the same as the existing records, when no
change is required. The output can be empty if the CDS/CDNSKEY records
specify that the child zone wants to be insecure.
.. warning::
Be careful not to delete the DS records when ``dnssec-cds`` fails!
Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
standard output. The ``-u`` and ``-i`` options can be used together to
maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
Options
~~~~~~~
``-a algorithm``
This option specifies a digest algorithm to use when converting CDNSKEY records to
DS records. This option can be repeated, so that multiple DS records
are created for each CDNSKEY record. This option has no effect when
using CDS records.
The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
are case-insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA-256.
``-c class``
This option specifies the DNS class of the zones.
``-D``
This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
records are present in the child zone. By default CDS records are
preferred.
``-d path``
This specifies the location of the parent DS records. The path can be the name of a file
containing the DS records; if it is a directory, ``dnssec-cds``
looks for a ``dsset-`` file for the domain inside the directory.
To protect against replay attacks, child records are rejected if they
were signed earlier than the modification time of the ``dsset-``
file. This can be adjusted with the ``-s`` option.
``-f child-file``
This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its
DNSKEY records and the covering RRSIG records, so that they can be
authenticated.
The examples below describe how to generate this file.
``-iextension``
This option updates the ``dsset-`` file in place, instead of writing DS records to
the standard output.
There must be no space between the ``-i`` and the extension. If
no extension is provided, the old ``dsset-`` is discarded. If an
extension is present, a backup of the old ``dsset-`` file is kept
with the extension appended to its filename.
To protect against replay attacks, the modification time of the
``dsset-`` file is set to match the signature inception time of the
child records, provided that it is later than the file's current
modification time.
``-s start-time``
This option specifies the date and time after which RRSIG records become
acceptable. This can be either an absolute or a relative time. An
absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
time relative to the ``dsset-`` file is indicated with ``-N``, which is N
seconds before the file modification time. A time relative to the
current time is indicated with ``now+N``.
If no start-time is specified, the modification time of the
``dsset-`` file is used.
``-T ttl``
This option specifies a TTL to be used for new DS records. If not specified, the
default is the TTL of the old DS records. If they had no explicit TTL,
the new DS records also have no explicit TTL.
``-u``
This option writes an ``nsupdate`` script to the standard output, instead of
printing the new DS reords. The output is empty if no change is
needed.
Note: The TTL of new records needs to be specified: it can be done in the
original ``dsset-`` file, with the ``-T`` option, or using the
``nsupdate`` ``ttl`` command.
``-V``
This option prints version information.
``-v level``
This option sets the debugging level. Level 1 is intended to be usefully verbose
for general users; higher levels are intended for developers.
``domain``
This indicates the name of the delegation point/child zone apex.
Exit Status
~~~~~~~~~~~
The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
occurred.
If successful, the DS records may or may not need to be
changed.
Examples
~~~~~~~~
Before running ``dnssec-signzone``, ensure that the delegations
are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
To fetch the child records required by ``dnssec-cds``, invoke
``dig`` as in the script below. It is acceptable if the ``dig`` fails, since
``dnssec-cds`` performs all the necessary checking.
::
for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
When the parent zone is automatically signed by ``named``,
``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows.
The ``dsset-`` file allows the script to avoid having to fetch and
validate the parent DS records, and it maintains the replay attack
protection time.
::
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator
Reference Manual, :rfc:`7344`.

View File

@@ -0,0 +1,226 @@
.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-05-08
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
\fB\-C\fR
option\&.
.PP
The input keys can be specified in a number of ways:
.PP
By default,
\fBdnssec\-dsfromkey\fR
reads a key file named like
Knnnn\&.+aaa+iiiii\&.key, as generated by
\fBdnssec\-keygen\fR\&.
.PP
With the
\fB\-f \fR\fB\fIfile\fR\fR
option,
\fBdnssec\-dsfromkey\fR
reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
.PP
With the
\fB\-s\fR
option,
\fBdnssec\-dsfromkey\fR
reads a
keyset\-
file, as generated by
\fBdnssec\-keygen\fR\fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
An abbreviation for
\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-A
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in
\fB\-s\fR
keyset or
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fIfile\fR
is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-s
.RS 4
Keyset mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name used to locate a
keyset\-
file\&.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
.SH "FILES"
.PP
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
keyset\-
and the
\fBdnsname\fR\&.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658
(DS RRs),
RFC 4509
(SHA\-256 for DS RRs),
RFC 6605
(SHA\-384 for DS RRs),
RFC 7344
(CDS and CDNSKEY RRs)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -331,7 +331,7 @@ usage(void) {
fprintf(stderr, " %s [options] -f zonefile [zonename]\n\n", program);
fprintf(stderr, " %s [options] -s dnsname\n\n", program);
fprintf(stderr, " %s [-h|-V]\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n"
" -1: digest algorithm SHA-1\n"
" -2: digest algorithm SHA-256\n"

View File

@@ -0,0 +1,355 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
<info>
<date>2019-05-08</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-dsfromkey</application></refname>
<refpurpose>DNSSEC DS RR generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain"><option>-1</option></arg>
<arg choice="plain"><option>-2</option></arg>
<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
</group>
<group>
<arg choice="plain" rep="norepeat"><option>-C</option></arg>
<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain"><option>-1</option></arg>
<arg choice="plain"><option>-2</option></arg>
<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
</group>
<group>
<arg choice="plain" rep="norepeat"><option>-C</option></arg>
<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A</option></arg>
<arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat">dnsname</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain"><option>-1</option></arg>
<arg choice="plain"><option>-2</option></arg>
<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
</group>
<group>
<arg choice="plain" rep="norepeat"><option>-C</option></arg>
<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">-s</arg>
<arg choice="req" rep="norepeat">dnsname</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>dnssec-dsfromkey</command>
<group choice="opt">
<arg choice="plain" rep="norepeat"><option>-h</option></arg>
<arg choice="plain" rep="norepeat"><option>-V</option></arg>
</group>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<option>-C</option> option.
</para>
<para>
The input keys can be specified in a number of ways:
</para>
<para>
By default, <command>dnssec-dsfromkey</command> reads a key file
named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
by <command>dnssec-keygen</command>.
</para>
<para>
With the <option>-f <replaceable>file</replaceable></option>
option, <command>dnssec-dsfromkey</command> reads keys from a zone file
or partial zone file (which can contain just the DNSKEY records).
</para>
<para>
With the <option>-s</option>
option, <command>dnssec-dsfromkey</command> reads
a <filename>keyset-</filename> file, as generated
by <command>dnssec-keygen</command> <option>-C</option>.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-1</term>
<listitem>
<para>
An abbreviation for <option>-a SHA-1</option>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-2</term>
<listitem>
<para>
An abbreviation for <option>-a SHA-256</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specify a digest algorithm to use when converting DNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each DNSKEY
record.
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
Include ZSKs when generating DS records. Without this option, only
keys which have the KSK flag set will be converted to DS records
and printed. Useful only in <option>-f</option> zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in <option>-s</option> keyset or <option>-f</option>
zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: <command>dnssec-dsfromkey</command>'s
final <replaceable>dnsname</replaceable> argument is
the DNS domain name of a zone whose master file can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <replaceable>file</replaceable> is <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints usage information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files or <filename>keyset-</filename> files in
<option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: <command>dnssec-dsfromkey</command>'s
final <replaceable>dnsname</replaceable> argument is the DNS
domain name used to locate a <filename>keyset-</filename> file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records. By default the TTL is omitted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
<para>
To build the SHA-256 DS RR from the
<userinput>Kexample.com.+003+26160</userinput>
keyfile name, you can issue the following command:
</para>
<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print something like:
</para>
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para>
The keyfile can be designated by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
</para>
<para>
The keyset file name is built from the <option>directory</option>,
the string <filename>keyset-</filename> and the
<option>dnsname</option>.
</para>
</refsection>
<refsection><info><title>CAVEAT</title></info>
<para>
A keyfile error can give a "file not found" even if the file exists.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle> (DS RRs),
<citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
<citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
<citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,307 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-dsfromkey</span>
&#8212; DNSSEC DS RR generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-A</code>]
{<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
[dnsname]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{-s}
{dnsname}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-h</code>
| <code class="option">-V</code>
]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<code class="option">-C</code> option.
</p>
<p>
The input keys can be specified in a number of ways:
</p>
<p>
By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
by <span class="command"><strong>dnssec-keygen</strong></span>.
</p>
<p>
With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
or partial zone file (which can contain just the DNSKEY records).
</p>
<p>
With the <code class="option">-s</code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
a <code class="filename">keyset-</code> file, as generated
by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-1</code>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting DNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each DNSKEY
record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
Include ZSKs when generating DS records. Without this option, only
keys which have the KSK flag set will be converted to DS records
and printed. Useful only in <code class="option">-f</code> zone file mode.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class (default is IN). Useful only
in <code class="option">-s</code> keyset or <code class="option">-f</code>
zone file mode.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Generate CDS records rather than DS records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is
the DNS domain name of a zone whose master file can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints usage information.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Look for key files or <code class="filename">keyset-</code> files in
<code class="option">directory</code>.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
domain name used to locate a <code class="filename">keyset-</code> file.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
<p>
Specifies the TTL of the DS records. By default the TTL is omitted.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, you can issue the following command:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<code class="option">dnsname</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em> (DS RRs),
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
</p>
</div>
</div></body>
</html>

Some files were not shown because too many files have changed in this diff Show More