Compare commits

...

1023 Commits

Author SHA1 Message Date
Ondřej Surý
2227553b53 Merge branch 'fix-missing-prereq-net-dns' into 'master'
Fix missing prereq Net::DNS in couple of tests

See merge request ISCdotORG/bind9!18

(cherry picked from commit 3a181cfbb00d0a89c933631a1a1054969b3d5a1b)

00e6020d Fix missing Net::DNS prerequisites in tests
a5d52368 Add -f to autoreconf call from autogen.sh
2017-10-18 19:30:27 +00:00
Evan Hunt
56e30ebae6 [v9_11] require writable managed keys directory
4769.	[bug]		Enforce the requirement that the managed keys
			directory (specified by "managed-keys-directory",
			and defaulting to the working directory if not
			specified) must be writable. [RT #46077]
2017-10-17 21:26:41 -07:00
Tinderbox User
3ca1a32241 regen v9_11 2017-10-18 01:19:23 +00:00
Tinderbox User
3d5ed84c6f update copyright notice / whitespace 2017-10-17 23:49:26 +00:00
Tinderbox User
b6980a79a5 newcopyrights 2017-10-17 23:30:32 +00:00
Evan Hunt
e609b6b32b [v9_11] README and relnote fixes
(cherry picked from commit 30419509dd)
2017-10-17 13:50:49 -07:00
Michał Kępień
ad9772c559 [v9_11] Doxygen fixes and cleanups
4773.	[doc]		Fixed generating Doxygen documentation for functions
			annotated using certain macros.  Miscellaneous
			Doxygen-related cleanups. [RT #46276]

(cherry picked from commit 2361003a88)
2017-10-17 06:58:05 +02:00
Michał Kępień
394cf800c4 [v9_11] Regenerate presigned zone for the filter-aaaa system test [RT #46283]
Fix the filter-aaaa system test for builds without DNSSEC support.
2017-10-16 09:46:02 +02:00
Tinderbox User
8896e99166 update copyright notice / whitespace 2017-10-13 23:46:21 +00:00
Tinderbox User
dcf17dea53 newcopyrights 2017-10-13 23:30:16 +00:00
Evan Hunt
666af25a92 [v9_11] fix filter-aaaa test [RT #46268] 2017-10-13 10:28:34 -07:00
Evan Hunt
650e0aff5c [v9_11] use NUL instead of /dev/null for KRB5_CONFIG on windows
(cherry picked from commit 89b2fc092d)
2017-10-11 18:13:07 -07:00
Tinderbox User
b22915c279 update copyright notice / whitespace 2017-10-11 23:46:26 +00:00
Tinderbox User
a66a8912c6 newcopyrights 2017-10-11 23:30:36 +00:00
Mark Andrews
55ed351e81 reserve subscription flags
(cherry picked from commit a9a983781e)
2017-10-12 09:20:18 +11:00
Evan Hunt
5d7d67f82a [v9_11] ignore cache when sending 5011 refresh queries
4771.	[bug]		When sending RFC 5011 refresh queries, disregard
			cached DNSKEY rrsets. [RT #46251]

(cherry picked from commit b2597ce86b)
2017-10-11 14:24:52 -07:00
Evan Hunt
6216df5ccd [v9_11] reduce unnecessary priming queries
4770.	[bug]		Cache additional data from priming queries as glue.
			Previously they were ignored as unsigned
			non-answer data from a secure zone, and never
			actually got added to the cache, causing hints
			to be used frequently for root-server
			addresses, which triggered re-priming. [RT #45241]

(cherry picked from commit 5de02a075b)
2017-10-11 09:07:37 -07:00
Evan Hunt
d1aa5125a9 [v9_11] Move KRB5_CONFIG=/dev/null to conf.sh.* so the named run in the tests gets the setting
(cherry picked from commit 74f46c45b0)
2017-10-11 08:51:03 -07:00
Mark Andrews
4e191a81d9 ignore Makefile
(cherry picked from commit 9492533d46)
2017-10-11 11:00:32 +11:00
Michał Kępień
527500acb0 [v9_11] Sync draft-durand-doa-over-dns snippet in lib/dns/tests/rdata_test.c with draft version -03 2017-10-09 10:53:02 +02:00
Mark Andrews
c85920c0b4 4766. [cleanup] Addresss Coverity warnings. [RT #46150]
(cherry picked from commit 5df3f839b2)
2017-10-09 18:37:46 +11:00
Tinderbox User
193749a4f5 regen v9_11 2017-10-09 01:14:44 +00:00
Mark Andrews
654db68d60 cleanup 2017-10-09 11:13:17 +11:00
Evan Hunt
02af0069a1 [v9_11] add DOA to ARM 2017-10-07 19:34:39 -07:00
Tinderbox User
0d6a6642b2 regen v9_11 2017-10-08 01:16:06 +00:00
Tinderbox User
cd92b149b2 update copyright notice / whitespace 2017-10-07 23:46:43 +00:00
Tinderbox User
12343c067e newcopyrights 2017-10-07 23:30:36 +00:00
Mark Andrews
65d59e1418 ignore Makefile 2017-10-08 06:52:53 +11:00
Mark Andrews
514a44a2bb don't force souce port
(cherry picked from commit 02a669a9a6)
2017-10-08 06:43:21 +11:00
Mark Andrews
77db93e68c silence VC compiler warning
(cherry picked from commit e09b9e7a91)
2017-10-07 14:04:57 +11:00
Evan Hunt
0612274565 [v9_11] use mysql_config if available
4763.	[contrib]	Improve compatibility when building MySQL DLZ
			module by using mysql_config if available.
			[RT #45558]
2017-10-06 19:14:32 -07:00
Mark Andrews
c63a8763f1 map tat to trust-anchor-telemetry 2017-10-07 12:12:54 +11:00
Evan Hunt
fde1f87306 [v9_11] add missing names 2017-10-06 17:38:51 -07:00
Mark Andrews
0fb601af34 Normalize all the line endings 2017-10-07 11:23:19 +11:00
Tinderbox User
8a99b24dbe update copyright notice / whitespace 2017-10-06 23:46:41 +00:00
Tinderbox User
98240f34c3 newcopyrights 2017-10-06 23:30:42 +00:00
Evan Hunt
f592d2f76c [v9_11] further restrict update-policy local
4762.	[func]		"update-policy local" is now restricted to updates
                from local addresses. (Previously, other addresses
                were allowed so long as updates were signed by the
                local session key.) [RT #45492]
2017-10-06 15:43:18 -07:00
Michał Kępień
4ee1fbe056 [v9_11] Add support for DOA
4761.	[protocol]	Add support for DOA. [RT #45612]

(cherry picked from commit 417218837e)
2017-10-06 12:56:41 +02:00
Mark Andrews
1cd67567f7 add trust-anchor-telemetry to bring into sync with bin/named/log.c 2017-10-06 16:43:43 +11:00
Mark Andrews
bd35150bc6 add dns_name_istat to libdns.def.in 2017-10-06 14:23:47 +11:00
Mark Andrews
94deea78f4 fix merge error 2017-10-06 14:12:14 +11:00
Mark Andrews
1c8aa38b53 4759. [func] Add logging channel "trust-anchor-telementry" to
record trust-anchor-telementry in incoming requests.
                            Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
                            are logged.  [RT #46124]

    (cherry picked from commit b41c1aacbc)
2017-10-06 13:53:50 +11:00
Evan Hunt
43d53a4e4b [v9_11] fix topology doc
4758.	[doc]		Remove documentation of unimplemented "topology".
			[RT #46161]
2017-10-05 18:52:11 -07:00
Tinderbox User
a0fb6a0980 regen v9_11 2017-10-06 01:15:42 +00:00
Tinderbox User
649482995b update copyright notice / whitespace 2017-10-05 23:46:27 +00:00
Tinderbox User
c4d2e7c8c8 newcopyrights 2017-10-05 23:30:46 +00:00
Evan Hunt
197903220d [v9_11] remove no-longer-needed check for nonexistence 2017-10-05 11:35:40 -07:00
Evan Hunt
e9cb871d0b [v9_11] revise style guide information on bracing 2017-10-05 11:28:16 -07:00
Michał Kępień
b1ce9b3d54 [v9_11] Prevent dig INSIST failures and hangs in some failure modes
4756.	[bug]		Interrupting dig could lead to an INSIST failure after
			certain errors were encountered while querying a host
			whose name resolved to more than one address.  Change
			4537 increased the odds of triggering this issue by
			causing dig to hang indefinitely when certain error
			paths were evaluated.  dig now also retries TCP queries
			(once) if the server gracefully closes the connection
			before sending a response. [RT #42832, #45159]

(cherry picked from commit 14afc8425b)
2017-10-05 09:45:34 +02:00
Evan Hunt
5fa4be41a3 [v9_11] don't log when NZF file doesn't exist
4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
			exist. [RT #46186]

(cherry picked from commit d7ee3ed488)
2017-10-05 00:13:36 -07:00
Mark Andrews
2732d4922c 4754. [bug] dns_zone_setview needs a two stage commit to properly
handle errors. [RT #45841]
2017-10-05 13:41:49 +11:00
Mark Andrews
2e10e64586 cast to unsigned int
(cherry picked from commit 34efd9ad93)
2017-10-05 13:34:24 +11:00
Evan Hunt
73b52dd1f0 [v9_11] fix tag 2017-10-04 18:44:26 -07:00
Tinderbox User
aaec997e6c update copyright notice / whitespace 2017-10-04 23:46:25 +00:00
Evan Hunt
24ffba17f0 [v9_11] remove nslint, query-loc and zkt from contrib
4753.	[contrib]	Software obtainable from known upstream locations
			(i.e., zkt, nslint, query-loc) has been removed.
			Links to these and other packages can be found at
			https://www.isc.org/community/tools [RT #46182]

(cherry picked from commit 319aad330d)
2017-10-04 16:39:56 -07:00
Tinderbox User
a564a0a6d0 newcopyrights 2017-10-04 23:30:23 +00:00
Evan Hunt
e7d68fc4b6 [v9_11] copy the color-coded test functions to conf.sh.win32 2017-10-04 09:28:37 -07:00
Mark Andrews
834b5e1e7e add L for wide
(cherry picked from commit 055d310e54)
2017-10-04 20:45:00 +11:00
Mark Andrews
e77f7b404a stderr to /dev/null also
(cherry picked from commit 4615bc5408)
2017-10-04 19:26:59 +11:00
Mark Andrews
af6a526dfd test for 'printf'
(cherry picked from commit d1e823af15)
2017-10-04 19:20:01 +11:00
Mark Andrews
863cec26ca silence compiler warning 2017-10-04 18:08:10 +11:00
Mark Andrews
9678018943 #undef inet_ntop
(cherry picked from commit 396125eefe)
2017-10-04 17:50:22 +11:00
Mark Andrews
21d58795b1 4752. [test] Add unit test for isc_net_pton. [RT #46171]
(cherry picked from commit 5fcdb09126)
2017-10-04 14:11:42 +11:00
Evan Hunt
34971c7618 [v9_11] missing declaration of INSIST 2017-10-03 20:03:19 -07:00
Evan Hunt
1a35af8e47 [v9_11] remove spurious control character 2017-10-03 19:41:57 -07:00
Tinderbox User
a134177ed9 update copyright notice / whitespace 2017-10-03 23:46:31 +00:00
Tinderbox User
3fb635d1c5 newcopyrights 2017-10-03 23:30:22 +00:00
Evan Hunt
d5bd8bb71a [v9_11] de-DLV
4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]
2017-10-03 00:43:19 -07:00
Mark Andrews
ad1317338a 4748. [cleanup] Sprintf to snprintf coversions. [RT #46132]
(cherry picked from commit a009d03a1a)
2017-10-03 14:55:33 +11:00
Tinderbox User
b725c6fc0e regen v9_11 2017-10-01 01:15:43 +00:00
Tinderbox User
f8f19158fa update copyright notice / whitespace 2017-09-30 23:49:40 +00:00
Tinderbox User
000b9bc9dc newcopyrights 2017-09-30 23:30:29 +00:00
Evan Hunt
9519bb92d7 [v9_11] add configured prefixes to summary
4746.	[cleanup]	Add configured prefixes to configure summary
			output. [RT #46153]

(cherry picked from commit c0f8a8f30a)
2017-09-30 10:03:32 -07:00
Evan Hunt
1c81aef28d [v9_11] color-coded test output
4745.	[test]		Add color-coded pass/fail messages to system
			tests when running on terminals that support them.
			[RT #45977]

(cherry picked from commit 3bb6150cae)
2017-09-30 10:02:52 -07:00
Mark Andrews
da1f585afa 4744. [bug] Suppress trust-anchor-telementry queries if
validation is disabled. [RT #46131]

(cherry picked from commit dc0a792d94)
2017-09-29 09:33:55 +10:00
Mark Andrews
1288734b53 improve forensics
(cherry picked from commit 86e5d14e82)
2017-09-28 22:15:41 +10:00
Tinderbox User
0bf752f483 update copyright notice / whitespace 2017-09-27 23:46:52 +00:00
Tinderbox User
37bf3e124e newcopyrights 2017-09-27 23:30:14 +00:00
Mark Andrews
07aa165627 switch to using snprintf from sprintf
(cherry picked from commit d386eb54c6)
2017-09-28 07:16:20 +10:00
Mukund Sivaraman
a8fa3e2d44 Make isc_refcount_current() atomically read the counter value (#46074)
(cherry picked from commit abb8813a33)
2017-09-27 15:09:42 +05:30
Mukund Sivaraman
d0d2ba9546 Use stdatomic.h in acache code (#46085)
Part of change 4728.
2017-09-27 14:58:05 +05:30
Mark Andrews
d4eaef0b87 use %u and cast to unsigned int
(cherry picked from commit 2495de04a5)
2017-09-27 17:57:22 +10:00
Mark Andrews
d71d41341d 4740. [cleanup] Avoid triggering format-truncated warnings. [RT #46107] 2017-09-27 16:20:00 +10:00
Mark Andrews
62cce53589 tcp test got reversed
(cherry picked from commit b4c31c8795)
2017-09-27 15:20:16 +10:00
Mark Andrews
d72952cf25 4739. [cleanup] Address clang static analysis warnings. [RT #45952]
(cherry picked from commit f9f3f20d2d)
2017-09-27 10:58:44 +10:00
Evan Hunt
68d7ff133c [v9_11] backport rpz tweaks
4713.	[cleanup]	Minor revisions to RPZ code to reduce
			differences with the development branch. [RT #46037]
2017-09-26 11:02:59 -07:00
Mark Andrews
aae171c542 4738. [port] win32: strftime mishandles %Z. [RT #46039]
(cherry picked from commit 744061a03b)
2017-09-26 23:33:26 +10:00
Mark Andrews
6b183c64a3 4737. [cleanup] Address Coverity warnings. [RT #46012]
(cherry picked from commit 08151d7fce)
2017-09-26 23:24:37 +10:00
Michał Kępień
5a8f2f0cd6 [v9_11] Comment NSEC3-related code and fix a few minor issues
4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
			code.  (c) Minor tweaks to lock and result handling.
			[RT #46053]

(cherry picked from commit acc3728c47)
2017-09-26 11:28:38 +02:00
Tinderbox User
ea9558dc72 update copyright notice / whitespace 2017-09-23 23:46:33 +00:00
Tinderbox User
ace0869e25 newcopyrights 2017-09-23 23:30:10 +00:00
Mark Andrews
e2cc7418bf 4735. [bug] Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
(cherry picked from commit 2919a6d34b)
2017-09-23 14:58:21 +10:00
Evan Hunt
36ec0d3748 [v9_11] contrib: dns-over-tls sample configurations
4734.	[contrib]	Added sample configuration for DNS-over-TLS in
			contrib/dnspriv.

(cherry picked from commit e02abf7ed8)
2017-09-22 15:14:09 -07:00
Mukund Sivaraman
dc0d95a23d Use stdint.h only when stdatomic.h is in use (stdint.h isn't available everywhere)
(cherry picked from commit fb9712f639)
2017-09-22 15:15:34 +05:30
Mark Andrews
7f8ccd62f2 #include <isc/string.h> as it includes both <string.h> and <strings.h> if they both exist
(cherry picked from commit 6138c5a5e4)
2017-09-22 18:09:50 +10:00
Tinderbox User
81aae25057 regen v9_11 2017-09-22 01:15:14 +00:00
Tinderbox User
c05cfdba6a update copyright notice / whitespace 2017-09-21 23:50:32 +00:00
Tinderbox User
d0d09653dd newcopyrights 2017-09-21 23:30:35 +00:00
Evan Hunt
71f3cd81dd [v9_11] fix typos 2017-09-21 10:13:19 -07:00
Mark Andrews
07b1de86e1 alphabetise 2017-09-21 18:06:34 +10:00
Tinderbox User
731c2e5f0f regen v9_11 2017-09-21 07:30:52 +00:00
Mark Andrews
d037e4dbbe #include <stdint.h> 2017-09-21 14:20:53 +10:00
Tinderbox User
28a3d74227 regen v9_11 2017-09-21 03:48:24 +00:00
Mark Andrews
c0d6d4e2f2 atomic_compare_exchange_strong_explicit's second argument should not be atomic_* 2017-09-21 13:41:43 +10:00
Mark Andrews
e24ec1cb12 explicitly list test programs 2017-09-21 13:06:26 +10:00
Evan Hunt
751b32e344 [v9_11] Merge branch 'v9_11' of ssh://repo.isc.org/proj/git/prod/bind9 into v9_11 2017-09-20 12:00:57 -07:00
Tinderbox User
e9777ae6f9 regen v9_11 2017-09-20 01:17:06 +00:00
Tinderbox User
8688e7005a update copyright notice / whitespace 2017-09-19 23:47:50 +00:00
Tinderbox User
40e10611ee newcopyrights 2017-09-19 23:30:36 +00:00
Evan Hunt
4100890e5a [v9_11] specify correct license 2017-09-19 12:59:26 -07:00
Mukund Sivaraman
e446fd29b9 Fix changeset numbers 2017-09-19 19:52:47 +05:30
Mukund Sivaraman
f896f7c8be Fix use after free when closing an LMDB (#46000)
(cherry picked from commit e2ed24aa4d)
2017-09-19 19:43:22 +05:30
Mukund Sivaraman
027a4a5b5d Fix out of bounds access in DHCID totext() method (#46001)
(cherry picked from commit 98998f3ddd)
2017-09-19 19:34:13 +05:30
Mukund Sivaraman
b5252fcde5 Don't use memset() to wipe memory (#45947)
(cherry picked from commit d5707676e4)
2017-09-19 17:00:37 +05:30
Mukund Sivaraman
9905606390 Use C11's stdatomic.h instead of isc_atomic where available
(cherry picked from commit 404c9b1c53)
2017-09-19 15:49:21 +05:30
Mark Andrews
4ae32a6f72 remove unimplement rate-limit option [RT #46030]
(cherry picked from commit fb088a00cf)
2017-09-19 13:15:53 +10:00
Tinderbox User
3d202a0d60 regen v9_11 2017-09-19 01:15:53 +00:00
Tinderbox User
acce4b333d update copyright notice / whitespace 2017-09-18 23:52:43 +00:00
Tinderbox User
81573f7b11 newcopyrights 2017-09-18 23:31:09 +00:00
Evan Hunt
fd8d52fbdd [v9_11] add I: when echoing information about failed tests
(cherry picked from commit 49740fb0f2)
2017-09-18 14:15:55 -07:00
Michał Kępień
62f2fefaec [v9_11] Prevent possible infinite signing loop after retransferring an inline-signed slave using NSEC3
4727.	[bug]		Retransferring an inline-signed slave using NSEC3
			around the time its NSEC3 salt was changed could result
			in an infinite signing loop. [RT #45080]

(cherry picked from commit f665c724e4)
2017-09-18 09:23:18 +02:00
Michał Kępień
b351a58647 [v9_11] Improve handling of TCP_FASTOPEN on FreeBSD
4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
			from being logged on FreeBSD if the kernel does not
			support it.  Notify the user when the kernel does
			support TCP_FASTOPEN, but it is disabled by sysctl.
			Add a new configure option, --disable-tcp-fastopen, to
			disable use of TCP_FASTOPEN altogether. [RT #44754]

(cherry picked from commit c2179857de)
2017-09-18 08:34:53 +02:00
Mark Andrews
8008de0b11 4725. [bug] Nsupdate: "recvsoa" was incorrectly reported for
failures in sending the update message.  The correct
                        location to be reported is "update_completed".
                        [RT #46014]

(cherry picked from commit 0bcb8b0b7c)
2017-09-18 14:29:40 +10:00
Tinderbox User
b815731d05 update copyright notice / whitespace 2017-09-15 23:47:07 +00:00
Mark Andrews
2832654236 don't use strlcat with non NUL terminated strings rt45981_stage3
(cherry picked from commit dc71aa898a)
2017-09-15 13:14:40 +10:00
Mark Andrews
7b4bfc0201 4723. [bug] Statistics counter DNSTAPdropped was misidentified
as DNSSECdropped. [RT #46002]

(cherry picked from commit 3128cd21e3)
2017-09-14 23:53:07 +00:00
Tinderbox User
7c38d4781f update copyright notice / whitespace 2017-09-14 23:48:31 +00:00
Tinderbox User
8ac5ddf659 newcopyrights 2017-09-14 23:30:39 +00:00
Evan Hunt
a3b6dcd418 [v9_11] revert dlzexternal changes for portability 2017-09-14 11:33:36 -07:00
Mark Andrews
2b5e8ac281 silence warning
(cherry picked from commit c59bf663e8)
2017-09-14 19:02:45 +10:00
Mark Andrews
cd320a8d23 #include <isc/string.h>
(cherry picked from commit 7eb73f6288)
2017-09-14 18:58:52 +10:00
Mark Andrews
4f851656c4 #include <isc/string.h>
(cherry picked from commit 5fb0c09a5e)
2017-09-14 18:55:15 +10:00
Mark Andrews
5a93d3be4e more str{n}{cat,cpy} corrections rt45981_stage2
(cherry picked from commit cb629cdeda)
2017-09-14 18:33:02 +10:00
Mukund Sivaraman
e05b7dc69a Link dlzexternal system test's driver against libisc
(cherry picked from commit bbe9f1dd95)
2017-09-14 13:37:22 +05:30
Evan Hunt
41621724af [v9_11] cast char * 2017-09-13 22:04:08 -07:00
Evan Hunt
4c2dd50d64 [v9_11] clean up bufsize errors
(cherry picked from commit 9b729a06b0)
2017-09-13 21:19:11 -07:00
Tinderbox User
bd911976d5 update copyright notice / whitespace 2017-09-13 23:52:25 +00:00
Tinderbox User
2b7254075b newcopyrights 2017-09-13 23:31:46 +00:00
Mark Andrews
d8402e191a fix filenamelen so it has the buffer length rather than buffer length - 1
(cherry picked from commit 21c12d0107)
2017-09-14 09:30:03 +10:00
Evan Hunt
7df17e0de2 [v9_11] fix incorrect comment 2017-09-13 13:53:57 -07:00
Mukund Sivaraman
d45eddf28f Fix output string size in GOST unittest
(cherry picked from commit e5eca6eebb)
2017-09-14 01:36:37 +05:30
Mukund Sivaraman
e004f87b71 Fix gost unittest failure
(cherry picked from commit 93f7384928)
2017-09-14 00:29:53 +05:30
Mark Andrews
28a55095f7 add #include <isc/string.h>
(cherry picked from commit 4c9ba9ded8)
2017-09-13 19:51:49 +05:30
Mukund Sivaraman
a13e9f894c Add missing <isc/print.h>
(cherry picked from commit 188fa6ea68)
2017-09-13 19:48:20 +05:30
Mukund Sivaraman
fc7ed600ae Tweak hash_test.c further, passing sizeof(str)
(cherry picked from commit 8997fc0a3f)
2017-09-13 19:32:57 +05:30
Mukund Sivaraman
4baac8b9f3 Tweak
(cherry picked from commit a2873eabf6)
2017-09-13 19:32:56 +05:30
Mukund Sivaraman
3dc00443bb Fix size of output string in hash tests
(cherry picked from commit bc5e0a6868)
2017-09-13 19:32:54 +05:30
Francis Dupont
1cc250f9af Added isc/string.h to shutdown_test which got strlcpy
(cherry picked from commit 804ca1d926)
2017-09-13 23:00:42 +10:00
Evan Hunt
7cd594b842 [master] cleanup strcat/strcpy
4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
			strlcpy() and strlcat() for safety. [RT #45981]

(cherry picked from commit 114f95089c)
2017-09-13 00:17:16 -07:00
Mark Andrews
a27226b849 give more time for the initial signing of bits in the inline signing test to complete
(cherry picked from commit e930487ce7)
2017-09-13 12:19:42 +10:00
Mark Andrews
3f932812d7 fix first if test in setoption
(cherry picked from commit abda73147d)
2017-09-13 11:58:52 +10:00
Mark Andrews
c76e8412f4 4719. [bug] Address PVS static analyzer warnings. [RT #45946]
(cherry picked from commit 34130ee25a)
2017-09-13 09:51:39 +10:00
Tinderbox User
c40e033d21 update copyright notice / whitespace 2017-09-12 23:47:30 +00:00
Tinderbox User
16afb24a00 newcopyrights 2017-09-12 23:31:54 +00:00
Evan Hunt
a2a0100e0f [v9_11] improve handling of qcount=0 replies
4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
			FORMERR if TC=0, and log the error correctly.
			[RT #45836]

(cherry picked from commit 25b33bede4)
2017-09-12 15:27:06 -07:00
Mark Andrews
1feffc6fdb 4715. [bug] TreeMemMax was mis-identified as a second HeapMemMax
in the Json cache statistics. [RT #45980]

(cherry picked from commit 0a1359034d)
2017-09-12 14:55:40 +10:00
Mark Andrews
22bed621ef 4714. [port] openbsd/libressl: add support for building with
--enable-openssl-hash. [RT #45982]

(cherry picked from commit c75e9c7630)
2017-09-12 14:20:13 +10:00
Mark Andrews
f39894c0b1 update 2017-09-12 12:50:28 +10:00
Evan Hunt
e5f5675b1d [v9_11] dig: retain domain when retrying with tcp
4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
			search domain when retrying with TCP. [RT #45547]

(cherry picked from commit 8e014c45ae)
2017-09-11 10:10:38 -07:00
Evan Hunt
29f0ced781 [v9_11] add missing rrtypes to genzones
4711.	[test]		Some RR types were missing from genzones.sh.
			[RT #45782]

(cherry picked from commit 3e66721b35)
2017-09-11 09:35:03 -07:00
Evan Hunt
8452718133 [v9_11] removed outdated library reference 2017-09-09 11:49:41 -07:00
Evan Hunt
b9fd54f8d4 [v9_11] change hash function for RRL
4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
			[RT #45435]

(cherry picked from commit f13385770e)
2017-09-08 15:46:55 -07:00
Tinderbox User
2f0eac53a9 update copyright notice / whitespace 2017-09-07 23:48:25 +00:00
Tinderbox User
3524df526a newcopyrights 2017-09-07 23:30:41 +00:00
Mark Andrews
fcb5e646e4 4703. [bug] BINDInstall.exe was missing some buffer length checks.
[RT #45898]

(cherry picked from commit 7e40d6274e)
2017-09-07 12:59:22 +10:00
Mark Andrews
7dfd012873 sync option order with master 2017-09-06 15:26:38 +10:00
Mark Andrews
9ecd39b2ca add PYTHON_INSTALL_DIR 2017-09-06 13:24:13 +10:00
Tinderbox User
5f2a1507e0 regen v9_11 2017-09-05 01:20:07 +00:00
Tinderbox User
a450a32be2 update copyright notice / whitespace 2017-09-04 23:47:14 +00:00
Tinderbox User
9b0a4470f9 newcopyrights 2017-09-04 23:30:59 +00:00
Michał Kępień
a22c3cf515 [v9_11] Add --with-python-install-dir configure option
4698.	[port]		Add --with-python-install-dir configure option to allow
			specifying a nonstandard installation directory for
			Python modules. [RT #45407]

(cherry picked from commit a5dc1bc395)
2017-09-04 08:44:40 +02:00
Tinderbox User
772bc9542d update copyright notice / whitespace 2017-09-01 23:46:54 +00:00
Mukund Sivaraman
836601ccc5 Tweak code (reviewed by Mark)
(cherry picked from commit cdabd36dc7)
2017-09-01 12:42:12 +05:30
Mark Andrews
b301c4293c 4697. [bug] Restore workaround for Microsoft Windows TSIG hash
computation bug. [RT #45854]

(cherry picked from commit a8a20462b5)
2017-09-01 11:23:40 +10:00
Mark Andrews
6eb9141841 update 2017-09-01 09:46:48 +10:00
Mark Andrews
5c4e0c7800 4696. [port] Enable filter-aaaa support by default on Windows
builds. [RT #45883]

(cherry picked from commit b4eb8b9656)
2017-08-31 13:38:01 +10:00
Mark Andrews
6e1f755f19 4695. [bug] cookie-secrets were not being properly checked by
named-checkconf. [RT #45886]
(cherry picked from commit 2e743d9bdc)
2017-08-31 13:28:59 +10:00
Mark Andrews
95ed40ff9a sort view_clauses 2017-08-31 08:10:44 +10:00
Mark Andrews
435a7cd229 4692. [bug] Fix build failures with libressl introduced in 4676.
[RT #45879]

(cherry picked from commit c26370fc69)
2017-08-30 18:22:25 +10:00
Tinderbox User
9700e6d72c regen v9_11 2017-08-30 01:21:44 +00:00
Tinderbox User
36d3f6b40f update copyright notice / whitespace 2017-08-29 23:47:49 +00:00
Tinderbox User
e5c7ef08d1 newcopyrights 2017-08-29 23:30:30 +00:00
Michał Kępień
b7a823a402 [v9_11] Ensure consistent handling of -4/-6 command line options in all tools
4690.	[bug]		Command line options -4/-6 were handled inconsistently
			between tools. [RT #45632]

(cherry picked from commit d6814700de)
2017-08-29 10:22:10 +02:00
Mark Andrews
c46c8e5c56 fix changes number
(cherry picked from commit 503223b800)
2017-08-26 13:26:37 +10:00
Evan Hunt
031bc55634 [v9_11] turn on minimal responses for CDS/CDNSKEY
4678.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
			addition to DNSKEY and DS. Thanks to Tony Finch.
			[RT #45690]

(cherry picked from commit 391a3a2f20)
2017-08-25 13:32:18 -07:00
Tinderbox User
dfae459e8c regen v9_11 2017-08-25 01:20:31 +00:00
Tinderbox User
4ffac123a0 update copyright notice / whitespace 2017-08-24 23:48:46 +00:00
Tinderbox User
bd49a41f96 newcopyrights 2017-08-24 23:30:31 +00:00
Mark Andrews
a64daf673d 4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in
messages. [RT #44804]

(cherry picked from commit 07741d43c8)
2017-08-25 08:47:19 +10:00
Tinderbox User
3b0259a957 regen v9_11 2017-08-22 01:20:35 +00:00
Tinderbox User
6f25333e73 update copyright notice / whitespace 2017-08-21 23:50:38 +00:00
Tinderbox User
b378314925 newcopyrights 2017-08-21 23:30:34 +00:00
Michał Kępień
0aadc6dd7b [v9_11] Prevent dnssec-settime from printing a bogus warning
4686.	[bug]		dnssec-settime -p could print a bogus warning about
			key deletion scheduled before its inactivation when a
			key had an inactivation date set but no deletion date
			set. [RT #45807]

(cherry picked from commit 330365566d)
2017-08-21 10:21:58 +02:00
Michał Kępień
f20ff8b74d [v9_11] Fix calculation of dates for a successor key
4685.	[bug]		dnssec-settime incorrectly calculated publication and
			activation dates for a successor key. [RT #45806]

(cherry picked from commit 5201b96d03)
2017-08-21 10:00:21 +02:00
Michał Kępień
7ff682f3c6 [v9_11] Prevent delv from sending bogus queries for provided server address
4684.	[bug]		delv could send bogus DNS queries when an explicit
			server address was specified on the command line along
			with -4/-6. [RT #45804]

(cherry picked from commit 367fcd7454)
2017-08-21 09:18:54 +02:00
Tinderbox User
e57ec8c501 regen v9_11 2017-08-18 01:20:17 +00:00
Tinderbox User
2dc5db0eb0 update copyright notice / whitespace 2017-08-17 23:47:47 +00:00
Tinderbox User
5e145d3125 newcopyrights 2017-08-17 23:30:56 +00:00
Michał Kępień
e02fa56849 [v9_11] Prevent nsupdate from immediately exiting on invalid user input in interactive mode
4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
			user input in interactive mode. [RT #28194]

(cherry picked from commit 1aa583b5a5)
2017-08-17 08:32:44 +02:00
Mark Andrews
abcea74291 4682. [bug] Don't report errors on records below a DNAME.
[RT #44880]

(cherry picked from commit 615b961e02)
2017-08-17 15:51:22 +10:00
Tinderbox User
f3df966b81 update copyright notice / whitespace 2017-08-15 23:49:26 +00:00
Tinderbox User
4674e9e023 newcopyrights 2017-08-15 23:30:23 +00:00
Mark Andrews
079c9e6939 'uname -o' is not portable, suppress error message; remove spurious cat tmp.out; provide forensics for failure analysis
(cherry picked from commit e85a2c5624)
2017-08-15 18:02:55 +10:00
Tinderbox User
7db794030a regen v9_11 2017-08-15 01:21:22 +00:00
Tinderbox User
296f5969a8 update copyright notice / whitespace 2017-08-14 23:49:57 +00:00
Tinderbox User
b625bdae12 newcopyrights 2017-08-14 23:30:34 +00:00
Mark Andrews
b5fb3f8722 request-nsid/request-sit out of order
(cherry picked from commit bf1ab06a48)
2017-08-14 23:51:56 +10:00
Michał Kępień
d748d8a4af [v9_11] Fix master address failover when GSS-API is used
4680.	[bug]		Fix failing over to another master server address when
			nsupdate is used with GSS-API. [RT #45380]

(cherry picked from commit b55ec74eaa)
2017-08-14 15:00:49 +02:00
Michał Kępień
cbb33c87f4 [v9_11] Make dnssec-verify suggest using -o when appropriate
4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
			not at top of zone and -o is not used. [RT #45519]

(cherry picked from commit 877c264edc)
2017-08-14 14:02:20 +02:00
Mark Andrews
a6a3a81e36 sort options
(cherry picked from commit 00f067539a)
2017-08-14 21:42:25 +10:00
Mark Andrews
8026cf5768 alphabetize options_clauses
(cherry picked from commit 60fd71ec66)
2017-08-14 07:27:21 +00:00
Mark Andrews
afb3bcade3 tcp-only and tcp-keepalive where out of alphabetical order
(cherry picked from commit 9697129ae2)
2017-08-14 07:02:36 +00:00
Mark Andrews
76e878e109 sit-secret was out of alphabetical order
(cherry picked from commit fa7bacca7d)
2017-08-14 06:50:49 +00:00
Mark Andrews
324b00ad49 4678. [bug] geoip-use-ecs has the wrong type when geoip support
is disabled at configure time. [RT #45763]

(cherry picked from commit cc88df4f01)
2017-08-14 06:18:50 +00:00
Mark Andrews
d91a7418ed use isc_thread_self instead of pthread_self
(cherry picked from commit 5e9d9aa9d0)
2017-08-14 13:54:36 +10:00
Tinderbox User
3d09597bc1 update copyright notice / whitespace 2017-08-11 23:48:33 +00:00
Evan Hunt
4dc6fa1e92 [v9_11] fix CHANGES note 2017-08-10 22:53:19 -07:00
Evan Hunt
2b0060b8ff [v9_11] split up main and add callback function pointers to support iOS
4677.	[port]		Split up the main function in dig to better support
			the iOS app version. [RT #45508]
2017-08-10 22:24:44 -07:00
Tinderbox User
61ceead03b regen v9_11 2017-08-10 01:21:31 +00:00
Mark Andrews
b81b178ab9 4676. [cleanup] Allow BIND to be built using OpenSSL 1.0.X with
deprecated functions removed. [RT #45706]

(cherry picked from commit cbc80a42d3)
2017-08-10 10:17:02 +10:00
Tinderbox User
3523e19da2 update copyright notice / whitespace 2017-08-09 23:49:39 +00:00
Tinderbox User
33b0d10552 newcopyrights 2017-08-09 23:30:33 +00:00
Mark Andrews
bf216589c1 4675. [cleanup] Don't use C++ keyword class. [RT #45726] 2017-08-10 08:44:23 +10:00
Evan Hunt
5007b353e4 [v9_11] grammar error and missing reference to filter-aaaa-on-v6
(cherry picked from commit b2a5df8d4b)
2017-08-09 15:05:36 -07:00
Evan Hunt
7dbeb5e7f0 [v9_11] silence gcc 7 warnings
4673.	[port]		Silence GCC 7 warnings. [RT #45592]

(cherry picked from commit cdacec1dcb)
2017-08-09 00:24:16 -07:00
Mark Andrews
93049edb81 add comment 2017-08-09 10:48:33 +05:30
Evan Hunt
72f91848ef style 2017-08-09 10:48:29 +05:30
Tinderbox User
36babd3e63 update copyright notice / whitespace 2017-08-09 01:01:24 +00:00
Tinderbox User
c4a3562395 newcopyrights 2017-08-09 00:38:03 +00:00
Mark Andrews
a5f6549534 style changes from [RT #45321]
(cherry picked from commit bcb2df226f)
2017-08-09 07:49:38 +10:00
Mark Andrews
c80cbf4eed remove placeholder 2017-08-09 07:36:36 +10:00
Mukund Sivaraman
8ecd1dc557 Fix tsig_test.c unittest (OK'd by Mark on Jabber)
(cherry picked from commit f2b6eef899)
2017-08-08 21:56:25 +05:30
Mukund Sivaraman
b5dc708403 Add placeholder
(cherry picked from commit a6ed0b587b)
2017-08-08 20:49:05 +05:30
Mukund Sivaraman
6e10f87913 Fix a race in resume_dslookup() (#45168)
(cherry picked from commit c88efb83b3)
2017-08-08 13:11:11 +05:30
Evan Hunt
37f6466aa3 [v9_11] ensure verified_sig
4670.	[cleanup]	Ensure that a request MAC is never sent back
			in an XFR response unless the signature was
                        verified. [RT #45494]

(cherry picked from commit 0ad72b96d2)
2017-08-07 18:54:54 -07:00
Evan Hunt
5832599943 [v9_11] add missing eddsa files 2017-08-07 14:23:01 -07:00
Tinderbox User
95098d55d2 regen v9_11 2017-08-04 01:15:29 +00:00
Curtis Blackburn
93f0e3d747 fix pthread_np.h detection
[rt45680]
2017-08-03 18:04:44 -07:00
Tinderbox User
81baaebbc7 update copyright notice / whitespace 2017-08-02 23:57:18 +00:00
Tinderbox User
5835beb229 newcopyrights 2017-08-02 23:48:54 +00:00
Mark Andrews
4162d3b36d 4668. [bug] Use localtime_r and gmtime_r for thread safety.
[RT #45664]

(cherry picked from commit 2019cf29e2)
2017-08-03 08:45:37 +10:00
Mark Andrews
3925b3c74b remove bin/tests/rdata_test.c 2017-08-02 12:43:33 +10:00
Tinderbox User
46bb3884a0 regen v9_11 2017-08-02 01:17:06 +00:00
Tinderbox User
bc6f4c1c4c update copyright notice / whitespace 2017-08-01 23:47:30 +00:00
Tinderbox User
97f57cf534 newcopyrights 2017-08-01 23:30:58 +00:00
Michał Kępień
ce6f0c1221 [v9_11] Refactor RDATA unit tests
4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]

(cherry picked from commit 712825d755)
2017-08-01 12:16:14 +02:00
Mark Andrews
baeaed1834 copyrights 2017-08-01 12:26:10 +10:00
Mukund Sivaraman
be2de707ec Add missing file 2017-08-01 07:48:09 +05:30
Mark Andrews
2c4c405aeb handle .key and .private files
(cherry picked from commit 3c4dffefe8)
2017-08-01 12:09:57 +10:00
Tinderbox User
bfb7b680bf regen v9_11 2017-08-01 01:16:08 +00:00
Tinderbox User
15f02725a8 sync 2017-08-01 01:09:50 +00:00
Evan Hunt
f72f587942 [v9_11] parse numeric domain names correctly
4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
			could cause a parser error when reading the policy
			file. This now works correctly so long as the domain
			name is quoted. [RT #45641]
2017-07-31 10:44:26 -07:00
Evan Hunt
1073e2001c [v9_11] revise CHANGES note and add release note 2017-07-31 10:36:00 -07:00
Francis Dupont
78608b0a45 Added Ed25519 support (#44696) 2017-07-31 15:45:32 +02:00
Tinderbox User
d95b19f839 regen v9_11 2017-07-29 01:18:02 +00:00
Tinderbox User
66e599a004 update copyright notice / whitespace 2017-07-28 23:47:00 +00:00
Tinderbox User
ebe53509ca newcopyrights 2017-07-28 23:30:58 +00:00
Evan Hunt
d1c18780d3 [v9_11] remove unnecessary acronym expansions 2017-07-28 12:23:40 -07:00
Michał Kępień
11c4e6d8fc [v9_11] Clarify error message printed by dnssec-dsfromkey
4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
			[RT #21731]

(cherry picked from commit c150f68609)
2017-07-28 10:29:54 +02:00
Evan Hunt
59122481b2 [v9_11] Maintain ZEROTTL cache entries at the tail of the LRU lists
4662.	[performance]	Improve cache memory cleanup of zero TTL records
			by putting them at the tail of LRU header lists.
			[RT #45274]

(cherry picked from commit e924155211)
2017-07-28 00:13:37 -07:00
Evan Hunt
fe6d2fd833 [v9_11] race condition when reloading while resigning
4661.	[bug]		A race condition could occur if a zone was reloaded
			while resigning, triggering a crash in
			rbtdb.c:closeversion(). [RT #45276]

(cherry picked from commit 036305f00d)
2017-07-28 00:02:47 -07:00
Mark Andrews
05a456499a 4660. [bug] Remove spurious "peer" from Windows socket log
messages. [RT #45617]

(cherry picked from commit 5140501a0b)
2017-07-28 16:07:12 +10:00
Mark Andrews
cb4e0ef4e2 4659. [bug] Remove spurious log message about lmdb-mapsize
not being supported when parsing builtin
                        configuration file. [RT #45618]

(cherry picked from commit 71cd6910ba)
2017-07-28 16:03:24 +10:00
Mark Andrews
9f5909ed8c add semicolon 2017-07-28 15:59:14 +10:00
Mark Andrews
e3efc855f9 4658. [bug] Clean up build directory created by "setup.py install"
immediately.  [RT #45628]

(cherry picked from commit e54f256bb4)
2017-07-28 15:57:00 +10:00
Tinderbox User
fc42a7d4d9 update copyright notice / whitespace 2017-07-27 23:52:09 +00:00
Tinderbox User
ab0417b81b newcopyrights 2017-07-27 23:40:11 +00:00
Evan Hunt
709ea21068 [v9_11] fix typo in BADCDS
(cherry picked from commit 7ff9d3a962)
2017-07-27 15:42:12 -07:00
Tinderbox User
dd050664bb update copyright notice / whitespace 2017-07-26 23:47:23 +00:00
Tinderbox User
8f977d4d64 newcopyrights 2017-07-26 23:31:07 +00:00
Michał Kępień
e56c085458 [v9_11] Properly handle errors in rrchecker system test
4657.	[bug]		rrchecker system test result could be improperly
			determined. [RT #45602]

(cherry picked from commit 984a28c771)
2017-07-26 10:41:07 +02:00
Evan Hunt
6e9b764f99 [v9_11] add print.h 2017-07-26 01:24:31 -07:00
Michał Kępień
6727802528 [v9_11] Process "port" and "dscp" for "default-masters"
4656.	[bug]		Apply "port" and "dscp" values specified in catalog
			zone's "default-masters" option to the generated
			configuration of its member zones. [RT #45545]

(cherry picked from commit 383240d572)
2017-07-26 09:29:38 +02:00
Mark Andrews
3d0f9f8cca fix RT number
(cherry picked from commit cdc5e0cea0)
2017-07-26 16:40:38 +10:00
Mark Andrews
72b322cde0 9.11.2 2017-07-24 17:26:26 +10:00
Mark Andrews
4d41be5f9e 4655. [bug] Lack of seccomp could be falsely reported. [RT #45599]
(cherry picked from commit 4f4b94a042)
2017-07-23 07:14:35 +10:00
Tinderbox User
6fb9b25791 update copyright notice / whitespace 2017-07-21 23:46:43 +00:00
Tinderbox User
51aeb0ae19 newcopyrights 2017-07-21 23:30:39 +00:00
Mark Andrews
bfde61d519 4654. [cleanup] Don't use C++ keywords delete, new and namespace.
[RT #45538]

(cherry picked from commit 4bf32aa587)
2017-07-21 12:28:58 +10:00
Tinderbox User
2cda87d34f update copyright notice / whitespace 2017-07-20 23:45:50 +00:00
Tinderbox User
3ccf87473f newcopyrights 2017-07-20 23:30:16 +00:00
Mark Andrews
28ea558bc8 9.11.2rc2 2017-07-20 13:12:16 +10:00
Mark Andrews
8ed6c49f1a 4653. [bug] Reorder includes to move @DST_OPENSSL_INC@ and
@ISC_OPENSSL_INC@ after shipped include directories.
                        [RT #45581]

(cherry picked from commit 124712666e)
2017-07-20 11:52:29 +10:00
Tinderbox User
ab8823e535 update copyright notice / whitespace 2017-07-19 23:45:44 +00:00
Mark Andrews
447dfe4f11 4653. [bug] Reorder includes in bin/nsupdate/Makefile.in.
[RT #45581]

(cherry picked from commit a5a4cf96c6)
2017-07-20 09:38:01 +10:00
Tinderbox User
4b14dedee8 newcopyrights 2017-07-19 23:30:21 +00:00
Mark Andrews
42ae02626d correct for missing placeholder 2017-07-19 16:14:21 +10:00
Mark Andrews
8e8ccd0139 use 'test "constant" <condition> "$variable"' [RT #45486]
(cherry picked from commit aed501fb88)
2017-07-19 15:53:34 +10:00
Mark Andrews
a60831febf 4651. [bug] Nsupdate could attempt to use a zeroed address on
server timeout. [RT #45417]

(cherry picked from commit dac36869f3)
2017-07-19 15:36:55 +10:00
Mark Andrews
6b56350522 4651. [bug] Nsupdate could attempt to use a zeroed address on
server timeout. [RT #45417]

(cherry picked from commit 38edf586f9)
2017-07-19 15:36:55 +10:00
Mark Andrews
41caed6e2d 4650. [test] Silence coverity warnings in tsig_test.c. [RT #45528]
(cherry picked from commit c0ac259940)
2017-07-19 14:35:51 +10:00
Mark Andrews
1a9d96524f silence coverity warnings in tsig_test.c. [RT #45528]
(cherry picked from commit 469ba6daffe6dcc5bd4a77c333c939de1ddb2263)
2017-07-19 14:31:43 +10:00
Tinderbox User
a9ea295696 regenerate 2017-07-16 22:28:27 +00:00
Tinderbox User
0b89eee616 regen v9_11 2017-07-16 21:23:32 +00:00
Evan Hunt
f2720d2436 [v9_11] update api ranges 2017-07-16 13:57:09 -07:00
Evan Hunt
565535d182 [v9_11] prep 9.11.2 2017-07-16 13:44:23 -07:00
Tinderbox User
363b21045b regen v9_11 2017-07-16 01:14:20 +00:00
Evan Hunt
d4098be27b [v9_11] update relnotes to mention termination of windows XP support 2017-07-15 13:56:54 -07:00
Tinderbox User
8c72455146 regen v9_11 2017-07-15 01:18:18 +00:00
Evan Hunt
3ba9f5804c [v9_11] add a release note for TSIG regression 2017-07-14 14:52:29 -07:00
Tinderbox User
c48fdfda7a regen v9_11 2017-07-11 03:49:36 +00:00
Mark Andrews
e55c767c89 note change in AD setting on some truncated answers
(cherry picked from commit 56d8312a48)
2017-07-11 13:29:33 +10:00
Mark Andrews
66afb7c86a add note about .local
(cherry picked from commit 9987992232)
2017-07-11 12:45:02 +10:00
Tinderbox User
c956167155 regen v9_11 2017-07-10 07:35:15 +00:00
Tinderbox User
38a5df33f4 regen v9_11 2017-07-10 06:24:26 +00:00
Mark Andrews
6045abbc9a update for 9.11.2rc1 2017-07-10 15:19:34 +10:00
Mark Andrews
f7d148398c 4649. [bug] The wrong zone was logged when a catalog zone is added.
[RT #45520]

(cherry picked from commit abe5cf42b3)
2017-07-10 10:37:25 +10:00
Tinderbox User
4ef21d0f93 update copyright notice / whitespace 2017-07-09 23:46:10 +00:00
Tinderbox User
c3bf582eed newcopyrights 2017-07-09 23:30:17 +00:00
Mark Andrews
3a84275b10 4648. [bug] "rndc reconfig" on a slave no longer causes all member
zones of configured catalog zones to be removed from
                        configuration. [RT #45310]

(cherry picked from commit 1e9b39fe26)
2017-07-10 09:07:29 +10:00
Tinderbox User
e466abceb5 regen v9_11 2017-07-08 01:23:42 +00:00
Tinderbox User
951e10294c update copyright notice / whitespace 2017-07-07 23:46:16 +00:00
Tinderbox User
048b775e5c newcopyrights 2017-07-07 23:30:21 +00:00
Mark Andrews
bf97ea8fb4 add #include <isc/print.h>
(cherry picked from commit 00a235c8e6)
2017-07-08 00:48:16 +10:00
Mark Andrews
398834f755 4647. [bug] Change 4643 broke verification of TSIG signed TCP
message sequences where not all the messages contain
                        TSIG records.  These may be used in AXFR and IXFR
                        responses.  [RT #45509]
2017-07-07 23:43:20 +10:00
Mukund Sivaraman
5eceaccb00 Fix typo in configure output
(cherry picked from commit 5f88472fd1)
2017-07-07 17:33:23 +05:30
Ray Bellis
0359dfcf63 fixed new warning with previous iOS patch
(cherry picked from commit 70676a01eb)
2017-07-04 12:12:41 +01:00
Ray Bellis
4f1073e7b2 fix warnings from iOS build of dig
(cherry picked from commit 03a4e4381e)
2017-07-04 11:54:54 +01:00
Mark Andrews
250d96dd31 loop waiting for ns4/managed-keys.bind to be written
(cherry picked from commit f7a22ae512)
2017-07-04 15:53:45 +10:00
Tinderbox User
02e1a5b3ae update copyright notice / whitespace 2017-06-30 23:46:05 +00:00
Tinderbox User
2128e98a14 newcopyrights 2017-06-30 23:30:17 +00:00
Evan Hunt
28061f80b6 [v9_11] fix RSA parsing when md5 disabled
4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
			[RT #45300]

(cherry picked from commit b05b3fab3c)
2017-06-29 15:54:35 -07:00
Tinderbox User
35255451d4 regen v9_11 2017-06-29 00:33:13 +00:00
Evan Hunt
68bdc7fbc4 [v9_11] complete change #4643 2017-06-28 09:11:59 -07:00
Tinderbox User
550d3276d0 regen v9_11 2017-06-28 01:17:23 +00:00
Tinderbox User
710a238dfe update copyright notice / whitespace 2017-06-27 23:46:13 +00:00
Tinderbox User
384e37a497 newcopyrights 2017-06-27 23:30:15 +00:00
Evan Hunt
52f38b35e7 [v9_11] fix API ranges (170-179 was used for two branches) 2017-06-27 12:21:30 -07:00
Evan Hunt
a03f4b1ea4 [v9_11] address TSIG bypass/forgery vulnerabilities
4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]

(cherry picked from commit 581c1526ab)
2017-06-27 11:39:33 -07:00
Evan Hunt
d315545e6d [v9_11] enhanced rfc 5011 logging
4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
			status of managed keys: newly observed keys,
			deletion of revoked keys, etc. [RT #45354]

(cherry picked from commit 0d90835d2a)
2017-06-27 10:50:29 -07:00
Tinderbox User
ba9e87b35e newcopyrights 2017-06-26 23:30:18 +00:00
Mark Andrews
f8ceab59ea add EXCLUDED 2017-06-26 15:45:55 +10:00
Tinderbox User
8008316c9f regen v9_11 2017-06-26 03:15:58 +00:00
Mark Andrews
613fa3ce9d copyrights 2017-06-26 12:15:40 +10:00
Mark Andrews
ccf9f42c76 copyrights 2017-06-26 12:14:02 +10:00
Mark Andrews
a7af229766 bump api values for 9.11.2b1 as required 2017-06-26 12:09:43 +10:00
Mark Andrews
15471a63a2 'name' should be on isc_thread_setname argument not isc_thread_create 2017-06-26 12:05:35 +10:00
Mark Andrews
a785bf2c39 add release marker 9.11.2b1 2017-06-26 11:48:13 +10:00
Mark Andrews
00f1312935 4641. [cleanup] Parallel builds (make -j) could fail with --with-atf /
--enable-developer. [RT #45373]

(cherry picked from commit 1be7580be7)
2017-06-26 10:01:52 +10:00
Mark Andrews
b2e7185306 4640. [bug] If query_findversion failed in query_getdb due to
memory failure the error status was incorrectly
                        discarded. [RT #45331]

(cherry picked from commit b551ee14bd)
2017-06-23 17:18:23 +10:00
Michał Kępień
42c1acfa47 4639. [bug] Fix a regression in --with-tuning reporting introduced
by change 4488. [RT #45396]
2017-06-23 08:18:20 +02:00
Tinderbox User
236a983ca3 update copyright notice / whitespace 2017-06-20 23:45:53 +00:00
Tinderbox User
0c71e48c9c newcopyrights 2017-06-20 23:30:15 +00:00
Mark Andrews
0d2c3b6048 fix attribute name in DNS_NAME_INITABSOLUTE [RT #45409]
(cherry picked from commit da0df9367d)
2017-06-20 12:39:27 +10:00
Tinderbox User
421ba11f3f regen v9_11 2017-06-14 01:15:32 +00:00
Tinderbox User
6431922cb2 update copyright notice / whitespace 2017-06-13 23:46:02 +00:00
Tinderbox User
076e51f1ff newcopyrights 2017-06-13 23:30:24 +00:00
Evan Hunt
503809a8e1 [v9_11] put in a missing #ifdef section
(cherry picked from commit 19a72397da)
2017-06-13 14:51:09 -07:00
Evan Hunt
214b53880b [v9_11] prevent reload failure due to LMDB database perms
4638.	[bug]		Reloading or reconfiguring named could fail on
			some platforms when LMDB was in use. [RT #45203]

(cherry picked from commit bf05e66bb3)
2017-06-13 12:01:29 -07:00
Mark Andrews
dd5375de0a 4636. [bug] Normalize rpz policy zone names when checking for
existence. [RT #45358]

(cherry picked from commit e85e95c19e)
2017-06-13 13:07:23 +10:00
Mukund Sivaraman
3a58e1fefb Don't log NSDNAME failures as NSIP (#45052)
(cherry picked from commit 2c11da8441)
2017-06-12 14:11:32 +05:30
Tinderbox User
55affca0c4 newcopyrights 2017-06-11 23:30:13 +00:00
Mark Andrews
7c67b8c2b0 4634. [contrib] check5011.pl needs to handle optional space before
semi-colon in +multi-line output. [RT #45352]

(cherry picked from commit ed2659c974)
2017-06-11 22:05:13 +10:00
Tinderbox User
fa0173af87 update copyright notice / whitespace 2017-06-02 23:45:40 +00:00
Tinderbox User
83a7197872 newcopyrights 2017-06-02 23:30:11 +00:00
Mark Andrews
5aed5dc329 4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
(cherry picked from commit 9c179a5607)
2017-06-02 11:48:54 +10:00
Mark Andrews
387f5e872d fix changes numbers
(cherry picked from commit 5e1cedb130)
2017-05-31 11:50:41 +10:00
Tinderbox User
51da15c886 regen v9_11 2017-05-31 01:15:21 +00:00
Tinderbox User
8664a1bd40 update copyright notice / whitespace 2017-05-30 23:46:05 +00:00
Tinderbox User
80eaeb6c6f newcopyrights 2017-05-30 23:30:12 +00:00
Evan Hunt
c28e44f3f8 [v9_11] quote service registry paths
4532.	[security]	The BIND installer on Windows used an unquoted
                        service path, which can enable privilege escalation.
			(CVE-2017-3141) [RT #45229]

(cherry picked from commit 967a3b9419)
2017-05-30 13:38:22 -07:00
Evan Hunt
3440cf9c60 [v9_11] fix rpz formerr loop
4531.	[security]	Some RPZ configurations could go into an infinite
			query loop when encountering responses with TTL=0.
			(CVE-2017-3140) [RT #45181]
2017-05-30 12:35:06 -07:00
Mark Andrews
9270a14461 4530. [bug] "dyndb" is dependent on dlopen existing / being
enabled. [RT #45291]

(cherry picked from commit aa3a8979bc)
2017-05-30 11:35:05 +10:00
Mark Andrews
541ce84ff2 4530. [bug] "dyndb" is dependent on dlopen existing / being
enabled. [RT #45291]

(cherry picked from commit ae903759c2)
2017-05-30 11:32:06 +10:00
Mark Andrews
032d2134a4 4629. [bug] dns_client_startupdate could not be called with a
running client. [RT #45277]

(cherry picked from commit e51d62ecae)
2017-05-30 09:52:45 +10:00
Tinderbox User
29656aa09c update copyright notice / whitespace 2017-05-28 23:46:19 +00:00
Tinderbox User
127d2b350e newcopyrights 2017-05-28 23:30:14 +00:00
Evan Hunt
fb9ef31fed [v9_11] Add DLZ db version to activeversions
4628.	[bug]		Fixed a potential reference leak in query_getdb().
			[RT #45247]

(cherry picked from commit 594eadcc34)
2017-05-28 14:29:58 -07:00
Evan Hunt
ab44851860 [v9_11] Use 127.0.0.1 as interface for rndc in logfileconfig test 2017-05-28 14:23:32 -07:00
Mark Andrews
62323c1ba2 test crypto support
(cherry picked from commit 0a78894304)
2017-05-26 16:04:18 +10:00
Tinderbox User
2c893f16d8 update copyright notice / whitespace 2017-05-24 23:45:56 +00:00
Tinderbox User
efdfbc256c newcopyrights 2017-05-24 23:30:13 +00:00
Mark Andrews
5228a39457 make chain system test work with python 3
(cherry picked from commit b9c5b37e0c)
2017-05-24 21:45:16 +10:00
Mark Andrews
6f1632aedf use 'python -u' to run python scripts
(cherry picked from commit a5dc0d5066)
2017-05-24 15:16:41 +10:00
Evan Hunt
d786bb0f8b [v9_11] copyrights 2017-05-23 16:44:42 -07:00
Evan Hunt
823ccd1f02 [v9_11] add chain ordering tests
4626.	[test]		Added more tests for handling of different record
			ordering in CNAME and DNAME responses. [QA #430]
2017-05-22 17:09:31 -07:00
Tinderbox User
c15e906adf update copyright notice / whitespace 2017-05-21 23:46:06 +00:00
Tinderbox User
39c56dd2b8 newcopyrights 2017-05-21 23:30:12 +00:00
Evan Hunt
adedbbbcfb [v9_11] corrected a possible crash in isc_test_end()
(cherry picked from commit 9e44639ae0)
2017-05-21 15:44:28 -07:00
Tinderbox User
f00c53aafe regen v9_11 2017-05-19 01:17:52 +00:00
Evan Hunt
0725e28e47 [v9_11] remove outdated reference to libbind
(cherry picked from commit ef9ab10ce0)
2017-05-18 15:35:30 -07:00
Tinderbox User
abe69df9a7 regen v9_11 2017-05-17 01:17:01 +00:00
Tinderbox User
4745777284 update copyright notice / whitespace 2017-05-16 23:45:57 +00:00
Tinderbox User
4cd01ec68f newcopyrights 2017-05-16 23:30:09 +00:00
Evan Hunt
403e7b4512 [v9_11] symbolic option names for dig +ednsopt
4555.	[func]		dig +ednsopt: EDNS options can now be specified by
			name in addition to numeric value. [RT #44461]

(cherry picked from commit 25a9b90369)
2017-05-16 10:08:17 -07:00
Evan Hunt
b6fa637fc8 [v9_11] don't keep an LMDB transaction open across an exclusive section
4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
			to the same time could trigger a deadlock if using
			LMDB. [RT #45209]

(cherry picked from commit 03a7a952c0)
2017-05-16 08:48:21 -07:00
Tinderbox User
74e2f78492 update copyright notice / whitespace 2017-05-11 23:46:03 +00:00
Tinderbox User
1ddabe157c newcopyrights 2017-05-11 23:30:13 +00:00
Mark Andrews
ace5680c12 4623. [bug] Use --with-protobuf-c and --with-libfstrm to find
protoc-c and fstrm_capture. [RT #45187]

(cherry picked from commit 366cff85a9)
2017-05-11 18:30:41 +10:00
Tinderbox User
99b30e26a6 regen v9_11 2017-05-11 01:17:38 +00:00
Mark Andrews
613cdc91fe add warning about semicolon no longer being escaped
(cherry picked from commit d4d73bca79)
2017-05-11 11:03:06 +10:00
Mark Andrews
59d940391c 4622. [bug] Remove unnecessary escaping of semicolon in CAA and
URI records. [RT #45216]

(cherry picked from commit 1611ceb8b2)
2017-05-11 10:58:03 +10:00
Tinderbox User
9a006fe9a0 update copyright notice / whitespace 2017-05-10 23:45:58 +00:00
Tinderbox User
f549a65f4c newcopyrights 2017-05-10 23:30:13 +00:00
Mark Andrews
6b432e1149 4621. [port] Force alignment of oid arrays to silence loader
warnings. [RT #45131]

(cherry picked from commit 2fb1a0bdef)
2017-05-11 09:25:00 +10:00
Mark Andrews
cb9345c996 4620. [port] Handle EPFNOSUPPORT being returned when probing
to see if a socket type is supported. [RT #45214]

(cherry picked from commit d352a9db95)
2017-05-11 07:58:44 +10:00
Mark Andrews
c935952ede 4619. [bug] Call isc_mem_put instead of isc_mem_free in
bin/named/server.c:setup_newzones. [RT #45202]

(cherry picked from commit 0c18eb4783)
2017-05-10 11:11:09 +10:00
Mark Andrews
9604a49da0 4618. [bug] Check isc_mem_strdup results in dns_view_setnewzones.
Add logging for lmdb call failures. [RT #45204]

(cherry picked from commit d242bf393c)
2017-05-10 10:51:48 +10:00
Mark Andrews
638068f7e7 be consistent with master 2017-05-09 11:27:07 +10:00
Tinderbox User
4cf9718549 update copyright notice / whitespace 2017-05-08 23:46:00 +00:00
Tinderbox User
9ff905d267 newcopyrights 2017-05-08 23:30:10 +00:00
Mark Andrews
da5b569ddb 4617. [test] Update rndc system test to be more delay tolerant.
[RT #45177]

(cherry picked from commit 31f4fb98e2)
2017-05-09 04:10:49 +10:00
Tinderbox User
3b15473ced regen v9_11 2017-05-05 01:15:31 +00:00
Tinderbox User
14f4347139 update copyright notice / whitespace 2017-05-04 23:46:00 +00:00
Tinderbox User
662620c15c newcopyrights 2017-05-04 23:30:08 +00:00
Evan Hunt
c83a306155 [v9_11] fix lmdb delzone
4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
			were not correctly removed from the new-zone
			database. [RT #45185]

(cherry picked from commit 3a554a444c)
2017-05-04 12:32:47 -07:00
Francis Dupont
75713d8c37 Added lmdb in WIN32 Configure (as not supported) 2017-05-03 14:09:56 +02:00
Tinderbox User
c88b4680d9 update copyright notice / whitespace 2017-05-02 23:46:05 +00:00
Tinderbox User
632a81d453 newcopyrights 2017-05-02 23:30:14 +00:00
Mark Andrews
ac9072210c 4615. [bug] AD could be set on truncated answer with no records
present in the answer and authority sections.
                        [RT #45140]

(cherry picked from commit 33e94f501f)
2017-05-03 07:52:02 +10:00
Mark Andrews
0b18154e45 remove unused assignments [RT #45147]
(cherry picked from commit 78551a3f2c)
2017-05-03 07:46:21 +10:00
Evan Hunt
512765ba1e [v9_11] error in sockaddr unit test
4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]

(cherry picked from commit d73c32c17f)
2017-05-02 13:41:12 -07:00
Tinderbox User
a24c7e850d update copyright notice / whitespace 2017-05-01 23:46:02 +00:00
Tinderbox User
35eb1a5f07 newcopyrights 2017-05-01 23:30:22 +00:00
Mark Andrews
27a262bc4d 4612. [bug] Silence 'may be use uninitalised' warning and simplify
the code in lwres/getaddinfo:process_answer.
                        [RT #45158]

(cherry picked from commit b09eb48f8a)
2017-05-02 09:24:13 +10:00
Evan Hunt
6cb8389877 [v9_11] add util.h
(cherry picked from commit 532a001001)
2017-05-01 13:28:53 -07:00
Mark Andrews
9b84e4edd6 complete comment marker change
(cherry picked from commit c8abbc4312)
2017-04-30 20:55:31 +10:00
Tinderbox User
43d2e7a905 update copyright notice / whitespace 2017-04-28 23:45:57 +00:00
Tinderbox User
adeafa4320 newcopyrights 2017-04-28 23:30:12 +00:00
Evan Hunt
59663800d2 [v9_11] change markdown comment style for pandoc 2017-04-27 23:44:00 -07:00
Tinderbox User
d079dc1d27 regen v9_11 2017-04-28 01:16:08 +00:00
Mark Andrews
9df7c100a7 silence 'may be used uninitialized' warning. [RT #45139]
(cherry picked from commit d1554926d0)
2017-04-28 11:02:10 +10:00
Tinderbox User
e5f454626c update copyright notice / whitespace 2017-04-27 23:45:57 +00:00
Mark Andrews
3a015a84bc add mark_stale_header define 2017-04-27 13:02:42 +10:00
Mark Andrews
790345ffa3 add rbtdb_zero_header define 2017-04-27 12:49:55 +10:00
Tinderbox User
32098293b7 regen v9_11 2017-04-27 00:50:42 +00:00
Mark Andrews
91ccb395a9 silence unused-parameter warning
(cherry picked from commit cc3ebbfd91)
2017-04-27 09:50:36 +10:00
Tinderbox User
af0d9b7705 update copyright notice / whitespace 2017-04-26 23:46:00 +00:00
Tinderbox User
5b3dd19d81 newcopyrights 2017-04-26 23:30:36 +00:00
Tinderbox User
0fc4b96b2b regen v9_11 2017-04-26 23:29:27 +00:00
Evan Hunt
f7d2161e55 [v9_11] fix building of markdown output on docs 2017-04-26 16:20:23 -07:00
Mukund Sivaraman
3b38e4b834 Set a LMDB mapsize and also provide a config option to control it (#44954)
(cherry picked from commit 241b49e611)
2017-04-26 23:55:27 +05:30
Tinderbox User
b5f1f8f06e regen v9_11 2017-04-26 01:10:34 +00:00
Tinderbox User
40f40073d3 update copyright notice / whitespace 2017-04-25 23:45:59 +00:00
Tinderbox User
b06265857b regen v9_11 2017-04-25 01:10:35 +00:00
Tinderbox User
5d52a1fe1b update copyright notice / whitespace 2017-04-24 23:46:02 +00:00
Tinderbox User
20648865f1 newcopyrights 2017-04-24 23:30:15 +00:00
Evan Hunt
0d24df5c0b [v9_11] allow parallel make
4609.	[cleanup]	Rearrange makefiles to enable parallel execution
			(i.e. "make -j"). [RT #45078]
2017-04-23 23:04:34 -07:00
Mark Andrews
7c1c9b4dcd 4608. [func] DiG now warns about .local queries which are reserved
for Multicast DNS. [RT #44783]

(cherry picked from commit 7ef453bf43)
2017-04-24 11:57:23 +10:00
Mark Andrews
9689922a0d 4606. [port] Stop using experimental "Experimental keys on scalar"
feature of perl as it has been removed. [RT #45012]

(cherry picked from commit a14562e120)
2017-04-24 11:18:11 +10:00
Tinderbox User
9b9b0d5962 regen v9_11 2017-04-24 01:10:30 +00:00
Evan Hunt
1ca2cf0243 [v9_11] update copyrights that had been missed recently 2017-04-23 17:07:59 -07:00
Evan Hunt
8d59536d7c [v9_11] recent_changes script could terminate too early
(cherry picked from commit 58502352f2)
2017-04-23 17:06:46 -07:00
Mark Andrews
1f9754245c update 2017-04-24 09:43:08 +10:00
Tinderbox User
164ade1482 regen v9_11 2017-04-23 01:10:00 +00:00
Mukund Sivaraman
5fb7dd046e Add missing types for non-threaded build
(cherry picked from commit b1568eeedc)
2017-04-22 19:59:59 +05:30
Evan Hunt
02989eceef [v9_11] openssl backward compatibility fix
4604.	[bug]		Don't use ERR_load_crypto_strings() when building
			with OpenSSL 1.1.0. [RT #45117]

(cherry picked from commit 4c31eda5e1)
2017-04-21 18:56:28 -07:00
Evan Hunt
0532602218 [v9_11] fix portability issue
(cherry picked from commit 8ee6a6afd8)
2017-04-21 18:16:16 -07:00
Tinderbox User
d0c3b241e5 update copyright notice / whitespace 2017-04-21 23:46:11 +00:00
Evan Hunt
34f649fa22 [v9_11] auto-generate named.conf.docbook
4603.	[doc]		Automatically generate named.conf(5) man page
			from doc/misc/options. Thanks to Tony Finch.
			[RT #43525]
2017-04-21 16:30:51 -07:00
Evan Hunt
8b9c4592ed [v9_11] give threads unique names to assist debugging
4602.	[func]		Threads are now set to human-readable
			names to assist debugging, when supported by
			the OS. [RT #43234]

(cherry picked from commit d26ae7fc08)
2017-04-21 14:00:15 -07:00
Evan Hunt
c03cca4629 [v9_11] clear out relnotes 2017-04-21 13:37:32 -07:00
Evan Hunt
32ceffe2d8 [v9_11] typo in rndc doc
(cherry picked from commit b9e736f4f6)
2017-04-21 13:16:51 -07:00
Mukund Sivaraman
264e17e739 Reject incorrect RSA key lengths during key generation and and sign/verify context creation (#45043)
(cherry picked from commit 239e9dc81c)
2017-04-21 19:04:50 +05:30
Mukund Sivaraman
9a8b2b3ab3 Adjust RPZ trigger counts only when the entry being deleted exists (#43386)
(cherry picked from commit f23c10f925)
2017-04-21 17:13:45 +05:30
Mukund Sivaraman
eeb16584fb Fix inconsistencies in inline signing time comparisons (#42112)
(cherry picked from commit 4176d278e2)
2017-04-21 16:44:51 +05:30
Mukund Sivaraman
9540b42695 Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)
(cherry picked from commit 5d01eab088)
2017-04-21 16:20:57 +05:30
Mukund Sivaraman
fec9247b8f Validate glue before adding it to the additional section (#45062)
(cherry picked from commit b0dbcba2d2)
2017-04-21 15:46:07 +05:30
Evan Hunt
0d7548ee34 [v9_11] update README, remove FAQ
4593.	[doc]		Update README using markdown, remove outdated FAQ
			file in favor of the knowledge base.
2017-04-20 19:30:41 -07:00
Tinderbox User
c32570b319 regen v9_11 2017-04-21 01:09:10 +00:00
Evan Hunt
2883bbaef3 [v9_11] fix change number 2017-04-20 17:43:25 -07:00
Evan Hunt
527163f0e5 [v9_11] fix dispatch.c shutdown race
4952.	[bug]		A race condition on shutdown could trigger an
			assertion failure in dispatch.c. [RT #43822]

(cherry picked from commit 019132b70c)
2017-04-20 17:41:58 -07:00
Evan Hunt
62a6147e51 [v9_11] python 3 compatibility
4591.	[port]		Addressed some python 3 compatibility issues.
			Thanks to Ville Skytta. [RT #44955] [RT #44956]

(cherry picked from commit 6d19d975c6)
2017-04-20 17:30:58 -07:00
Mark Andrews
4c432aae90 4590. [bug] Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
properly detected. [RT #44871]

(cherry picked from commit 88740c7fce)
2017-04-21 10:03:50 +10:00
Tinderbox User
d63ae51ba3 update copyright notice / whitespace 2017-04-20 23:46:08 +00:00
Tinderbox User
9218b940fe newcopyrights 2017-04-20 23:30:24 +00:00
Evan Hunt
bf053e878c [v9_11] correct a mistake in nsupdate help
(cherry picked from commit bdbdc69a75)
2017-04-20 16:17:36 -07:00
Evan Hunt
3195754154 [v9_11] some output was not silenced with configure -q
4589.	[cleanup]	"configure -q" is now silent. [RT #44829]

(cherry picked from commit 897049d129)
2017-04-20 15:09:54 -07:00
Evan Hunt
9115769563 [v9_11] nsupdate: send tkey queries to the right server
4588.	[bug]		nsupdate could send queries for TKEY to the wrong
			server when using GSSAPI. Thanks to Tomas Hozza.
			[RT #39893]

(cherry picked from commit 66b71679b7)
2017-04-20 09:29:33 -07:00
Mark Andrews
7863128078 fix 'minimal-any yes;' to force TCP / UDP
(cherry picked from commit 706c6ac5e2)
2017-04-20 21:06:02 +10:00
Mark Andrews
fd0d60b3a0 4587. [bug] named-checkzone failed to handle occulted data below
DNAMEs correctly. [RT #44877]

(cherry picked from commit 600b027731)
2017-04-20 13:29:53 +10:00
Mark Andrews
3001a1b4e6 4586. [func] dig, host and nslookup now use TCP for ANY queries.
[RT #44687]

(cherry picked from commit 033a59090c)
2017-04-20 13:24:26 +10:00
Mark Andrews
1bce43adcc 4585. [port] win32: Set CompileAS value. [RT #42474]
(cherry picked from commit 3742338a7b)
2017-04-20 12:42:39 +10:00
Mark Andrews
52cae869e0 4574. [bug] Dig leaked memory with multiple +subnet options.
[RT #44683]

(cherry picked from commit af2b20ee3f)
2017-04-20 10:29:25 +10:00
Mark Andrews
da4823c08a 4584. [bug] A number of memory usage statistics were not properly
reported when they exceeded 4G.  [RT #44750]

(cherry picked from commit ddac00e3e0)
2017-04-20 10:22:26 +10:00
Evan Hunt
d15af1c3c2 [v9_11] README was missing CVE-2016-9444 2017-04-17 21:05:47 -07:00
Tinderbox User
dc524b82fc update copyright notice / whitespace 2017-04-17 23:46:03 +00:00
Tinderbox User
5aebd7e7af newcopyrights 2017-04-17 23:30:15 +00:00
Evan Hunt
e2ab8249c4 [v9_11] fix out of tree build error
(cherry picked from commit 28cff4f924)
2017-04-17 14:31:50 -07:00
Tinderbox User
e3dc2e7b99 regenerate 2017-04-14 03:58:25 +00:00
Tinderbox User
67794b68b2 regen v9_11 2017-04-14 03:58:23 +00:00
Evan Hunt
62b5dd5b09 [v9_11] prep 9.11.1 2017-04-13 20:41:42 -07:00
Tinderbox User
90d71c30af regen v9_11 2017-04-12 21:29:38 +00:00
Evan Hunt
869cb92bab [v9_11] formatting
(cherry picked from commit 52e398c0af)
2017-04-12 14:06:04 -07:00
Tinderbox User
c52dde9229 regen v9_11 2017-04-12 01:09:13 +00:00
Tinderbox User
5a0fe4f483 update copyright notice / whitespace 2017-04-11 23:46:04 +00:00
Tinderbox User
66317da170 newcopyrights 2017-04-11 23:30:14 +00:00
Evan Hunt
672c06580e [v9_11] correct -M in synopsis
(cherry picked from commit a477a025d5)
2017-04-11 12:24:36 -07:00
Tinderbox User
f2c50d7dd2 regenerate 2017-03-29 22:07:27 +00:00
Tinderbox User
19a1241d2f regen v9_11 2017-03-29 22:07:25 +00:00
Mark Andrews
33cc2edb8e add CVE-2017-3138
(cherry picked from commit fe1ad70e51)
2017-03-30 02:57:02 +11:00
Tinderbox User
48900a8f62 regen v9_11 2017-03-26 01:09:12 +00:00
Tinderbox User
7d169212b4 update copyright notice / whitespace 2017-03-25 23:46:04 +00:00
Tinderbox User
551e6d2414 newcopyrights 2017-03-25 23:30:13 +00:00
Evan Hunt
cf710c81ae [v9_11] document that delv should be used instead of sigchase
(cherry picked from commit db93f3d4b3)
2017-03-25 12:23:14 -07:00
Tinderbox User
003e956a96 update copyright notice / whitespace 2017-03-24 23:46:02 +00:00
Tinderbox User
3718b6ecfc newcopyrights 2017-03-24 23:30:15 +00:00
Mark Andrews
8c31a25f3f 4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]

(cherry picked from commit 8e8dfc5941)
2017-03-25 02:01:10 +11:00
Tinderbox User
3be4330b77 update copyright notice / whitespace 2017-03-16 23:47:44 +00:00
Tinderbox User
c317b09bf1 newcopyrights 2017-03-16 23:30:23 +00:00
Mark Andrews
8bcd80824c 4581. [port] Linux: Add getpid and getrandom to the list of system
calls named uses for seccomp. [RT #44883]

(cherry picked from commit f94f3e2791)
2017-03-16 11:23:36 +11:00
Tinderbox User
975ff35d85 regen v9_11 2017-03-15 01:10:42 +00:00
Mark Andrews
7fcbbd6fa9 4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]

(cherry picked from commit 638c7c635d)
2017-03-14 15:12:03 +11:00
Francis Dupont
457de041a9 Visual Studio 2017 was published 2017-03-10 08:00:36 +01:00
Mark Andrews
d81a3ca82c adjust range
(cherry picked from commit 9301c35ae6)
2017-03-02 12:34:17 +11:00
Mark Andrews
0e5fbd523a allow more time for the IPv6 transfer attemt to timeout and fall over to IPv4
(cherry picked from commit d411448ceb)
2017-03-02 12:19:55 +11:00
Tinderbox User
f9ecaf8a4a regen v9_11 2017-03-01 02:43:28 +00:00
Tinderbox User
d1bc66f4df update copyright notice / whitespace 2017-03-01 01:54:03 +00:00
Tinderbox User
eab4f224b5 newcopyrights 2017-03-01 01:51:21 +00:00
Mark Andrews
c006cfc5a2 Reimplement:
4578.   [security]      Some chaining (CNAME or DNAME) responses to upstream
                        queries could trigger assertion failures.
                        (CVE-2017-3137) [RT #44734]

(cherry picked from commit f240f4a5de)
2017-03-01 12:02:39 +11:00
Tinderbox User
cb9582623e update copyright notice / whitespace 2017-02-28 23:45:56 +00:00
Tinderbox User
32eb4cec6f newcopyrights 2017-02-28 23:30:10 +00:00
Mark Andrews
cfeb569d54 fix nsupdate reference
(cherry picked from commit 02fa49a4d8)
2017-03-01 08:34:26 +11:00
Tinderbox User
168c82cb5d regenerate 2017-02-24 02:40:06 +00:00
Tinderbox User
8dcec3cf25 regen v9_11 2017-02-24 01:08:12 +00:00
Evan Hunt
559cbe04e7 [v9_11] remove unnecessary INSIST and prep 9.11.1rc2
4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

(cherry picked from commit a1365a0042)
2017-02-23 14:55:10 -08:00
Mark Andrews
fd71f5a87f dns_master_styleflags returns dns_masterstyle_flags_t 2017-02-20 17:38:56 +11:00
Mark Andrews
4acedf9e13 explicitly cast to (unsigned int) 2017-02-20 17:29:18 +11:00
Tinderbox User
0f863f054c regen v9_11 2017-02-16 01:53:58 +00:00
Mark Andrews
1d0815a2b5 remove redundant $Id 2017-02-16 12:33:08 +11:00
Mark Andrews
c75bf330fc update copyrights 2017-02-16 12:30:34 +11:00
Mark Andrews
6ef61e7645 9.11.1 2017-02-16 12:27:40 +11:00
Mark Andrews
ab92948efa record ranges; account for -P's 2017-02-16 12:20:59 +11:00
Tinderbox User
6afd7f9c56 regen v9_11 2017-02-16 01:08:56 +00:00
Mark Andrews
42f4ea6317 add CVE-2017-3136 note
(cherry picked from commit d77eadc261)
2017-02-15 12:45:30 +11:00
Mark Andrews
94a94fca24 update description 2017-02-15 12:38:01 +11:00
Mark Andrews
b81977ae70 4575. [security] Dns64 with break-dnssec yes; can result in a
assertion failure. (CVE-2017-3136) [RT #44653]

(cherry picked from commit 3bce12e4b6)
2017-02-15 12:22:53 +11:00
Tinderbox User
4d4242b744 regen v9_11 2017-02-08 01:08:12 +00:00
Evan Hunt
6043c4453d [v9_11] doc style 2017-02-07 08:18:55 -08:00
Tinderbox User
d64eb56a2d regen v9_11 2017-02-07 01:07:48 +00:00
Evan Hunt
8e69860942 [v9_11] removed extra note about bind.keys update 2017-02-06 14:18:37 -08:00
Evan Hunt
ece26dd7d7 [v9_11] fix build errors from inline macros (change 4565) 2017-02-06 10:42:31 -08:00
Mark Andrews
9ecedaea58 4571. [bug] Out-of-tree builds of backtrace_test failed.
(cherry picked from commit 3e48466e0a)
2017-02-06 13:46:30 +11:00
Tinderbox User
0726d872f6 newcopyrights 2017-02-05 23:30:07 +00:00
Tinderbox User
105a34268c regenerate 2017-02-05 07:00:20 +00:00
Tinderbox User
33c9436ef1 regen v9_11 2017-02-05 06:45:22 +00:00
Evan Hunt
43769594c0 [v9_11] prep 9.11.1rc1 2017-02-04 22:30:16 -08:00
Evan Hunt
59f34c1fc7 [v9_11] release note about new root key 2017-02-04 22:15:30 -08:00
Tinderbox User
1a6f02ce4a regen v9_11 2017-02-05 01:08:44 +00:00
Tinderbox User
1617002c78 update copyright notice / whitespace 2017-02-04 23:46:08 +00:00
Tinderbox User
dc7e5458bb newcopyrights 2017-02-04 23:30:11 +00:00
Evan Hunt
fc8c8966c9 [v9_11] fall back to builtin keys if bind.keys is empty
4570.	[cleanup]	named did not correctly fall back to the built-in
			initializing keys if the bind.keys file was present
			but empty. [RT #44531]
2017-02-04 00:43:32 -08:00
Evan Hunt
f3497a3cb4 [v9_11] revised comment 2017-02-04 00:24:14 -08:00
Evan Hunt
07b7a3eade [v9_11] store local and remote addresses in dnstap
4569.	[func]		Store both local and remote addresses in dnstap
			logging, and modify dnstap-read output format to
			print them. [RT #43595]

(cherry picked from commit 650b5e7592)
2017-02-03 17:11:06 -08:00
Tinderbox User
8c22550776 regen v9_11 2017-02-04 01:09:25 +00:00
Evan Hunt
85a26f938e [v9_11] add "configure --with-bind" option to dnsperf
4568.	[contrib]	Added a --with-bind option to the dnsperf configure
			script to specify BIND prefix path.

(cherry picked from commit adcdff94d9)
2017-02-03 16:29:08 -08:00
Tinderbox User
48ba8af30c update copyright notice / whitespace 2017-02-03 23:46:00 +00:00
Tinderbox User
4e40289129 newcopyrights 2017-02-03 23:30:09 +00:00
Evan Hunt
a09e49f3f4 [v9_11] silence "unused value" warning
(cherry picked from commit f4d20b15a2)
2017-02-03 11:27:00 -08:00
Mark Andrews
a4240242cd remove outdated cvs $Id strings 2017-02-03 18:39:57 +11:00
Mark Andrews
4ed920490a wait longer for the transfer to complete
(cherry picked from commit 04ed4dd4db)
2017-02-03 17:52:05 +11:00
Mark Andrews
4901f2c10b 4567. [port] Call getprotobyname and getservbyname prior to calling
chroot so that shared libraries get loaded. [RT #44537]

(cherry picked from commit c550e75ade)
2017-02-03 14:23:01 +11:00
Tinderbox User
0ce865f8b2 regen v9_11 2017-02-03 01:08:36 +00:00
Tinderbox User
e2ec0753ce update copyright notice / whitespace 2017-02-02 23:46:34 +00:00
Tinderbox User
edd791fb53 newcopyrights 2017-02-02 23:30:31 +00:00
Evan Hunt
8e9dbb6222 [v9_11] support autore in inline macro buffer functions
4565.	[cleanup]	The inline macro versions of isc_buffer_put*()
			did not implement automatic buffer reallocation.
			[RT #44216]

(cherry picked from commit 7769c92946)
2017-02-02 11:33:04 -08:00
Evan Hunt
6ec6741fe7 [v9_11] Revert "fixed build failure when building without LMDB"
This reverts commit d9788e03ad.
2017-02-02 11:28:53 -08:00
Evan Hunt
d9788e03ad [v9_11] fixed build failure when building without LMDB
(cherry picked from commit 8acbf7e4de99bbc4867b02ed87dbbc3761a57ca5)
2017-02-02 11:24:57 -08:00
Evan Hunt
c4cd9250fe [v9_11] Remove obsolete Id lines that showed old date on generated bind.keys.h 2017-02-02 11:16:30 -08:00
Mark Andrews
51b0319696 new root KSK 2017-02-02 18:30:00 +11:00
Mark Andrews
b04e009f8b 9.11.1rc1 2017-02-02 18:16:04 +11:00
Mark Andrews
b5ad091624 4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]

(cherry picked from commit 00a83c64d7)
2017-02-02 17:36:17 +11:00
Mark Andrews
da23e32e41 4563. [bug] Modified zones would occasionally fail to reload.
[RT #39424]

(cherry picked from commit dfe3068ef3)
2017-02-02 17:14:09 +11:00
Evan Hunt
486f8e6644 [v9_11] Merge branch 'v9_11' of ssh://repo.isc.org/proj/git/prod/bind9 into v9_11 2017-02-01 17:53:35 -08:00
Evan Hunt
18ab9a0a34 [v9_11] Squashed commit of the following:
4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]

(cherry picked from commit 6cb5e36ca3)
2017-02-01 17:31:22 -08:00
Tinderbox User
217ccfa85b regen v9_11 2017-02-02 01:08:17 +00:00
Evan Hunt
f3a6bb528f [v9_11] clarify client logging doc 2017-02-01 14:51:14 -08:00
Tinderbox User
4269c36906 update copyright notice / whitespace 2017-01-31 23:46:16 +00:00
Tinderbox User
11ebeaa09e newcopyrights 2017-01-31 23:30:21 +00:00
Tinderbox User
2acf9aa8ff regen v9_11 2017-01-31 01:09:23 +00:00
Evan Hunt
05fce8cfff [v9_11] address portability issues
(cherry picked from commit a2bd99a959)
2017-01-30 16:52:32 -08:00
Mark Andrews
c2c386119e add a REQUIRE to catch the NULL pointer dereference that triggered CVE-2017-3135
(cherry picked from commit 1d8995d226)
2017-01-31 11:21:09 +11:00
Evan Hunt
781f6daa74 [v9_11] change 4558 was incomplete
(cherry picked from commit cd668ea57f)
2017-01-30 14:11:17 -08:00
Tinderbox User
1520c6474f newcopyrights 2017-01-25 23:30:05 +00:00
Tinderbox User
adabefa84c regen v9_11 2017-01-25 01:08:40 +00:00
Tinderbox User
5688a47c15 update copyright notice / whitespace 2017-01-24 23:45:58 +00:00
Tinderbox User
abe52cd988 newcopyrights 2017-01-24 23:30:10 +00:00
Evan Hunt
c742ef745e [v9_11] CHANGES typo 2017-01-24 13:09:55 -08:00
Mark Andrews
8ce73e5c8c fix changes note 2017-01-24 17:53:30 +11:00
Mark Andrews
832f5803f6 4560. [bug] mdig: add -m option to enable memory debugging rather
than have in on all the time. [RT #44509]

4559.   [bug]           Openssl_link.c didn't compile if ISC_MEM_TRACKLINES
                        was turned off.  [RT #44509]

(cherry picked from commit 25da687db7)
2017-01-24 17:49:08 +11:00
Mark Andrews
4441328a1d 4558. [bug] Synthesised CNAME before matching DNAME was still
being cached when it should have been.  [RT #44318]

(cherry picked from commit 9f4bf43b79)
2017-01-24 17:41:17 +11:00
Evan Hunt
2f70ce448a [v9_11] expand relnote
(cherry picked from commit afa0ff0cbb)
2017-01-23 20:04:30 -08:00
Mark Andrews
f2e8131f50 fix changes number 2017-01-24 12:39:17 +11:00
Tinderbox User
801d3c8888 regen v9_11 2017-01-24 01:08:44 +00:00
Mark Andrews
22e3ffcf2c 4556. [security] Combining dns64 and rpz can result in dereferencing
a NULL pointer (read).  (CVE-2017-3135) [RT#44434]

(cherry picked from commit 5abe80ef13)
2017-01-24 09:54:54 +11:00
Tinderbox User
2f4e3e45d6 update copyright notice / whitespace 2017-01-19 23:46:07 +00:00
Tinderbox User
2ca9cf1582 newcopyrights 2017-01-19 23:30:10 +00:00
Mark Andrews
eb032a17ef whitespace
(cherry picked from commit bf0b649993)
2017-01-19 13:16:35 +11:00
Tinderbox User
9b2743294c update copyright notice / whitespace 2017-01-14 23:46:06 +00:00
Tinderbox User
a778b94bdb newcopyrights 2017-01-14 23:30:09 +00:00
Mark Andrews
7bcba68b95 4554. [bug] Remove double unlock in dns_dispatchmgr_setudp.
[RT #44336]

(cherry picked from commit 5dfa5221d5)
2017-01-14 13:14:25 +11:00
Tinderbox User
00860eece0 update copyright notice / whitespace 2017-01-13 23:46:05 +00:00
Tinderbox User
08b7d06946 newcopyrights 2017-01-13 23:30:10 +00:00
Mark Andrews
1de3115e8c make e's declaration unconditional. [RT #44324]
(cherry picked from commit b8eee0f48d)
2017-01-13 16:10:39 +11:00
Mark Andrews
88840c01be remove false negatives (add eol to grep patterns; add missing ret=0)
(cherry picked from commit bcfaac260a)
2017-01-13 16:00:17 +11:00
Tinderbox User
fb2e132c5c regen v9_11 2017-01-13 01:08:50 +00:00
Tinderbox User
f6b9092741 update copyright notice / whitespace 2017-01-12 23:46:13 +00:00
Tinderbox User
e1ebc476b0 newcopyrights 2017-01-12 23:30:29 +00:00
Mark Andrews
c2687b0594 address shadow warning 2017-01-13 09:13:57 +11:00
Evan Hunt
445b0e72d7 [v9_11] more specific date for DLV shutdown warning 2017-01-12 09:11:17 -08:00
Mark Andrews
2cee8eadec 4553. [bug] Named could deadlock there were multiple changes to
NSEC/NSEC3 parameters for a zone being processed at
                        the same time. [RT #42770]

(cherry picked from commit d2e1b47d4f)
2017-01-12 14:26:06 +11:00
Mark Andrews
9e4e871392 4552. [bug] Named could trigger a assertion when sending notify
messages. [RT #44019]

(cherry picked from commit 42924b40af)
2017-01-12 14:18:01 +11:00
Mark Andrews
81df1363fb 4552. [bug] Named could trigger a assertion when sending notify
messages. [RT #44019]

(cherry picked from commit 7b9e28f1a5)
2017-01-12 14:12:38 +11:00
Mark Andrews
800cfc8a5c --enable-developer now compiles bin/tests's XTARGETS [RT #44205]
(cherry picked from commit 434477aa02)
2017-01-12 14:03:05 +11:00
Mark Andrews
0de20c29f3 remove false positives due to bad grep [RT #44178]
(cherry picked from commit 0c43d50368)
2017-01-12 13:59:24 +11:00
Mark Andrews
3b6e750bb7 win2utils/Configure report modify file list [RT #43994]
(cherry picked from commit 260ca42f96)
2017-01-12 13:47:38 +11:00
Mark Andrews
08397f5b6c 4551. [test] Add system tests for integrity checks of MX and
SRV records. [RT #43953]

(cherry picked from commit 750619b7a8)
2017-01-12 13:34:16 +11:00
Tinderbox User
3b7f610bec update copyright notice / whitespace 2017-01-11 23:45:54 +00:00
Tinderbox User
4c721f0e45 newcopyrights 2017-01-11 23:30:06 +00:00
Evan Hunt
e63d63dc85 [v9_11] expand the flags field in dns_master_style
4550.	[cleanup]	Increased the number of available master file
			output style flags from 32 to 64. [RT #44043]

(cherry picked from commit 2e703d7b61)
2017-01-11 12:01:06 -08:00
Tinderbox User
de2cc8b872 newcopyrights 2017-01-05 23:30:09 +00:00
Tinderbox User
36b7137e99 regen v9_11 2017-01-05 01:08:54 +00:00
Tinderbox User
231d6c83c3 sync 2017-01-05 01:05:25 +00:00
Tinderbox User
2728d0618e update copyright notice / whitespace 2017-01-04 23:45:48 +00:00
Tinderbox User
c7fd128f8e newcopyrights 2017-01-04 23:30:35 +00:00
Tinderbox User
5e013c280f regen v9_11 2017-01-04 01:08:57 +00:00
Evan Hunt
f5c17a057f [v9_11] add support for native pkcs11 on keyper
4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
			Keyper HSM. [RT #42463]
2017-01-03 16:42:07 -08:00
Evan Hunt
e7f06a8535 [v9_11] don't use binmode when setting up files for VS2005 (XP build) 2016-12-29 14:22:26 -08:00
Mark Andrews
4266303103 remove #!/usr/bin/python
(cherry picked from commit 813ff2d277)
2016-12-29 23:38:33 +11:00
Mark Andrews
5f135a3198 add copyright notice
(cherry picked from commit da40ddaeca)
2016-12-29 23:12:33 +11:00
Mark Andrews
1992e14919 fix ProjectGuid 2016-12-29 19:37:39 +11:00
Mark Andrews
b3d1215c49 fix ProjectGuid 2016-12-29 19:35:20 +11:00
Mark Andrews
f7f5220b95 fix ProjectGuid 2016-12-29 19:32:30 +11:00
Tinderbox User
d6b834c98c regenerate 2016-12-29 05:23:33 +00:00
Tinderbox User
0da02c26a6 regen v9_11 2016-12-29 05:02:27 +00:00
Evan Hunt
971d346eae [v9_11] README 2016-12-28 20:39:00 -08:00
Evan Hunt
ac424b61bb [v9_11] release notes 2016-12-28 20:19:10 -08:00
Evan Hunt
7fa388dac3 [v9_11] silence warning
(cherry picked from commit b3aebb5890)
2016-12-28 17:54:39 -08:00
Mark Andrews
d6080de9be 9.11.1b1 2016-12-29 12:26:27 +11:00
Mark Andrews
b1ab6766f7 spelling 2016-12-29 12:07:23 +11:00
Mark Andrews
701aa95d96 4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
                        resulting in a assertion failure. (CVE-2016-9147)
                        [RT #43548]

(cherry picked from commit 6adf421e7e)
2016-12-29 11:49:06 +11:00
Mark Andrews
b243aa40f9 4508. [security] Named incorrectly tried to cache TKEY records which
could trigger a assertion failure when there was
                            a class mismatch. (CVE-2016-9131) [RT #43522]

(cherry picked from commit 2c1c4b99a1)
2016-12-29 11:17:14 +11:00
Tinderbox User
2a2618356e update copyright notice / whitespace 2016-12-28 23:50:44 +00:00
Mark Andrews
2595d1da35 4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
                        (CVE-2016-9444) [RT # 43632]

(cherry picked from commit 1df30cfd27c5a3c57fce357c54aaf6c702227d51)
2016-12-29 10:41:06 +11:00
Tinderbox User
bf19cffa72 newcopyrights 2016-12-28 23:30:54 +00:00
Mark Andrews
9609899255 4531. [security] 'is_zone' was not being properly updated by redirect2
and subsequently preserved leading to an assertion
                        failure. (CVE-2016-9778) [RT #43837]

(cherry picked from commit d376792dae)
2016-12-29 10:27:21 +11:00
Evan Hunt
58f15381f7 [v9_11] expand intro 2016-12-28 13:20:44 -08:00
Evan Hunt
544e2b48ec [v9_11] release notes 2016-12-28 11:51:06 -08:00
Evan Hunt
6649db1ca4 [v9_11] release note 2016-12-28 11:09:12 -08:00
wpk
397b24d008 [master] Remove spurious entry in lib/dns/win32/libdns.def.in 2016-12-28 19:22:13 +01:00
wpk
b1866070ef 4545. [func] Make dnstap-read output more functionally usable.
[RT #43642]

4544.	[func]		Add message/payload size to dnstap-read YAML output.
			[RT #43622]
2016-12-28 11:58:08 +01:00
Mark Andrews
6b45fd062b 4543. [bug] dns_client_startupdate now delays sending the update
request until isc_app_ctxrun has been called.
                        [RT #43976]

(cherry picked from commit 6f94747270)
2016-12-28 15:51:47 +11:00
Mark Andrews
72cae054ad 4541. [bug] rndc addzone should properly reject non master/slave
zones. [RT #43665]

(cherry picked from commit e20db12918)
2016-12-28 10:28:54 +11:00
Tinderbox User
ffe29868b4 regen v9_11 2016-12-27 01:11:28 +00:00
Evan Hunt
d438157f7e [v9_11] clarify auth ECS is not meant for production use 2016-12-26 16:52:14 -08:00
Tinderbox User
cec9fddbaf update copyright notice / whitespace 2016-12-26 23:47:35 +00:00
Tinderbox User
4b568c8873 newcopyrights 2016-12-26 23:30:52 +00:00
Mark Andrews
f1e3dd087b 4540. [bug] Correctly handle ecs entries in dns_acl_isinsecure.
[RT #43601]

(cherry picked from commit 8e333f42ef)
2016-12-27 09:50:08 +11:00
Mark Andrews
23ac7e6634 4539. [bug] Referencing a nonexistant zone with rpz could lead
to a assertion failure when configuring. [RT #43787]

(cherry picked from commit 762c4fc5a8)
2016-12-27 09:13:40 +11:00
Mark Andrews
458e816ed0 4538. [bug] Call dns_client_startresolve from client->task.
[RT #43896]

(cherry picked from commit aceabacdb8)
2016-12-27 07:02:58 +11:00
Mark Andrews
641dede12a if gen fails remove the file [RT #43949]
(cherry picked from commit e17d2f98be)
2016-12-23 09:20:48 +11:00
Mark Andrews
b8e7abc50e freeaddrinfo is called too early.
(cherry picked from commit c1870d0e44)
2016-12-15 09:39:51 +11:00
Mark Andrews
d84a356d4b 4537. [bug] Handle timouts better in dig/host/nslookup. [RT #43576]
(cherry picked from commit 6089c8df71)
2016-12-14 15:44:02 +11:00
Tinderbox User
8852646542 update copyright notice / whitespace 2016-12-13 23:47:43 +00:00
Mark Andrews
bc2510a6a5 4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
when reusing the event structure. [RT #43885]

(cherry picked from commit a678e70481)
2016-12-14 10:43:24 +11:00
Mark Andrews
1160ea4c28 4535. [bug] Address race condition in setting / testing of
DNS_REQUEST_F_SENDING. [RT #43889]

(cherry picked from commit 37a8db0ba4)
2016-12-14 10:33:04 +11:00
Tinderbox User
edfc6f05ea newcopyrights 2016-12-13 23:30:46 +00:00
Mark Andrews
348d80fb84 4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]
(cherry picked from commit def6b33bad)
2016-12-13 16:27:49 +11:00
Mark Andrews
47071b7310 spelling 2016-12-13 16:19:20 +11:00
Mark Andrews
45f206e6c1 4533. [bug] dns_client_update should terminate on prerequiste
failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
                        and also on BADZONE.  [RT #43865]

(cherry picked from commit 8ca45ba01a)
2016-12-13 15:48:20 +11:00
Mark Andrews
3bab13a6df number all resolver tests
(cherry picked from commit 4914e3ddc6)
2016-12-13 15:05:31 +11:00
Tinderbox User
dfc3a0fffd newcopyrights 2016-12-12 23:30:34 +00:00
Evan Hunt
1b63e3c2fd [v9_11] tweak logfileconfig test so it can pass on slower machines
(cherry picked from commit 76a26842a9)
2016-12-12 12:13:10 -08:00
Mark Andrews
f6f3264d8c 4532. [contrib] Make gen-data-queryperf.py python 3 compatible.
[RT #43836]

(cherry picked from commit 043ae106d2)
2016-12-12 17:47:18 +11:00
Mark Andrews
d77cab69bf 4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
                        [RT #43779]

(cherry picked from commit 60cb462c56)
2016-12-09 12:51:09 +11:00
Evan Hunt
f1b29d8428 [v9_11] silence DSCP probing error
4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
			due to firewall rules. [RT #43847]

(cherry picked from commit f2c7ae114a)
2016-12-08 08:44:44 -08:00
Mark Andrews
d0c5ff7f65 4528. [bug] Only set the flag bits for the i/o we are waiting
for on EPOLLERR or EPOLLHUP. [RT #43617]

(cherry picked from commit c1619b8420)
2016-12-08 17:00:37 +11:00
Tinderbox User
7911e6f9de regen v9_11 2016-12-07 01:09:50 +00:00
Mark Andrews
83a28ca274 4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
(cherry picked from commit 1b8ce3b330)
2016-12-07 10:50:50 +11:00
Tinderbox User
9a4743fca8 update copyright notice / whitespace 2016-12-05 23:47:38 +00:00
Tinderbox User
65a8034126 newcopyrights 2016-12-05 23:30:55 +00:00
Tinderbox User
d983757c61 regenerate 2016-12-05 19:19:10 +00:00
Tinderbox User
a9ba09c109 regen v9_11 2016-12-05 18:28:40 +00:00
Evan Hunt
1585a9f239 [v9_11] fixed ARM grammars
4526.	[doc]		Corrected errors and improved formatting of
			grammar defintiions in the ARM. [RT #43739]
2016-12-05 00:43:37 -08:00
Mark Andrews
b00d77e4f2 look $UNLIMITEDFILE.4 as $UNLIMITEDFILE.5 may not exist yet 2016-12-05 18:20:18 +11:00
Evan Hunt
2fb4184d9d [v9_11] fix managed-keys doc
4525.	[doc]		Fixed outdated documentation on managed-keys.
			[RT #43810]

(cherry picked from commit e1ba21bd58)
2016-12-04 20:22:38 -08:00
Mark Andrews
5be93f5dff 4524. [bug] The net zero test was broken causing IPv4 servers
with addresses ending in .0 to be rejected. [RT #43776]

(cherry picked from commit df372d967e)
2016-12-05 10:47:38 +11:00
Mark Andrews
52254f7526 added -T keepstderr to keep stderr open when daemonizing [RT #43736]
(cherry picked from commit c9ee977f31)
2016-12-05 10:38:50 +11:00
Mukund Sivaraman
6ae22c4119 Add doc function for cfg_type_querysource4 and cfg_type_querysource6 (#43768)
(cherry picked from commit 5c843b384d)
2016-12-02 11:17:14 +05:30
Mark Andrews
0d22fc8758 update 2016-12-01 10:39:25 +11:00
Tinderbox User
ac946c1f16 regen v9_11 2016-11-30 01:10:50 +00:00
Mark Andrews
74d98566ed 4522. [bug] Handle big gaps in log file version numbers better.
[RT #38688]

(cherry picked from commit cab871f1bc)
2016-11-30 11:00:49 +11:00
Tinderbox User
2a2335a013 update copyright notice / whitespace 2016-11-29 23:47:26 +00:00
Evan Hunt
1c89e89eaf [v9_11] log as error if entropy unavailable
4521.	[cleanup]	Log it as an error if an entropy source is not
			found and there is no fallback available. [RT #43659]

(cherry picked from commit 6bdb70057d)
2016-11-29 11:30:47 -08:00
Mark Andrews
0c2d891abe 4520. [cleanup] Alphabetise more of the grammar when printing it
out. Fix unbalanced indenting. [RT #43755]

(cherry picked from commit 4352551d23)
2016-11-29 15:33:37 +11:00
Mark Andrews
fd017eea63 4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
(cherry picked from commit a611e44f9a)
2016-11-29 11:29:23 +11:00
Tinderbox User
f0aad53417 regen v9_11 2016-11-25 21:04:54 +00:00
Mark Andrews
ae07f624ff automate insertion of copyright year list into Bv9ARM-book.xml
(cherry picked from commit e527dcdb00)
2016-11-26 07:50:06 +11:00
Francis Dupont
50cdb3af69 Added VS 2017 RC 2016-11-24 17:20:44 +01:00
Mark Andrews
6ef1cdec9a 4516. [bug] isc_socketmgr_renderjson was missing from the
windows build. [RT #43602]

(cherry picked from commit 358c6ecd26)
2016-11-22 12:08:26 +11:00
Tinderbox User
1008577c67 update copyright notice / whitespace 2016-11-19 23:47:47 +00:00
Curtis Blackburn
294ef74e5a 4515. [port] FreeBSD: Find readline headers when they are in
edit/readline/ instead of readline/. [RT #43658]
2016-11-18 11:12:28 -08:00
Tinderbox User
e3db607c92 sync 2016-11-17 01:06:34 +00:00
Mark Andrews
42a79fde4c check the value of s
(cherry picked from commit 28f344c18a)
2016-11-15 16:52:31 +11:00
Mukund Sivaraman
32f4f500a5 Update CHANGES entry to match KB article
(cherry picked from commit ea3c3afadc)
2016-11-14 14:24:19 +09:00
Mark Andrews
0bd3042bb3 add --ipv6only=no test
(cherry picked from commit 415eeebda4)
2016-11-11 10:00:33 +11:00
Mark Andrews
fe6557e590 4514. [port] NetBSD: strip -WL, from ld command line. [RT #43204]
(cherry picked from commit 69e77384fa)
2016-11-10 11:34:01 +11:00
Mark Andrews
21e5f9c5cd 4513. [cleanup] Minimum Python versions are now 2.7 and 3.2.
[RT #43566]

(cherry picked from commit 472e99cfa6)
2016-11-10 09:51:19 +11:00
Mark Andrews
9eb4bce9e1 don't call dst_lib_destroy in t2_vfy
(cherry picked from commit 1106845b4e)
2016-11-09 17:04:34 +11:00
Mark Andrews
e0f1907562 locks are only need in OpenSSL < 1.1 2016-11-09 10:06:34 +11:00
Mark Andrews
704f73353d only call dns_test_begin once
(cherry picked from commit f13c7b01746a07bef87a386ceff93ccb2a7488a9)
(cherry picked from commit 56c6fc0dac)
2016-11-09 10:03:47 +11:00
Mark Andrews
a135cb62d3 remove spurious newline [RT #43585]
(cherry picked from commit fed2f7e4c1)
2016-11-09 08:27:27 +11:00
Evan Hunt
0fdb1e5cb7 [v9_11] typo in comment 2016-11-08 09:06:30 -08:00
Mark Andrews
4df43743ab 4512. [bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in.
[RT #43556]

(cherry picked from commit 084d88f67b)
2016-11-07 10:04:30 +11:00
Mark Andrews
60c47284e4 4511. [bug] win32: mdig.exe-BNFT was missing Configure. [RT #43554] 2016-11-07 09:55:16 +11:00
Francis Dupont
fb87feb6e7 Fixed filter-aaaa prereq.sh 2016-11-04 14:56:48 +01:00
Mark Andrews
34996e0aa5 cleanup 2016-11-03 15:25:23 +11:00
Evan Hunt
7a3d063847 [v9_11] make rrl system test more robust
4509.	[test]		Make the rrl system test more reliable on slower
			machines by using mdig instead of dig. [RT #43280]

(cherry picked from commit 1e2aca8d90)
2016-11-02 20:56:27 -07:00
Evan Hunt
7802f7d3a9 [v9_11] corrected typo in nsupdate test (DIG-->$DIG) 2016-11-02 19:34:49 -07:00
Tinderbox User
45571e7374 regen v9_11 2016-11-03 01:12:32 +00:00
Tinderbox User
9ab989b88c update copyright notice / whitespace 2016-11-02 23:48:10 +00:00
Tinderbox User
5382b244c3 newcopyrights 2016-11-02 23:31:13 +00:00
Mark Andrews
68770381db add dns_db_getsize, dns_rdataslab_count, dns_zone_getmaxrecords, dns_zone_setmaxrecords
(cherry picked from commit aee76db9e3)
2016-11-03 09:48:40 +11:00
Mark Andrews
744c1db635 4504. [security] Allow the maximum number of records in a zone to
be specified.  This provides a control for issues
                        raised in CVE-2016-6170. [RT #42143]

(cherry picked from commit 5f8412a4cb)
2016-11-03 09:48:26 +11:00
Evan Hunt
b7ae121eff [v9_11] typo 2016-11-02 09:43:01 -07:00
Francis Dupont
2b8679cf0f Name -> Named 2016-11-02 09:27:48 +01:00
Francis Dupont
66f169daf5 Fixed IP_PMTUDISC_OMIT typos 2016-11-02 09:19:45 +01:00
Mark Andrews
2ea4ed1726 remove review fprintf
(cherry picked from commit a0caf66c97)
2016-11-02 18:04:20 +11:00
Mark Andrews
6db55b4ff9 4507. [bug] Name could incorrectly log 'allows updates by IP
address, which is insecure' [RT #43432]

(cherry picked from commit 2b2b85c897)
2016-11-02 17:54:37 +11:00
Mark Andrews
2ac8829a8a 4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]
(cherry picked from commit a61f252391)
2016-11-02 17:40:27 +11:00
Evan Hunt
e1477f467f [v9_11] restore dropped #else block 2016-11-01 22:34:45 -07:00
Evan Hunt
d9b96d0a42 [v9_11] typo 2016-11-01 20:31:12 -07:00
Evan Hunt
8a5809527e [v9_11] make uninstall
4503.	[cleanup]	"make uninstall" now removes file installed by
			BIND. (This currently excludes Python files
			due to lack of support in setup.py.) [RT #42912]

(cherry picked from commit 6087f87afb)
2016-11-01 19:17:23 -07:00
Mark Andrews
bd19cef223 4502. [func] Report multiple and experimental options when printing
grammar. [RT #43134]

(cherry picked from commit 89286906dc)
2016-11-02 12:50:39 +11:00
Tinderbox User
8d72b87657 regen v9_11 2016-11-02 01:11:47 +00:00
Tinderbox User
31ad8218cc update copyright notice / whitespace 2016-11-01 23:47:34 +00:00
Tinderbox User
620745a4c7 newcopyrights 2016-11-01 23:31:46 +00:00
Mark Andrews
2c629a1b84 'I:exit status: <value>' should be outsied of if
(cherry picked from commit e1c93a0f58)
2016-11-02 09:12:02 +11:00
Mark Andrews
a0e34c90ea 4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]
(cherry picked from commit e200da5044)
2016-11-02 08:46:39 +11:00
Evan Hunt
669e108d67 [v9_11] use arc4random_stir() when available
4499.	[port]		MacOSX: silence deprecated function warning
			by using arc4random_stir() when available
			instead of arc4random_addrandom(). [RT #43503]

(cherry picked from commit 3fb62a5a4e)
2016-11-01 14:00:54 -07:00
Evan Hunt
4b48e6a89e [v9_11] clean up reporting of R:FAIL so it can't spuriously appear mid-test
(cherry picked from commit 7960fc596b)
2016-11-01 13:47:24 -07:00
Evan Hunt
0b0c74d199 [v9_11] fix backport error 2016-10-31 22:47:57 -07:00
Evan Hunt
6552f33198 [v9_11] 4496. [func] dig: add +idnout to control whether labels are
display in punycode or not.  Requires idn support
                        to be enabled at compile time. [RT #43398]

(cherry picked from commit 42470b0b87)
2016-10-31 20:17:28 -07:00
Mark Andrews
fd44151797 check for LIBRESSL_VERSION_NUMBER
(cherry picked from commit b2c1d6f0a2)
2016-11-01 12:49:13 +11:00
Mark Andrews
880fce6a74 add more LIBRESSL_VERSION_NUMBER checks
(cherry picked from commit 429b543086)
2016-11-01 12:37:29 +11:00
Mark Andrews
395fe33465 add more LIBRESSL_VERSION_NUMBER checks
(cherry picked from commit 3d38cfaf8a)
2016-11-01 12:25:03 +11:00
Mark Andrews
48e1d4823c check for LIBRESSL_VERSION_NUMBER
(cherry picked from commit f53fc4540a)
2016-11-01 12:07:30 +11:00
Evan Hunt
45fd95544c [v9_11] simplify prereq checks by using feature-test.c
4498.	[test]		Simplify prerequisite checks in system tests.
			[RT #43516]

(cherry picked from commit 5480a74b70)
2016-10-31 17:47:42 -07:00
Mark Andrews
83baacd8ff update spelling in comment
(cherry picked from commit ace79092b3)
2016-11-01 10:51:53 +11:00
Tinderbox User
e356a7622a update copyright notice / whitespace 2016-10-30 23:47:21 +00:00
Mark Andrews
76af83c9ad 4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]
(cherry picked from commit 1fce0951ed)
2016-10-31 10:05:55 +11:00
Mark Andrews
9e0cd8be9a s/it/not/
(cherry picked from commit bdd2066846)
2016-10-28 15:09:06 +11:00
Mark Andrews
c29c3e51b1 update copyrights 2016-10-28 11:28:44 +11:00
Mark Andrews
fb9cdee4af 4495. [bug] A isc_mutex_init call was it being checked. [RT #43391]
(cherry picked from commit f21645e137)
2016-10-28 11:15:18 +11:00
Francis Dupont
afa016c3c1 Merged rt43345 libisccfg spuriously depended on libisccc 2016-10-27 14:08:10 +02:00
Mark Andrews
2a1860ad83 4494. [bug] Look for <editline/readline.h>. [RT #43429]
(cherry picked from commit 6fbb2b51d8)
2016-10-27 15:49:11 +11:00
Mark Andrews
de6469b663 4493. [bug] bin/tests/system/dyndb/driver/Makefile.in should use
SO_TARGETS. [RT# 43336]

(cherry picked from commit c910fc24ce)
2016-10-27 15:38:25 +11:00
Mark Andrews
d389069a39 4492. [bug] irs_resconf_load failed to initialise sortlistnxt
causing bad writes if resolv.conf contained a
                        sortlist directive. [RT #43459]

(cherry picked from commit 55b78fff62)
2016-10-27 13:18:47 +11:00
Mark Andrews
fd2f4551d9 4491. [bug] Improve message emitted when testing whether sendmsg
works with TOS/TCLASS fails. [RT #43483]

(cherry picked from commit 8eaf918adf)
2016-10-27 09:02:36 +11:00
Mark Andrews
8d0f8e8c2e change 4487 broke the cacheclean test with old version of perl. [RT #43476]
(cherry picked from commit ecd8e95bb5)
2016-10-27 00:09:41 +11:00
Mark Andrews
54ee0b0eef s/,/;/
(cherry picked from commit 856c77cc40)
2016-10-26 22:38:50 +11:00
Mark Andrews
c5e8808e35 4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
(cherry picked from commit 3b7cb2c5b1)
2016-10-21 22:44:42 +11:00
Mark Andrews
7c66fc9700 4489. [security] It was possible to trigger assertions when processing
a response. (CVE-2016-8864) [RT #43465]

(cherry picked from commit bd6f27f5c3)
2016-10-21 14:56:20 +11:00
Mark Andrews
415d630b63 copyrights 2016-10-21 14:25:50 +11:00
Mark Andrews
2a80bc0153 4488. [port] Darwin: use -framework for Kerberos. [RT #43418]
(cherry picked from commit 8d6fefac31)
2016-10-20 10:26:46 +11:00
Witold Krecicki
cc51cd2d20 4487. [test] Make system tests work on Windows. [RT #42931] 2016-10-19 17:21:13 +02:00
Tinderbox User
17697000bc regen v9_11 2016-10-16 01:10:31 +00:00
Mark Andrews
2e0d02503c add managed keys to view section
(cherry picked from commit 7551ec1ebe)
2016-10-16 08:15:36 +11:00
Mark Andrews
3fe7c625ff fix changes numbers
(cherry picked from commit b1b595617b)
2016-10-12 12:34:58 +11:00
Mark Andrews
01387de5a7 further readline changes [RT #43139]
(cherry picked from commit 09f914d2d4)
2016-10-12 11:57:38 +11:00
Tinderbox User
452a97a23d update copyright notice / whitespace 2016-10-11 23:47:26 +00:00
Tinderbox User
bd7a552249 newcopyrights 2016-10-11 23:30:35 +00:00
Mark Andrews
a7dff3d9b0 don't clobber readline
(cherry picked from commit ccf0bea98a)
2016-10-11 17:32:05 +11:00
Mark Andrews
d2605df7e9 fix typo
(cherry picked from commit 6bb84df34d)
2016-10-11 17:05:57 +11:00
Mark Andrews
321f87f8ea don't require lctx to be non NULL
(cherry picked from commit 3793d848bd)
2016-10-11 17:03:16 +11:00
Mark Andrews
2bbab60f50 4485. [bug] Look in $prefix/lib/pythonX.Y/site-packages for
the python modules we install. [RT #43330]

(cherry picked from commit 01862dfaa5)
2016-10-11 15:21:48 +11:00
Mark Andrews
0b612b420d 4484. [bug] Failure to find readline when requested should be
fatal to configure. [RT #43328]

(cherry picked from commit 6caac8d9a9)
2016-10-11 15:16:20 +11:00
Mark Andrews
802e0662ef 4483. [func] Check prefixes in acls to make sure the address and
prefix lengths are consistent.  Warn only in
                        BIND 9.11 and earlier. [RT #43367]
2016-10-11 15:03:24 +11:00
Mark Andrews
af9b975ccc 4482. [bug] Address use before require check and remove extraneous
dns_message_gettsigkey call in dns_tsig_sign.
                        [RT #43374]

(cherry picked from commit 61463ab7a4)
2016-10-11 14:41:01 +11:00
Evan Hunt
94694e720a [v9_11] add cfg_parse_buffer3() function with linenum parameter
4482.	[cleanup]	Change #4455 was incomplete. [RT #43252]

(cherry picked from commit 676ac3cc82)
2016-10-10 17:12:30 -07:00
Mark Andrews
99811850b4 sleep 2 to let in progress lookups complete
(cherry picked from commit d3f29e7a4f)
2016-10-10 14:36:02 +11:00
Evan Hunt
67a42ef55c [v9_11] reset ret between NTA tests
(cherry picked from commit af05768c0e)
2016-10-05 21:07:18 -07:00
Mark Andrews
538c6bd3f1 fix long line
(cherry picked from commit 26d21e2e25)
2016-10-06 14:23:55 +11:00
Tinderbox User
ea640e04ea regen v9_11 2016-10-06 01:09:07 +00:00
Tinderbox User
b9e0ed731a update copyright notice / whitespace 2016-10-05 23:46:11 +00:00
Witold Krecicki
ef1e2f7906 4478. [func] Add +continue option to mdig, allow continue on socket errors. [RT #43281] 2016-10-05 13:51:30 +02:00
Witold Krecicki
e8fab79146 4477. [test] Fix mkeys test timing issues. [RT #41028] 2016-10-05 13:45:37 +02:00
Witold Krecicki
c034b72ba1 4476. [test] Fix reclimit test on slower machines. [RT #43283] 2016-10-05 13:22:22 +02:00
Mark Andrews
7d238ed0c7 4475. [doc] Update named-checkconf documentation. [RT #43153]
(cherry picked from commit 67cdd2d3a4)
2016-10-05 14:22:19 +11:00
Mark Andrews
82a50a619a 4474. [bug] win32: call WSAStartup in fromtext_in_wks so that
getprotobyname and getservbyname work.  [RT #43197]
2016-10-05 12:29:00 +11:00
Mark Andrews
2f1c460bea 4473. [bug] Only call fsync / _commit on regular files. [RT #43196]
(cherry picked from commit fe4d0fbc7c)
2016-10-05 12:20:46 +11:00
Mark Andrews
9ee66e3a5b 4472. [bug] Named could fail to find the correct NSEC3 records when
a zone was update between looking for the answer and
                        looking for the NSEC3 records proving non-existance
                        of the answer. [RT #43247]
2016-10-05 10:37:17 +11:00
Witold Krecicki
62f3453730 [master] Fix a minor bug in isc_netaddr_masktoprefixlen
(cherry picked from commit f78603b534)
2016-10-05 09:07:17 +11:00
Mukund Sivaraman
6f2752da7a Typo
(cherry picked from commit b7d07b861b)
2016-10-01 11:35:38 +05:30
Witold Krecicki
b4e6d4c724 [master] Disable dig IPv4-to-IPv6 mapping system test on OpenBSD 2016-09-30 12:20:55 +02:00
Mark Andrews
1477c19dd9 make statschannel version number agnostic 2016-09-29 17:01:06 +10:00
Tinderbox User
1ca759b3f5 regen v9_11 2016-09-28 23:05:58 +00:00
Mark Andrews
8b2b41ba4f 9.11.0 2016-09-29 09:00:27 +10:00
Evan Hunt
19977879ca [v9_11] minor cleanup/clarification in dnstap documentation
Patch submitted by Tony Finch (dot@dotat.at).

(cherry picked from commit e9917a51d3)
2016-09-27 20:46:54 -07:00
Mark Andrews
11d37bfa8d use repo.isc.org rt43254
(cherry picked from commit ea23a4868c)
2016-09-26 15:25:37 +10:00
Tinderbox User
c54d7ba815 regenerate 2016-09-23 03:50:44 +00:00
Tinderbox User
3cdd0f1bc9 regen v9_11 2016-09-23 01:09:59 +00:00
Evan Hunt
fcadf0b320 [v9_11] render querylog format consistent, and add a release note
4471.	[cleanup]	Render client/query logging format consistent for
			ease of log file parsing. (Note that this affects
			"querylog" format: there is now an additional field
			indicating the client object address.) [RT #43238]

(cherry picked from commit c4b7db4932)
2016-09-22 14:49:26 -07:00
Tinderbox User
6d631f32e2 regen v9_11 2016-09-20 12:05:51 +00:00
Tinderbox User
e21a6f5ec6 regen v9_11 2016-09-20 12:01:36 +00:00
Mark Andrews
47f8b47b8d 9.11.0rc3 2016-09-20 21:19:46 +10:00
Mark Andrews
d9a7138196 whitespace 2016-09-20 21:00:24 +10:00
Mark Andrews
31c7bf574e move release tag 2016-09-14 12:53:36 +10:00
Tinderbox User
c5eabd6d9e 9.11.0rc2 regen 2016-09-14 01:19:28 +00:00
Tinderbox User
cfbd5fb444 regen v9_11 2016-09-14 01:08:07 +00:00
Mark Andrews
db9781d4a2 4468. [bug] Address ECS option handling issues. [RT #43191]
(cherry picked from commit df17290113)
2016-09-14 08:23:07 +10:00
Tinderbox User
9035967309 regen v9_11 2016-09-09 05:42:31 +00:00
Mark Andrews
8269f06a0f 9.11.0rc2 2016-09-09 15:38:24 +10:00
Tinderbox User
c4626e20fd regen v9_11 2016-09-09 02:56:03 +00:00
Tinderbox User
63d4f7ac56 regen v9_11 2016-09-09 02:21:56 +00:00
Mark Andrews
61349d96c0 reorder
(cherry picked from commit 9ffbc3f9b3)
2016-09-09 11:54:34 +10:00
Mark Andrews
cdf97b41dc add CVE-2016-2776
(cherry picked from commit d4c8a622c0)
2016-09-09 11:50:38 +10:00
Mark Andrews
97222baa4e add CVE-2016-2776
(cherry picked from commit 1090e198c4)
2016-09-09 11:39:47 +10:00
Mark Andrews
6cc63451da add CVE-2016-2776
(cherry picked from commit 9872e3fbd9)
2016-09-09 11:37:05 +10:00
Mark Andrews
700d3cb789 4467. [security] It was possible to trigger a assertion when rendering
a message. [RT #43139]

(cherry picked from commit 2bd0922cf9)
2016-09-09 11:31:59 +10:00
Mark Andrews
f024476161 4466. [bug] Interface scanning didn't work on a Windows system
without a non local IPv6 addresses. [RT #43130]

(cherry picked from commit 61ca100b80)
2016-09-08 14:26:09 +10:00
Mark Andrews
48ec547968 4465. [bug] Don't use "%z" as Windows doesn't support it.
[RT #43131]

(cherry picked from commit f1977af0d3)
2016-09-08 14:17:32 +10:00
Mark Andrews
095c47be54 4464. [bug] Fix windows python support. [RT #43173]
(cherry picked from commit 85468d4c81)
2016-09-08 13:55:48 +10:00
Mark Andrews
178dc0e1d6 4463. [bug] The dnstap system test failed on some systems.
[RT #43129]

(cherry picked from commit ed7097fc00)
2016-09-08 11:40:47 +10:00
Mark Andrews
6aaf3d01a1 4462. [bug] Don't describe a returned EDNS COOKIE as "good"
when there isn't a valid server cookie. [RT #43167]

(cherry picked from commit 58d622d96d)
2016-09-08 11:35:11 +10:00
Francis Dupont
086454217d Fixed obvious typo in t_atomic 2016-09-08 01:56:47 +02:00
Tinderbox User
cb5446c260 newcopyrights 2016-09-07 23:30:10 +00:00
Mark Andrews
143526179e restore release marker
(cherry picked from commit 5125df6753)
2016-09-07 14:14:42 +10:00
Mark Andrews
e51ba26500 4461. [bug] win32: not all external data was properly marked
as external data for windows dll. [RT #43161]

(cherry picked from commit 8eceb0bffe)
2016-09-07 14:14:40 +10:00
Tinderbox User
f71fa687c4 regen v9_11 2016-09-02 01:08:19 +00:00
Mark Andrews
98546bb432 s/secret_string/algorithm_id/ for cookie-algorithm
(cherry picked from commit fe09d4b609)
2016-09-01 12:05:33 +10:00
Tinderbox User
637cef10a9 regen v9_11 2016-09-01 01:08:33 +00:00
Evan Hunt
e615ecb7a5 [v9_11] correct default value of tcp-clients
(cherry picked from commit b46760b373)
2016-08-30 23:02:39 -07:00
Tinderbox User
3711866d8b update copyright notice / whitespace 2016-08-30 23:45:56 +00:00
Tinderbox User
052969f1f1 newcopyrights 2016-08-30 23:30:19 +00:00
Tinderbox User
e0815f8120 regenerate 2016-08-30 11:01:49 +00:00
Mark Andrews
f51c0bba70 silence unused variable 'pollstate' warning [RT #43109]
(cherry picked from commit 9d11e46714)
2016-08-30 14:26:17 +10:00
Mark Andrews
15bee593e7 4460. [test] Add system test for dnstap using unix domain sockets.
[RT #42926]

(cherry picked from commit 3e1fa8411b)
2016-08-30 11:21:33 +10:00
Mark Andrews
7100602261 spelling
(cherry picked from commit dc449c999c)
2016-08-30 09:55:08 +10:00
Mark Andrews
4d506ae0d1 whitespace 2016-08-30 09:42:33 +10:00
Evan Hunt
af326c2e3f [v9_11] fix tcp client memory leak
4459.	[bug]		TCP client objects created to handle pipeline queries
			were not cleaned up correctly, causing uncontrolled
			memory growth. [RT #43106]

(cherry picked from commit a26a62cef2)
2016-08-29 11:56:56 -07:00
Mukund Sivaraman
ce78690029 Update assertions to be more correct, and also remove use of a reserved word (#43090)
Note: this doesn't actually fix #43090.
(cherry picked from commit becac651e8)
2016-08-29 18:54:02 +05:30
Mark Andrews
301458d3d5 make depend needs to decend into lib/*/test [rt #43105]
(cherry picked from commit 5336feefb0)
2016-08-29 10:20:22 +10:00
Mark Andrews
d102ab1b84 4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
(cherry picked from commit c55b572ccf)
2016-08-29 10:16:30 +10:00
Mark Andrews
d6fa26d0ad 4456. [doc] Add DOCTYPE and lang attribute to <html> tags.
[RT #42587]

(cherry picked from commit 63fe88e8d8)
2016-08-26 15:14:32 +10:00
Mark Andrews
1ea64ac3e5 remove spurious 'i'
(cherry picked from commit e1f590a59a)
2016-08-26 13:43:18 +10:00
Mark Andrews
1f65db3778 add isc_lex_setsourceline 2016-08-26 03:16:08 +00:00
Evan Hunt
f503aa345b [v9_11] pass source file and line to dyndb load function
4455.	[cleanup]	Allow dyndb modules to correctly log the filename
			and line number when processing configuration text
			from named.conf. [RT #43050]

(cherry picked from commit 02fb764681)
2016-08-25 18:09:45 -07:00
Tinderbox User
d3e2a34ffb regen v9_11 2016-08-26 01:08:09 +00:00
Tinderbox User
a3253fb44c update copyright notice / whitespace 2016-08-25 23:46:16 +00:00
Tinderbox User
6b9225c4be newcopyrights 2016-08-25 23:30:19 +00:00
Jeremy C. Reed
6dd849c866 fix the 8K number
from the upstream source:
/** Default `buffer_hint` value. */
2016-08-25 13:56:57 -04:00
Evan Hunt
99e64ce41f [v9_11] fix dnssec-policy.conf in notes
(cherry picked from commit bfb479d5e3)
2016-08-25 08:19:16 -07:00
Mark Andrews
6f36f2f7b8 rename ioqversion -> generation; move increment before fstrm_iothr_destroy
(cherry picked from commit 7535dd93a1)
2016-08-25 12:07:34 +10:00
Tinderbox User
7e71f05d86 regen v9_11 2016-08-25 01:08:27 +00:00
Mark Andrews
7df3f06c0b 4454. [bug] 'rndc dnstap -reopen' had a race issue. [RT #43089]
(cherry picked from commit 726cddb564)
2016-08-25 10:05:07 +10:00
Mark Andrews
d1cacbb374 4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]

(cherry picked from commit f431bf02a6)
2016-08-25 09:53:50 +10:00
Mark Andrews
2be9d18ee9 4452. [bug] The default key manager policy file is now
<sysdir>/dnssec-policy.conf (usually
                        /etc/dnssec-policy.conf). [RT #43064]

(cherry picked from commit e09f18e349)
2016-08-25 09:53:33 +10:00
Tinderbox User
65a3f63297 update copyright notice / whitespace 2016-08-24 23:46:02 +00:00
Tinderbox User
de2c04f82e newcopyrights 2016-08-24 23:30:19 +00:00
Evan Hunt
756b54c8ff [v9_11] add missing release notes and fix other doc nits
(cherry picked from commit 864dc79dce)
2016-08-24 16:25:51 -07:00
Evan Hunt
8b82b4982c [v9_11] 43076 was missed from CHANGES
(cherry picked from commit 9d990968ad)
2016-08-24 14:09:48 -07:00
Evan Hunt
28a4d32b05 [v9_11] add dnssec-keygen and nslookup man page links to ARM
(cherry picked from commit 1e50c0d857)
2016-08-24 20:39:52 +00:00
Tinderbox User
cb927f08d9 regenerate 2016-08-23 05:27:13 +00:00
Mark Andrews
fdcfc6bae7 add signing -serial to rndc usage
(cherry picked from commit 7bb9972a1f)
2016-08-23 13:42:25 +10:00
Mark Andrews
a8cfd15880 update copyrights / whitespace 2016-08-23 09:50:22 +10:00
Evan Hunt
0b756d60e5 [v9_11] Added print.h include
(cherry picked from commit 76a3f42977)
2016-08-22 09:07:56 -07:00
Evan Hunt
22913d088f [v9_11] Merged rt43077 (new RSA verify unit test)
(cherry picked from commit fc41d120f0)
2016-08-22 09:07:52 -07:00
Evan Hunt
5026ac37c1 [v9_11] Merged rt43076 (log PKCS#11 provider load failure)
(cherry picked from commit 2f08617da9)
2016-08-22 09:07:45 -07:00
Evan Hunt
50a8f5f9b8 [v9_11] regen configure (cannot wait for cron)
(cherry picked from commit 228a095c29)
2016-08-22 09:07:32 -07:00
Tinderbox User
5cde7b189e regenerate 2016-08-19 09:59:00 +00:00
Witold Krecicki
892f238ace Prep for 9.11.0rc1 2016-08-19 11:34:11 +02:00
Tinderbox User
c2258eedf2 regen v9_11 2016-08-19 01:56:34 +00:00
Francis Dupont
7e89f3c9f8 Updated WIN32 part of TCP_FASTOPEN doc
(cherry picked from commit f4288bafe9)
2016-08-19 11:47:16 +10:00
Francis Dupont
12b4d2a75e _MSV_VER -> _MSC_VER 2016-08-19 11:46:28 +10:00
Francis Dupont
8425f3717a Fixed trivial typo
(cherry picked from commit fcb2309a9a)
2016-08-19 11:43:27 +10:00
Evan Hunt
32431c79c7 [master] fix dnstap query/response selectors
4427.	[bug]		The "query" and "response" parameters to the
			"dnstap" option had their functions reversed.

(cherry picked from commit e9bd1496ed)
2016-08-19 11:41:07 +10:00
Tinderbox User
7e09576b77 update copyright notice / whitespace 2016-08-19 01:23:39 +00:00
Mark Andrews
5c80172c5f 9.11.0rc1 2016-08-19 11:21:36 +10:00
Evan Hunt
428fc1a50e [v9_11] document power of 2 requirement for fstrm-set-input-queue-size
(cherry picked from commit dd666442d3)
2016-08-18 18:10:49 -07:00
Evan Hunt
d4bcb6ee58 [v9_11] missed renaming SIT to COOKIE
(cherry picked from commit b715ad3cdb)
2016-08-18 18:09:02 -07:00
Tinderbox User
281ed127e3 regen v9_11 2016-08-19 01:08:24 +00:00
Mark Andrews
77997fab4b update copyright list 2016-08-19 11:00:37 +10:00
Evan Hunt
11435e83c6 [v9_11] clarify README.site
(cherry picked from commit 6d2963e4d4)
2016-08-18 17:52:56 -07:00
Mark Andrews
c40906dfad 4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]

(cherry picked from commit 8ee6f289d8)
2016-08-19 08:05:47 +10:00
Witold Krecicki
f9e49fd80e 4449. [test] Fix catalog zones test on slower systems. [RT #42997] 2016-08-18 18:17:17 +02:00
Mark Andrews
0350f56110 install isc/errno.h
(cherry picked from commit dec17fb662)
2016-08-18 22:12:49 +10:00
Mark Andrews
e8c70b0c35 4448. [bug] win32: ::1 was not being found when iterating
interfaces. [RT #42993]

(cherry picked from commit 6e4788dd12)
2016-08-18 21:59:45 +10:00
Mark Andrews
e722a7f2eb add dns_dt_getstats
(cherry picked from commit 81ace51190)
2016-08-18 12:22:14 +10:00
Mark Andrews
7204d08a31 4447. [tuning] Allow the fstrm_iothr_init() options to be set using
named.conf to control how dnstap manages the data
                        flow. [RT #42974]

(cherry picked from commit 934837913f)
2016-08-18 11:16:58 +10:00
Tinderbox User
a0c1ad17ab update copyright notice / whitespace 2016-08-17 23:46:03 +00:00
Tinderbox User
903fcd6a60 newcopyrights 2016-08-17 23:30:22 +00:00
Evan Hunt
6ce5279d0f [v9_11] check for STALE rdatasets in cache search
4446.	[bug]		The cache_find() and _findrdataset() functions
			could find rdatasets that had been marked stale.
			[RT #42853]

(cherry picked from commit 46e7763d19)
2016-08-17 11:44:41 -07:00
Evan Hunt
f5898cf348 [v9_11] fix dyndb issues; isc_errno_toresult()
4445.	[cleanup]	isc_errno_toresult() can now be used to call the
			formerly private function isc__errno2result().
			[RT #43050]

4444.	[bug]		Fixed some issues related to dyndb: A bug caused
			braces to be omitted when passing configuration text
			from named.conf to a dyndb driver, and there was a
			use-after-free in the sample dyndb driver. [RT #43050]

Patch for dyndb driver submitted by Petr Spacek at Red Hat.

(cherry picked from commit 3390d74e33)
2016-08-17 11:39:42 -07:00
Mark Andrews
ab598428c8 update dyndb_init inline documentationi [RT #43050]
(cherry picked from commit 8c2c6b8b42)
2016-08-17 14:12:54 +10:00
Mark Andrews
a5c76d926c use explict casts to silence truncation warnings
(cherry picked from commit 4cb2ad343f)
2016-08-16 12:29:32 +10:00
Tinderbox User
d621f10ebe update copyright notice / whitespace 2016-08-15 23:45:57 +00:00
Mark Andrews
f4e993861d update 2016-08-16 09:45:02 +10:00
Mark Andrews
c27c710939 4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
TCP sockets. [RT #42864]

(cherry picked from commit 7872d4d1c0)
2016-08-16 07:42:53 +10:00
Mark Andrews
4d09627fde don't return void
(cherry picked from commit 42a14518ac)
2016-08-16 07:37:10 +10:00
Mukund Sivaraman
4e9a1ad226 Fix RPZ CIDR tree insertion bug (#43035)
(cherry picked from commit 131307a70e)
2016-08-15 17:07:50 +05:30
Mark Andrews
d6a0e00dc3 add dnstap to help. [RT #42928]
(cherry picked from commit f814343d1b)
2016-08-15 11:56:37 +10:00
Mark Andrews
555469af35 4441. [cleanup] Alphabetize host's help output. [RT #43031]
(cherry picked from commit 8a98ea9e94)
2016-08-15 11:22:08 +10:00
Mark Andrews
dde130e859 update 2016-08-13 12:44:07 +10:00
Tinderbox User
911c11bf4b update copyright notice / whitespace 2016-08-12 23:45:53 +00:00
Mark Andrews
c5342425ea 4440. [func] Enable TCP fast open support when available on the
server side. [RT #42866]

(cherry picked from commit a977bc4c8e)
2016-08-12 15:32:00 +10:00
Mark Andrews
b4bbf49418 4439. [bug] Address race conditions getting ownernames of nodes.
[RT #43005]

(cherry picked from commit c7e021e2e6)
2016-08-12 14:09:34 +10:00
Mark Andrews
bd01b96d11 add isc_ratelimiter_setpushpop
(cherry picked from commit d260d5ef4c)
2016-08-12 12:40:02 +10:00
Mark Andrews
f3a4a5f8db 4438. [func] Use LIFO rather than FIFO when processing startup
notify and refresh queries. [RT #42825]

(cherry picked from commit 5734cd3943)
2016-08-12 11:34:29 +10:00
Tinderbox User
0cfa9af7ed regen v9_11 2016-08-12 01:08:44 +00:00
Mark Andrews
2fb6d3782b 4437. [func] Minimal-responses now has two additional modes
no-auth and no-auth-recursive which suppress
                        adding the NS records to the authority section
                        as well as the associated address records for the
                        nameservers. [RT #42005]

(cherry picked from commit 78e31dd187)
2016-08-12 10:49:57 +10:00
Mark Andrews
bc09fd1365 4436. [func] Return TLSA records as additional data for MX and SRV
lookups. [RT #42894]

(cherry picked from commit bb900e62bf)
2016-08-12 10:10:30 +10:00
Tinderbox User
ecd229e44c update copyright notice / whitespace 2016-08-11 23:45:54 +00:00
Mark Andrews
36be0aad8e 4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message
will not fit into a single IPv4 encapsulated IPv6
                        UDP packet when transmitted over a Ethernet link.
                        [RT #42871]

(cherry picked from commit 31ffec1541)
2016-08-12 09:43:55 +10:00
Mark Andrews
33f91e248b 4434. [protocol] Return EDNS EXPIRE option for master zones in addition
to slave zones. [RT #43008]

(cherry picked from commit bf2238b064)
2016-08-12 09:32:29 +10:00
Evan Hunt
51227d6f16 [v9_11] error on bad parameter to 'rndc dumpdb'
4433.	[cleanup]	Report an error when passing an invalid option or
			view name to "rndc dumpdb". [RT #42958]

(cherry picked from commit c38d989fdd)
2016-08-11 16:04:38 -07:00
Evan Hunt
175a8414a7 [v9_11] correct [testing] tags to [test] 2016-08-10 09:28:08 -07:00
Evan Hunt
770fe3dcab [v9_11] remove spurious newline in EDNS EXPIRE logging
Patch submitted by Tony Finch (dot@dotat.at).
2016-08-10 09:26:40 -07:00
Mark Andrews
9e4811dc90 4432. [testing] Hide rndc output on expected failures in logfileconfig
system test. [RT #27996]

(cherry picked from commit 12895c8d6f)
2016-08-10 13:07:05 +10:00
Tinderbox User
b0cd1a7a63 update copyright notice / whitespace 2016-08-09 00:25:59 +00:00
Mark Andrews
4c3d55cb2d update 2016-08-09 10:20:21 +10:00
Mark Andrews
12b791ae20 4431. [bug] named-checkconf now checks the rate-limit clause.
[RT #42970]
2016-08-08 23:54:15 +10:00
Mark Andrews
080582dc47 4430. [bug] Lwresd died if a search list was not defined.
Found by 0x710DDDD At Alibaba Security. [RT #42895]

(cherry picked from commit 3146be6fd6)
2016-08-08 10:23:22 +10:00
Mark Andrews
3a71cd8ca3 4429. [bug] Address potential use after free on fclose() error.
[RT #42976]

(cherry picked from commit c1915935cf)
2016-08-08 09:51:13 +10:00
Mark Andrews
02ceed9f83 4428. [bug] The "test dispatch getnext" unit test could fail
in a threaded build. [RT #42979]

(cherry picked from commit c4153b554d)
2016-08-08 09:39:47 +10:00
Mark Andrews
ba800567a3 regen 2016-07-30 07:45:54 +10:00
Mark Andrews
9bff99379e remove spurious breaks
(cherry picked from commit e95391abd4)
2016-07-29 23:56:59 +10:00
Witold Krecicki
a23f742c3d Remove spurious isc_stdio_open 2016-07-28 14:26:36 +02:00
Tinderbox User
e381c9c48e newcopyrights 2016-07-27 23:32:00 +00:00
Tinderbox User
3f72dac411 regenerate 2016-07-27 13:54:22 +00:00
Witold Krecicki
8db83c1e90 Move 9.11.0b3 marker in CHANGES (respin) 2016-07-27 15:46:59 +02:00
Witold Krecicki
ba340e4469 4426. [bug] Addressed Coverity warnings. [RT #42908] 2016-07-27 15:45:58 +02:00
Tinderbox User
1e9517ea21 regen v9_11 2016-07-27 01:12:35 +00:00
Witold Krecicki
bd9e956e03 Fix typos in nzd2nzf test 2016-07-26 21:16:15 +02:00
Mark Andrews
b8f9413618 add mdig, named-nzd2nzf, pkcs11-destroy, pkcs11-list, pkcs11-keygen and pkcs11-tokens manpages
(cherry picked from commit 915544f389)
2016-07-27 05:00:49 +10:00
Witold Krecicki
3783f45e68 Fix merge error in bin/tests/system/conf.sh.in, add missing cleanups in tests 2016-07-26 20:33:06 +02:00
Mark Andrews
c70fb599b9 add space in #error message 2016-07-26 11:28:29 +10:00
Mark Andrews
17d4581ce9 remove comma
(cherry picked from commit 0ac94b80e8)
2016-07-26 11:17:52 +10:00
Tinderbox User
0ff8d59a07 regen v9_11 2016-07-26 01:11:57 +00:00
Mark Andrews
b62db16a58 named-rrchecker is also in ${prefix}/bin 2016-07-26 07:12:00 +10:00
Mark Andrews
72cc860dd2 4425. [bug] arpaname and dnstap-read were not being installed
into ${prefix}/bin.  Tidy up installation issues
                        with CHANGE 4421. [RT #42910]

(cherry picked from commit 711aff9fa7)
2016-07-26 06:54:19 +10:00
Tinderbox User
52d94378a0 regenerate 2016-07-25 12:08:48 +00:00
Tinderbox User
5f0c46ca5f regen v9_11 2016-07-25 12:05:14 +00:00
Witold Krecicki
4a6f729845 Update API versions for release 9.11.0b3 2016-07-25 14:00:17 +02:00
Witold Krecicki
a6d873b8bc Fix merge error in bin/tools/Makefile.in 2016-07-25 13:15:27 +02:00
Tinderbox User
a548226d23 regen v9_11 2016-07-23 01:14:40 +00:00
Tinderbox User
14d7597167 update copyright notice / whitespace 2016-07-22 23:48:02 +00:00
Tinderbox User
c42fe4bf07 newcopyrights 2016-07-22 23:30:57 +00:00
Mark Andrews
3953cc1d49 add dns_keytable_forall
(cherry picked from commit 6655b7db13)
2016-07-22 20:34:14 +10:00
Mark Andrews
b7161f9898 4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries
to provide feedback to the trust-anchor administrators
                        about how key rollovers are progressing as per
                        draft-ietf-dnsop-edns-key-tag-02.  This can be
                        disabled using 'trust-anchor-telemetry no;'.
                        [RT #40583]

(cherry picked from commit f20179857a)
2016-07-22 20:03:06 +10:00
Evan Hunt
2fee8782a6 [v9_11] copyrights 2016-07-21 20:06:52 -07:00
Evan Hunt
6d609c3cbe [v9_11] add aaaa for b.root-servers.net
4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
			B.ROOT-SERVERS.NET. [RT #42898]

Patch submitted by Xoze Vazquez Perez (xose.vazquez@gmail.com).
2016-07-21 20:02:49 -07:00
Tinderbox User
eb2a5f51bd regen v9_11 2016-07-22 01:10:34 +00:00
Tinderbox User
adb0ac475d update copyright notice / whitespace 2016-07-21 23:46:46 +00:00
Evan Hunt
b83e886b30 [v9_11] silence clang warnings
4422.	[port]		Silence clang warnings in dig.c and dighost.c.
			[RT #42451]
2016-07-21 15:54:00 -07:00
Evan Hunt
2c9f6f236f [v9_11] add release note 2016-07-21 13:36:36 -07:00
Evan Hunt
ee9982dbd9 [v9_11] add missing file 2016-07-21 12:45:39 -07:00
Evan Hunt
12c8dec44b [v9_11] print.h 2016-07-21 11:25:26 -07:00
Evan Hunt
801707fe19 [v9_11] store "addzone" zone config in a NZD database
4421.	[func]		When built with LMDB (Lightning Memory-mapped
			Database), named will now use a database to store
			the configuration for zones added by "rndc addzone"
			instead of using a flat NZF file. This improves
			performance of "rndc delzone" and "rndc modzone"
			significantly. Existing NZF files will
			automatically by converted to NZD databases.
			To view the contents of an NZD or to roll back to
			NZF format, use "named-nzd2nzf". To disable
                        this feature, use "configure --without-lmdb".
                        [RT #39837]
2016-07-21 11:14:16 -07:00
Mark Andrews
529d8a7cf1 4420. [func] nslookup now looks for AAAA as well as A by default.
[RT #40420]

(cherry picked from commit e7e7efe901)
2016-07-22 03:28:28 +10:00
Witold Krecicki
d9d7b2657e 4419. [bug] Don't cause undefined result if the label of an
entry in catalog zone is changed. [RT #42708]
2016-07-21 13:07:56 +02:00
Witold Krecicki
1fe29e5d65 4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879] 2016-07-21 12:16:13 +02:00
Mark Andrews
02d54949f0 copyright
(cherry picked from commit e3d74bdd7f)
2016-07-21 19:39:25 +10:00
Mark Andrews
a1ddbcb37a more copyright cleanups
(cherry picked from commit 592127b7fa)
2016-07-21 19:16:24 +10:00
Mark Andrews
e79ed99510 update example copyright notice
(cherry picked from commit ed1a24cc86)
2016-07-21 19:09:34 +10:00
Mark Andrews
cb1d847607 update example copyright notice
(cherry picked from commit ba99d845a2)
2016-07-21 19:05:36 +10:00
Tinderbox User
5347c0fcb0 regen v9_11 2016-07-21 07:53:18 +00:00
Mark Andrews
194e2dfffa consolidate copyrights 2016-07-21 17:26:05 +10:00
Mark Andrews
a809c57ab2 consolidate copyrights 2016-07-21 17:25:39 +10:00
Mark Andrews
704e6c8876 copyright
(cherry picked from commit 813e9f7ee2)
2016-07-21 17:02:22 +10:00
Mark Andrews
bd5040035c regen 2016-07-21 17:02:06 +10:00
Evan Hunt
b05ccd39b3 [v9_11] remove SIT doc 2016-07-20 21:36:30 -07:00
Tinderbox User
6ce3705502 update copyright notice / whitespace 2016-07-20 23:48:08 +00:00
Evan Hunt
d907426f0f [v9_11] fix keymgr with low prepublication interval
4417.	[bug]		dnssec-keymgr could fail to create successor keys
			if the prepublication interval was set to a value
			smaller than the default. [RT #42820]

Patch submitted by Nis Wechselberg (enbewe@enbewe.de).
2016-07-20 15:14:20 -07:00
Evan Hunt
f0fe1930a2 [v9_11] normalize domain names for trailing dots
4416.	[bug]		dnssec-keymgr: Domain names in policy files could
			fail to match due to trailing dots. [RT #42807]

Patch submitted by Armin Pech (mail@arminpech.de).
2016-07-20 14:36:12 -07:00
Evan Hunt
a78396e652 [v9_11] deleted keys not correctly excluded
4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
			excluded. [RT #42884]

Patch submitted by Nis Wechselberg (enewe@enbewe.de).
2016-07-20 14:29:01 -07:00
Tinderbox User
181125e682 update copyright notice / whitespace 2016-07-19 23:46:49 +00:00
Evan Hunt
7bc7cdd947 [v9_11] fix isc_atomic_xadd() on MIPS
4414.	[bug]		Corrected a bug in the MIPS implementation of
			isc_atomic_xadd(). [RT #41965]

Submitted by Lamont Jones (lamont@debian.org). Closes Debian issue #406409.
2016-07-19 11:12:09 -07:00
Mark Andrews
55d61515ec 4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
was returned. [RT #42733]

(cherry picked from commit 63e58ad048)
2016-07-14 15:08:15 +10:00
Mark Andrews
111ec860a8 Visual Studio 2005 doesn't like named elements, construct addr using isc_netaddr_fromin6
(cherry picked from commit d937f8e999)
2016-07-14 11:31:01 +10:00
Mark Andrews
1ac74a984d Windows doesn't like LLU use ULL instead
(cherry picked from commit 6b5d6472cdbdb57ee7d8247d85f07c42fb347663)
2016-07-14 11:13:56 +10:00
Tinderbox User
1700442a77 regen v9_11 2016-07-14 00:01:54 +00:00
Mark Andrews
1ddde9710e 9.11.0b2 2016-07-14 09:54:08 +10:00
Tinderbox User
a217937e59 update copyright notice / whitespace 2016-07-13 23:46:23 +00:00
Mark Andrews
0ad430bda9 grammar
(cherry picked from commit 8f7881684b)
2016-07-14 09:42:51 +10:00
Mark Andrews
61b1075ddb bug -> security 2016-07-14 09:35:14 +10:00
Mukund Sivaraman
47ed813864 Some general cleanup (#42827)
(cherry picked from commit e65cd99461)
2016-07-13 14:31:48 +05:30
Mukund Sivaraman
2d5581de6e Make fixes for GCC 6 (#42721)
(cherry picked from commit 4116177ac4)
2016-07-13 13:56:22 +05:30
Evan Hunt
3525200d9f [v9_11] rndc dnstap -roll
4411.	[func]		"rndc dnstap -roll" automatically rolls the
			dnstap output file; the previous version is
			saved with ".0" suffix, and earlier versions
			with ".1" and so on. An optional numeric argument
			indicates how many prior files to save. [RT #42830]
2016-07-13 01:18:41 -07:00
Mark Andrews
28303a06ce 4410. [bug] Address use after free and memory leak with dnstap.
[RT #42746]

(cherry picked from commit a2101037d9)
2016-07-13 16:56:53 +10:00
Tinderbox User
576bce9d73 regen v9_11 2016-07-13 04:49:09 +00:00
Mark Andrews
d23a531fde add [RT #42694] 2016-07-13 11:36:52 +10:00
Mark Andrews
967c2a93ac issue -> flaw
(cherry picked from commit 268f9e6832)
2016-07-13 11:23:36 +10:00
Mark Andrews
64196d78c8 add more DNS64 default exclude acl tests
(cherry picked from commit d147d56227)
2016-07-13 10:58:46 +10:00
Mark Andrews
8a659aae94 spelling/grammar
(cherry picked from commit 1256b0c344)
2016-07-13 10:27:12 +10:00
Mark Andrews
f8ef82e475 sync 2016-07-12 11:34:50 +10:00
Mark Andrews
35c014cb1d 4408. [func] Continue waiting for expected response when we the
response we get does not match the request. [RT #41026]

(cherry picked from commit ec5e01747a)
2016-07-12 11:33:49 +10:00
Tinderbox User
e191be096c regen v9_11 2016-07-12 01:09:40 +00:00
Tinderbox User
ebb8a69f33 update copyright notice / whitespace 2016-07-11 23:47:19 +00:00
Mark Andrews
b740318a42 add CVE-2016-2775
(cherry picked from commit 909d442cc0)
2016-07-12 01:09:37 +10:00
Mukund Sivaraman
a16f42441a Use GCC builtin for clz in RPZ lookup code (#42818)
(cherry picked from commit 27038b159b)
2016-07-11 10:05:06 +05:30
Mark Andrews
4d8940486c 4409. [bug] DNS64 should exlude mapped addresses by default when
a exclude acl is not defined. [RT #42810]

(cherry picked from commit 557c7221fd)
2016-07-11 14:12:42 +10:00
Tinderbox User
e2f974003e regen v9_11 2016-07-08 01:09:30 +00:00
Tinderbox User
8760668acc newcopyrights 2016-07-07 04:18:11 +00:00
Mark Andrews
da984e8fc5 add note for rt42694
(cherry picked from commit 429701008e)
2016-07-07 13:50:56 +10:00
Mark Andrews
f555b59e36 4406. [bug] getrrsetbyname with a non absolute name could
trigger a infinite recursion bug in lwresd
                        and named with lwres configured if when combined
                        with a search list entry the resulting name is
                        too long. [RT #42694]

(cherry picked from commit 38cc2d14e2)
2016-07-07 13:50:38 +10:00
Tinderbox User
8a48b6b9b6 regen v9_11 2016-07-07 01:09:16 +00:00
Mark Andrews
2be74962e4 ignore bin/tests/system/rndc/ns4/named.conf
(cherry picked from commit 3c88f741c6)
2016-07-07 09:57:01 +10:00
Tinderbox User
1105cecdc2 update copyright notice / whitespace 2016-07-06 23:47:18 +00:00
Tinderbox User
1e07acce90 newcopyrights 2016-07-06 23:31:15 +00:00
Mark Andrews
d2647cd5fd license section is no longer a list 2016-07-06 13:01:40 +10:00
Mark Andrews
988c13928a spelling 2016-07-06 12:57:34 +10:00
Tinderbox User
6af971acc0 regen v9_11 2016-07-06 01:09:13 +00:00
Mark Andrews
8d9a134fe7 4405. [bug] Change 4342 introduced a regression where you could
not remove a delegation in a NSEC3 signed zone using
                        OPTOUT via nsupdate. [RT #42702]

(cherry picked from commit d811a7d9ef)
2016-07-06 10:14:01 +10:00
Evan Hunt
4695e981ba [v9_11] remove spurious license text 2016-07-05 15:42:38 -07:00
Mark Andrews
f2af4484a8 one -f the -D sync's should have been just -D
(cherry picked from commit 27505a932f)
2016-07-06 08:33:31 +10:00
Evan Hunt
0c9a909262 [v9_11] clarify some comments 2016-07-05 10:53:17 -07:00
Mark Andrews
c2a6e9d347 4404. [misc] Allow krb5-config to be used when configuring gssapi.
[RT #42580]

(cherry picked from commit c8fb7e488a)
2016-07-04 15:47:27 +10:00
Tinderbox User
1ffe3f29e3 regen v9_11 2016-07-03 01:09:09 +00:00
Evan Hunt
f0e7471845 [v9_11] notes formatting, fix a CHANGES tag 2016-07-02 14:06:27 -07:00
Tinderbox User
bcfc5188be newcopyrights 2016-06-29 23:30:11 +00:00
Mark Andrews
680c1ba73d ignore configure generated files
(cherry picked from commit 0dacb6efdf)
2016-06-29 23:32:27 +10:00
Mark Andrews
e96a2a2b89 ignore configure generated files
(cherry picked from commit cd734243d4)
2016-06-29 23:27:51 +10:00
Mark Andrews
27330b0e55 #include <stdlib.h>
(cherry picked from commit 700e08fcc4)
2016-06-29 11:39:14 +10:00
Mark Andrews
cccfafa311 4403. [bug] Rename variables and arguments that shadow: basename,
clone and gai_error.

(cherry picked from commit ecfa005085)
2016-06-29 11:26:49 +10:00
Mark Andrews
e8555412f1 4402. [bug] protoc-c is now a hard requirement for --enable-dnstap.
(cherry picked from commit d75bbd0d98)
2016-06-29 09:31:15 +10:00
Mark Andrews
9904949098 fix typo
(cherry picked from commit 273549a13584f21438a0065d4803d84129e5c8e2)
2016-06-28 12:09:09 +10:00
Tinderbox User
dca6957b62 regenerate 2016-06-27 17:38:13 +00:00
Tinderbox User
a1ff871f78 regen v9_11 2016-06-27 17:36:43 +00:00
Witold Krecicki
4ab08a8117 Fix a typo and missing link in notes.xml 2016-06-27 19:33:10 +02:00
Curtis Blackburn
448e23ed61 cleanup of notes.xml
added better text to describe the license change

    added information about the following changes to notes.xml

    +4396. [func] dnssec-keymgr now takes a '-r randomfile' option.
    + [RT #42455]
    +4392. [func] Collect statistics for RSSAC02v3 traffic-volume,
    + traffic-sizes and rcode-volume reporting. [RT #41475]
    +4388. [func] Support for master entries with TSIG keys in catalog
    + zones. [RT #42577]
    +4385. [func] Add support for allow-query and allow-transfer ACLs
    + to catalog zones. [RT #42578]
2016-06-27 10:01:58 -07:00
Witold Krecicki
a77f86b6ca Fix keymgr test for change 4400 [RT #42718] 2016-06-27 12:22:01 +02:00
Witold Krecicki
f5b0ad3c8d Prep 9.11.0b1 2016-06-27 11:38:59 +02:00
1519 changed files with 75161 additions and 90045 deletions

1
.gitattributes vendored
View File

@@ -1,2 +1,3 @@
*.sln.in eol=crlf
*.vcxproj.in eol=crlf
*.vcxproj.filters.in eol=crlf

1052
CHANGES

File diff suppressed because it is too large Load Diff

View File

@@ -1,4 +1,4 @@
Copyright (C) 1996-2016 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2017 Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this

18
EXCLUDED Normal file
View File

@@ -0,0 +1,18 @@
4607. [bug] The memory context's malloced and maxmalloced counters
were being updated without the appropriate lock being
held. [RT #44869]
4605. [performance] Improve performance for delegation heavy answers
and also general query performance. Removes the
acache feature that didn't significantly improve
performance. Adds a glue cache. Removes
additional-from-cache and additional-from-auth
features. Enables minimal-responses by
default. Improves performance of compression
code, owner case restoration, hash function,
etc. Uses inline buffer implementation by
default. Many other performance changes and fixes.
[RT #44029]
4556. [bug] Sending an EDNS Padding option using "dig
+ednsopt" could cause a crash in dig. [RT #44462]

892
FAQ
View File

@@ -1,892 +0,0 @@
Copyright ? 2004-2010, 2013, 2014 Internet Systems Consortium, Inc.
("ISC")
Copyright ? 2000-2003 Internet Software Consortium.
-----------------------------------------------------------------------
1. Compilation and Installation Questions
Q: I'm trying to compile BIND 9, and "make" is failing due to files not
being found. Why?
A: Using a parallel or distributed "make" to build BIND 9 is not
supported, and doesn't work. If you are using one of these, use normal
make or gmake instead.
Q: Isn't "make install" supposed to generate a default named.conf?
A: Short Answer: No.
Long Answer: There really isn't a default configuration which fits any
site perfectly. There are lots of decisions that need to be made and
there is no consensus on what the defaults should be. For example
FreeBSD uses /etc/namedb as the location where the configuration files
for named are stored. Others use /var/named.
What addresses to listen on? For a laptop on the move a lot you may
only want to listen on the loop back interfaces.
To whom do you offer recursive service? Is there a firewall to
consider? If so, is it stateless or stateful? Are you directly on the
Internet? Are you on a private network? Are you on a NAT'd network? The
answers to all these questions change how you configure even a caching
name server.
2. Configuration and Setup Questions
Q: Why does named log the warning message "no TTL specified - using SOA
MINTTL instead"?
A: Your zone file is illegal according to RFC1035. It must either have a
line like:
$TTL 86400
at the beginning, or the first record in it must have a TTL field, like
the "84600" in this example:
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
file bar: ran out of space"?
A: This is often caused by TXT records with missing close quotes. Check
that all TXT records containing quoted strings have both open and close
quotes.
Q: How do I restrict people from looking up the server version?
A: Put a "version" option containing something other than the real version
in the "options" section of named.conf. Note doing this will not
prevent attacks and may impede people trying to diagnose problems with
your server. Also it is possible to "fingerprint" nameservers to
determine their version.
Q: How do I restrict only remote users from looking up the server version?
A: The following view statement will intercept lookups as the internal
view that holds the version information will be matched last. The
caveats of the previous answer still apply, of course.
view "chaos" chaos {
match-clients { <those to be refused>; };
allow-query { none; };
zone "." {
type hint;
file "/dev/null"; // or any empty file
};
};
Q: What do "no source of entropy found" or "could not open entropy source
foo" mean?
A: The server requires a source of entropy to perform certain operations,
mostly DNSSEC related. These messages indicate that you have no source
of entropy. On systems with /dev/random or an equivalent, it is used by
default. A source of entropy can also be defined using the
random-device option in named.conf.
Q: I'm trying to use TSIG to authenticate dynamic updates or zone
transfers. I'm sure I have the keys set up correctly, but the server is
rejecting the TSIG. Why?
A: This may be a clock skew problem. Check that the the clocks on the
client and server are properly synchronized (e.g., using ntp).
Q: I see a log message like the following. Why?
couldn't open pid file '/var/run/named.pid': Permission denied
A: You are most likely running named as a non-root user, and that user
does not have permission to write in /var/run. The common ways of
fixing this are to create a /var/run/named directory owned by the named
user and set pid-file to "/var/run/named/named.pid", or set pid-file to
"named.pid", which will put the file in the directory specified by the
directory option (which, in this case, must be writable by the user
named is running as).
Q: I can query the nameserver from the nameserver but not from other
machines. Why?
A: This is usually the result of the firewall configuration stopping the
queries and / or the replies.
Q: How can I make a server a slave for both an internal and an external
view at the same time? When I tried, both views on the slave were
transferred from the same view on the master.
A: You will need to give the master and slave multiple IP addresses and
use those to make sure you reach the correct view on the other machine.
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.1;
transfer-source 10.0.1.1;
query-source address 10.0.1.1;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.2;
transfer-source 10.0.1.2;
query-source address 10.0.1.2;
Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.3;
transfer-source 10.0.1.3;
query-source address 10.0.1.3;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.4;
transfer-source 10.0.1.4;
query-source address 10.0.1.4;
You put the external address on the alias so that all the other dns
clients on these boxes see the internal view by default.
A: BIND 9.3 and later: Use TSIG to select the appropriate view.
Master 10.0.1.1:
key "external" {
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; // reject message ment for the
// external view.
10.0.1/24; }; // accept from these addresses.
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.2 { keys external; }; // tag messages from the
// external view to the
// other servers for the
// view.
recursion no;
...
};
Slave 10.0.1.2:
key "external" {
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.1 { keys external; };
recursion no;
...
};
Q: I get error messages like "multiple RRs of singleton type" and "CNAME
and other data" when transferring a zone. What does this mean?
A: These indicate a malformed master zone. You can identify the exact
records involved by transferring the zone using dig then running
named-checkzone on it.
dig axfr example.com @master-server > tmp
named-checkzone example.com tmp
A CNAME record cannot exist with the same name as another record except
for the DNSSEC records which prove its existence (NSEC).
RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
data should be present; this ensures that the data for a canonical name
and its aliases cannot be different. This rule also insures that a
cached CNAME can be used without checking with an authoritative server
for other RR types."
Q: I get error messages like "named.conf:99: unexpected end of input"
where 99 is the last line of named.conf.
A: There are unbalanced quotes in named.conf.
A: Some text editors (notepad and wordpad) fail to put a line title
indication (e.g. CR/LF) on the last line of a text file. This can be
fixed by "adding" a blank line to the end of the file. Named expects to
see EOF immediately after EOL and treats text files where this is not
met as truncated.
Q: How do I share a dynamic zone between multiple views?
A: You choose one view to be master and the second a slave and transfer
the zone between views.
Master 10.0.1.1:
key "external" {
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
key "mykey" {
algorithm hmac-sha256;
secret "yyyyyyyyyyyyyyyyyyyyyyyy";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
server 10.0.1.1 {
/* Deliver notify messages to external view. */
keys { external; };
};
zone "example.com" {
type master;
file "internal/example.db";
allow-update { key mykey; };
also-notify { 10.0.1.1; };
};
};
view "external" {
match-clients { key external; any; };
zone "example.com" {
type slave;
file "external/example.db";
masters { 10.0.1.1; };
transfer-source 10.0.1.1;
// allow-update-forwarding { any; };
// allow-notify { ... };
};
};
Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
master file primaries/wireless.ietf56.ietf.org: no owner".
A: This error is produced when a line in the master file contains leading
white space (tab/space) but there is no current record owner name to
inherit the name from. Usually this is the result of putting white
space before a comment, forgetting the "@" for the SOA record, or
indenting the master file.
Q: Why are my logs in GMT (UTC).
A: You are running chrooted (-t) and have not supplied local timezone
information in the chroot area.
FreeBSD: /etc/localtime
Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
OSF: /etc/zoneinfo/localtime
See also tzset(3) and zic(8).
Q: I get "rndc: connect failed: connection refused" when I try to run
rndc.
A: This is usually a configuration error.
First ensure that named is running and no errors are being reported at
startup (/var/log/messages or equivalent). Running "named -g <usual
arguments>" from a title can help at this point.
Secondly ensure that named is configured to use rndc either by
"rndc-confgen -a", rndc-confgen or manually. The Administrators
Reference manual has details on how to do this.
Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /
etc/rndc.conf for the default server. Update /etc/rndc.conf if
necessary so that the default server listed in /etc/rndc.conf matches
the addresses used in named.conf. "localhost" has two address
(127.0.0.1 and ::1).
If you use "rndc-confgen -a" and named is running with -t or -u ensure
that /etc/rndc.conf has the correct ownership and that a copy is in the
chroot area. You can do this by re-running "rndc-confgen -a" with
appropriate -t and -u arguments.
Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
receiving responses: permission denied" error messages.
A: These indicate a filesystem permission error preventing named creating
/ renaming the temporary file. These will usually also have other
associated error messages like
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
Named needs write permission on the directory containing the file.
Named writes the new cache file to a temporary file then renames it to
the name specified in named.conf to ensure that the contents are always
complete. This is to prevent named loading a partial zone in the event
of power failure or similar interrupting the write of the master file.
Note file names are relative to the directory specified in options and
any chroot directory ([<chroot dir>/][<options dir>]).
If named is invoked as "named -t /chroot/DNS" with the following
named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
user named is running as.
options {
directory "/var/named";
};
zone "example.net" {
type slave;
file "sl/example.net";
masters { 192.168.4.12; };
};
Q: I want to forward all DNS queries from my caching nameserver to another
server. But there are some domains which have to be served locally, via
rbldnsd.
How do I achieve this ?
A: options {
forward only;
forwarders { <ip.of.primary.nameserver>; };
};
zone "sbl-xbl.spamhaus.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
zone "list.dsbl.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
Q: Can you help me understand how BIND 9 uses memory to store DNS zones?
Some times it seems to take several times the amount of memory it needs
to store the zone.
A: When reloading a zone named my have multiple copies of the zone in
memory at one time. The zone it is serving and the one it is loading.
If reloads are ultra fast it can have more still.
e.g. Ones that are transferring out, the one that it is serving and the
one that is loading.
BIND 8 destroyed the zone before loading and also killed off outgoing
transfers of the zone.
The new strategy allows slaves to get copies of the new zone regardless
of how often the master is loaded compared to the transfer time. The
slave might skip some intermediate versions but the transfers will
complete and it will keep reasonably in sync with the master.
The new strategy also allows the master to recover from syntax and
other errors in the master file as it still has an in-core copy of the
old contents.
Q: I want to use IPv6 locally but I don't have a external IPv6 connection.
External lookups are slow.
A: You can use server clauses to stop named making external lookups over
IPv6.
server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
server ::/0 { bogus yes; };
3. Operations Questions
Q: How to change the nameservers for a zone?
A: Step 1: Ensure all nameservers, new and old, are serving the same zone
content.
Step 2: Work out the maximum TTL of the NS RRset in the parent and
child zones. This is the time it will take caches to be clear of a
particular version of the NS RRset. If you are just removing
nameservers you can skip to Step 6.
Step 3: Add new nameservers to the NS RRset for the zone and wait until
all the servers for the zone are answering with this new NS RRset.
Step 4: Inform the parent zone of the new NS RRset then wait for all
the parent servers to be answering with the new NS RRset.
Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for
how long. If you are just adding nameservers you are done.
Step 6: Remove any old nameservers from the zones NS RRset and wait for
all the servers for the zone to be serving the new NS RRset.
Step 7: Inform the parent zone of the new NS RRset then wait for all
the parent servers to be answering with the new NS RRset.
Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for
how long.
Step 9: Turn off the old nameservers or remove the zone entry from the
configuration of the old nameservers.
Step 10: Increment the serial number and wait for the change to be
visible in all nameservers for the zone. This ensures that zone
transfers are still working after the old servers are decommissioned.
Note: the above procedure is designed to be transparent to dns clients.
Decommissioning the old servers too early will result in some clients
not being able to look up answers in the zone.
Note: while it is possible to run the addition and removal stages
together it is not recommended.
4. General Questions
Q: I keep getting log messages like the following. Why?
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
update failed: 'RRset exists (value dependent)' prerequisite not
satisfied (NXRRSET)
A: DNS updates allow the update request to test to see if certain
conditions are met prior to proceeding with the update. The message
above is saying that conditions were not met and the update is not
proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
Q: I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
A: Someone is trying to update your DNS data using the RFC2136 Dynamic
Update protocol. Windows 2000 machines have a habit of sending dynamic
update requests to DNS servers without being specifically configured to
do so. If the update requests are coming from a Windows 2000 machine,
see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
for information about how to turn them off.
Q: When I do a "dig . ns", many of the A records for the root servers are
missing. Why?
A: This is normal and harmless. It is a somewhat confusing side effect of
the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
makes to avoid promoting glue into answers.
When BIND 9 first starts up and primes its cache, it receives the root
server addresses as additional data in an authoritative response from a
root server, and these records are eligible for inclusion as additional
data in responses. Subsequently it receives a subset of the root server
addresses as additional data in a non-authoritative (referral) response
from a root server. This causes the addresses to now be considered
non-authoritative (glue) data, which is not eligible for inclusion in
responses.
The server does have a complete set of root server addresses cached at
all times, it just may not include all of them as additional data,
depending on whether they were last received as answers or as glue. You
can always look up the addresses with explicit queries like "dig
a.root-servers.net A".
Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
A: A zone can be updated either by editing zone files and reloading the
server or by dynamic update, but not both. If you have enabled dynamic
update for a zone using the "allow-update" option, you are not supposed
to edit the zone file by hand, and the server will not attempt to
reload it.
Q: Why is named listening on UDP port other than 53?
A: Named uses a system selected port to make queries of other nameservers.
This behaviour can be overridden by using query-source to lock down the
port and/or address. See also notify-source and transfer-source.
Q: I get warning messages like "zone example.com/IN: refresh: failure
trying master 1.2.3.4#53: timed out".
A: Check that you can make UDP queries from the slave to the master
dig +norec example.com soa @1.2.3.4
You could be generating queries faster than the slave can cope with.
Lower the serial query rate.
serial-query-rate 5; // default 20
Q: I don't get RRSIG's returned when I use "dig +dnssec".
A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
Q: Can a NS record refer to a CNAME.
A: No. The rules for glue (copies of the *address* records in the parent
zones) and additional section processing do not allow it to work.
You would have to add both the CNAME and address records (A/AAAA) as
glue to the parent zone and have CNAMEs be followed when doing
additional section processing to make it work. No nameserver
implementation supports either of these requirements.
Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
mean?
A: If the IN-ADDR.ARPA name covered refers to a internal address space you
are using then you have failed to follow RFC 1918 usage rules and are
leaking queries to the Internet. You should establish your own zones
for these addresses to prevent you querying the Internet's name servers
for these addresses. Please see <http://as112.net/> for details of the
problems you are causing and the counter measures that have had to be
deployed.
If you are not using these private addresses then a client has queried
for them. You can just ignore the messages, get the offending client to
stop sending you these messages as they are most probably leaking them
or setup your own zones empty zones to serve answers to these queries.
zone "10.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "16.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
...
zone "31.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "168.192.IN-ADDR.ARPA" {
type master;
file "empty";
};
empty:
@ 10800 IN SOA <name-of-server>. <contact-email>. (
1 3600 1200 604800 10800 )
@ 10800 IN NS <name-of-server>.
Note
Future versions of named are likely to do this automatically.
Q: Will named be affected by the 2007 changes to daylight savings rules in
the US.
A: No, so long as the machines internal clock (as reported by "date -u")
remains at UTC. The only visible change if you fail to upgrade your OS,
if you are in a affected area, will be that log messages will be a hour
out during the period where the old rules do not match the new rules.
For most OS's this change just means that you need to update the
conversion rules from UTC to local time. Normally this involves
updating a file in /etc (which sets the default timezone for the
machine) and possibly a directory which has all the conversion rules
for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
forget to update any chroot areas as well. See your OS's documentation
for more details.
The local timezone conversion rules can also be done on a individual
basis by setting the TZ environment variable appropriately. See your
OS's documentation for more details.
Q: Is there a bugzilla (or other tool) database that mere mortals can have
(read-only) access to for bind?
A: No. The BIND 9 bug database is kept closed for a number of reasons.
These include, but are not limited to, that the database contains
proprietory information from people reporting bugs. The database has in
the past and may in future contain unfixed bugs which are capable of
bringing down most of the Internet's DNS infrastructure.
The release pages for each version contain up to date lists of bugs
that have been fixed post release. That is as close as we can get to
providing a bug database.
Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
A: NSEC3 records are strictly meta data and can only be returned in the
authority section. This is done so that signing the zone using NSEC3
records does not bring names into existence that do not exist in the
unsigned version of the zone.
5. Operating-System Specific Questions
5.1. HPUX
Q: I get the following error trying to configure BIND:
checking if unistd.h or sys/types.h defines fd_set... no
configure: error: need either working unistd.h or sys/select.h
A: You have attempted to configure BIND with the bundled C compiler. This
compiler does not meet the minimum compiler requirements to for
building BIND. You need to install a ANSI C compiler and / or teach
configure how to find the ANSI C compiler. The later can be done by
adjusting the PATH environment variable and / or specifying the
compiler via CC.
./configure CC=<compiler> ...
5.2. Linux
Q: Why do I get the following errors:
general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error
A: This is the result of a Linux kernel bug.
See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
2>
Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
A: This is due to a kernel bug where the fact that a socket is marked
non-blocking is ignored. It is reported that setting xfrm_larval_drop
to 1 helps but this may have negative side effects. See: <https://
bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
2007/12/4/260>.
xfrm_larval_drop can be set to 1 by the following procedure:
echo "1" > proc/sys/net/core/xfrm_larval_drop
Q: Why do I see 5 (or more) copies of named on Linux?
A: Linux threads each show up as a process under ps. The approximate
number of threads running is n+4, where n is the number of CPUs. Note
that the amount of memory used is not cumulative; if each process is
using 10M of memory, only a total of 10M is used.
Newer versions of Linux's ps command hide the individual threads and
require -L to display them.
Q: Why does BIND 9 log "permission denied" errors accessing its
configuration files or zones on my Linux system even though it is
running as root?
A: On Linux, BIND 9 drops most of its root privileges on startup. This
including the privilege to open files owned by other users. Therefore,
if the server is running as root, the configuration files and zone
files should also be owned by root.
Q: I get the error message "named: capset failed: Operation not permitted"
when starting named.
A: The capability module, part of "Linux Security Modules/LSM", has not
been loaded into the kernel. See insmod(8), modprobe(8).
The relevant modules can be loaded by running:
modprobe commoncap
modprobe capability
Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update the master zones
from journals?
Why can't named create custom log files?
A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
Red Hat have adopted the National Security Agency's SELinux security
policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
security , which are more secure than running named in a chroot and
make use of the bind-chroot environment unnecessary .
By default, named is not allowed by the SELinux policy to write, create
or delete any files EXCEPT in these directories:
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
installed.
The SELinux policy particularly does NOT allow named to modify the
$ROOTDIR/var/named directory, the default location for master zone
database files.
SELinux policy overrules file access permissions - so even if all the
files under /var/named have ownership named:named and mode rw-rw-r--,
named will still not be able to write or create files except in the
directories above, with SELinux in Enforcing mode.
So, to allow named to update slave or DDNS zone files, it is best to
locate them in $ROOTDIR/var/named/slaves, with named.conf zone
statements such as:
zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-updates {...};
file "slaves/ddns.zone.db";
};
To allow named to create its cache dump and statistics files, for
example, you could use named.conf options statements such as:
options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};
You can also tell SELinux to allow named to update any zone database
files, by setting the SELinux tunable boolean parameter
'named_write_master_zones=1', using the system-config-securitylevel
GUI, using the 'setsebool' command, or in /etc/selinux/targeted/
booleans.
You can disable SELinux protection for named entirely by setting the
'named_disable_trans=1' SELinux tunable boolean parameter.
The SELinux named policy defines these SELinux contexts for named:
named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
If you want to retain use of the SELinux policy for named, and put
named files in different locations, you can do so by changing the
context of the custom file locations .
To create a custom configuration file location, e.g. '/root/
named.conf', to use with the 'named -c' option, do:
# chcon system_u:object_r:named_conf_t /root/named.conf
To create a custom modifiable named data location, e.g. '/var/log/
named' for a log file, do:
# chcon system_u:object_r:named_cache_t /var/log/named
To create a custom zone file location, e.g. /root/zones/, do:
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
See these man-pages for more information : selinux(8), named_selinux
(8), chcon(1), setsebool(8)
Q: I'm running BIND on Ubuntu -
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update the master zones
from journals?
Why can't named create custom log files?
A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
addition to normal file system permissions to protect the system.
Adjust the paths to use those specified in /etc/apparmor.d/
usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named
to write at the location specified in named.conf.
Q: Listening on individual IPv6 interfaces does not work.
A: This is usually due to "/proc/net/if_inet6" not being available in the
chroot file system. Mount another instance of "proc" in the chroot file
system.
This can be be made permanent by adding a second instance to /etc/
fstab.
proc /proc proc defaults 0 0
proc /var/named/proc proc defaults 0 0
5.3. Windows
Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
Why?
A: This may be caused by a bug in the Windows 2000 DNS server where DNS
messages larger than 16K are not handled properly. This can be worked
around by setting the option "transfer-format one-answer;". Also check
whether your zone contains domain names with embedded spaces or other
special characters, like "John\032Doe\213s\032Computer", since such
names have been known to cause Windows 2000 slaves to incorrectly
reject the zone.
Q: I get "Error 1067" when starting named under Windows.
A: This is the service manager saying that named exited. You need to
examine the Application log in the EventViewer to find out why.
Common causes are that you failed to create "named.conf" (usually "C:\
windows\dns\etc\named.conf") or failed to specify the directory in
named.conf.
options {
Directory "C:\windows\dns\etc";
};
5.4. FreeBSD
Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
use certain interrupts as a source of random events. You can make this
permanent by setting rand_irqs in /etc/rc.conf.
rand_irqs="3 14 15"
See also <http://people.freebsd.org/~dougb/randomness.html>.
5.5. Solaris
Q: How do I integrate BIND 9 and Solaris SMF
A: Sun has a blog entry describing how to do this.
<http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
5.6. Apple Mac OS X
Q: How do I run BIND 9 on Apple Mac OS X?
A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
% sudo rndc-confgen > /etc/rndc.conf
Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
key "rndc-key" {
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};
Then start the relevant service:
% sudo service org.isc.named start
This is persistent upon a reboot, so you will have to do it only once.
A: Alternatively you can just generate /etc/rndc.key by running:
% sudo rndc-confgen -a
Then start the relevant service:
% sudo service org.isc.named start
Named will look for /etc/rndc.key when it starts if it doesn't have a
controls section or the existing controls are missing keys sub-clauses.
This is persistent upon a reboot, so you will have to do it only once.

1599
FAQ.xml

File diff suppressed because it is too large Load Diff

873
HISTORY
View File

@@ -1,540 +1,397 @@
Summary of functional enhancements from prior major releases of BIND 9:
Functional enhancements from prior major releases of BIND 9
BIND 9.10.0
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
- DNS Response-rate limiting (DNS RRL), which blunts the
impact of reflection and amplification attacks, is always
compiled in and no longer requires a compile-time option
to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
is now available. Similar to DNS Cookies as invented by
Donald Eastlake 3rd, these are designed to enable clients
to detect off-path spoofed responses, and to enable servers
to detect spoofed-source queries. Servers can be configured
to send smaller responses to clients that have not identified
themselves using a SIT option, reducing the effectiveness of
amplification attacks. RRL processing has also been updated;
clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this
feature in BIND.
- A new zone file format, "map", stores zone data in a
format that can be mapped directly into memory, allowing
significantly faster zone loading.
- "delv" (domain entity lookup and validation) is a new tool
with dig-like semantics for looking up DNS data and performing
internal DNSSEC validation. This allows easy validation in
environments where the resolver may not be trustworthy, and
assists with troubleshooting of DNSSEC problems. (NOTE:
In previous development releases of BIND 9.10, this utility
was called "delve". The spelling has been changed to avoid
confusion with the "delve" utility included with the Xapian
search engine.)
- Improved EDNS(0) processing for better resolver performance
and reliability over slow or lossy connections.
- A new "configure --with-tuning=large" option tunes certain
compiled-in constants and default settings to values better
suited to large servers with abundant memory. This can
improve performance on such servers, but will consume more
memory and may degrade performance on smaller systems.
- Substantial improvement in response-policy zone (RPZ)
performance. Up to 32 response-policy zones can be
configured with minimal performance loss.
- To improve recursive resolver performance, cache records
which are still being requested by clients can now be
automatically refreshed from the authoritative server
before they expire, reducing or eliminating the time
window in which no answer is available in the cache.
- New "rpz-client-ip" triggers and drop policies allowing
response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location
using the MaxMind GeoIP databases. Use "configure
--with-geoip" to enable.
- Zone data can now be shared between views, allowing
multiple views to serve the same zones authoritatively
without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel
includes many new statistics and uses a flattened XML tree
for faster parsing. The older schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays
XML statistics in charts and graphs on javascript-enabled
browsers.
- The statistics channel can now provide data in JSON
format as well as XML.
- New stats counters track TCP and UDP queries received
per zone, and EDNS options received in total.
- The internal and export versions of the BIND libraries
(libisc, libdns, etc) have been unified so that external
library clients can use the same libraries as BIND itself.
- A new compile-time option, "configure --enable-native-pkcs11",
allows BIND 9 cryptography functions to use the PKCS#11 API
natively, so that BIND can drive a cryptographic hardware
service module (HSM) directly instead of using a modified
OpenSSL as an intermediary. (Note: This feature requires an
HSM to have a full implementation of the PKCS#11 API; many
current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness.
Native PKCS#11 is known to work with the Thales nShield HSM
and with SoftHSM version 2 from the Open DNSSEC project.)
- The new "max-zone-ttl" option enforces maximum TTLs for
zones. This can simplify the process of rolling DNSSEC keys
by guaranteeing that cached signatures will have expired
within the specified amount of time.
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
querying.
- "dig +expire" sends an EDNS EXPIRE option when querying.
When this option is sent with an SOA query to a server
that supports it, it will report the expiry time of
a slave zone.
- New "dnssec-coverage" tool to check DNSSEC key coverage
for a zone and report if a lapse in signing coverage has
been inadvertently scheduled.
- Signing algorithm flexibility and other improvements
for the "rndc" control channel.
- "named-checkzone" and "named-compilezone" can now read
journal files, allowing them to process dynamic zones.
- Multiple DLZ databases can now be configured. Individual
zones can be configured to be served from a specific DLZ
database. DLZ databases now serve zones of type "master"
and "redirect".
- "rndc zonestatus" reports information about a specified zone.
- "named" now listens on IPv6 as well as IPv4 interfaces
by default.
- "named" now preserves the capitalization of names
when responding to queries: for instance, a query for
"example.com" may be answered with "example.COM" if the
name was configured that way in the zone file. Some
clients have a bug causing them to depend on the older
behavior, in which the case of the answer always matched
the case of the query, rather than the case of the name
configured in the DNS. Such clients can now be specified
in the new "no-case-compress" ACL; this will restore the
older behavior of "named" for those clients only.
- new "dnssec-importkey" command allows the use of offline
DNSSEC keys with automatic DNSKEY management.
- New "named-rrchecker" tool to verify the syntactic
correctness of individual resource records.
- When re-signing a zone, the new "dnssec-signzone -Q" option
drops signatures from keys that are still published but are
no longer active.
- "named-checkconf -px" will print the contents of configuration
files with the shared secrets obscured, making it easier to
share configuration (e.g. when submitting a bug report)
without revealing private information.
- "rndc scan" causes named to re-scan network interfaces for
changes in local addresses.
- On operating systems with support for routing sockets,
network interfaces are re-scanned automatically whenever
they change.
- "tsig-keygen" is now available as an alternate command
name to use for "ddns-confgen".
* DNS Response-rate limiting (DNS RRL), which blunts the impact of
reflection and amplification attacks, is always compiled in and no
longer requires a compile-time option to enable it.
* An experimental "Source Identity Token" (SIT) EDNS option is now
available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
these are designed to enable clients to detect off-path spoofed
responses, and to enable servers to detect spoofed-source queries.
Servers can be configured to send smaller responses to clients that
have not identified themselves using a SIT option, reducing the
effectiveness of amplification attacks. RRL processing has also been
updated; clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this feature in
BIND.
* A new zone file format, "map", stores zone data in a format that can
be mapped directly into memory, allowing significantly faster zone
loading.
* "delv" (domain entity lookup and validation) is a new tool with
dig-like semantics for looking up DNS data and performing internal
DNSSEC validation. This allows easy validation in environments where
the resolver may not be trustworthy, and assists with troubleshooting
of DNSSEC problems. (NOTE: In previous development releases of BIND
9.10, this utility was called "delve". The spelling has been changed
to avoid confusion with the "delve" utility included with the Xapian
search engine.)
* Improved EDNS(0) processing for better resolver performance and
reliability over slow or lossy connections.
* A new "configure --with-tuning=large" option tunes certain compiled-in
constants and default settings to values better suited to large
servers with abundant memory. This can improve performance on such
servers, but will consume more memory and may degrade performance on
smaller systems.
* Substantial improvement in response-policy zone (RPZ) performance. Up
to 32 response-policy zones can be configured with minimal performance
loss.
* To improve recursive resolver performance, cache records which are
still being requested by clients can now be automatically refreshed
from the authoritative server before they expire, reducing or
eliminating the time window in which no answer is available in the
cache.
* New "rpz-client-ip" triggers and drop policies allowing response
policies based on the IP address of the client.
* ACLs can now be specified based on geographic location using the
MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
* Zone data can now be shared between views, allowing multiple views to
serve the same zones authoritatively without storing multiple copies
in memory.
* New XML schema (version 3) for the statistics channel includes many
new statistics and uses a flattened XML tree for faster parsing. The
older schema is now deprecated.
* A new stylesheet, based on the Google Charts API, displays XML
statistics in charts and graphs on javascript-enabled browsers.
* The statistics channel can now provide data in JSON format as well as
XML.
* New stats counters track TCP and UDP queries received per zone, and
EDNS options received in total.
* The internal and export versions of the BIND libraries (libisc,
libdns, etc) have been unified so that external library clients can
use the same libraries as BIND itself.
* A new compile-time option, "configure --enable-native-pkcs11", allows
BIND 9 cryptography functions to use the PKCS#11 API natively, so that
BIND can drive a cryptographic hardware service module (HSM) directly
instead of using a modified OpenSSL as an intermediary. (Note: This
feature requires an HSM to have a full implementation of the PKCS#11
API; many current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness. Native
PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
version 2 from the Open DNSSEC project.)
* The new "max-zone-ttl" option enforces maximum TTLs for zones. This
can simplify the process of rolling DNSSEC keys by guaranteeing that
cached signatures will have expired within the specified amount of
time.
* "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
* "dig +expire" sends an EDNS EXPIRE option when querying. When this
option is sent with an SOA query to a server that supports it, it will
report the expiry time of a slave zone.
* New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
report if a lapse in signing coverage has been inadvertently
scheduled.
* Signing algorithm flexibility and other improvements for the "rndc"
control channel.
* "named-checkzone" and "named-compilezone" can now read journal files,
allowing them to process dynamic zones.
* Multiple DLZ databases can now be configured. Individual zones can be
configured to be served from a specific DLZ database. DLZ databases
now serve zones of type "master" and "redirect".
* "rndc zonestatus" reports information about a specified zone.
* "named" now listens on IPv6 as well as IPv4 interfaces by default.
* "named" now preserves the capitalization of names when responding to
queries: for instance, a query for "example.com" may be answered with
"example.COM" if the name was configured that way in the zone file.
Some clients have a bug causing them to depend on the older behavior,
in which the case of the answer always matched the case of the query,
rather than the case of the name configured in the DNS. Such clients
can now be specified in the new "no-case-compress" ACL; this will
restore the older behavior of "named" for those clients only.
* new "dnssec-importkey" command allows the use of offline DNSSEC keys
with automatic DNSKEY management.
* New "named-rrchecker" tool to verify the syntactic correctness of
individual resource records.
* When re-signing a zone, the new "dnssec-signzone -Q" option drops
signatures from keys that are still published but are no longer
active.
* "named-checkconf -px" will print the contents of configuration files
with the shared secrets obscured, making it easier to share
configuration (e.g. when submitting a bug report) without revealing
private information.
* "rndc scan" causes named to re-scan network interfaces for changes in
local addresses.
* On operating systems with support for routing sockets, network
interfaces are re-scanned automatically whenever they change.
* "tsig-keygen" is now available as an alternate command name to use for
"ddns-confgen".
BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:
- Inline signing, allowing automatic DNSSEC signing of
master zones without modification of the zonefile, or
"bump in the wire" signing in slaves.
- NXDOMAIN redirection.
- New 'rndc flushtree' command clears all data under a given
name from the DNS cache.
- New 'rndc sync' command dumps pending changes in a dynamic
zone to disk without a freeze/thaw cycle.
- New 'rndc signing' command displays or clears signing status
records in 'auto-dnssec' zones.
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
to signing, eliminating the need to initially sign with NSEC.
- Startup time improvements on large authoritative servers.
- Slave zones are now saved in raw format by default.
- Several improvements to response policy zones (RPZ).
- Improved hardware scalability by using multiple threads
to listen for queries and using finer-grained client locking
- The 'also-notify' option now takes the same syntax as
'masters', so it can used named masterlists and TSIG keys.
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
- 'dnssec-signzone -R' forces removal of signatures that are
not expired but were created by a key which no longer exists.
- 'dnssec-signzone -X' allows a separate expiration date to
be specified for DNSKEY signatures from other signatures.
- New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
- dnssec-dsfromkey now supports reading from standard input,
to make it easier to convert DNSKEY to DS.
- RFC 1918 reverse zones have been added to the empty-zones
table per RFC 6303.
- Dynamic updates can now optionally set the zone's SOA serial
number to the current UNIX time.
- DLZ modules can now retrieve the source IP address of
the querying client.
- 'request-ixfr' option can now be set at the per-zone level.
- 'dig +rrcomments' turns on comments about DNSKEY records,
indicating their key ID, algorithm and function
- Simplified nsupdate syntax and added readline support
* Inline signing, allowing automatic DNSSEC signing of master zones
without modification of the zonefile, or "bump in the wire" signing in
slaves.
* NXDOMAIN redirection.
* New 'rndc flushtree' command clears all data under a given name from
the DNS cache.
* New 'rndc sync' command dumps pending changes in a dynamic zone to
disk without a freeze/thaw cycle.
* New 'rndc signing' command displays or clears signing status records
in 'auto-dnssec' zones.
* NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
signing, eliminating the need to initially sign with NSEC.
* Startup time improvements on large authoritative servers.
* Slave zones are now saved in raw format by default.
* Several improvements to response policy zones (RPZ).
* Improved hardware scalability by using multiple threads to listen for
queries and using finer-grained client locking
* The 'also-notify' option now takes the same syntax as 'masters', so it
can used named masterlists and TSIG keys.
* 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
* 'dnssec-signzone -R' forces removal of signatures that are not expired
but were created by a key which no longer exists.
* 'dnssec-signzone -X' allows a separate expiration date to be specified
for DNSKEY signatures from other signatures.
* New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
* dnssec-dsfromkey now supports reading from standard input, to make it
easier to convert DNSKEY to DS.
* RFC 1918 reverse zones have been added to the empty-zones table per
RFC 6303.
* Dynamic updates can now optionally set the zone's SOA serial number to
the current UNIX time.
* DLZ modules can now retrieve the source IP address of the querying
client.
* 'request-ixfr' option can now be set at the per-zone level.
* 'dig +rrcomments' turns on comments about DNSKEY records, indicating
their key ID, algorithm and function
* Simplified nsupdate syntax and added readline support
BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
- Built-in trust anchor for the root zone, which can be
switched on via "dnssec-validation auto;"
- Support for DNS64.
- Support for response policy zones (RPZ).
- Support for writable DLZ zones.
- Improved ease of configuration of GSS/TSIG for
interoperability with Active Directory
- Support for GOST signing algorithm for DNSSEC.
- Removed RTT Banding from server selection algorithm.
- New "static-stub" zone type.
- Allow configuration of resolver timeouts via
"resolver-query-timeout" option.
- The DLZ "dlopen" driver is now built by default.
- Added a new include file with function typedefs
for the DLZ "dlopen" driver.
- Made "--with-gssapi" default.
- More verbose error reporting from DLZ LDAP.
* Built-in trust anchor for the root zone, which can be switched on via
"dnssec-validation auto;"
* Support for DNS64.
* Support for response policy zones (RPZ).
* Support for writable DLZ zones.
* Improved ease of configuration of GSS/TSIG for interoperability with
Active Directory
* Support for GOST signing algorithm for DNSSEC.
* Removed RTT Banding from server selection algorithm.
* New "static-stub" zone type.
* Allow configuration of resolver timeouts via "resolver-query-timeout"
option.
* The DLZ "dlopen" driver is now built by default.
* Added a new include file with function typedefs for the DLZ "dlopen"
driver.
* Made "--with-gssapi" default.
* More verbose error reporting from DLZ LDAP.
BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration.
New features include:
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration. New features
include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
* Fully automatic signing of zones by "named".
* Simplified configuration of DNSSEC Lookaside Validation (DLV).
* Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
* New named option "attach-cache" that allows multiple views to share a
single cache.
* DNS rebinding attack prevention.
* New default values for dnssec-keygen parameters.
* Support for RFC 5011 automated trust anchor maintenance
* Smart signing: simplified tools for zone signing and key maintenance.
* The "statistics-channels" option is now available on Windows.
* A new DNSSEC-aware libdns API for use by non-BIND9 applications
* On some platforms, named and other binaries can now print out a stack
backtrace on assertion failure, to aid in debugging.
* A "tools only" installation mode on Windows, which only installs dig,
host, nslookup and nsupdate.
* Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
BIND 9.6.0
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.
Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.
* Full NSEC3 support
* Automatic zone re-signing
* New update-policy methods tcp-self and 6to4-self
* The BIND 8 resolver library, libbind, has been removed from the BIND 9
distribution and is now available as a separate download.
* Change the default pid file location from /var/run to /var/run/
{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0
GSS-TSIG support (RFC 3645).
DHCID support.
Experimental http server and statistics support for named via xml.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Use Doxygen to generate internal documentation.
Efficient LRU cache-cleaning mechanism.
NSID support.
* GSS-TSIG support (RFC 3645).
* DHCID support.
* Experimental http server and statistics support for named via xml.
* More detailed statistics counters including those supported in BIND 8.
* Faster ACL processing.
* Use Doxygen to generate internal documentation.
* Efficient LRU cache-cleaning mechanism.
* NSID support.
BIND 9.4.0
Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.
New notify type 'master-only'. Enable notify for master
zones only.
Accept 'notify-source' style syntax for query-source.
rndc now allows addresses to be set in the server clauses.
New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
rndc: the source address can now be specified.
ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.
Allow the journal's name to be changed via named.conf.
'rndc notify zone [class [view]]' resend the NOTIFY messages
for the specified zone.
'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.
Improve check-names error messages.
Make public the function to read a key file, dst_key_read_public().
dig now returns the byte count for axfr/ixfr.
allow-update is now settable at the options / view level.
named-checkconf now checks the logging configuration.
host now can turn on memory debugging flags with '-m'.
Don't send notify messages to self.
Perform sanity checks on NS records which refer to 'in zone' names.
New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.
Extend adjusting TTL warning messages.
Named and named-checkzone can now both check for non-terminal
wildcard records.
"rndc freeze/thaw" now freezes/thaws all zones.
named-checkconf now check acls to verify that they only
refer to existing acls.
The server syntax has been extended to support a range of
servers.
Report differences between hints and real NS rrset and
associated address records.
Preserve the case of domain names in rdata during zone
transfers.
Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.
UNIX domain controls are now supported.
Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output
formats.
dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).
Add support for CH A record.
Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV record and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.
edns-udp-size can now be overridden on a per server basis.
dig can now specify the EDNS version when making a query.
Added framework for handling multiple EDNS versions.
Additional memory debugging support to track size and mctx
arguments.
Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".
"USE INTERNAL MALLOC" is now runtime selectable.
The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query
types.
Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.
dig: report the number of extra bytes still left in the
packet after processing all the records.
Support for IPSECKEY rdata type.
Raise the UDP recieve buffer size to 32k if it is less than 32k.
x86 and x86_64 now have seperate atomic locking implementations.
named-checkconf now validates update-policy entries.
Attempt to make the amount of work performed in a iteration
self tuning. The covers nodes clean from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a
zone or a cache.
ISC string copy API.
Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.
New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.
dig now has a '-q queryname' and '+showsearch' options.
host/nslookup now continue (default)/fail on SERVFAIL.
dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly
set.
Integrate contibuted DLZ code into named.
Integrate contibuted IDN code from JPNIC.
libbind: corresponds to that from BIND 8.4.7.
* Implemented "additional section caching (or acache)", an internal
cache framework for additional section content to improve response
performance. Several configuration options were provided to control
the behavior.
* New notify type 'master-only'. Enable notify for master zones only.
* Accept 'notify-source' style syntax for query-source.
* rndc now allows addresses to be set in the server clauses.
* New option "allow-query-cache". This lets "allow-query" be used to
specify the default zone access level rather than having to have every
zone override the global value. "allow-query-cache" can be set at both
the options and view levels. If "allow-query-cache" is not set then
"allow-recursion" is used if set, otherwise "allow-query" is used if
set unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
* rndc: the source address can now be specified.
* ixfr-from-differences now takes master and slave in addition to yes
and no at the options and view levels.
* Allow the journal's name to be changed via named.conf.
* 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
specified zone.
* 'dig +trace' now randomly selects the next servers to try. Report if
there is a bad delegation.
* Improve check-names error messages.
* Make public the function to read a key file, dst_key_read_public().
* dig now returns the byte count for axfr/ixfr.
* allow-update is now settable at the options / view level.
* named-checkconf now checks the logging configuration.
* host now can turn on memory debugging flags with '-m'.
* Don't send notify messages to self.
* Perform sanity checks on NS records which refer to 'in zone' names.
* New zone option "notify-delay". Specify a minimum delay between sets
of NOTIFY messages.
* Extend adjusting TTL warning messages.
* Named and named-checkzone can now both check for non-terminal wildcard
records.
* "rndc freeze/thaw" now freezes/thaws all zones.
* named-checkconf now check acls to verify that they only refer to
existing acls.
* The server syntax has been extended to support a range of servers.
* Report differences between hints and real NS rrset and associated
address records.
* Preserve the case of domain names in rdata during zone transfers.
* Restructured the data locking framework using architecture dependent
atomic operations (when available), improving response performance on
multi-processor machines significantly. x86, x86_64, alpha, powerpc,
and mips are currently supported.
* UNIX domain controls are now supported.
* Add support for additional zone file formats for improving loading
performance. The masterfile-format option in named.conf can be used to
specify a non-default format. A separate command named-compilezone was
provided to generate zone files in the new format. Additionally, the
-I and -O options for dnssec-signzone specify the input and output
formats.
* dnssec-signzone can now randomize signature end times (dnssec-signzone
-j jitter).
* Add support for CH A record.
* Add additional zone data constancy checks. named-checkzone has
extended checking of NS, MX and SRV record and the hosts they
reference. named has extended post zone load checks. New zone options:
check-mx and integrity-check.
* edns-udp-size can now be overridden on a per server basis.
* dig can now specify the EDNS version when making a query.
* Added framework for handling multiple EDNS versions.
* Additional memory debugging support to track size and mctx arguments.
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a basis as some servers only appear to
be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
query () to resolve. New options clients-per-query and
max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.
* Raise the UDP recieve buffer size to 32k if it is less than 32k.
* x86 and x86_64 now have seperate atomic locking implementations.
* named-checkconf now validates update-policy entries.
* Attempt to make the amount of work performed in a iteration self
tuning. The covers nodes clean from the cache per iteration, nodes
written to disk when rewriting a master file and nodes destroyed per
iteration when destroying a zone or a cache.
* ISC string copy API.
* Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
1918 zones are not yet covered by this but are likely to be in a
future release.
* New options: empty-server, empty-contact, empty-zones-enable and
disable-empty-zone.
* dig now has a '-q queryname' and '+showsearch' options.
* host/nslookup now continue (default)/fail on SERVFAIL.
* dig now warns if 'RA' is not set in the answer when 'RD' was set in
the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
is set unless a server is explicitly set.
* Integrate contibuted DLZ code into named.
* Integrate contibuted IDN code from JPNIC.
* libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0
DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
DNSSEC lookaside validation.
check-names is now implemented.
rrset-order in more complete.
IPv4/IPv6 transition support, dual-stack-servers.
IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
It is now possible to specify the size of a journal, max-journal-size.
It is now possible to define a named set of master servers to be
used in masters clause, masters.
The advertised EDNS UDP size can now be set, edns-udp-size.
allow-v6-synthesis has been obsoleted.
NOTE:
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
NOTIMP rather than NOTIMPL. This will have impact on scripts
that are looking for NOTIMPL.
libbind: corresponds to that from BIND 8.4.5.
* DNSSEC is now DS based (RFC 3658).
* DNSSEC lookaside validation.
* check-names is now implemented.
* rrset-order is more complete.
* IPv4/IPv6 transition support, dual-stack-servers.
* IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
* It is now possible to specify the size of a journal, max-journal-size.
* It is now possible to define a named set of master servers to be used
in masters clause, masters.
* The advertised EDNS UDP size can now be set, edns-udp-size.
* allow-v6-synthesis has been obsoleted.
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
NOTIMPL. This will have impact on scripts that are looking for
NOTIMPL.
* libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0
The size of the cache can now be limited using the
"max-cache-size" option.
* The size of the cache can now be limited using the "max-cache-size"
option.
* The server can now automatically convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when enabled using the new
option "allow-v6-synthesis". This allows stub resolvers that support
AAAA records but not A6 record chains or binary labels to perform
lookups in domains that make use of these IPv6 DNS features.
* Performance has been improved.
* The man pages now use the more portable "man" macros rather than the
"mandoc" macros, and are installed by "make install".
* The named.conf parser has been completely rewritten. It now supports
"include" directives in more places such as inside "view" statements,
and it no longer has any reserved words.
* The "rndc status" command is now implemented.
* rndc can now be configured automatically.
* A BIND 8 compatible stub resolver library is now included in lib/bind.
* OpenSSL has been removed from the distribution. This means that to use
DNSSEC, OpenSSL must be installed and the --with-openssl option must
be supplied to configure. This does not apply to the use of TSIG,
which does not require OpenSSL.
* The source distribution now builds on Windows. See win32utils/
readme1.txt and win32utils/win32-build.txt for details.
* This distribution also includes a new lightweight stub resolver
library and associated resolver daemon that fully support forward and
reverse lookups of both IPv4 and IPv6 addresses. This library is
considered experimental and is not a complete replacement for the BIND
8 resolver library. Applications that use the BIND 8 res_* functions
to perform DNS lookups or dynamic updates still need to be linked
against the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
* BIND 9.2 is capable of acting as an authoritative server for DNSSEC
secured zones. This functionality is believed to be stable and
complete except for lacking support for verifications involving
wildcard records in secure zones.
* When acting as a caching server, BIND 9.2 can be configured to perform
DNSSEC secure resolution on behalf of its clients. This part of the
DNSSEC implementation is still considered experimental. For detailed
information about the state of the DNSSEC implementation, see the file
doc/misc/dnssec.
The server can now automatically convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when enabled using the
new option "allow-v6-synthesis". This allows stub resolvers that
support AAAA records but not A6 record chains or binary labels to
perform lookups in domains that make use of these IPv6 DNS
features.
Performance has been improved.
The man pages now use the more portable "man" macros rather than
the "mandoc" macros, and are installed by "make install".
The named.conf parser has been completely rewritten. It now
supports "include" directives in more places such as inside "view"
statements, and it no longer has any reserved words.
The "rndc status" command is now implemented.
rndc can now be configured automatically.
A BIND 8 compatible stub resolver library is now included in
lib/bind.
OpenSSL has been removed from the distribution. This means that to
use DNSSEC, OpenSSL must be installed and the --with-openssl option
must be supplied to configure. This does not apply to the use of
TSIG, which does not require OpenSSL.
The source distribution now builds on Windows. See
win32utils/readme1.txt and win32utils/win32-build.txt for details.
This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.
When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.
There are a few known bugs:
On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.
FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) reports errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
--with-libtool does not work on AIX.
A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

414
HISTORY.md Normal file
View File

@@ -0,0 +1,414 @@
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
### Functional enhancements from prior major releases of BIND 9
#### BIND 9.10.0
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
- DNS Response-rate limiting (DNS RRL), which blunts the
impact of reflection and amplification attacks, is always
compiled in and no longer requires a compile-time option
to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
is now available. Similar to DNS Cookies as invented by
Donald Eastlake 3rd, these are designed to enable clients
to detect off-path spoofed responses, and to enable servers
to detect spoofed-source queries. Servers can be configured
to send smaller responses to clients that have not identified
themselves using a SIT option, reducing the effectiveness of
amplification attacks. RRL processing has also been updated;
clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this
feature in BIND.
- A new zone file format, "map", stores zone data in a
format that can be mapped directly into memory, allowing
significantly faster zone loading.
- "delv" (domain entity lookup and validation) is a new tool
with dig-like semantics for looking up DNS data and performing
internal DNSSEC validation. This allows easy validation in
environments where the resolver may not be trustworthy, and
assists with troubleshooting of DNSSEC problems. (NOTE:
In previous development releases of BIND 9.10, this utility
was called "delve". The spelling has been changed to avoid
confusion with the "delve" utility included with the Xapian
search engine.)
- Improved EDNS(0) processing for better resolver performance
and reliability over slow or lossy connections.
- A new "configure --with-tuning=large" option tunes certain
compiled-in constants and default settings to values better
suited to large servers with abundant memory. This can
improve performance on such servers, but will consume more
memory and may degrade performance on smaller systems.
- Substantial improvement in response-policy zone (RPZ)
performance. Up to 32 response-policy zones can be
configured with minimal performance loss.
- To improve recursive resolver performance, cache records
which are still being requested by clients can now be
automatically refreshed from the authoritative server
before they expire, reducing or eliminating the time
window in which no answer is available in the cache.
- New "rpz-client-ip" triggers and drop policies allowing
response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location
using the MaxMind GeoIP databases. Use "configure
--with-geoip" to enable.
- Zone data can now be shared between views, allowing
multiple views to serve the same zones authoritatively
without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel
includes many new statistics and uses a flattened XML tree
for faster parsing. The older schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays
XML statistics in charts and graphs on javascript-enabled
browsers.
- The statistics channel can now provide data in JSON
format as well as XML.
- New stats counters track TCP and UDP queries received
per zone, and EDNS options received in total.
- The internal and export versions of the BIND libraries
(libisc, libdns, etc) have been unified so that external
library clients can use the same libraries as BIND itself.
- A new compile-time option, "configure --enable-native-pkcs11",
allows BIND 9 cryptography functions to use the PKCS#11 API
natively, so that BIND can drive a cryptographic hardware
service module (HSM) directly instead of using a modified
OpenSSL as an intermediary. (Note: This feature requires an
HSM to have a full implementation of the PKCS#11 API; many
current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness.
Native PKCS#11 is known to work with the Thales nShield HSM
and with SoftHSM version 2 from the Open DNSSEC project.)
- The new "max-zone-ttl" option enforces maximum TTLs for
zones. This can simplify the process of rolling DNSSEC keys
by guaranteeing that cached signatures will have expired
within the specified amount of time.
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
querying.
- "dig +expire" sends an EDNS EXPIRE option when querying.
When this option is sent with an SOA query to a server
that supports it, it will report the expiry time of
a slave zone.
- New "dnssec-coverage" tool to check DNSSEC key coverage
for a zone and report if a lapse in signing coverage has
been inadvertently scheduled.
- Signing algorithm flexibility and other improvements
for the "rndc" control channel.
- "named-checkzone" and "named-compilezone" can now read
journal files, allowing them to process dynamic zones.
- Multiple DLZ databases can now be configured. Individual
zones can be configured to be served from a specific DLZ
database. DLZ databases now serve zones of type "master"
and "redirect".
- "rndc zonestatus" reports information about a specified zone.
- "named" now listens on IPv6 as well as IPv4 interfaces
by default.
- "named" now preserves the capitalization of names
when responding to queries: for instance, a query for
"example.com" may be answered with "example.COM" if the
name was configured that way in the zone file. Some
clients have a bug causing them to depend on the older
behavior, in which the case of the answer always matched
the case of the query, rather than the case of the name
configured in the DNS. Such clients can now be specified
in the new "no-case-compress" ACL; this will restore the
older behavior of "named" for those clients only.
- new "dnssec-importkey" command allows the use of offline
DNSSEC keys with automatic DNSKEY management.
- New "named-rrchecker" tool to verify the syntactic
correctness of individual resource records.
- When re-signing a zone, the new "dnssec-signzone -Q" option
drops signatures from keys that are still published but are
no longer active.
- "named-checkconf -px" will print the contents of configuration
files with the shared secrets obscured, making it easier to
share configuration (e.g. when submitting a bug report)
without revealing private information.
- "rndc scan" causes named to re-scan network interfaces for
changes in local addresses.
- On operating systems with support for routing sockets,
network interfaces are re-scanned automatically whenever
they change.
- "tsig-keygen" is now available as an alternate command
name to use for "ddns-confgen".
#### BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:
- Inline signing, allowing automatic DNSSEC signing of
master zones without modification of the zonefile, or
"bump in the wire" signing in slaves.
- NXDOMAIN redirection.
- New 'rndc flushtree' command clears all data under a given
name from the DNS cache.
- New 'rndc sync' command dumps pending changes in a dynamic
zone to disk without a freeze/thaw cycle.
- New 'rndc signing' command displays or clears signing status
records in 'auto-dnssec' zones.
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
to signing, eliminating the need to initially sign with NSEC.
- Startup time improvements on large authoritative servers.
- Slave zones are now saved in raw format by default.
- Several improvements to response policy zones (RPZ).
- Improved hardware scalability by using multiple threads
to listen for queries and using finer-grained client locking
- The 'also-notify' option now takes the same syntax as
'masters', so it can used named masterlists and TSIG keys.
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
- 'dnssec-signzone -R' forces removal of signatures that are
not expired but were created by a key which no longer exists.
- 'dnssec-signzone -X' allows a separate expiration date to
be specified for DNSKEY signatures from other signatures.
- New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
- dnssec-dsfromkey now supports reading from standard input,
to make it easier to convert DNSKEY to DS.
- RFC 1918 reverse zones have been added to the empty-zones
table per RFC 6303.
- Dynamic updates can now optionally set the zone's SOA serial
number to the current UNIX time.
- DLZ modules can now retrieve the source IP address of
the querying client.
- 'request-ixfr' option can now be set at the per-zone level.
- 'dig +rrcomments' turns on comments about DNSKEY records,
indicating their key ID, algorithm and function
- Simplified nsupdate syntax and added readline support
#### BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
- Built-in trust anchor for the root zone, which can be
switched on via "dnssec-validation auto;"
- Support for DNS64.
- Support for response policy zones (RPZ).
- Support for writable DLZ zones.
- Improved ease of configuration of GSS/TSIG for
interoperability with Active Directory
- Support for GOST signing algorithm for DNSSEC.
- Removed RTT Banding from server selection algorithm.
- New "static-stub" zone type.
- Allow configuration of resolver timeouts via
"resolver-query-timeout" option.
- The DLZ "dlopen" driver is now built by default.
- Added a new include file with function typedefs
for the DLZ "dlopen" driver.
- Made "--with-gssapi" default.
- More verbose error reporting from DLZ LDAP.
#### BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration.
New features include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
#### BIND 9.6.0
- Full NSEC3 support
- Automatic zone re-signing
- New update-policy methods tcp-self and 6to4-self
- The BIND 8 resolver library, libbind, has been removed from the BIND 9
distribution and is now available as a separate download.
- Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.
#### BIND 9.5.0
- GSS-TSIG support (RFC 3645).
- DHCID support.
- Experimental http server and statistics support for named via xml.
- More detailed statistics counters including those supported in BIND 8.
- Faster ACL processing.
- Use Doxygen to generate internal documentation.
- Efficient LRU cache-cleaning mechanism.
- NSID support.
BIND 9.4.0
- Implemented "additional section caching (or acache)", an internal cache
framework for additional section content to improve response performance.
Several configuration options were provided to control the behavior.
- New notify type 'master-only'. Enable notify for master zones only.
- Accept 'notify-source' style syntax for query-source.
- rndc now allows addresses to be set in the server clauses.
- New option "allow-query-cache". This lets "allow-query" be used to
specify the default zone access level rather than having to have every
zone override the global value. "allow-query-cache" can be set at both
the options and view levels. If "allow-query-cache" is not set then
"allow-recursion" is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used, otherwise
the default (localhost; localnets;) is used.
- rndc: the source address can now be specified.
- ixfr-from-differences now takes master and slave in addition to yes and
no at the options and view levels.
- Allow the journal's name to be changed via named.conf.
- 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
specified zone.
- 'dig +trace' now randomly selects the next servers to try. Report if
there is a bad delegation.
- Improve check-names error messages.
- Make public the function to read a key file, dst_key_read_public().
- dig now returns the byte count for axfr/ixfr.
- allow-update is now settable at the options / view level.
- named-checkconf now checks the logging configuration.
- host now can turn on memory debugging flags with '-m'.
- Don't send notify messages to self.
- Perform sanity checks on NS records which refer to 'in zone' names.
- New zone option "notify-delay". Specify a minimum delay between sets of
NOTIFY messages.
- Extend adjusting TTL warning messages.
- Named and named-checkzone can now both check for non-terminal wildcard
records.
- "rndc freeze/thaw" now freezes/thaws all zones.
- named-checkconf now check acls to verify that they only refer to existing
acls.
- The server syntax has been extended to support a range of servers.
- Report differences between hints and real NS rrset and associated address
records.
- Preserve the case of domain names in rdata during zone transfers.
- Restructured the data locking framework using architecture dependent
atomic operations (when available), improving response performance on
multi-processor machines significantly. x86, x86_64, alpha, powerpc, and
mips are currently supported.
- UNIX domain controls are now supported.
- Add support for additional zone file formats for improving loading
performance. The masterfile-format option in named.conf can be used to
specify a non-default format. A separate command named-compilezone was
provided to generate zone files in the new format. Additionally, the -I
and -O options for dnssec-signzone specify the input and output formats.
- dnssec-signzone can now randomize signature end times (dnssec-signzone -j
jitter).
- Add support for CH A record.
- Add additional zone data constancy checks. named-checkzone has extended
checking of NS, MX and SRV record and the hosts they reference. named
has extended post zone load checks. New zone options: check-mx and
integrity-check.
- edns-udp-size can now be overridden on a per server basis.
- dig can now specify the EDNS version when making a query.
- Added framework for handling multiple EDNS versions.
- Additional memory debugging support to track size and mctx arguments.
- Detect duplicates of UDP queries we are recursing on and drop them. New
stats category "duplicates".
- "USE INTERNAL MALLOC" is now runtime selectable.
- The lame cache is now done on a <qname,qclass,qtype> basis as some
servers only appear to be lame for certain query types.
- Limit the number of recursive clients that can be waiting for a single
query (<qname,qtype,qclass>) to resolve. New options clients-per-query
and max-clients-per-query.
- dig: report the number of extra bytes still left in the packet after
processing all the records.
- Support for IPSECKEY rdata type.
- Raise the UDP recieve buffer size to 32k if it is less than 32k.
- x86 and x86_64 now have seperate atomic locking implementations.
- named-checkconf now validates update-policy entries.
- Attempt to make the amount of work performed in a iteration self tuning.
The covers nodes clean from the cache per iteration, nodes written to
disk when rewriting a master file and nodes destroyed per iteration when
destroying a zone or a cache.
- ISC string copy API.
- Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
1918 zones are not yet covered by this but are likely to be in a future
release.
- New options: empty-server, empty-contact, empty-zones-enable and
disable-empty-zone.
- dig now has a '-q queryname' and '+showsearch' options.
- host/nslookup now continue (default)/fail on SERVFAIL.
- dig now warns if 'RA' is not set in the answer when 'RD' was set in the
query. host/nslookup skip servers that fail to set 'RA' when 'RD' is set
unless a server is explicitly set.
- Integrate contibuted DLZ code into named.
- Integrate contibuted IDN code from JPNIC.
- libbind: corresponds to that from BIND 8.4.7.
#### BIND 9.3.0
- DNSSEC is now DS based (RFC 3658).
- DNSSEC lookaside validation.
- check-names is now implemented.
- rrset-order is more complete.
- IPv4/IPv6 transition support, dual-stack-servers.
- IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
- It is now possible to specify the size of a journal, max-journal-size.
- It is now possible to define a named set of master servers to be used in
masters clause, masters.
- The advertised EDNS UDP size can now be set, edns-udp-size.
- allow-v6-synthesis has been obsoleted.
- Zones containing MD and MF will now be rejected.
- dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
NOTIMPL. This will have impact on scripts that are looking for NOTIMPL.
- libbind: corresponds to that from BIND 8.4.5.
#### BIND 9.2.0
- The size of the cache can now be limited using the "max-cache-size"
option.
- The server can now automatically convert RFC1886-style recursive lookup
requests into RFC2874-style lookups, when enabled using the new option
"allow-v6-synthesis". This allows stub resolvers that support AAAA
records but not A6 record chains or binary labels to perform lookups in
domains that make use of these IPv6 DNS features.
- Performance has been improved.
- The man pages now use the more portable "man" macros rather than the
"mandoc" macros, and are installed by "make install".
- The named.conf parser has been completely rewritten. It now supports
"include" directives in more places such as inside "view" statements, and
it no longer has any reserved words.
- The "rndc status" command is now implemented.
- rndc can now be configured automatically.
- A BIND 8 compatible stub resolver library is now included in lib/bind.
- OpenSSL has been removed from the distribution. This means that to use
DNSSEC, OpenSSL must be installed and the --with-openssl option must be
supplied to configure. This does not apply to the use of TSIG, which
does not require OpenSSL.
- The source distribution now builds on Windows. See
win32utils/readme1.txt and win32utils/win32-build.txt for details.
- This distribution also includes a new lightweight stub resolver library
and associated resolver daemon that fully support forward and reverse
lookups of both IPv4 and IPv6 addresses. This library is considered
experimental and is not a complete replacement for the BIND 8 resolver
library. Applications that use the BIND 8 `res_*` functions to perform
DNS lookups or dynamic updates still need to be linked against the BIND 8
libraries. For DNS lookups, they can also use the new "getrrsetbyname()"
API.
- BIND 9.2 is capable of acting as an authoritative server for DNSSEC
secured zones. This functionality is believed to be stable and complete
except for lacking support for verifications involving wildcard records
in secure zones.
- When acting as a caching server, BIND 9.2 can be configured to perform
DNSSEC secure resolution on behalf of its clients. This part of the
DNSSEC implementation is still considered experimental. For detailed
information about the state of the DNSSEC implementation, see the file
doc/misc/dnssec.

View File

@@ -1,11 +1,9 @@
# Copyright (C) 1998-2002, 2004-2009, 2011-2016 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002, 2004-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# $Id: Makefile.in,v 1.62 2011/09/06 04:06:37 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@@ -20,7 +18,7 @@ MANPAGES = isc-config.sh.1
HTMLPAGES = isc-config.sh.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
MANOBJS = README HISTORY OPTIONS ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@@ -60,6 +58,13 @@ install:: isc-config.sh installdirs
@LN@ ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
uninstall::
rm -f ${DESTDIR}${sysconfdir}/bind.keys
rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
rm -f ${DESTDIR}${bindir}/bind9-config
rm -f ${DESTDIR}${bindir}/isc-config.sh
tags:
rm -f TAGS
find lib bin -name "*.[ch]" -print | @ETAGS@ -
@@ -84,13 +89,19 @@ test-force:
(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \
exit $$status
FAQ: FAQ.xml
${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
LC_ALL=C ${W3M} -T text/html -dump -cols 72 >$@.tmp
mv $@.tmp $@
README: README.md
${PANDOC} --email-obfuscation=none -s -t html README.md | \
${W3M} -dump -cols 75 -O ascii -T text/html > $@
HISTORY: HISTORY.md
${PANDOC} --email-obfuscation=none -s -t html HISTORY.md | \
${W3M} -dump -cols 75 -O ascii -T text/html > $@
OPTIONS: OPTIONS.md
${PANDOC} --email-obfuscation=none -s -t html OPTIONS.md | \
${W3M} -dump -cols 75 -O ascii -T text/html > $@
unit::
sh ${top_srcdir}/unit/unittest.sh
clean::
rm -f FAQ.tmp

25
OPTIONS Normal file
View File

@@ -0,0 +1,25 @@
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
Setting Description
Don't ovewrite memory when allocating or freeing
-DISC_MEM_FILL=0 it; this improves performance but makes
debugging more difficult.
Don't track memory allocations by file and line
-DISC_MEM_TRACKLINES=0 number; this improves performance but makes
debugging more difficult.
-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
-DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular
well-known ports:
-DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone
-DCHECK_LOCAL=0 Don't check out-of-zone addresses in
named-checkzone
-DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run
rather than ${localstatedir}/run/{named,lwresd}/
Enable DNSSEC signature chasing support in dig.
-DDIG_SIGCHASE=1 (Note: This feature is deprecated. Use delv
instead.)

24
OPTIONS.md Normal file
View File

@@ -0,0 +1,24 @@
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
Setting the `STD_CDEFINES` environment variable before running `configure`
can be used to enable certain compile-time options that are not explicitly
defined in `configure`.
Some of these settings are:
|Setting |Description |
|-----------------------------------|----------------------------------------|
|`-DISC_MEM_FILL=0`|Don't ovewrite memory when allocating or freeing it; this improves performance but makes debugging more difficult.|
|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/{named,lwresd}/`|
|`-DDIG_SIGCHASE=1`|Enable DNSSEC signature chasing support in `dig`. (Note: This feature is deprecated. Use `delv` instead.)|

823
README
View File

@@ -1,511 +1,454 @@
BIND 9
BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of
BIND 9 are:
Contents
- DNS Security
DNSSEC (signed zones)
TSIG (signed DNS requests)
1. Introduction
2. Reporting bugs and getting help
3. Contributing to BIND
4. BIND 9.11 features
5. Building BIND
6. Compile-time options
7. Automated testing
8. Documentation
9. Change log
10. Acknowledgments
- IP version 6
Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
Introduction
- DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance
BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.
- Views
One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.
The BIND name server, named, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the dig and delv DNS lookup tools,
nsupdate for dynamic DNS zone updates, rndc for remote name server
administration, and more.
- Multiprocessor Support
BIND 9 is a complete re-write of the BIND architecture that was used in
versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
(c)(3) public benefit corporation dedicated to providing software and
services in support of the Internet infrastructure, developed BIND 9 and
is responsible for its ongoing maintenance and improvement. BIND is open
source software licenced under the terms of ISC License for all versions
up to and including BIND 9.10, and the Mozilla Public License version 2.0
for all subsequent verisons.
- Improved Portability Architecture
For a summary of features introduced in past major releases of BIND, see
the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
BIND version 9 development has been underwritten by the following
organizations:
For up-to-date release notes and errata, see http://www.isc.org/software/
bind9/releasenotes
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
Reporting bugs and getting help
For a summary of functional enhancements in previous
releases, see the HISTORY file.
Please report assertion failure errors and suspected security issues to
security-officer@isc.org.
For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
General bug reports can be sent to bind9-bugs@isc.org.
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
Feature requests can be sent to bind-suggest@isc.org.
BIND 9.11.0
Please note that, while tickets submitted to ISC's ticketing system are
not initially publicly readable by default, they can be made publicly
acessible afterward. Please do not include information in bug reports that
you consider to be confidential. In particular, when sending the contents
of your configuration file, it is advisable to obscure key secrets: this
can be done automatically by using named-checkconf -px.
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
Professional support and training for BIND are available from ISC at
https://www.isc.org/support.
- Added support for Catalog Zones, a new method for provisioning
servers: a list of zones to be served is stored in a DNS zone,
along with their configuration parameters. Changes to the
catalog zone are propagated to slaves via normal AXFR/IXFR,
whereupon the zones that are listed in it are automatically
added, deleted or reconfigured.
- Added support for "dnstap", a fast and flexible method of
capturing and logging DNS traffic.
- Added support for "dyndb", a new API for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project.
- New "fetchlimit" quotas are now available for the use of
recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the "fetch-quota-params" option.
+ "fetches-per-zone" limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
+ New stats counters have been added to count
queries spilled due to these quotas.
- Added a new "dnssec-keymgr" key mainenance utility, which can
generate or update keys as needed to ensure that a zone's
keys match a defined DNSSEC policy.
- The experimental "SIT" feature in BIND 9.10 has been renamed
"COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
enabling clients to detect off-path spoofed responses, and
servers to detect spoofed-source queries. Clients that identify
themselves using COOKIE options are not subject to response rate
limiting (RRL) and can receive larger UDP responses.
- SERVFAIL responses can now be cached for a limited time
(defaulting to 1 second, with an upper limit of 30).
This can reduce the frequency of retries when a query is
persistently failing.
- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP
rules to be skipped if a name server IP address isn't in the
cache yet; the address will be looked up and the rule will be
applied on future queries.
- Added a Python RNDC module. This allows multiple commands to
sent over a persistent RNDC channel, which saves time.
- The "controls" block in named.conf can now grant read-only
"rndc" access to specified clients or keys. Read-only clients
could, for example, check "rndc status" but could not
reconfigure or shut down the server.
- "rndc" commands can now return arbitrarily large amounts of
text to the caller.
- The zone serial number of a dynamically updatable zone
can now be set via "rndc signing -serial <number> <zonename>".
This allows inline-signing zones to be set to a specific
serial number.
- The new "rndc nta" command can be used to set a Negative
Trust Anchor (NTA), disabling DNSSEC validation for a
specific domain; this can be used when responses from a
domain are known to be failing validation due to administrative
error rather than because of a spoofing attack. Negative
trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
- "rndc delzone" can now be used on zones that were not originally
created by "rndc addzone".
- "rndc modzone" reconfigures a single zone, without requiring
the entire server to be reconfigured.
- "rndc showzone" displays the current configuration of a zone.
- "rndc managed-keys" can be used to check the status of RFC 5001
managed trust anchors, or to force trust anchors to be refreshed.
- "max-cache-size" can now be set to a percentage of available
memory. The default is 90%.
- Update forwarding performance has been improved by allowing
a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option
then ACLs containing "geoip" or "ecs" elements can match
against the the address encoded in the option. This can be
used to select a view for a query, so that different answers
can be provided depending on the client network.
- The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
server.
- The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
take "-Psync" and "-Dsync" options to set the publication
and deletion times of CDS and CDNSKEY parent-synchronization
records. Both named and dnssec-signzone can now publish and
remove these records at the scheduled times.
- A new "minimal-any" option reduces the size of UDP responses
for query type ANY by returning a single arbitrarily selected
RRset instead of all RRsets.
- A new "masterfile-style" zone option controls the formatting
of text zone files: When set to "full", a zone file is dumped
in single-line-per-record format.
- "serial-update-method" can now be set to "date". On update,
the serial number will be set to the current date in YYYYMMDDNN
format.
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
the specified file by default instead of to the system log.
- "dig +ttlunits" prints TTL values with time-unit suffixes:
w, d, h, m, s for weeks, days, hours, minutes, and seconds.
- "dig +unknownformat" prints dig output in RFC 3597 "unknown
record" presentation format.
- "dig +ednsopt" allows dig to set arbitrary EDNS options on
requests.
- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
flags on requests.
- "mdig" is an alternate version of dig which sends multiple
pipelined TCP queries to a server. Instead of waiting for a
response after sending a query, it sends all queries
immediately and displays responses in the order received.
- "serial-query-rate" no longer controls NOTIFY messages.
These are separately controlled by "notify-rate" and
"startup-notify-rate".
- "nsupdate" now performs "check-names" processing by default
on records to be added. This can be disabled with
"check-names no".
- The statistics channel now supports DEFLATE compression,
reducing the size of the data sent over the network when
querying statistics.
- New counters have been added to the statistics channel
to track the sizes of incoming queries and outgoing responses in
histogram buckets, as specified in RSSAC002.
- A new NXDOMAIN redirect method (option "nxdomain-redirect")
has been added, allowing redirection to a specified DNS
namespace instead of a single redirect zone.
- When starting up, named now ensures that no other named
process is already running.
- Files created by named to store information, including "mkeys"
and "nzf" files, are now named after their corresponding views
unless the view name contains characters incompatible with use
as a filename. Old style filenames (based on the hash of the
view name) will still work.
To join the BIND Users mailing list, or view the archives, visit https://
lists.isc.org/mailman/listinfo/bind-users.
This release addresses the security flaws described in
CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986,
CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
CVE-2016-1286 and CVE-2016-2088.
If you're planning on making changes to the BIND 9 source code, you may
also want to join the BIND Workers mailing list, at https://lists.isc.org/
mailman/listinfo/bind-workers.
Building
Contributing to BIND
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.
ISC maintains a public git repository for BIND; details can be found at
http://www.isc.org/git/, and also on Github at https://github.com/
isc-projects.
We've had successful builds and tests on the following systems:
Information for BIND contributors can be found in the following files: -
General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
style.md - BIND architecture and developer guide: doc/dev/dev.md
COMPAQ Tru64 UNIX 5.1B
Fedora Core 6
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
Windows XP/2003/2008
Patches for BIND may be submitted either as Github pull requests or via
email. When submitting a patch via email, please prepend the subject
header with "[PATCH]" so it will be easier for us to find. If your patch
introduces a new feature in BIND, please submit it to bind-suggest@isc.org
; if it fixes a bug, please submit it to bind9-bugs@isc.org.
NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer
supported.
BIND 9.11 features
We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
AIX 4.3, 5L
CentOS 4, 4.5, 5
Darwin 9.0.0d1/ARM
Debian 4, 5, 6
Fedora Core 5, 7, 8
FreeBSD 6, 7, 8
HP-UX 11.23 PA
MacOS X 10.5, 10.6, 10.7
Red Hat Enterprise Linux 4, 5, 6
SCO OpenServer 5.0.6
Slackware 9, 10
SuSE 9, 10
* Added support for Catalog Zones, a new method for provisioning
servers: a list of zones to be served is stored in a DNS zone, along
with their configuration parameters. Changes to the catalog zone are
propagated to slaves via normal AXFR/IXFR, whereupon the zones that
are listed in it are automatically added, deleted or reconfigured.
* Added support for "dnstap", a fast and flexible method of capturing
and logging DNS traffic.
* Added support for "dyndb", a new API for loading zone data from an
external database, developed by Red Hat for the FreeIPA project.
* "fetchlimit" quotas are now compiled in by default. These are for the
use of recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
experiencing a denial of service attack:
+ fetches-per-server limits the number of simultaneous queries that
can be sent to any single authoritative server. The configured
value is a starting point; it is automatically adjusted downward
if the server is partially or completely non-responsive. The
algorithm used to adjust the quota can be configured via the
"fetch-quota-params" option.
+ fetches-per-zone limits the number of simultaneous queries that
can be sent for names within a single domain. (Note: Unlike
fetches-per-server, this value is not self-tuning.)
+ New stats counters have been added to count queries spilled due to
these quotas.
* Added a new dnssec-keymgr key mainenance utility, which can generate
or update keys as needed to ensure that a zone's keys match a defined
DNSSEC policy.
* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
and is no longer optional. EDNS COOKIE is a mechanism enabling clients
to detect off-path spoofed responses, and servers to detect
spoofed-source queries. Clients that identify themselves using COOKIE
options are not subject to response rate limiting (RRL) and can
receive larger UDP responses.
* SERVFAIL responses can now be cached for a limited time (defaulting to
1 second, with an upper limit of 30). This can reduce the frequency of
retries when a query is persistently failing.
* Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be
skipped if a name server IP address isn't in the cache yet; the
address will be looked up and the rule will be applied on future
queries.
* Added a Python RNDC module. This allows multiple commands to sent over
a persistent RNDC channel, which saves time.
* The controls block in named.conf can now grant read-only rndc access
to specified clients or keys. Read-only clients could, for example,
check rndc status but could not reconfigure or shut down the server.
* rndc commands can now return arbitrarily large amounts of text to the
caller.
* The zone serial number of a dynamically updatable zone can now be set
via rndc signing -serial <number> <zonename>. This allows
inline-signing zones to be set to a specific serial number.
* The new rndc nta command can be used to set a Negative Trust Anchor
(NTA), disabling DNSSEC validation for a specific domain; this can be
used when responses from a domain are known to be failing validation
due to administrative error rather than because of a spoofing attack.
Negative trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
* rndc delzone can now be used on zones that were not originally created
by "rndc addzone".
* rndc modzone reconfigures a single zone, without requiring the entire
server to be reconfigured.
* rndc showzone displays the current configuration of a zone.
* rndc managed-keys can be used to check the status of RFC 5001 managed
trust anchors, or to force trust anchors to be refreshed.
* max-cache-size can now be set to a percentage of available memory. The
default is 90%.
* Update forwarding performance has been improved by allowing a single
TCP connection to be shared by multiple updates.
* The EDNS Client Subnet (ECS) option is now supported for authoritative
servers; if a query contains an ECS option then ACLs containing geoip
or ecs elements can match against the the address encoded in the
option. This can be used to select a view for a query, so that
different answers can be provided depending on the client network.
* The EDNS EXPIRE option has been implemented on the client side,
allowing a slave server to set the expiration timer correctly when
transferring zone data from another slave server.
* The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take -Psync
and -Dsync options to set the publication and deletion times of CDS
and CDNSKEY parent-synchronization records. Both named and
dnssec-signzone can now publish and remove these records at the
scheduled times.
* A new minimal-any option reduces the size of UDP responses for query
type ANY by returning a single arbitrarily selected RRset instead of
all RRsets.
* A new masterfile-style zone option controls the formatting of text
zone files: When set to full, a zone file is dumped in
single-line-per-record format.
* serial-update-method can now be set to date. On update, the serial
number will be set to the current date in YYYYMMDDNN format.
* dnssec-signzone -N date sets the serial number to YYYYMMDDNN.
* named -L <filename> causes named to send log messages to the specified
file by default instead of to the system log.
* dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s
for weeks, days, hours, minutes, and seconds.
* dig +unknownformat prints dig output in RFC 3597 "unknown record"
presentation format.
* dig +ednsopt allows dig to set arbitrary EDNS options on requests.
* dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on
requests.
* mdig is an alternate version of dig which sends multiple pipelined TCP
queries to a server. Instead of waiting for a response after sending a
query, it sends all queries immediately and displays responses in the
order received.
* serial-query-rate no longer controls NOTIFY messages. These are
separately controlled by notify-rate and startup-notify-rate.
* nsupdate now performs check-names processing by default on records to
be added. This can be disabled with check-names no.
* The statistics channel now supports DEFLATE compression, reducing the
size of the data sent over the network when querying statistics.
* New counters have been added to the statistics channel to track the
sizes of incoming queries and outgoing responses in histogram buckets,
as specified in RSSAC002.
* A new NXDOMAIN redirect method (option nxdomain-redirect) has been
added, allowing redirection to a specified DNS namespace instead of a
single redirect zone.
* When starting up, named now ensures that no other named process is
already running.
* Files created by named to store information, including mkeys and nzf
files, are now named after their corresponding views unless the view
name contains characters incompatible with use as a filename. Old
style filenames (based on the hash of the view name) will still work.
To build, just
BIND 9.11.1
./configure
make
BIND 9.11.1 is a maintenance release, and addresses the security flaws
disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147,
CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137
and CVE-2017-3138.
Do not use a parallel "make".
BIND 9.11.2
Several environment variables that can be set before running
configure will affect compilation:
BIND 9.11.2 is a maintenance release, and addresses the security flaws
disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and
CVE-2017-3143. It also addresses several bugs related to the use of an
LMDB database to store data related to zones added via rndc addzone or
catalog zones.
CC
The C compiler to use. configure tries to figure
out the right one for supported systems.
Building BIND
CFLAGS
C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler. Please include '-g'
if you need to set CFLAGS.
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
support, and a 64-bit integer type. Successful builds have been observed
on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
HP-UX, AIX, SCO OpenServer, and OpenWRT.
STD_CINCLUDES
System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.
BIND is also available for Windows XP, 2003, 2008, and higher. See
win32utils/readme1st.txt for details on building for Windows systems.
STD_CDEFINES
Any additional preprocessor symbols you want defined.
Defaults to empty string.
To build on a UNIX or Linux system, use:
Possible settings:
Change the default syslog facility of named/lwresd.
-DISC_FACILITY=LOG_LOCAL0
Enable DNSSEC signature chasing support in dig.
-DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
-DDIG_SIGCHASE_BU=1)
Disable dropping queries from particular well known ports.
-DNS_CLIENT_DROPPORT=0
Sibling glue checking in named-checkzone is enabled by default.
To disable the default check set. -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default set. -DCHECK_LOCAL=0
To create the default pid files in ${localstatedir}/run rather
than ${localstatedir}/run/{named,lwresd}/ set.
-DNS_RUN_PID_DIR=0
Enable workaround for Solaris kernel bug about /dev/poll
-DISC_SOCKET_USE_POLLWATCH=1
The watch timeout is also configurable, e.g.,
-DISC_SOCKET_POLLWATCH_TIMEOUT=20
$ ./configure
$ make
LDFLAGS
Linker flags. Defaults to empty string.
If you're planning on making changes to the BIND 9 source, you should run
make depend. If you're using Emacs, you might find make tags helpful.
The following need to be set when cross compiling.
Several environment variables that can be set before running configure
will affect compilation:
BUILD_CC
The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
Possible Settings:
-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
CFLAGS supported by the compiler. Please include '-g' if you need
to set CFLAGS.
System header file directories. Can be used to specify
STD_CINCLUDES where add-on thread or IPv6 support is, for example.
Defaults to empty string.
Any additional preprocessor symbols you want defined.
STD_CDEFINES Defaults to empty string. For a list of possible settings,
see the file OPTIONS.
LDFLAGS Linker flags. Defaults to empty string.
BUILD_CC Needed when cross-compiling: the native C compiler to use
when building for the target system.
BUILD_CFLAGS Optional, used for cross-compiling
BUILD_CPPFLAGS
BUILD_LDFLAGS
BUILD_LIBS
On most platforms, BIND 9 is built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can configure this by specifying "--enable-threads" or
"--disable-threads" on the configure command line. The default
is to enable threads, except on some older operating systems
on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on
Linux systems; this has been reversed. On Linux systems, the
threaded build is known to change BIND's behavior with respect
to file permissions; it may be necessary to specify a user with
the -u option when running named.)
Compile-time options
To build shared libraries, specify "--with-libtool" on the
configure command line.
To see a full list of configuration options, run configure --help.
Certain compiled-in constants and default settings can be
increased to values better suited to large servers with abundant
memory resources (e.g, 64-bit servers with 12G or more of memory)
by specifying "--with-tuning=large" on the configure command
line. This can improve performance on big servers, but will
consume more memory and may degrade performance on smaller
systems.
On most platforms, BIND 9 is built with multithreading support, allowing
it to take advantage of multiple CPUs. You can configure this by
specifying --enable-threads or --disable-threads on the configure command
line. The default is to enable threads, except on some older operating
systems on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on Linux
systems; this has now been reversed. On Linux systems, the threaded build
is known to change BIND's behavior with respect to file permissions; it
may be necessary to specify a user with the -u option when running named.)
For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".
To build shared libraries, specify --with-libtool on the configure command
line.
To support the HTTP statistics channel, the server must
be linked with at least one of the following: libxml2
(http://xmlsoft.org) or json-c (https://github.com/json-c).
If these are installed at a nonstandard prefix, use
"--with-libxml2=/prefix" or "--with-libjson=/prefix".
Certain compiled-in constants and default settings can be increased to
values better suited to large servers with abundant memory resources (e.g,
64-bit servers with 12G or more of memory) by specifying --with-tuning=
large on the configure command line. This can improve performance on big
servers, but will consume more memory and may degrade performance on
smaller systems.
To support compression on the HTTP statistics channel, the
server must be linked against libzlib (--with-zlib=/prefix).
For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location,
specify the prefix using "--with-openssl=<PREFIX>" on the configure
command line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using
"--with-pkcs11=<PREFIX>", and configure BIND with
"--enable-native-pkcs11".
Python requires 'argparse' and 'ply' to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https://
github.com/json-c. If these are installed at a nonstandard location,
specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using --with-zlib=/prefix.
Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in
a nonstandard location, specify the prefix using "with-lmdb=/prefix".
If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.
To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix".
"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".
For DNSTAP packet logging, you must have installed libfstrm https://
github.com/farsightsec/fstrm and libprotobuf-c https://
developers.google.com/protocol-buffers, and BIND must be configured with
"--enable-dnstap".
You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".
Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the
'argparse' and 'ply' modules to be available. 'argparse' is a standard
module as of Python 2.7 and Python 3.2. 'ply' is available from https://
pypi.python.org/pypi/ply.
To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.
On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
--enable-largefile on the configure command line.
If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find
"make tags" helpful.
Support for the "fixed" rrset-order option can be enabled or disabled by
specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
command line. By default, fixed rrset-order is disabled to reduce memory
footprint.
If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.
If your operating system has integrated support for IPv6, it will be used
automatically. If you have installed KAME IPv6 separately, use --with-kame
[=PATH] to specify its location.
Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).
make install will install named and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
--prefix option when running configure.
Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
* gcc-3.3.5 powerpc generates incorrect code at -02.
* Irix, MipsPRO 7.4.1m is known to cause problems.
You may specify the option --sysconfdir to set the directory where
configuration files like named.conf go by default, and --localstatedir to
set the default parent directory of run/named.pid. For backwards
compatibility with BIND 8, --sysconfdir defaults to /etc and
--localstatedir defaults to /var if no --prefix option is given. If there
is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
defaults to $prefix/var.
A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README
for details.
Automated testing
SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles
on SunOS 4.
A system test suite can be run with make test. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command bin/tests/system/
ifconfig.sh up as root.
Known limitations
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the 'dnspython' module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Linux requires kernel build 2.6.39 or later to get the
performance benefits from using multiple sockets.
Unit tests are implemented using Automated Testing Framework (ATF). To run
them, use configure --with-atf, then run make test or make unit.
Documentation
The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the
doc/arm directory.
The BIND 9 Administrator Reference Manual is included with the source
distribution, in DocBook XML, HTML and PDF format, in the doc/arm
directory.
Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.
Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of named are
documented in bin/named/named.8.
If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.
Frequently (and not-so-frequently) asked questions and their answers can
be found in the ISC Knowledge Base at https://kb.isc.org.
Frequently asked questions and their answers can be found in
FAQ.
Additional information on various subjects can be found in other README
files throughout the source tree.
Additional information on various subjects can be found
in the other README files.
Change log
A detailed list of all changes that have been made throughout the
development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Change Log
A detailed list of all changes to BIND 9 is included in the
file CHANGES, with the most recent changes listed first.
Change notes include tags indicating the category of the
change that was made; these categories are:
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
[experimental] Used for new features when the syntax
or other aspects of the design are still
in flux and may change
[port] Portability enhancement
[maint] Updates to built-in data such as root
server addresses and keys
[tuning] Changes to built-in configuration defaults
and constants to improve performance
[performance] Other changes to improve server performance
[protocol] Updates to the DNS protocol such as new
RR types
[test] Changes to the automatic tests, not
affecting server functionality
[cleanup] Minor corrections and refactoring
[doc] Documentation
[contrib] Changes to the contributed tools and
libraries in the 'contrib' subdirectory
[placeholder] Used in the master development branch to
reserve change numbers for use in other
branches, e.g. when fixing a bug that only
exists in older releases
In general, [func] and [experimental] tags will only appear
in new-feature releases (i.e., those with version numbers
ending in zero). Some new functionality may be backported to
older releases on a case-by-case basis. All other change
types may be applied to all currently-supported releases.
Bug Reports and Mailing Lists
Bug reports should be sent to:
bind9-bugs@isc.org
Feature requests can be sent to:
bind-suggest@isc.org
To join or view the archives of the BIND Users mailing list,
visit:
https://lists.isc.org/mailman/listinfo/bind-users
If you're planning on making changes to the BIND 9 source
code, you may also want to join the BIND Workers mailing
list:
https://lists.isc.org/mailman/listinfo/bind-workers
Information on read-only Git access, coding style and developer
guidelines can be found at:
http://www.isc.org/git/
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
[experimental] Used for new features when the syntax or other aspects of
the design are still in flux and may change
[port] Portability enhancement
[maint] Updates to built-in data such as root server addresses and
keys
[tuning] Changes to built-in configuration defaults and constants to
improve performance
[performance] Other changes to improve server performance
[protocol] Updates to the DNS protocol such as new RR types
[test] Changes to the automatic tests, not affecting server
functionality
[cleanup] Minor corrections and refactoring
[doc] Documentation
[contrib] Changes to the contributed tools and libraries in the
'contrib' subdirectory
Used in the master development branch to reserve change
[placeholder] numbers for use in other branches, e.g. when fixing a bug
that only exists in older releases
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
Acknowledgments
- This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
- This product includes cryptographic software written by Eric
Young (eay@cryptsoft.com).
- This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)

455
README.md Normal file
View File

@@ -0,0 +1,455 @@
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
# BIND 9
### Contents
1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [BIND 9.11 features](#features)
1. [Building BIND](#build)
1. [Compile-time options](#opts)
1. [Automated testing](#testing)
1. [Documentation](#doc)
1. [Change log](#changes)
1. [Acknowledgments](#ack)
### <a name="intro"/> Introduction
BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.
The BIND name server, `named`, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the `dig` and `delv` DNS lookup tools,
`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
administration, and more.
BIND 9 is a complete re-write of the BIND architecture that was used in
versions 4 and 8. Internet Systems Consortium
([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
corporation dedicated to providing software and services in support of the
Internet infrastructure, developed BIND 9 and is responsible for its
ongoing maintenance and improvement. BIND is open source software
licenced under the terms of ISC License for all versions up to and
including BIND 9.10, and the Mozilla Public License version 2.0 for all
subsequent verisons.
For a summary of features introduced in past major releases of BIND,
see the file [HISTORY](HISTORY.md).
For a detailed list of changes made throughout the history of BIND 9, see
the file [CHANGES](CHANGES). See [below](#changes) for details on the
CHANGES file format.
For up-to-date release notes and errata, see
[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
### <a name="help"/> Reporting bugs and getting help
Please report assertion failure errors and suspected security issues to
[security-officer@isc.org](mailto:security-officer@isc.org).
General bug reports can be sent to
[bind9-bugs@isc.org](mailto:bind9-bugs@isc.org).
Feature requests can be sent to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org).
Please note that, while tickets submitted to ISC's ticketing system
are not initially publicly readable by default, they can be made publicly
acessible afterward. Please do not include information in bug reports that
you consider to be confidential. In particular, when sending the contents of
your configuration file, it is advisable to obscure key secrets: this can
be done automatically by using `named-checkconf -px`.
Professional support and training for BIND are available from
ISC at [https://www.isc.org/support](https://www.isc.org/support).
To join the __BIND Users__ mailing list, or view the archives, visit
[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
If you're planning on making changes to the BIND 9 source code, you
may also want to join the __BIND Workers__ mailing list, at
[https://lists.isc.org/mailman/listinfo/bind-workers](https://lists.isc.org/mailman/listinfo/bind-workers).
### <a name="contrib"/> Contributing to BIND
ISC maintains a public git repository for BIND; details can be found
at [http://www.isc.org/git/](http://www.isc.org/git/), and also on Github
at [https://github.com/isc-projects](https://github.com/isc-projects).
Information for BIND contributors can be found in the following files:
- General information: [doc/dev/contrib.md](doc/dev/contrib.md)
- BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
Patches for BIND may be submitted either as Github pull requests
or via email. When submitting a patch via email, please prepend the
subject header with "`[PATCH]`" so it will be easier for us to find.
If your patch introduces a new feature in BIND, please submit it to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org); if it fixes a bug,
please submit it to [bind9-bugs@isc.org](mailto:bind9-bugs@isc.org).
### <a name="features"/> BIND 9.11 features
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
* Added support for Catalog Zones, a new method for provisioning servers: a
list of zones to be served is stored in a DNS zone, along with their
configuration parameters. Changes to the catalog zone are propagated to
slaves via normal AXFR/IXFR, whereupon the zones that are listed in it
are automatically added, deleted or reconfigured.
* Added support for "dnstap", a fast and flexible method of capturing and
logging DNS traffic.
* Added support for "dyndb", a new API for loading zone data from an
external database, developed by Red Hat for the FreeIPA project.
* "fetchlimit" quotas are now compiled in by default. These are for the
use of recursive resolvers that are are under high query load for domains
whose authoritative servers are nonresponsive or are experiencing a
denial of service attack:
* `fetches-per-server` limits the number of simultaneous queries that
can be sent to any single authoritative server. The configured value
is a starting point; it is automatically adjusted downward if the
server is partially or completely non-responsive. The algorithm used
to adjust the quota can be configured via the "fetch-quota-params"
option.
* `fetches-per-zone` limits the number of simultaneous queries that can
be sent for names within a single domain. (Note: Unlike
`fetches-per-server`, this value is not self-tuning.)
* New stats counters have been added to count queries spilled due to
these quotas.
* Added a new `dnssec-keymgr` key mainenance utility, which can generate or
update keys as needed to ensure that a zone's keys match a defined DNSSEC
policy.
* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and
is no longer optional. EDNS COOKIE is a mechanism enabling clients to
detect off-path spoofed responses, and servers to detect spoofed-source
queries. Clients that identify themselves using COOKIE options are not
subject to response rate limiting (RRL) and can receive larger UDP
responses.
* SERVFAIL responses can now be cached for a limited time (defaulting to 1
second, with an upper limit of 30). This can reduce the frequency of
retries when a query is persistently failing.
* Added an `nsip-wait-recurse` switch to RPZ. This causes NSIP rules to be
skipped if a name server IP address isn't in the cache yet; the address
will be looked up and the rule will be applied on future queries.
* Added a Python RNDC module. This allows multiple commands to sent over a
persistent RNDC channel, which saves time.
* The `controls` block in named.conf can now grant read-only `rndc` access
to specified clients or keys. Read-only clients could, for example, check
`rndc status` but could not reconfigure or shut down the server.
* `rndc` commands can now return arbitrarily large amounts of text to the
caller.
* The zone serial number of a dynamically updatable zone can now be set via
`rndc signing -serial <number> <zonename>`. This allows inline-signing
zones to be set to a specific serial number.
* The new `rndc nta` command can be used to set a Negative Trust Anchor
(NTA), disabling DNSSEC validation for a specific domain; this can be
used when responses from a domain are known to be failing validation due
to administrative error rather than because of a spoofing attack.
Negative trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
* `rndc delzone` can now be used on zones that were not originally created
by "rndc addzone".
* `rndc modzone` reconfigures a single zone, without requiring the entire
server to be reconfigured.
* `rndc showzone` displays the current configuration of a zone.
* `rndc managed-keys` can be used to check the status of RFC 5001 managed
trust anchors, or to force trust anchors to be refreshed.
* `max-cache-size` can now be set to a percentage of available memory. The
default is 90%.
* Update forwarding performance has been improved by allowing a single TCP
connection to be shared by multiple updates.
* The EDNS Client Subnet (ECS) option is now supported for authoritative
servers; if a query contains an ECS option then ACLs containing `geoip`
or `ecs` elements can match against the the address encoded in the
option. This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
* The EDNS EXPIRE option has been implemented on the client side, allowing
a slave server to set the expiration timer correctly when transferring
zone data from another slave server.
* The key generation and manipulation tools (`dnssec-keygen`,
`dnssec-settime`, `dnssec-importkey`, `dnssec-keyfromlabel`) now take
`-Psync` and `-Dsync` options to set the publication and deletion times
of CDS and CDNSKEY parent-synchronization records. Both `named` and
`dnssec-signzone` can now publish and remove these records at the
scheduled times.
* A new `minimal-any` option reduces the size of UDP responses for query
type ANY by returning a single arbitrarily selected RRset instead of all
RRsets.
* A new `masterfile-style` zone option controls the formatting of text zone
files: When set to `full`, a zone file is dumped in
single-line-per-record format.
* `serial-update-method` can now be set to `date`. On update, the serial
number will be set to the current date in YYYYMMDDNN format.
* `dnssec-signzone -N date` sets the serial number to YYYYMMDDNN.
* `named -L <filename>` causes named to send log messages to the specified
file by default instead of to the system log.
* `dig +ttlunits` prints TTL values with time-unit suffixes: w, d, h, m, s
for weeks, days, hours, minutes, and seconds.
* `dig +unknownformat` prints dig output in RFC 3597 "unknown record"
presentation format.
* `dig +ednsopt` allows dig to set arbitrary EDNS options on requests.
* `dig +ednsflags` allows dig to set yet-to-be-defined EDNS flags on
requests.
* `mdig` is an alternate version of dig which sends multiple pipelined TCP
queries to a server. Instead of waiting for a response after sending a
query, it sends all queries immediately and displays responses in the
order received.
* `serial-query-rate` no longer controls NOTIFY messages. These are
separately controlled by `notify-rate` and `startup-notify-rate`.
* `nsupdate` now performs `check-names` processing by default on records to
be added. This can be disabled with `check-names no`.
* The statistics channel now supports DEFLATE compression, reducing the
size of the data sent over the network when querying statistics.
* New counters have been added to the statistics channel to track the sizes
of incoming queries and outgoing responses in histogram buckets, as
specified in RSSAC002.
* A new NXDOMAIN redirect method (option `nxdomain-redirect`) has been
added, allowing redirection to a specified DNS namespace instead of a
single redirect zone.
* When starting up, named now ensures that no other named process is
already running.
* Files created by named to store information, including `mkeys` and `nzf`
files, are now named after their corresponding views unless the view name
contains characters incompatible with use as a filename. Old style
filenames (based on the hash of the view name) will still work.
#### BIND 9.11.1
BIND 9.11.1 is a maintenance release, and addresses the security
flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135,
CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138.
#### BIND 9.11.2
BIND 9.11.2 is a maintenance release, and addresses the security flaws
disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and CVE-2017-3143.
It also addresses several bugs related to the use of an LMDB database to
store data related to zones added via `rndc addzone` or catalog zones.
### <a name="build"/> Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
support, and a 64-bit integer type. Successful builds have been observed on
many versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu,
SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX,
SCO OpenServer, and OpenWRT.
BIND is also available for Windows XP, 2003, 2008, and higher. See
`win32utils/readme1st.txt` for details on building for Windows systems.
To build on a UNIX or Linux system, use:
$ ./configure
$ make
If you're planning on making changes to the BIND 9 source, you should run
`make depend`. If you're using Emacs, you might find `make tags` helpful.
Several environment variables that can be set before running `configure` will
affect compilation:
|Variable|Description |
|--------------------|-----------------------------------------------|
|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. |
|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|Optional, used for cross-compiling|
|`BUILD_CPPFLAGS`||
|`BUILD_LDFLAGS`||
|`BUILD_LIBS`||
#### <a name="opts"/> Compile-time options
To see a full list of configuration options, run `configure --help`.
On most platforms, BIND 9 is built with multithreading support, allowing it
to take advantage of multiple CPUs. You can configure this by specifying
`--enable-threads` or `--disable-threads` on the `configure` command line.
The default is to enable threads, except on some older operating systems on
which threads are known to have had problems in the past. (Note: Prior to
BIND 9.10, the default was to disable threads on Linux systems; this has
now been reversed. On Linux systems, the threaded build is known to change
BIND's behavior with respect to file permissions; it may be necessary to
specify a user with the -u option when running `named`.)
To build shared libraries, specify `--with-libtool` on the `configure`
command line.
Certain compiled-in constants and default settings can be increased to
values better suited to large servers with abundant memory resources (e.g,
64-bit servers with 12G or more of memory) by specifying
`--with-tuning=large` on the `configure` command line. This can improve
performance on big servers, but will consume more memory and may degrade
performance on smaller systems.
For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using "--with-openssl=&lt;PREFIX&gt;" on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using "--with-pkcs11=&lt;PREFIX&gt;", and
configure BIND with "--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2
[http://xmlsoft.org](http://xmlsoft.org) or json-c
[https://github.com/json-c](https://github.com/json-c). If these are
installed at a nonstandard location, specify the prefix using
`--with-libxml2=/prefix` or `--with-libjson=/prefix`.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using `--with-zlib=/prefix`.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in a
nonstandard location, specify the prefix using "with-lmdb=/prefix".
To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix".
For DNSTAP packet logging, you must have installed libfstrm
[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
and libprotobuf-c
[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
and BIND must be configured with "--enable-dnstap".
Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.
'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
`--enable-largefile` on the `configure` command line.
Support for the "fixed" rrset-order option can be enabled or disabled by
specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
configure command line. By default, fixed rrset-order is disabled to
reduce memory footprint.
If your operating system has integrated support for IPv6, it will be used
automatically. If you have installed KAME IPv6 separately, use
`--with-kame[=PATH]` to specify its location.
`make install` will install `named` and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
`--prefix` option when running `configure`.
You may specify the option `--sysconfdir` to set the directory where
configuration files like `named.conf` go by default, and `--localstatedir`
to set the default parent directory of `run/named.pid`. For backwards
compatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
`--localstatedir` defaults to `/var` if no `--prefix` option is given. If
there is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
localstatedir defaults to `$prefix/var`.
### <a name="testing"/> Automated testing
A system test suite can be run with `make test`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command
`bin/tests/system/ifconfig.sh up` as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the 'dnspython' module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using Automated Testing Framework (ATF).
To run them, use `configure --with-atf`, then run `make test` or
`make unit`.
### <a name="doc"/> Documentation
The *BIND 9 Administrator Reference Manual* is included with the source
distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`
directory.
Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of `named` are
documented in `bin/named/named.8`.
Frequently (and not-so-frequently) asked questions and their answers
can be found in the ISC Knowledge Base at
[https://kb.isc.org](https://kb.isc.org).
Additional information on various subjects can be found in other
`README` files throughout the source tree.
### <a name="changes"/> Change log
A detailed list of all changes that have been made throughout the
development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
|Category |Description |
|-------------- |-----------------------------------------------|
| [func] | New feature |
| [bug] | General bug fix |
| [security] | Fix for a significant security flaw |
| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
| [port] | Portability enhancement |
| [maint] | Updates to built-in data such as root server addresses and keys |
| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
| [performance] | Other changes to improve server performance |
| [protocol] | Updates to the DNS protocol such as new RR types |
| [test] | Changes to the automatic tests, not affecting server functionality |
| [cleanup] | Minor corrections and refactoring |
| [doc] | Documentation |
| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
### <a name="ack"/> Acknowledgments
* The original development of BIND 9 was underwritten by the
following organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit.
[http://www.OpenSSL.org/](http://www.OpenSSL.org/)
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson (tjh@cryptsoft.com)

View File

@@ -61,12 +61,6 @@
/** define if gai_strerror() exists */
#undef HAVE_GAISTRERROR
/** define if arc4random() exists */
#undef HAVE_ARC4RANDOM
/** define if arc4random_addrandom() exists */
#undef HAVE_ARC4RANDOM_ADDRANDOM
/**
* define if pthread_setconcurrency() should be called to tell the
* OS how many threads we might want to run.

View File

@@ -7,4 +7,4 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Run this script after modifying configure.in to generate configure
autoreconf -i
autoreconf -fi

View File

@@ -11,7 +11,7 @@ VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
@BIND9_MAKE_RULES@

View File

@@ -15,9 +15,9 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
${ISC_INCLUDES}
${ISC_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CDEFINES = @CRYPTO@ -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
@@ -87,5 +87,12 @@ install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@
clean distclean::
rm -f ${TARGETS} r1.htm

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2000-2002, 2004-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002, 2004-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -119,6 +119,7 @@ static isc_logcategory_t categories[] = {
{ "unmatched", 0 },
{ "update-security", 0 },
{ "query-errors", 0 },
{ "trust-anchor-telemetry", 0 },
{ NULL, 0 }
};
@@ -209,8 +210,9 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U)
strcat(namebuf, ".");
if (dns_name_countlabels(name) > 1U) {
strlcat(namebuf, ".", sizeof(namebuf));
}
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
@@ -398,8 +400,9 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U)
strcat(namebuf, ".");
if (dns_name_countlabels(name) > 1U) {
strlcat(namebuf, ".", sizeof(namebuf));
}
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
@@ -483,8 +486,9 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U)
strcat(namebuf, ".");
if (dns_name_countlabels(name) > 1U) {
strlcat(namebuf, ".", sizeof(namebuf));
}
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);

View File

@@ -1,17 +1,8 @@
.\" Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -48,7 +39,7 @@
named-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkconf\fR\ 'u
\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-x\fR] [\fB\-z\fR]
\fBnamed\-checkconf\fR [\fB\-hjvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
@@ -78,6 +69,20 @@ can be run on these files explicitly, however\&.
Print the usage summary and exit\&.
.RE
.PP
\-j
.RS 4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
\-p
.RS 4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&. See also the
\fB\-x\fR
option\&.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
@@ -93,13 +98,6 @@ Print the version of the
program and exit\&.
.RE
.PP
\-p
.RS 4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&.
.RE
.PP
\-x
.RS 4
When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
@@ -114,11 +112,6 @@ Perform a test load of all master zones found in
named\&.conf\&.
.RE
.PP
\-j
.RS 4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
filename
.RS 4
The name of the configuration file to be checked\&. If not specified, it defaults to
@@ -138,7 +131,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000-2002 Internet Software Consortium.
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -59,7 +59,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "usage: %s [-h] [-j] [-p [-x]] [-v] [-z] [-t directory] "
fprintf(stderr, "usage: %s [-hjvz] [-p [-x]] [-t directory] "
"[named.conf]\n", program);
exit(1);
}

View File

@@ -9,7 +9,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
<info>
<date>2014-01-10</date>
</info>
@@ -26,6 +26,9 @@
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
@@ -35,12 +38,6 @@
<year>2016</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refnamediv>
@@ -51,14 +48,12 @@
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named-checkconf</command>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-hjvz</option></arg>
<arg choice="opt" rep="norepeat"><option>-p</option>
<arg choice="opt" rep="norepeat"><option>-x</option>
</arg></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">filename</arg>
<arg choice="opt" rep="norepeat"><option>-p</option></arg>
<arg choice="opt" rep="norepeat"><option>-x</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -85,7 +80,6 @@
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-h</term>
@@ -96,6 +90,26 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zonefile read the journal if it exists.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Print out the <filename>named.conf</filename> and included files
in canonical form if no errors were detected.
See also the <option>-x</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
@@ -117,16 +131,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Print out the <filename>named.conf</filename> and included files
in canonical form if no errors were detected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
@@ -152,15 +156,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zonefile read the journal if it exists.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>

View File

@@ -1,20 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkconf</title>
@@ -22,24 +14,45 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkconf"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
<p>
<span class="application">named-checkconf</span>
&#8212; named configuration file syntax checking tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">named-checkconf</code>
[<code class="option">-hjvz</code>]
[<code class="option">-p</code>
[<code class="option">-x</code>
]]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
<p><span class="command"><strong>named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span class="command"><strong>named</strong></span> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <code class="filename">/etc/named.conf</code> is read
by default.
</p>
<p>
<p>
Note: files that <span class="command"><strong>named</strong></span> reads in separate
parser contexts, such as <code class="filename">rndc.key</code> and
<code class="filename">bind.keys</code>, are not automatically read
@@ -49,32 +62,50 @@
successful. <span class="command"><strong>named-checkconf</strong></span> can be run
on these files explicitly, however.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Print the usage summary and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd>
<p>
When loading a zonefile read the journal if it exists.
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
See also the <code class="option">-x</code> option.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkconf</strong></span>
program and exit.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
</p></dd>
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd><p>
<dd>
<p>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
@@ -82,36 +113,46 @@
files to be shared &#8212; for example, when submitting
bug reports &#8212; without compromising private data.
This option cannot be used without <code class="option">-p</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd><p>
<dd>
<p>
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p></dd>
<dt><span class="term">-j</span></dt>
<dd><p>
When loading a zonefile read the journal if it exists.
</p></dd>
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd><p>
<dd>
<p>
The name of the configuration file to be checked. If not
specified, it defaults to <code class="filename">/etc/named.conf</code>.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
<p><span class="command"><strong>named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -1,17 +1,8 @@
.\" Copyright (C) 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -334,7 +325,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000-2002 Internet Software Consortium.
Copyright \(co 2000-2002, 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
<info>
<date>2014-02-19</date>
</info>
@@ -24,6 +24,9 @@
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
@@ -38,12 +41,6 @@
<year>2016</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refnamediv>

View File

@@ -1,20 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
- Copyright (C) 2000-2002, 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkzone</title>
@@ -22,24 +14,94 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
<p>
<span class="application">named-checkzone</span>,
<span class="application">named-compilezone</span>
&#8212; zone file validity checking or converting tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">named-checkzone</code>
[<code class="option">-d</code>]
[<code class="option">-h</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{zonename}
{filename}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">named-compilezone</code>
[<code class="option">-d</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
{zonename}
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
<p><span class="command"><strong>named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span class="command"><strong>named</strong></span> does when loading a
zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for
checking zone files before configuring them into a name server.
</p>
<p>
<p>
<span class="command"><strong>named-compilezone</strong></span> is similar to
<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
zone contents to a specified file in a specified format.
@@ -50,45 +112,62 @@
least be as strict as those specified in the
<span class="command"><strong>named</strong></span> configuration file.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-d</span></dt>
<dd><p>
<dd>
<p>
Enable debugging.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Print the usage summary and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd><p>
<dd>
<p>
Quiet mode - exit code only.
</p></dd>
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkzone</strong></span>
program and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd><p>
<dd>
<p>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <code class="filename">.jnl</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
<dd>
<p>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the class of the zone. If not specified, "IN" is assumed.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
<p>
Perform post-load zone integrity checks. Possible modes are
<span class="command"><strong>"full"</strong></span> (default),
<span class="command"><strong>"full-sibling"</strong></span>,
@@ -96,19 +175,19 @@
<span class="command"><strong>"local-sibling"</strong></span> and
<span class="command"><strong>"none"</strong></span>.
</p>
<p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks MX records which refer to in-zone hostnames.
</p>
<p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks SRV records which refer to in-zone hostnames.
</p>
<p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
@@ -117,31 +196,33 @@
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</p>
<p>
<p>
Mode <span class="command"><strong>"full-sibling"</strong></span> and
<span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
and <span class="command"><strong>"local"</strong></span> respectively.
</p>
<p>
<p>
Mode <span class="command"><strong>"none"</strong></span> disables the checks.
</p>
</dd>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the format of the zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
<p>
Specify the format of the output file specified.
For <span class="command"><strong>named-checkzone</strong></span>,
this does not cause any effects unless it dumps the zone
contents.
</p>
<p>
<p>
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone,
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
@@ -152,9 +233,10 @@
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</p>
</dd>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Perform <span class="command"><strong>"check-names"</strong></span> checks with the
specified failure mode.
Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -162,38 +244,48 @@
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<span class="command"><strong>max-zone-ttl</strong></span> option in
<code class="filename">named.conf</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
<dd>
<p>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p></dd>
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check if a MX record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -201,24 +293,30 @@
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
<dd>
<p>
Write zone output to <code class="filename">filename</code>.
If <code class="filename">filename</code> is <code class="filename">-</code> then
write to standard out.
This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the style of the dumped zone file.
Possible styles are <span class="command"><strong>"full"</strong></span> (default)
and <span class="command"><strong>"relative"</strong></span>.
@@ -231,74 +329,101 @@
contents.
It also does not have any meaning if the output format
is not text.
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check if a SRV record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <span class="command"><strong>"warn"</strong></span>
(default), <span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
chdir to <code class="filename">directory</code> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<code class="filename">named.conf</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd><p>
<dd>
<p>
Dump zone file in canonical format.
This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
and
<span class="command"><strong>"ignore"</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">zonename</span></dt>
<dd><p>
<dd>
<p>
The domain name of the zone being checked.
</p></dd>
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd><p>
<dd>
<p>
The name of the zone file.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
<p><span class="command"><strong>named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>(8)
</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -42,7 +42,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR @COPTY@ /FD /c
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# SUBTRACT CPP /X @COPTY@
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"

View File

@@ -138,7 +138,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\checkconf.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\checkconf.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\checkconf.bsc"
BSC32_SBRS= \
@@ -203,7 +203,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\checkconf.bsc"
BSC32_SBRS= \

View File

@@ -55,7 +55,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -63,6 +63,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -80,7 +81,7 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -89,6 +90,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -110,4 +112,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -43,7 +43,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fdchecktool
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fdchecktool
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fdchecktool
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fdchecktool
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

View File

@@ -58,7 +58,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -66,6 +66,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Lib>
<OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
@@ -79,7 +80,7 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -88,6 +89,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Lib>
<OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
@@ -96,4 +98,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -42,7 +42,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" @COPTY@ /FD /c
# SUBTRACT CPP /Fr
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
@@ -67,7 +67,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# SUBTRACT CPP /X @COPTY@
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"

View File

@@ -130,7 +130,7 @@ CLEAN :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP=cl.exe
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\checkzone.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\checkzone.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
.c{$(INTDIR)}.obj::
$(CPP) @<<
@@ -221,7 +221,7 @@ CLEAN :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP=cl.exe
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" @CRYPTO@ /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
.c{$(INTDIR)}.obj::
$(CPP) @<<

View File

@@ -55,7 +55,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -63,6 +63,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -86,7 +87,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -95,6 +96,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -121,4 +123,4 @@ copy /Y named-checkzone.exe named-compilezone.exe
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -96,5 +96,13 @@ install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
rm -f ${DESTDIR}${mandir}/man8/ddns-confgen.8
rm -f ${DESTDIR}${mandir}/man8/rndc-confgen.8
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
clean distclean maintainer-clean::
rm -f ${TARGETS}

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l

View File

@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
<info>
<date>2014-03-06</date>
</info>

View File

@@ -1,19 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
@@ -21,31 +14,63 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">tsig-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [name]</p></div>
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="application">ddns-confgen</span>
&#8212; ddns key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">tsig-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[name]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">ddns-confgen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[
-s <em class="replaceable"><code>name</code></em>
| -z <em class="replaceable"><code>zone</code></em>
]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<span class="command"><strong>rndc</strong></span> command channel.
</p>
<p>
<p>
When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <code class="constant">tsig-key</code>.
</p>
<p>
<p>
When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
key is accompanied by configuration text and instructions
that can be used with <span class="command"><strong>nsupdate</strong></span> and
@@ -55,7 +80,8 @@
<span class="command"><strong>rndc-confgen</strong></span> command for setting
up command channel security.)
</p>
<p>
<p>
Note that <span class="command"><strong>named</strong></span> itself can configure a
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with
@@ -65,24 +91,32 @@
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of options and arguments.
</p></dd>
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code> when neither
the <code class="option">-s</code> nor <code class="option">-z</code> option is
@@ -92,15 +126,19 @@
<code class="constant">ddns-key.example.com.</code>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p></dd>
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd><p>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<code class="filename">/dev/random</code> or equivalent device, the
@@ -110,9 +148,11 @@
instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard input
should be used.
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <span class="command"><strong>named.conf</strong></span>
@@ -123,9 +163,11 @@
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <code class="option">-z</code> option.
</p></dd>
</p>
</dd>
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
<dd><p>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <span class="command"><strong>named.conf</strong></span> text
@@ -135,16 +177,26 @@
all subdomain names within that
<em class="replaceable"><code>zone</code></em>.
This option cannot be used with the <code class="option">-s</code> option.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -25,6 +25,8 @@
#include <isc/result.h>
#include <isc/string.h>
#include <pk11/site.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
@@ -40,8 +42,10 @@
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return "hmac-md5";
#endif
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
@@ -66,8 +70,10 @@ alg_fromtext(const char *name) {
if (strncasecmp(p, "hmac-", 5) == 0)
p = &name[5];
#ifndef PK11_MD5_DISABLE
if (strcasecmp(p, "md5") == 0)
return DST_ALG_HMACMD5;
#endif
if (strcasecmp(p, "sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcasecmp(p, "sha224") == 0)
@@ -122,7 +128,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
dst_key_t *key = NULL;
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:

View File

@@ -1,17 +1,8 @@
.\" Copyright (C) 2004, 2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -120,7 +111,7 @@ as directed\&.
.PP
\-A \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5\&.
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5 or if MD5 was disabled hmac\-sha256\&.
.RE
.PP
\-b \fIkeysize\fR
@@ -226,7 +217,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004, 2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -39,6 +39,8 @@
#include <isc/time.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
@@ -65,6 +67,7 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
@@ -80,6 +83,23 @@ Usage:\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
#else
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-A alg: algorithm (default hmac-sha256)\n\
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
#endif
exit (status);
}
@@ -115,7 +135,11 @@ main(int argc, char **argv) {
progname = program;
keyname = DEFAULT_KEYNAME;
#ifndef PK11_MD5_DISABLE
alg = DST_ALG_HMACMD5;
#else
alg = DST_ALG_HMACSHA256;
#endif
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;

View File

@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
<info>
<date>2013-03-14</date>
</info>
@@ -29,6 +29,8 @@
<docinfo>
<copyright>
<year>2001</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
@@ -39,11 +41,6 @@
<year>2016</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2001</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
@@ -131,7 +128,8 @@
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-md5.
hmac-sha384 and hmac-sha512. The default is hmac-md5 or
if MD5 was disabled hmac-sha256.
</para>
</listitem>
</varlistentry>

View File

@@ -1,20 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004, 2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
@@ -22,17 +14,43 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
<p>
<span class="application">rndc-confgen</span>
&#8212; rndc key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">rndc-confgen</code>
[<code class="option">-a</code>]
[<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc-confgen</strong></span>
<p><span class="command"><strong>rndc-confgen</strong></span>
generates configuration files
for <span class="command"><strong>rndc</strong></span>. It can be used as a
convenient alternative to writing the
@@ -45,13 +63,17 @@
avoid the need for a <code class="filename">rndc.conf</code> file
and a <span class="command"><strong>controls</strong></span> statement altogether.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
<p>
<p>
Do automatic <span class="command"><strong>rndc</strong></span> configuration.
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
@@ -66,7 +88,7 @@
<span class="command"><strong>named</strong></span> on the local host
with no further configuration.
</p>
<p>
<p>
Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
drop-in
@@ -74,7 +96,7 @@
with no changes to the existing BIND 8
<code class="filename">named.conf</code> file.
</p>
<p>
<p>
If a more elaborate configuration than that
generated by <span class="command"><strong>rndc-confgen -a</strong></span>
is required, for example if rndc is to be used remotely,
@@ -85,43 +107,57 @@
<code class="filename">named.conf</code>
as directed.
</p>
</dd>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-md5.
</p></dd>
hmac-sha384 and hmac-sha512. The default is hmac-md5 or
if MD5 was disabled hmac-sha256.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd><p>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
an alternate location for <code class="filename">rndc.key</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>rndc-confgen</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <code class="constant">rndc-key</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the command channel port where <span class="command"><strong>named</strong></span>
listens for connections from <span class="command"><strong>rndc</strong></span>.
The default is 953.
</p></dd>
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a source of random data for generating the
authorization. If the operating
system does not provide a <code class="filename">/dev/random</code>
@@ -132,24 +168,30 @@
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the IP address where <span class="command"><strong>named</strong></span>
listens for command channel connections from
<span class="command"><strong>rndc</strong></span>. The default is the loopback
address 127.0.0.1.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
<dd><p>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
a directory where <span class="command"><strong>named</strong></span> will run
chrooted. An additional copy of the <code class="filename">rndc.key</code>
will be written relative to this directory so that
it will be found by the chrooted <span class="command"><strong>named</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd><p>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to set the
owner
of the <code class="filename">rndc.key</code> file generated.
@@ -157,33 +199,45 @@
<span class="command"><strong>-t</strong></span> is also specified only the file
in
the chroot area has its owner changed.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLES</h2>
<p>
<p>
To allow <span class="command"><strong>rndc</strong></span> to be used with
no manual configuration, run
</p>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
</p>
<p>
<p>
To print a sample <code class="filename">rndc.conf</code> file and
corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
statements to be manually inserted into <code class="filename">named.conf</code>,
run
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -61,6 +61,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -84,6 +85,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -106,4 +108,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -63,6 +63,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -95,6 +96,7 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>

View File

@@ -63,6 +63,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -89,6 +90,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -107,4 +109,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -1,4 +1,4 @@
# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -13,9 +13,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES}
${IRS_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = -DVERSION=\"${VERSION}\" -DSYSCONFDIR=\"${sysconfdir}\"
CDEFINES = @CRYPTO@ -DVERSION=\"${VERSION}\" \
-DSYSCONFDIR=\"${sysconfdir}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
@@ -64,6 +65,10 @@ install:: delv@EXEEXT@ installdirs
delv@EXEEXT@ ${DESTDIR}${bindir}
${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/delv@EXEEXT@
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -47,7 +39,7 @@
delv \- DNS lookup and validation utility
.SH "SYNOPSIS"
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [@server] [\fB\-4\fR] [\fB\-6\fR] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
\fBdelv\fR [@server] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-h\fR]
.HP \w'\fBdelv\fR\ 'u
@@ -57,13 +49,13 @@ delv \- DNS lookup and validation utility
.SH "DESCRIPTION"
.PP
\fBdelv\fR
(Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&. Records returned by
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
@@ -143,13 +135,13 @@ will perform a lookup for an A record\&.
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&.
9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
\fB+dlv=NAME\fR
or
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&.
options\&. DNSSEC Lookaside Validation can also be turned on by using the
\fB+dlv=NAME\fR
to specify the name of a zone containing DLV records\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
@@ -412,9 +404,9 @@ must be used to specify a file containing the key\&.
.PP
\fB+[no]dlv[=DLV]\fR
.RS 4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The default is to perform lookaside validation using a trust anchor of "dlv\&.isc\&.org", for which there is a built\-in key\&. If specifying a different name, then
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
\fB\-a\fR
must be used to specify a file containing the DLV key\&.
option must also be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR
@@ -445,5 +437,5 @@ RFC5155\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2016 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -574,7 +574,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
isc_boolean_t match_root, match_dlv;
isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
@@ -582,8 +582,10 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
if (!root_validation && !dlv_validation)
return (ISC_R_SUCCESS);
match_root = dns_name_equal(keyname, anchor_name);
match_dlv = dns_name_equal(keyname, dlv_name);
if (anchor_name)
match_root = dns_name_equal(keyname, anchor_name);
if (dlv_name)
match_dlv = dns_name_equal(keyname, dlv_name);
if (!match_root && !match_dlv)
return (ISC_R_SUCCESS);
@@ -713,14 +715,10 @@ setup_dnsseckeys(dns_client_t *client) {
fatal("out of memory");
}
if (dlv_anchor == NULL) {
dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org");
if (dlv_anchor == NULL)
fatal("out of memory");
}
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
if (trust_anchor != NULL)
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
if (dlv_anchor != NULL)
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
@@ -773,7 +771,7 @@ setup_dnsseckeys(dns_client_t *client) {
static isc_result_t
addserver(dns_client_t *client) {
struct addrinfo hints, *res, *cur;
int gai_error;
int gaierror;
struct in_addr in4;
struct in6_addr in6;
isc_sockaddr_t *sa;
@@ -788,14 +786,20 @@ addserver(dns_client_t *client) {
ISC_LIST_INIT(servers);
if (use_ipv4 && inet_pton(AF_INET, server, &in4) == 1) {
if (inet_pton(AF_INET, server, &in4) == 1) {
if (!use_ipv4) {
fatal("Use of IPv4 disabled by -6");
}
sa = isc_mem_get(mctx, sizeof(*sa));
if (sa == NULL)
return (ISC_R_NOMEMORY);
ISC_LINK_INIT(sa, link);
isc_sockaddr_fromin(sa, &in4, destport);
ISC_LIST_APPEND(servers, sa, link);
} else if (use_ipv6 && inet_pton(AF_INET6, server, &in6) == 1) {
} else if (inet_pton(AF_INET6, server, &in6) == 1) {
if (!use_ipv6) {
fatal("Use of IPv6 disabled by -4");
}
sa = isc_mem_get(mctx, sizeof(*sa));
if (sa == NULL)
return (ISC_R_NOMEMORY);
@@ -812,11 +816,11 @@ addserver(dns_client_t *client) {
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_protocol = IPPROTO_UDP;
gai_error = getaddrinfo(server, port, &hints, &res);
if (gai_error != 0) {
gaierror = getaddrinfo(server, port, &hints, &res);
if (gaierror != 0) {
delv_log(ISC_LOG_ERROR,
"getaddrinfo failed: %s",
gai_strerror(gai_error));
gai_strerror(gaierror));
return (ISC_R_FAILURE);
}
@@ -972,8 +976,7 @@ plus_option(char *option) {
char *cmd, *value, *ptr;
isc_boolean_t state = ISC_TRUE;
strncpy(option_store, option, sizeof(option_store));
option_store[sizeof(option_store)-1]=0;
strlcpy(option_store, option, sizeof(option_store));
ptr = option_store;
cmd = next_token(&ptr,"=");
if (cmd == NULL) {
@@ -1368,6 +1371,7 @@ dash_option(char *option, char *next, isc_boolean_t *open_type_class) {
*/
static void
preparse_args(int argc, char **argv) {
isc_boolean_t ipv4only = ISC_FALSE, ipv6only = ISC_FALSE;
char *option;
for (argc--, argv++; argc > 0; argc--, argv++) {
@@ -1375,10 +1379,23 @@ preparse_args(int argc, char **argv) {
continue;
option = &argv[0][1];
while (strpbrk(option, single_dash_opts) == &option[0]) {
if (option[0] == 'm') {
switch (option[0]) {
case 'm':
isc_mem_debugging = ISC_MEM_DEBUGTRACE |
ISC_MEM_DEBUGRECORD;
return;
break;
case '4':
if (ipv6only) {
fatal("only one of -4 and -6 allowed");
}
ipv4only = ISC_TRUE;
break;
case '6':
if (ipv4only) {
fatal("only one of -4 and -6 allowed");
}
ipv6only = ISC_TRUE;
break;
}
option = &option[1];
}
@@ -1566,8 +1583,8 @@ main(int argc, char *argv[]) {
struct sigaction sa;
#endif
preparse_args(argc, argv);
progname = argv[0];
preparse_args(argc, argv);
argc--;
argv++;

View File

@@ -1,7 +1,7 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
<info>
<date>2014-04-23</date>
</info>
@@ -34,6 +34,7 @@
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -42,8 +43,10 @@
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat">@server</arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
@@ -80,7 +83,7 @@
<refsection><info><title>DESCRIPTION</title></info>
<para><command>delv</command>
(Domain Entity Lookup &amp; Validation) is a tool for sending
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <command>named</command>.
</para>
@@ -96,8 +99,7 @@
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
anchor for the root zone ("."). Records returned by
<command>delv</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
@@ -199,14 +201,15 @@
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
one or more trust anchors for the root zone (".").
</para>
<para>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <option>+dlv=NAME</option> or
<option>+root=NAME</option> options.
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options. DNSSEC Lookaside
Validation can also be turned on by using the
<option>+dlv=NAME</option> to specify the name of a
zone containing DLV records.
</para>
<para>
Note: When reading the trust anchor file,
@@ -636,11 +639,8 @@
<para>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<option>-a</option> must be used to specify a file
containing the DLV key.
The <option>-a</option> option must also be used to specify
a file containing the DLV key.
</para>
</listitem>
</varlistentry>

View File

@@ -1,19 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
@@ -21,25 +14,72 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.delv"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p>delv &#8212; DNS lookup and validation utility</p>
<p>
delv
&#8212; DNS lookup and validation utility
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">delv</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-v</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[@server]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-i</code>]
[<code class="option">-m</code>]
[<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
[<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
[name]
[type]
[class]
[queryopt...]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-h</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-v</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[queryopt...]
[query...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>delv</strong></span>
(Domain Entity Lookup &amp; Validation) is a tool for sending
<p><span class="command"><strong>delv</strong></span>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <span class="command"><strong>named</strong></span>.
</p>
<p>
<p>
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
@@ -49,10 +89,9 @@
behavior of a name server configured for DNSSEC validating and
forwarding.
</p>
<p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
anchor for the root zone ("."). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
@@ -61,7 +100,7 @@
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</p>
<p>
<p>
Unless it is told to query a specific name server,
<span class="command"><strong>delv</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
@@ -69,15 +108,18 @@
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</p>
<p>
<p>
When no command line arguments or options are given,
<span class="command"><strong>delv</strong></span> will perform an NS query for "."
(the root zone).
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
<p>
<p>
A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
</p>
<pre class="programlisting"> delv @server name type </pre>
@@ -88,7 +130,7 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
@@ -98,7 +140,7 @@
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
</p>
<p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span class="command"><strong>delv</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
@@ -111,13 +153,16 @@
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</p>
</dd>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
<dd>
<p>
is the domain name to be looked up.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
<dd>
<p>
indicates what type of query is required &#8212;
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
@@ -125,30 +170,35 @@
<em class="parameter"><code>type</code></em> argument is supplied,
<span class="command"><strong>delv</strong></span> will perform a lookup for an
A record.
</p></dd>
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
<p>
<p>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
one or more trust anchors for the root zone (".").
</p>
<p>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <code class="option">+dlv=NAME</code> or
<code class="option">+root=NAME</code> options.
<p>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<code class="option">+root=NAME</code> options. DNSSEC Lookaside
Validation can also be turned on by using the
<code class="option">+dlv=NAME</code> to specify the name of a
zone containing DLV records.
</p>
<p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
@@ -162,23 +212,28 @@
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
</p>
</dd>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span class="command"><strong>delv</strong></span>
and any other value is ignored.
</p></dd>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the systemwide debug level to <code class="option">level</code>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
@@ -187,13 +242,17 @@
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
and <code class="option">+vtrace</code> options below for additional
debugging details.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd><p>
<dd>
<p>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
@@ -201,30 +260,37 @@
can cause <span class="command"><strong>delv</strong></span> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <span class="command"><strong>dig +cd</strong></span>.)
</p></dd>
</p>
</dd>
<dt><span class="term">-m</span></dt>
<dd><p>
<dd>
<p>
Enables memory usage debugging.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</p></dd>
</p>
</dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the query name to <em class="parameter"><code>name</code></em>.
While the query name can be specified without using the
<code class="option">-q</code>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
<p>
Sets the query type to <em class="parameter"><code>type</code></em>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
@@ -232,18 +298,21 @@
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</p>
<p>
<p>
The default query type is "A", unless the <code class="option">-x</code>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</p>
</dd>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
<dd>
<p>
Print the <span class="command"><strong>delv</strong></span> version and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd><p>
<dd>
<p>
Performs a reverse lookup, mapping an addresses to
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
@@ -253,24 +322,33 @@
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</p></dd>
</p>
</dd>
<dt><span class="term">-4</span></dt>
<dd><p>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
</p></dd>
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd><p>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
<p><span class="command"><strong>delv</strong></span>
<p><span class="command"><strong>delv</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
<p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded by the string
@@ -282,7 +360,8 @@
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to set the CD (checking disabled) bit in
queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
@@ -291,20 +370,25 @@
the CD flag on queries will cause the resolver to return
invalid responses, which <span class="command"><strong>delv</strong></span> can then
validate internally and report the errors in detail.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
<p>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <span class="command"><strong>delv</strong></span>
in the process of carrying out the resolution and validation
@@ -312,62 +396,69 @@
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</p>
<p>
<p>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <code class="option">-d</code> option will
product the same output (but will affect other logging
categories as well).
</p>
</dd>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
<p>
Toggle message logging. This produces a detailed dump of
the responses received by <span class="command"><strong>delv</strong></span> in the
process of carrying out the resolution and validation process.
</p>
<p>
<p>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
<p>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</p>
<p>
<p>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
<dd>
<p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
<dd>
<p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd><p>
<dd>
<p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd><p>
<dd>
<p>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
@@ -375,14 +466,18 @@
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd><p>
<dd>
<p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
@@ -391,24 +486,30 @@
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
<dd>
<p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
<dd>
<p>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
output.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
<dd>
<p>
Indicates whether to display RRSIG records in the
<span class="command"><strong>delv</strong></span> output. The default is to
do so. Note that (unlike in <span class="command"><strong>dig</strong></span>)
@@ -418,9 +519,11 @@
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code> and
<code class="option">+nodlv</code>.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd><p>
<dd>
<p>
Indicates whether to perform conventional (non-lookaside)
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
@@ -428,49 +531,62 @@
a built-in key. If specifying a different trust anchor,
then <code class="option">-a</code> must be used to specify a file
containing the key.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd><p>
<dd>
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<code class="option">-a</code> must be used to specify a file
containing the DLV key.
</p></dd>
The <code class="option">-a</code> option must also be used to specify
a file containing the DLV key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd><p>
<dd>
<p>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
<dd><p>
<dd>
<p>
Print all RDATA in unknown RR type presentation format
(RFC 3597). The default is to print RDATA for known types
in the type's presentation format.
</p></dd>
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsection">
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">RFC4034</em>,
<em class="citetitle">RFC4035</em>,
<em class="citetitle">RFC4431</em>,
<em class="citetitle">RFC5074</em>,
<em class="citetitle">RFC5155</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -42,7 +42,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# SUBTRACT CPP /X @COPTY@
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"

View File

@@ -118,7 +118,7 @@ CLEAN :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP=cl.exe
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\delv.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\delv.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
.c{$(INTDIR)}.obj::
$(CPP) @<<
@@ -192,7 +192,7 @@ CLEAN :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP=cl.exe
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/irs/win32/include" /I "../../../lib/irs/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
.c{$(INTDIR)}.obj::
$(CPP) @<<

View File

@@ -53,14 +53,15 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -78,7 +79,7 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -86,7 +87,8 @@
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>

View File

@@ -1,4 +1,4 @@
# Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2012-2016 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2012-2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -14,8 +14,9 @@ VERSION=@BIND9_VERSION@
READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISC_INCLUDES} \
${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = -DVERSION=\"${VERSION}\" @CRYPTO@
CWARNINGS =
@@ -97,3 +98,11 @@ install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
for m in ${MANPAGES}; do \
${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
done
uninstall::
for m in ${MANPAGES}; do \
rm -f ${DESTDIR}${mandir}/man1/$$m ; \
done
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/dig@EXEEXT@

View File

@@ -1,17 +1,8 @@
.\" Copyright (C) 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\" Copyright (C) 2000-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -48,7 +39,7 @@
dig \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [\fB\-h\fR]
.HP \w'\fBdig\fR\ 'u
@@ -56,7 +47,7 @@ dig \- DNS lookup utility
.SH "DESCRIPTION"
.PP
\fBdig\fR
(domain information groper) is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
\fBdig\fR
to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
\fBdig\fR\&.
@@ -270,7 +261,9 @@ hmac\-sha384, or
hmac\-sha512\&. If
\fIhmac\fR
is not specified, the default is
hmac\-md5\&.
hmac\-md5
or if MD5 was disabled
hmac\-sha256\&.
.sp
NOTE: You should use the
\fB\-k\fR
@@ -435,6 +428,11 @@ Specify EDNS option with code point
and optionally payload of
\fBvalue\fR
as a hexadecimal string\&.
\fBcode\fR
can be either an EDNS option name (for example,
NSID
or
ECS), or an arbitrary numeric value\&.
\fB+noednsopt\fR
clears the EDNS options to be sent\&.
.RE
@@ -461,6 +459,11 @@ Show [or do not show] the IP address and port number that supplied the answer wh
option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
.RE
.PP
\fB+[no]ignore\fR
.RS 4
Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
@@ -590,7 +593,9 @@ Perform [do not perform] a search showing intermediate results\&.
.PP
\fB+[no]sigchase\fR
.RS 4
Chase DNSSEC signature chains\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
Chase DNSSEC signature chains\&. Requires dig be compiled with \-DDIG_SIGCHASE\&. This feature is deprecated\&. Use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+split=W\fR
@@ -617,14 +622,16 @@ Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address
.sp
\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
\fBdig +subnet=0\fR
for short, sends an EDNS client\-subnet option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
\fInot\fR
be used when resolving this query\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless an
Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless a type
any
or
ixfr=N
query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
.RE
@@ -640,7 +647,9 @@ to less than 1 will result in a query timeout of 1 second being applied\&.
.PP
\fB+[no]topdown\fR
.RS 4
When chasing DNSSEC signature chains perform a top\-down validation\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
When chasing DNSSEC signature chains perform a top\-down validation\&. Requires dig be compiled with \-DDIG_SIGCHASE\&. This feature is deprecated\&. Use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]trace\fR
@@ -677,7 +686,9 @@ then
trusted\-key\&.key
in the current directory\&.
.sp
Requires dig be compiled with \-DDIG_SIGCHASE\&.
Requires dig be compiled with \-DDIG_SIGCHASE\&. This feature is deprecated\&. Use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]ttlid\fR
@@ -764,6 +775,7 @@ runs\&.
${HOME}/\&.digrc
.SH "SEE ALSO"
.PP
\fBdelv\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8),
\fBdnssec-keygen\fR(8),
@@ -776,7 +788,5 @@ There are probably too many query options\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000-2003 Internet Software Consortium.
Copyright \(co 2000-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -16,11 +16,14 @@
#include <isc/app.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/masterdump.h>
@@ -184,6 +187,7 @@ help(void) {
" +[no]fail (Don't try next server on SERVFAIL)\n"
" +[no]header-only (Send query without a question section)\n"
" +[no]identify (ID responders in short answers)\n"
" +[no]idnout (convert IDN response)\n"
" +[no]ignore (Don't revert to TCP for TC responses.)\n"
" +[no]keepopen (Keep the TCP socket open between queries)\n"
" +[no]mapped (Allow mapped IPv4 over IPv6)\n"
@@ -235,12 +239,16 @@ help(void) {
/*%
* Callback from dighost.c to print the received message.
*/
void
static void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
isc_uint64_t diff;
time_t tnow;
struct tm tmnow;
#ifdef WIN32
wchar_t time_str[100];
#else
char time_str[100];
#endif
char fromtext[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_format(from, fromtext, sizeof(fromtext));
@@ -253,10 +261,25 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
printf(";; Query time: %ld msec\n", (long) diff / 1000);
printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
time(&tnow);
#if defined(ISC_PLATFORM_USETHREADS) && !defined(WIN32)
(void)localtime_r(&tnow, &tmnow);
#else
tmnow = *localtime(&tnow);
#endif
#ifdef WIN32
/*
* On Windows, time zone name ("%Z") may be a localized
* wide-character string, which strftime() handles incorrectly.
*/
if (wcsftime(time_str, sizeof(time_str)/sizeof(time_str[0]),
L"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
printf(";; WHEN: %ls\n", time_str);
#else
if (strftime(time_str, sizeof(time_str),
"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
printf(";; WHEN: %s\n", time_str);
#endif
if (query->lookup->doing_xfr) {
printf(";; XFR size: %u records (messages %u, "
"bytes %" ISC_PRINT_QUADFORMAT "u)\n",
@@ -298,7 +321,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
* Not used in dig.
* XXX print_trying
*/
void
static void
trying(char *frm, dig_lookup_t *lookup) {
UNUSED(frm);
UNUSED(lookup);
@@ -311,7 +334,7 @@ static isc_result_t
say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
isc_result_t result;
isc_uint64_t diff;
char store[sizeof("12345678901234567890")];
char store[sizeof(" in 18446744073709551616 us.")];
unsigned int styleflags = 0;
if (query->lookup->trace || query->lookup->ns_search_only) {
@@ -334,13 +357,14 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
return (result);
check_result(result, "dns_rdata_totext");
if (query->lookup->identify) {
diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
ADD_STRING(buf, " from server ");
ADD_STRING(buf, query->servname);
if (use_usec)
snprintf(store, 19, " in %ld us.", (long) diff);
snprintf(store, sizeof(store), " in %" ISC_PLATFORM_QUADFORMAT "u us.", diff);
else
snprintf(store, 19, " in %ld ms.", (long) diff / 1000);
snprintf(store, sizeof(store), " in %" ISC_PLATFORM_QUADFORMAT "u ms.", diff / 1000);
ADD_STRING(buf, store);
}
ADD_STRING(buf, "\n");
@@ -398,7 +422,7 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
return (ISC_R_SUCCESS);
}
#ifdef DIG_SIGCHASE
isc_result_t
static isc_result_t
printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_buffer_t *target)
{
@@ -457,10 +481,36 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
}
#endif
static isc_boolean_t
isdotlocal(dns_message_t *msg) {
isc_result_t result;
static unsigned char local_ndata[] = { "\005local\0" };
static unsigned char local_offsets[] = { 0, 6 };
static dns_name_t local = {
DNS_NAME_MAGIC,
local_ndata, 7, 2,
DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
local_offsets, NULL,
{(void *)-1, (void *)-1},
{NULL, NULL}
};
for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
result == ISC_R_SUCCESS;
result = dns_message_nextname(msg, DNS_SECTION_QUESTION))
{
dns_name_t *name = NULL;
dns_message_currentname(msg, DNS_SECTION_QUESTION, &name);
if (dns_name_issubdomain(name, &local))
return (ISC_TRUE);
}
return (ISC_FALSE);
}
/*
* Callback from dighost.c to print the reply from a server
*/
isc_result_t
static isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
isc_result_t result;
dns_messagetextflag_t flags;
@@ -542,6 +592,12 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
printf(";; Got answer:\n");
if (headers) {
if (isdotlocal(msg)) {
printf(";; WARNING: .local is reserved for "
"Multicast DNS\n;; You are currently "
"testing what happens when an mDNS "
"query is leaked to DNS\n");
}
printf(";; ->>HEADER<<- opcode: %s, status: %s, "
"id: %u\n",
opcodetext[msg->opcode],
@@ -697,33 +753,27 @@ cleanup:
static void
printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
int i;
int remaining;
static isc_boolean_t first = ISC_TRUE;
char append[MXNAME];
if (printcmd) {
lookup->cmdline[sizeof(lookup->cmdline) - 1] = 0;
snprintf(lookup->cmdline, sizeof(lookup->cmdline),
"%s; <<>> DiG " VERSION " <<>>",
first?"\n":"");
i = 1;
while (i < argc) {
snprintf(append, sizeof(append), " %s", argv[i++]);
remaining = sizeof(lookup->cmdline) -
strlen(lookup->cmdline) - 1;
strncat(lookup->cmdline, append, remaining);
strlcat(lookup->cmdline, append,
sizeof(lookup->cmdline));
}
remaining = sizeof(lookup->cmdline) -
strlen(lookup->cmdline) - 1;
strncat(lookup->cmdline, "\n", remaining);
strlcat(lookup->cmdline, "\n", sizeof(lookup->cmdline));
if (first && addresscount != 0) {
snprintf(append, sizeof(append),
"; (%d server%s found)\n",
addresscount,
addresscount > 1 ? "s" : "");
remaining = sizeof(lookup->cmdline) -
strlen(lookup->cmdline) - 1;
strncat(lookup->cmdline, append, remaining);
strlcat(lookup->cmdline, append,
sizeof(lookup->cmdline));
}
if (first) {
snprintf(append, sizeof(append),
@@ -731,9 +781,8 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
short_form ? " +short" : "",
printcmd ? " +cmd" : "");
first = ISC_FALSE;
remaining = sizeof(lookup->cmdline) -
strlen(lookup->cmdline) - 1;
strncat(lookup->cmdline, append, remaining);
strlcat(lookup->cmdline, append,
sizeof(lookup->cmdline));
}
}
}
@@ -756,8 +805,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
isc_boolean_t state = ISC_TRUE;
size_t n;
strncpy(option_store, option, sizeof(option_store));
option_store[sizeof(option_store)-1]=0;
strlcpy(option_store, option, sizeof(option_store));
ptr = option_store;
cmd = next_token(&ptr, "=");
if (cmd == NULL) {
@@ -930,8 +978,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
strncpy(domainopt, value, sizeof(domainopt));
domainopt[sizeof(domainopt)-1] = '\0';
strlcpy(domainopt, value, sizeof(domainopt));
break;
case 's': /* dscp */
FULLCHECK("dscp");
@@ -1044,8 +1091,22 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
case 'i':
switch (cmd[1]) {
case 'd': /* identify */
FULLCHECK("identify");
lookup->identify = state;
switch (cmd[2]) {
case 'e':
FULLCHECK("identify");
lookup->identify = state;
break;
case 'n':
FULLCHECK("idnout");
#ifndef WITH_IDN
fprintf(stderr, ";; IDN support not enabled\n");
#else
lookup->idnout = state;
#endif
break;
default:
goto invalid_option;
}
break;
case 'g': /* ignore */
default: /*
@@ -1297,7 +1358,10 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
}
if (lookup->edns == -1)
lookup->edns = 0;
if (lookup->ecs_addr != NULL) {
isc_mem_free(mctx, lookup->ecs_addr);
lookup->ecs_addr = NULL;
}
result = parse_netprefix(&lookup->ecs_addr, value);
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse client");
@@ -1566,7 +1630,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
}
*open_type_class = ISC_FALSE;
tr.base = value;
tr.length = strlen(value);
tr.length = (unsigned int) strlen(value);
result = dns_rdataclass_fromtext(&rdclass,
(isc_textregion_t *)&tr);
if (result == ISC_R_SUCCESS) {
@@ -1581,8 +1645,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
batchname = value;
return (value_from_next);
case 'k':
strncpy(keyfile, value, sizeof(keyfile));
keyfile[sizeof(keyfile)-1]=0;
strlcpy(keyfile, value, sizeof(keyfile));
return (value_from_next);
case 'p':
result = parse_uint(&num, value, MAXPORT, "port number");
@@ -1596,9 +1659,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
(*lookup) = clone_lookup(default_lookup,
ISC_TRUE);
*need_clone = ISC_TRUE;
strncpy((*lookup)->textname, value,
strlcpy((*lookup)->textname, value,
sizeof((*lookup)->textname));
(*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
(*lookup)->trace_root = ISC_TF((*lookup)->trace ||
(*lookup)->ns_search_only);
(*lookup)->new_search = ISC_TRUE;
@@ -1617,7 +1679,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
result = ISC_R_SUCCESS;
} else {
tr.base = value;
tr.length = strlen(value);
tr.length = (unsigned int) strlen(value);
result = dns_rdatatype_fromtext(&rdtype,
(isc_textregion_t *)&tr);
if (result == ISC_R_SUCCESS &&
@@ -1650,6 +1712,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
if (rdtype == dns_rdatatype_axfr) {
(*lookup)->section_question = plusquest;
(*lookup)->comments = pluscomm;
} else if (rdtype == dns_rdatatype_any) {
if (!(*lookup)->tcp_mode_set)
(*lookup)->tcp_mode = ISC_TRUE;
}
(*lookup)->ixfr_serial = ISC_FALSE;
}
@@ -1672,13 +1737,15 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ptr = ptr2;
ptr2 = ptr3;
} else {
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
digestbits = 0;
}
strncpy(keynametext, ptr, sizeof(keynametext));
keynametext[sizeof(keynametext)-1]=0;
strncpy(keysecret, ptr2, sizeof(keysecret));
keysecret[sizeof(keysecret)-1]=0;
strlcpy(keynametext, ptr, sizeof(keynametext));
strlcpy(keysecret, ptr2, sizeof(keysecret));
return (value_from_next);
case 'x':
if (*need_clone)
@@ -1686,9 +1753,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
*need_clone = ISC_TRUE;
if (get_reverse(textname, sizeof(textname), value,
ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
strncpy((*lookup)->textname, textname,
strlcpy((*lookup)->textname, textname,
sizeof((*lookup)->textname));
(*lookup)->textname[sizeof((*lookup)->textname)-1] = 0;
debug("looking up %s", (*lookup)->textname);
(*lookup)->trace_root = ISC_TF((*lookup)->trace ||
(*lookup)->ns_search_only);
@@ -1912,7 +1978,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
result = ISC_R_SUCCESS;
} else {
tr.base = rv[0];
tr.length = strlen(rv[0]);
tr.length =
(unsigned int) strlen(rv[0]);
result = dns_rdatatype_fromtext(&rdtype,
(isc_textregion_t *)&tr);
if (result == ISC_R_SUCCESS &&
@@ -1955,6 +2022,10 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
plusquest;
lookup->comments = pluscomm;
}
if (rdtype ==
dns_rdatatype_any &&
!lookup->tcp_mode_set)
lookup->tcp_mode = ISC_TRUE;
lookup->ixfr_serial = ISC_FALSE;
}
continue;
@@ -1977,9 +2048,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
lookup = clone_lookup(default_lookup,
ISC_TRUE);
need_clone = ISC_TRUE;
strncpy(lookup->textname, rv[0],
strlcpy(lookup->textname, rv[0],
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1]=0;
lookup->trace_root = ISC_TF(lookup->trace ||
lookup->ns_search_only);
lookup->new_search = ISC_TRUE;
@@ -2045,7 +2115,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
lookup->trace_root = ISC_TF(lookup->trace ||
lookup->ns_search_only);
lookup->new_search = ISC_TRUE;
strcpy(lookup->textname, ".");
strlcpy(lookup->textname, ".", sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_ns;
lookup->rdtypeset = ISC_TRUE;
if (firstarg) {
@@ -2063,8 +2133,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
* Here, we're possibly reading from a batch file, then shutting down
* for real if there's nothing in the batch file to read.
*/
void
dighost_shutdown(void) {
static void
query_finished(void) {
char batchline[MXNAME];
int bargc;
char *bargv[16];
@@ -2110,23 +2180,41 @@ dighost_shutdown(void) {
}
}
/*% Main processing routine for dig */
int
main(int argc, char **argv) {
void dig_setup(int argc, char **argv)
{
isc_result_t result;
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
debug("main()");
debug("dig_setup()");
/* setup dighost callbacks */
#ifdef DIG_SIGCHASE
dighost_printrdataset = printrdataset;
#endif
dighost_printmessage = printmessage;
dighost_received = received;
dighost_trying = trying;
dighost_shutdown = query_finished;
progname = argv[0];
preparse_args(argc, argv);
result = isc_app_start();
check_result(result, "isc_app_start");
setup_libs();
setup_system(ipv4only, ipv6only);
parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
}
void dig_query_setup(isc_boolean_t is_batchfile, isc_boolean_t config_only,
int argc, char **argv)
{
debug("dig_query_setup");
parse_args(is_batchfile, config_only, argc, argv);
if (keyfile[0] != 0)
setup_file_key();
else if (keysecret[0] != 0)
@@ -2135,20 +2223,49 @@ main(int argc, char **argv) {
set_search_domain(domainopt);
usesearch = ISC_TRUE;
}
}
void dig_startup() {
isc_result_t result;
debug("dig_startup()");
result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
check_result(result, "isc_app_onrun");
isc_app_run();
}
void dig_query_start()
{
start_lookup();
}
void
dig_shutdown() {
destroy_lookup(default_lookup);
if (batchname != NULL) {
if (batchfp != stdin)
fclose(batchfp);
batchname = NULL;
}
#ifdef DIG_SIGCHASE
clean_trustedkey();
#endif
cancel_all();
destroy_libs();
isc_app_finish();
}
/*% Main processing routine for dig */
int
main(int argc, char **argv) {
dig_setup(argc, argv);
dig_query_setup(ISC_FALSE, ISC_FALSE, argc, argv);
dig_startup();
dig_shutdown();
return (exitcode);
}

View File

@@ -1,7 +1,7 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2000-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
<info>
<date>2014-02-19</date>
</info>
@@ -31,6 +31,10 @@
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
@@ -43,15 +47,9 @@
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
@@ -69,8 +67,10 @@
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">type</arg>
<arg choice="opt" rep="norepeat">class</arg>
@@ -91,8 +91,7 @@
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dig</command>
(domain information groper) is a flexible tool
<para><command>dig</command> is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
displays the answers that are returned from the name server(s) that
were queried. Most DNS administrators use <command>dig</command> to
@@ -393,7 +392,8 @@
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
is not specified, the default is <literal>hmac-md5</literal>.
is not specified, the default is <literal>hmac-md5</literal>
or if MD5 was disabled <literal>hmac-sha256</literal>.
</para>
<para>
NOTE: You should use the <option>-k</option> option and
@@ -709,7 +709,10 @@
<para>
Specify EDNS option with code point <option>code</option>
and optionally payload of <option>value</option> as a
hexadecimal string. <option>+noednsopt</option>
hexadecimal string. <option>code</option> can be
either an EDNS option name (for example,
<literal>NSID</literal> or <literal>ECS</literal>),
or an arbitrary numeric value. <option>+noednsopt</option>
clears the EDNS options to be sent.
</para>
</listitem>
@@ -760,6 +763,17 @@
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]idnout</option></term>
<listitem>
<para>
Convert [do not convert] puny code on output.
This requires IDN SUPPORT to have been enabled at
compile time. The default is to convert output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]ignore</option></term>
<listitem>
@@ -978,8 +992,9 @@
<term><option>+[no]sigchase</option></term>
<listitem>
<para>
Chase DNSSEC signature chains. Requires dig be
compiled with -DDIG_SIGCHASE.
Chase DNSSEC signature chains. Requires dig be compiled
with -DDIG_SIGCHASE. This feature is deprecated.
Use <command>delv</command> instead.
</para>
</listitem>
</varlistentry>
@@ -1022,7 +1037,7 @@
<para>
<command>dig +subnet=0.0.0.0/0</command>, or simply
<command>dig +subnet=0</command> for short, sends an EDNS
client-subnet option with an empty address and a source
CLIENT-SUBNET option with an empty address and a source
prefix-length of zero, which signals a resolver that
the client's address information must
<emphasis>not</emphasis> be used when resolving
@@ -1036,10 +1051,10 @@
<listitem>
<para>
Use [do not use] TCP when querying name servers. The
default behavior is to use UDP unless an
<literal>ixfr=N</literal> query is requested, in which
case the default is TCP. AXFR queries always use
TCP.
default behavior is to use UDP unless a type
<literal>any</literal> or <literal>ixfr=N</literal>
query is requested, in which case the default is TCP.
AXFR queries always use TCP.
</para>
</listitem>
</varlistentry>
@@ -1065,6 +1080,7 @@
<para>
When chasing DNSSEC signature chains perform a top-down
validation. Requires dig be compiled with -DDIG_SIGCHASE.
This feature is deprecated. Use <command>delv</command> instead.
</para>
</listitem>
</varlistentry>
@@ -1118,6 +1134,7 @@
directory.
</para> <para>
Requires dig be compiled with -DDIG_SIGCHASE.
This feature is deprecated. Use <command>delv</command> instead.
</para>
</listitem>
</varlistentry>
@@ -1256,6 +1273,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>delv</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@@ -1,17 +1,8 @@
.\" Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -48,7 +39,7 @@
host \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBhost\fR\ 'u
\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
\fBhost\fR [\fB\-aCdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
.SH "DESCRIPTION"
.PP
\fBhost\fR
@@ -190,13 +181,14 @@ If a query type of IXFR is chosen the starting serial number can be specified by
\fB\-t \fR\fBIXFR=12345678\fR)\&.
.RE
.PP
\-T
\-T, \-U
.RS 4
TCP: By default,
TCP/UDP: By default,
\fBhost\fR
uses UDP when making queries\&. The
\fB\-T\fR
option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&.
option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&. Type ANY queries default to TCP but can be forced to UDP initially using
\fB\-U\fR\&.
.RE
.PP
\-m \fIflag\fR
@@ -273,7 +265,5 @@ runs\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000-2002 Internet Software Consortium.
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2000-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2007, 2009-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -137,14 +137,15 @@ show_usage(void) ISC_PLATFORM_NORETURN_POST;
static void
show_usage(void) {
fputs(
"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
"Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]\n"
" [-R number] [-m flag] hostname [server]\n"
" -a is equivalent to -v -t ANY\n"
" -c specifies query class for non-IN data\n"
" -C compares SOA records on authoritative nameservers\n"
" -d is equivalent to -v\n"
" -l lists all hosts in a domain, using AXFR\n"
" -i IP6.INT reverse lookups\n"
" -l lists all hosts in a domain, using AXFR\n"
" -m set memory debugging flag (trace|record|usage)\n"
" -N changes the number of dots allowed before root lookup is done\n"
" -r disables recursive processing\n"
" -R specifies number of retries for UDP packets\n"
@@ -152,21 +153,20 @@ show_usage(void) {
" -t specifies the query type\n"
" -T enables TCP/IP mode\n"
" -v enables verbose output\n"
" -V print version number and exit\n"
" -w specifies to wait forever for a reply\n"
" -W specifies how long to wait for a reply\n"
" -4 use IPv4 query transport only\n"
" -6 use IPv6 query transport only\n"
" -m set memory debugging flag (trace|record|usage)\n"
" -V print version number and exit\n", stderr);
" -6 use IPv6 query transport only\n", stderr);
exit(1);
}
void
dighost_shutdown(void) {
isc_app_shutdown();
static void
host_shutdown(void) {
(void) isc_app_shutdown();
}
void
static void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
isc_time_t now;
int diff;
@@ -181,7 +181,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
}
}
void
static void
trying(char *frm, dig_lookup_t *lookup) {
UNUSED(lookup);
@@ -225,7 +225,7 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
}
#ifdef DIG_SIGCHASE
/* Just for compatibility : not use in host program */
isc_result_t
static isc_result_t
printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_buffer_t *target)
{
@@ -406,7 +406,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
}
}
isc_result_t
static isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
isc_boolean_t did_flag = ISC_FALSE;
dns_rdataset_t *opt, *tsig = NULL;
@@ -466,9 +466,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
dns_name_format(name, namestr, sizeof(namestr));
lookup = clone_lookup(query->lookup, ISC_FALSE);
if (lookup != NULL) {
strncpy(lookup->textname, namestr,
strlcpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_aaaa;
lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
@@ -477,9 +476,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
}
lookup = clone_lookup(query->lookup, ISC_FALSE);
if (lookup != NULL) {
strncpy(lookup->textname, namestr,
strlcpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_mx;
lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
@@ -594,7 +592,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
return (result);
}
static const char * optstring = "46ac:dilnm:rst:vVwCDN:R:TW:";
static const char * optstring = "46ac:dilnm:rst:vVwCDN:R:TUW:";
/*% version */
static void
@@ -734,6 +732,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
lookup->ixfr_serial = serial;
lookup->tcp_mode = ISC_TRUE;
list_type = rdtype;
} else if (rdtype == dns_rdatatype_any) {
if (!lookup->tcp_mode_set)
lookup->tcp_mode = ISC_TRUE;
#ifdef WITH_IDN
} else if (rdtype == dns_rdatatype_a ||
rdtype == dns_rdatatype_aaaa ||
@@ -803,6 +804,11 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
break;
case 'T':
lookup->tcp_mode = ISC_TRUE;
lookup->tcp_mode_set = ISC_TRUE;
break;
case 'U':
lookup->tcp_mode = ISC_FALSE;
lookup->tcp_mode_set = ISC_TRUE;
break;
case 'C':
debug("showing all SOAs");
@@ -852,14 +858,12 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
lookup->pending = ISC_FALSE;
if (get_reverse(store, sizeof(store), hostname,
lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
strncpy(lookup->textname, store, sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
strlcpy(lookup->textname, store, sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_ptr;
lookup->rdtypeset = ISC_TRUE;
default_lookups = ISC_FALSE;
} else {
strncpy(lookup->textname, hostname, sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1]=0;
strlcpy(lookup->textname, hostname, sizeof(lookup->textname));
usesearch = ISC_TRUE;
}
lookup->new_search = ISC_TRUE;
@@ -881,6 +885,15 @@ main(int argc, char **argv) {
idnoptions = IDN_ASCCHECK;
#endif
/* setup dighost callbacks */
#ifdef DIG_SIGCHASE
dighost_printrdataset = printrdataset;
#endif
dighost_printmessage = printmessage;
dighost_received = received;
dighost_trying = trying;
dighost_shutdown = host_shutdown;
debug("main()");
progname = argv[0];
pre_parse_args(argc, argv);

View File

@@ -1,7 +1,7 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
<info>
<date>2009-01-20</date>
</info>
@@ -31,6 +31,9 @@
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
@@ -39,28 +42,25 @@
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>host</command>
<arg choice="opt" rep="norepeat"><option>-aCdlnrsTwv</option></arg>
<arg choice="opt" rep="norepeat"><option>-aCdlnrsTUwv</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">name</arg>
@@ -282,14 +282,16 @@
<varlistentry>
<term>-T</term>
<term>-U</term>
<listitem>
<para>
TCP:
TCP/UDP:
By default, <command>host</command> uses UDP when making
queries. The <option>-T</option> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests.
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <option>-U</option>.
</para>
</listitem>
</varlistentry>

View File

@@ -1,20 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host</title>
@@ -22,24 +14,56 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.host"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p>host &#8212; DNS lookup utility</p>
<p>
host
&#8212; DNS lookup utility
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">host</code>
[<code class="option">-aCdlnrsTUwv</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-v</code>]
[<code class="option">-V</code>]
{name}
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>host</strong></span>
<p><span class="command"><strong>host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<span class="command"><strong>host</strong></span>
prints a short summary of its command line arguments and options.
</p>
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
@@ -51,68 +75,86 @@
should query instead of the server or servers listed in
<code class="filename">/etc/resolv.conf</code>.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd><p>
<dd>
<p>
Use IPv4 only for query transport.
See also the <code class="option">-6</code> option.
</p></dd>
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd><p>
<dd>
<p>
Use IPv6 only for query transport.
See also the <code class="option">-4</code> option.
</p></dd>
</p>
</dd>
<dt><span class="term">-a</span></dt>
<dd><p>
<dd>
<p>
"All". The <code class="option">-a</code> option is normally equivalent
to <code class="option">-v -t <code class="literal">ANY</code></code>.
It also affects the behaviour of the <code class="option">-l</code>
list zone option.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Query class: This can be used to lookup HS (Hesiod) or CH
(Chaosnet) class resource records. The default class is IN
(Internet).
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Check consistency: <span class="command"><strong>host</strong></span> will query the
SOA records for zone <em class="parameter"><code>name</code></em> from all
the listed authoritative name servers for that zone. The
list of name servers is defined by the NS records that are
found for the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd><p>
<dd>
<p>
Print debugging traces.
Equivalent to the <code class="option">-v</code> verbose option.
</p></dd>
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd><p>
<dd>
<p>
Obsolete.
Use the IP6.INT domain for reverse lookups of IPv6
addresses as defined in RFC1886 and deprecated in RFC4159.
The default is to use IP6.ARPA as specified in RFC3596.
</p></dd>
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
<p>
List zone:
The <span class="command"><strong>host</strong></span> command performs a zone transfer of
zone <em class="parameter"><code>name</code></em> and prints out the NS,
PTR and address records (A/AAAA).
</p>
<p>
<p>
Together, the <code class="option">-l -a</code>
options print all records in the zone.
</p>
</dd>
</dd>
<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
<dd><p>
<dd>
<p>
The number of dots that have to be
in <em class="parameter"><code>name</code></em> for it to be considered
absolute. The default value is that defined using the
@@ -122,9 +164,11 @@
searched for in the domains listed in
the <span class="type">search</span> or <span class="type">domain</span> directive
in <code class="filename">/etc/resolv.conf</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd><p>
<dd>
<p>
Non-recursive query:
Setting this option clears the RD (recursion desired) bit
in the query. This should mean that the name server
@@ -135,30 +179,35 @@
name server by making non-recursive queries and expecting
to receive answers to those queries that can be
referrals to other name servers.
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
<dd>
<p>
Number of retries for UDP queries:
If <em class="parameter"><code>number</code></em> is negative or zero, the
number of retries will default to 1. The default value is
1, or the value of the <em class="parameter"><code>attempts</code></em>
option in <code class="filename">/etc/resolv.conf</code>, if set.
</p></dd>
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd><p>
<dd>
<p>
Do <span class="emphasis"><em>not</em></span> send the query to the next
nameserver if any server responds with a SERVFAIL
response, which is the reverse of normal stub resolver
behavior.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
<p>
Query type:
The <em class="parameter"><code>type</code></em> argument can be any
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
</p>
<p>
<p>
When no query type is specified, <span class="command"><strong>host</strong></span>
automatically selects an appropriate query type. By default, it
looks for A, AAAA, and MX records.
@@ -169,70 +218,86 @@
address, <span class="command"><strong>host</strong></span> will query for PTR
records.
</p>
<p>
<p>
If a query type of IXFR is chosen the starting serial
number can be specified by appending an equal followed by
the starting serial number
(like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
</p>
</dd>
<dt><span class="term">-T</span></dt>
<dd><p>
TCP:
</dd>
<dt>
<span class="term">-T, </span><span class="term">-U</span>
</dt>
<dd>
<p>
TCP/UDP:
By default, <span class="command"><strong>host</strong></span> uses UDP when making
queries. The <code class="option">-T</code> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests.
</p></dd>
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <code class="option">-U</code>.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
<dd>
<p>
Memory usage debugging: the flag can
be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
or <em class="parameter"><code>trace</code></em>. You can specify
the <code class="option">-m</code> option more than once to set
multiple flags.
</p></dd>
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
<dd>
<p>
Verbose output.
Equivalent to the <code class="option">-d</code> debug option.
Verbose output can also be enabled by setting
the <em class="parameter"><code>debug</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Print the version number and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-w</span></dt>
<dd><p>
<dd>
<p>
Wait forever: The query timeout is set to the maximum possible.
See also the <code class="option">-W</code> option.
</p></dd>
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
<dd>
<p>
<p>
Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
seconds for a reply. If <em class="parameter"><code>wait</code></em> is
less than one, the wait interval is set to one second.
</p>
<p>
<p>
By default, <span class="command"><strong>host</strong></span> will wait for 5
seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by
the <em class="parameter"><code>timeout</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p>
<p>
<p>
See also the <code class="option">-w</code> option.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>IDN SUPPORT</h2>
<p>
<p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
@@ -243,17 +308,26 @@
The IDN support is disabled if the variable is set when
<span class="command"><strong>host</strong></span> runs.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2000-2009, 2011-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -129,7 +129,8 @@ struct dig_lookup {
header_only,
ednsneg,
mapped,
print_unknown_format;
print_unknown_format,
idnout;
#ifdef DIG_SIGCHASE
isc_boolean_t sigchase;
#if DIG_SIGCHASE_TD
@@ -154,14 +155,13 @@ isc_boolean_t sigchase;
dns_rdataclass_t rdclass;
isc_boolean_t rdtypeset;
isc_boolean_t rdclassset;
char namespace[BUFSIZE];
char onamespace[BUFSIZE];
char name_space[BUFSIZE];
char oname_space[BUFSIZE];
isc_buffer_t namebuf;
isc_buffer_t onamebuf;
isc_buffer_t renderbuf;
char *sendspace;
dns_name_t *name;
isc_timer_t *timer;
isc_interval_t interval;
dns_message_t *sendmsg;
dns_name_t *oname;
@@ -190,6 +190,7 @@ isc_boolean_t sigchase;
isc_dscp_t dscp;
unsigned int ednsflags;
dns_opcode_t opcode;
unsigned int eoferr;
};
/*% The dig_query structure */
@@ -203,7 +204,8 @@ struct dig_query {
second_rr_rcvd,
first_repeat_rcvd,
recv_made,
warn_id;
warn_id,
timedout;
isc_uint32_t first_rr_serial;
isc_uint32_t second_rr_serial;
isc_uint32_t msg_count;
@@ -228,6 +230,7 @@ struct dig_query {
isc_time_t time_recv;
isc_uint64_t byte_count;
isc_buffer_t sendbuf;
isc_timer_t *timer;
};
struct dig_server {
@@ -390,37 +393,38 @@ void
clean_trustedkey(void);
#endif
char *
next_token(char **stringp, const char *delim);
/*
* Routines to be defined in dig.c, host.c, and nslookup.c.
* Routines to be defined in dig.c, host.c, and nslookup.c. and
* then assigned to the appropriate function pointer
*/
#ifdef DIG_SIGCHASE
isc_result_t
printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
extern isc_result_t
(*dighost_printrdataset)(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_buffer_t *target);
#endif
isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
extern isc_result_t
(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
/*%<
* Print the final result of the lookup.
*/
void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
extern void
(*dighost_received)(int bytes, isc_sockaddr_t *from, dig_query_t *query);
/*%<
* Print a message about where and when the response
* was received from, like the final comment in the
* output of "dig".
*/
void
trying(char *frm, dig_lookup_t *lookup);
extern void
(*dighost_trying)(char *frm, dig_lookup_t *lookup);
void
dighost_shutdown(void);
char *
next_token(char **stringp, const char *delim);
extern void
(*dighost_shutdown)(void);
#ifdef DIG_SIGCHASE
/* Chasing functions */
@@ -435,6 +439,41 @@ void save_opt(dig_lookup_t *lookup, char *code, char *value);
void setup_file_key(void);
void setup_text_key(void);
/*
* Routines exported from dig.c for use by dig for iOS
*/
/*%<
* Call once only to set up libraries, parse global
* parameters and initial command line query parameters
*/
void
dig_setup(int argc, char **argv);
/*%<
* Call to supply new parameters for the next lookup
*/
void
dig_query_setup(isc_boolean_t, isc_boolean_t, int argc, char **argv);
/*%<
* set the main application event cycle running
*/
void
dig_startup(void);
/*%<
* Initiates the next lookup cycle
*/
void
dig_query_start(void);
/*%<
* Cleans up the application
*/
void
dig_shutdown(void);
ISC_LANG_ENDDECLS
#endif

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2007, 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -197,7 +189,7 @@ The class specifies the protocol group of the information\&.
(Default = IN; abbreviation = cl)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
\fB\fI[no]\fR\fR\fBdebug\fR
.RS 4
Turn on or off the display of the full response packet and any intermediate response packets when searching\&.
.sp
@@ -205,7 +197,7 @@ Turn on or off the display of the full response packet and any intermediate resp
[no]deb)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBd2\fR
\fB\fI[no]\fR\fR\fBd2\fR
.RS 4
Turn debugging mode on or off\&. This displays more about what nslookup is doing\&.
.sp
@@ -218,7 +210,7 @@ Sets the search list to
\fIname\fR\&.
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
\fB\fI[no]\fR\fR\fBsearch\fR
.RS 4
If the lookup request contains at least one period but doesn\*(Aqt end with a trailing period, append the domain names in the domain search list to the request until an answer is received\&.
.sp
@@ -244,7 +236,7 @@ Change the type of the information query\&.
(Default = A; abbreviations = q, ty)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
\fB\fI[no]\fR\fR\fBrecurse\fR
.RS 4
Tell the name server to query other servers if it does not have the information\&.
.sp
@@ -266,14 +258,14 @@ Set the number of retries to number\&.
Change the initial timeout interval for waiting for a reply to number seconds\&.
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBvc\fR
\fB\fI[no]\fR\fR\fBvc\fR
.RS 4
Always use a virtual circuit when sending requests to the server\&.
.sp
(Default = novc)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBfail\fR
\fB\fI[no]\fR\fR\fBfail\fR
.RS 4
Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response\&.
.sp
@@ -298,5 +290,5 @@ returns with an exit status of 1 if any query failed, and 0 otherwise\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004-2007, 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -18,7 +18,6 @@
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
#include <isc/task.h>
#include <isc/netaddr.h>
@@ -36,17 +35,29 @@
#include <dig/dig.h>
#if defined(HAVE_READLINE)
#if defined(HAVE_EDIT_READLINE_READLINE_H)
#include <edit/readline/readline.h>
#if defined(HAVE_EDIT_READLINE_HISTORY_H)
#include <edit/readline/history.h>
#endif
#elif defined(HAVE_EDITLINE_READLINE_H)
#include <editline/readline.h>
#elif defined(HAVE_READLINE_READLINE_H)
#include <readline/readline.h>
#if defined (HAVE_READLINE_HISTORY_H)
#include <readline/history.h>
#endif
#endif
#endif
static isc_boolean_t short_form = ISC_TRUE,
tcpmode = ISC_FALSE,
tcpmode = ISC_FALSE, tcpmode_set = ISC_FALSE,
identify = ISC_FALSE, stats = ISC_TRUE,
comments = ISC_TRUE, section_question = ISC_TRUE,
section_answer = ISC_TRUE, section_authority = ISC_TRUE,
section_additional = ISC_TRUE, recurse = ISC_TRUE,
aaonly = ISC_FALSE, nofail = ISC_TRUE;
aaonly = ISC_FALSE, nofail = ISC_TRUE,
default_lookups = ISC_TRUE, a_noanswer = ISC_FALSE;
static isc_boolean_t interactive;
@@ -145,8 +156,8 @@ rcode_totext(dns_rcode_t rcode)
return totext.deconsttext;
}
void
dighost_shutdown(void) {
static void
query_finished(void) {
isc_event_t *event = global_event;
flush_lookup_list();
@@ -182,9 +193,9 @@ printsoa(dns_rdata_t *rdata) {
}
static void
printa(dns_rdata_t *rdata) {
printaddr(dns_rdata_t *rdata) {
isc_result_t result;
char text[sizeof("255.255.255.255")];
char text[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
isc_buffer_t b;
isc_buffer_init(&b, text, sizeof(text));
@@ -193,9 +204,10 @@ printa(dns_rdata_t *rdata) {
printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
(char *)isc_buffer_base(&b));
}
#ifdef DIG_SIGCHASE
/* Just for compatibility : not use in host program */
isc_result_t
static isc_result_t
printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_buffer_t *target)
{
@@ -264,12 +276,13 @@ printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
dns_rdataset_current(rdataset, &rdata);
switch (rdata.type) {
case dns_rdatatype_a:
case dns_rdatatype_aaaa:
if (section != DNS_SECTION_ANSWER)
goto def_short_section;
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("Name:\t%s\n", namebuf);
printa(&rdata);
printaddr(&rdata);
break;
case dns_rdatatype_soa:
dns_name_format(name, namebuf,
@@ -385,7 +398,7 @@ detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
return (ISC_R_SUCCESS);
}
void
static void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
{
UNUSED(bytes);
@@ -393,14 +406,38 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
UNUSED(query);
}
void
static void
trying(char *frm, dig_lookup_t *lookup) {
UNUSED(frm);
UNUSED(lookup);
}
isc_result_t
static void
chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
isc_result_t result;
dns_rdataset_t *rdataset;
dns_rdata_cname_t cname;
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL, &rdataset);
if (result != ISC_R_SUCCESS)
return;
result = dns_rdataset_first(rdataset);
check_result(result, "dns_rdataset_first");
dns_rdata_reset(&rdata);
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_copy(&cname.cname, qname, NULL);
dns_rdata_freestruct(&cname);
}
}
static isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
char servtext[ISC_SOCKADDR_FORMATSIZE];
@@ -409,11 +446,13 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
debug("printmessage()");
isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
printf("Server:\t\t%s\n", query->userarg);
printf("Address:\t%s\n", servtext);
if(!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
printf("Server:\t\t%s\n", query->userarg);
printf("Address:\t%s\n", servtext);
puts("");
puts("");
}
if (!short_form) {
puts("------------");
@@ -438,16 +477,49 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
return (ISC_R_SUCCESS);
}
if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0)
if ( default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
char namestr[DNS_NAME_FORMATSIZE];
dig_lookup_t *lookup;
dns_fixedname_t fixed;
dns_name_t *name;
/* Add AAAA lookup. */
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
dns_name_copy(query->lookup->name, name, NULL);
chase_cnamechain(msg, name);
dns_name_format(name, namestr, sizeof(namestr));
lookup = clone_lookup(query->lookup, ISC_FALSE);
if (lookup != NULL) {
strlcpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_aaaa;
lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
}
if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0 &&
( !default_lookups || query->lookup->rdtype == dns_rdatatype_a) )
puts("Non-authoritative answer:");
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
printsection(query, msg, headers, DNS_SECTION_ANSWER);
else
printf("*** Can't find %s: No answer\n",
query->lookup->textname);
else {
if (default_lookups && query->lookup->rdtype == dns_rdatatype_a)
a_noanswer = ISC_TRUE;
else if (!default_lookups ||
(query->lookup->rdtype == dns_rdatatype_aaaa &&
a_noanswer ) )
printf("*** Can't find %s: No answer\n",
query->lookup->textname);
}
if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
(query->lookup->rdtype != dns_rdatatype_a)) {
(query->lookup->rdtype != dns_rdatatype_a) &&
(query->lookup->rdtype != dns_rdatatype_aaaa) ) {
puts("\nAuthoritative answers can be found from:");
printsection(query, msg, headers,
DNS_SECTION_AUTHORITY);
@@ -576,7 +648,12 @@ version(void) {
static void
setoption(char *opt) {
if (strncasecmp(opt, "all", 3) == 0) {
size_t l = strlen(opt);
#define CHECKOPT(A, N) \
((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
if (CHECKOPT("all", 3)) {
show_settings(ISC_TRUE, ISC_FALSE);
} else if (strncasecmp(opt, "class=", 6) == 0) {
if (testclass(&opt[6]))
@@ -585,23 +662,35 @@ setoption(char *opt) {
if (testclass(&opt[3]))
strlcpy(defclass, &opt[3], sizeof(defclass));
} else if (strncasecmp(opt, "type=", 5) == 0) {
if (testtype(&opt[5]))
if (testtype(&opt[5])) {
strlcpy(deftype, &opt[5], sizeof(deftype));
default_lookups = ISC_FALSE;
}
} else if (strncasecmp(opt, "ty=", 3) == 0) {
if (testtype(&opt[3]))
if (testtype(&opt[3])) {
strlcpy(deftype, &opt[3], sizeof(deftype));
default_lookups = ISC_FALSE;
}
} else if (strncasecmp(opt, "querytype=", 10) == 0) {
if (testtype(&opt[10]))
if (testtype(&opt[10])) {
strlcpy(deftype, &opt[10], sizeof(deftype));
default_lookups = ISC_FALSE;
}
} else if (strncasecmp(opt, "query=", 6) == 0) {
if (testtype(&opt[6]))
if (testtype(&opt[6])) {
strlcpy(deftype, &opt[6], sizeof(deftype));
default_lookups = ISC_FALSE;
}
} else if (strncasecmp(opt, "qu=", 3) == 0) {
if (testtype(&opt[3]))
if (testtype(&opt[3])) {
strlcpy(deftype, &opt[3], sizeof(deftype));
default_lookups = ISC_FALSE;
}
} else if (strncasecmp(opt, "q=", 2) == 0) {
if (testtype(&opt[2]))
if (testtype(&opt[2])) {
strlcpy(deftype, &opt[2], sizeof(deftype));
default_lookups = ISC_FALSE;
}
} else if (strncasecmp(opt, "domain=", 7) == 0) {
strlcpy(domainopt, &opt[7], sizeof(domainopt));
set_search_domain(domainopt);
@@ -618,41 +707,43 @@ setoption(char *opt) {
set_timeout(&opt[8]);
} else if (strncasecmp(opt, "t=", 2) == 0) {
set_timeout(&opt[2]);
} else if (strncasecmp(opt, "rec", 3) == 0) {
} else if (CHECKOPT("recurse", 3)) {
recurse = ISC_TRUE;
} else if (strncasecmp(opt, "norec", 5) == 0) {
} else if (CHECKOPT("norecurse", 5)) {
recurse = ISC_FALSE;
} else if (strncasecmp(opt, "retry=", 6) == 0) {
set_tries(&opt[6]);
} else if (strncasecmp(opt, "ret=", 4) == 0) {
set_tries(&opt[4]);
} else if (strncasecmp(opt, "def", 3) == 0) {
} else if (CHECKOPT("defname", 3)) {
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodef", 5) == 0) {
} else if (CHECKOPT("nodefname", 5)) {
usesearch = ISC_FALSE;
} else if (strncasecmp(opt, "vc", 3) == 0) {
} else if (CHECKOPT("vc", 2) == 0) {
tcpmode = ISC_TRUE;
} else if (strncasecmp(opt, "novc", 5) == 0) {
tcpmode_set = ISC_TRUE;
} else if (CHECKOPT("novc", 4) == 0) {
tcpmode = ISC_FALSE;
} else if (strncasecmp(opt, "deb", 3) == 0) {
tcpmode_set = ISC_TRUE;
} else if (CHECKOPT("debug", 3) == 0) {
short_form = ISC_FALSE;
showsearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodeb", 5) == 0) {
} else if (CHECKOPT("nodebug", 5) == 0) {
short_form = ISC_TRUE;
showsearch = ISC_FALSE;
} else if (strncasecmp(opt, "d2", 2) == 0) {
} else if (CHECKOPT("d2", 2) == 0) {
debugging = ISC_TRUE;
} else if (strncasecmp(opt, "nod2", 4) == 0) {
} else if (CHECKOPT("nod2", 4) == 0) {
debugging = ISC_FALSE;
} else if (strncasecmp(opt, "search", 3) == 0) {
} else if (CHECKOPT("search", 3) == 0) {
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "nosearch", 5) == 0) {
} else if (CHECKOPT("nosearch", 5) == 0) {
usesearch = ISC_FALSE;
} else if (strncasecmp(opt, "sil", 3) == 0) {
} else if (CHECKOPT("sil", 3) == 0) {
/* deprecation_msg = ISC_FALSE; */
} else if (strncasecmp(opt, "fail", 3) == 0) {
} else if (CHECKOPT("fail", 3) == 0) {
nofail=ISC_FALSE;
} else if (strncasecmp(opt, "nofail", 3) == 0) {
} else if (CHECKOPT("nofail", 5) == 0) {
nofail=ISC_TRUE;
} else if (strncasecmp(opt, "ndots=", 6) == 0) {
set_ndots(&opt[6]);
@@ -671,6 +762,9 @@ addlookup(char *opt) {
char store[MXNAME];
debug("addlookup()");
a_noanswer = ISC_FALSE;
tr.base = deftype;
tr.length = strlen(deftype);
result = dns_rdatatype_fromtext(&rdtype, &tr);
@@ -707,7 +801,10 @@ addlookup(char *opt) {
lookup->retries = tries;
lookup->udpsize = 0;
lookup->comments = comments;
lookup->tcp_mode = tcpmode;
if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set)
lookup->tcp_mode = ISC_TRUE;
else
lookup->tcp_mode = tcpmode;
lookup->stats = stats;
lookup->section_question = section_question;
lookup->section_answer = section_answer;
@@ -857,8 +954,6 @@ flush_lookup_list(void) {
}
if (l->sendmsg != NULL)
dns_message_destroy(&l->sendmsg);
if (l->timer != NULL)
isc_timer_detach(&l->timer);
lp = l;
l = ISC_LIST_NEXT(l, link);
ISC_LIST_DEQUEUE(lookup_list, lp, link);
@@ -893,6 +988,15 @@ main(int argc, char **argv) {
check_ra = ISC_TRUE;
/* setup dighost callbacks */
#ifdef DIG_SIGCHASE
dighost_printrdataset = printrdataset;
#endif
dighost_printmessage = printmessage;
dighost_received = received;
dighost_trying = trying;
dighost_shutdown = query_finished;
result = isc_app_start();
check_result(result, "isc_app_start");

View File

@@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -35,7 +35,7 @@
- SUCH DAMAGE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
<info>
<date>2014-01-24</date>
</info>
@@ -66,6 +66,7 @@
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -308,8 +309,7 @@ nslookup -query=hinfo -timeout=10
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>debug</constant></term>
<term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
Turn on or off the display of the full response packet and
@@ -322,8 +322,7 @@ nslookup -query=hinfo -timeout=10
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>d2</constant></term>
<term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
<listitem>
<para>
Turn debugging mode on or off. This displays more about
@@ -345,8 +344,7 @@ nslookup -query=hinfo -timeout=10
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>search</constant></term>
<term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
<listitem>
<para>
If the lookup request contains at least one period but
@@ -392,8 +390,7 @@ nslookup -query=hinfo -timeout=10
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>recurse</constant></term>
<term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
<listitem>
<para>
Tell the name server to query other servers if it does not
@@ -437,8 +434,7 @@ nslookup -query=hinfo -timeout=10
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>vc</constant></term>
<term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
<listitem>
<para>
Always use a virtual circuit when sending requests to the
@@ -451,8 +447,7 @@ nslookup -query=hinfo -timeout=10
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>fail</constant></term>
<term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
<listitem>
<para>
Try the next nameserver if a nameserver responds with

View File

@@ -1,37 +1,48 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2010, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nslookup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="id-1"></a><div class="titlepage"></div>
<div class="refnamediv">
<a name="man.nslookup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>nslookup &#8212; query Internet name servers interactively</p>
<p>
nslookup
&#8212; query Internet name servers interactively
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">nslookup</code>
[<code class="option">-option</code>]
[name | -]
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>Nslookup</strong></span>
<p><span class="command"><strong>Nslookup</strong></span>
is a program to query Internet domain name servers. <span class="command"><strong>Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
@@ -40,29 +51,37 @@
used to print just the name and requested information for a host or
domain.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<p>
<p>
Interactive mode is entered in the following cases:
</p>
<div class="orderedlist"><ol class="orderedlist" type="a">
<li class="listitem"><p>
<li class="listitem">
<p>
when no arguments are given (the default name server will be used)
</p></li>
<li class="listitem"><p>
</p>
</li>
<li class="listitem">
<p>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</p></li>
</p>
</li>
</ol></div>
<p>
</p>
<p>
<p>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</p>
<p>
<p>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
@@ -75,246 +94,293 @@ nslookup -query=hinfo -timeout=10
<p>
</p>
<p>
<p>
The <code class="option">-version</code> option causes
<span class="command"><strong>nslookup</strong></span> to print the version
number and immediately exits.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
<p>
<p>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</p>
<p>
<p>
To look up a host not in the current domain, append a period to
the name.
</p>
</dd>
</dd>
<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p></p></dd>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
<dd>
<p>
Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">root</code></span></dt>
<dd><p>
<dd>
<p>
not implemented
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">finger</code></span></dt>
<dd><p>
<dd>
<p>
not implemented
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">ls</code></span></dt>
<dd><p>
<dd>
<p>
not implemented
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">view</code></span></dt>
<dd><p>
<dd>
<p>
not implemented
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">help</code></span></dt>
<dd><p>
<dd>
<p>
not implemented
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">?</code></span></dt>
<dd><p>
<dd>
<p>
not implemented
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">exit</code></span></dt>
<dd><p>
<dd>
<p>
Exits the program.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">set</code>
<em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
<dd>
<p>
<p>
This command is used to change state information that affects
the lookups. Valid keywords are:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">all</code></span></dt>
<dd><p>
<dd>
<p>
Prints the current values of the frequently used
options to <span class="command"><strong>set</strong></span>.
Information about the current default
server and host is also printed.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
<p>
Change the query class to one of:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">IN</code></span></dt>
<dd><p>
<dd>
<p>
the Internet class
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">CH</code></span></dt>
<dd><p>
<dd>
<p>
the Chaos class
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">HS</code></span></dt>
<dd><p>
<dd>
<p>
the Hesiod class
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">ANY</code></span></dt>
<dd><p>
<dd>
<p>
wildcard
</p></dd>
</p>
</dd>
</dl></div>
<p>
The class specifies the protocol group of the information.
</p>
<p>
<p>
(Default = IN; abbreviation = cl)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
<dd>
<p>
<p>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</p>
<p>
<p>
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
<dd>
<p>
<p>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</p>
<p>
<p>
(Default = nod2)
</p>
</dd>
</dd>
<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
Sets the search list to <em class="replaceable"><code>name</code></em>.
</p></dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
<dd>
<p>
<p>
Sets the search list to <em class="replaceable"><code>name</code></em>.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
<dd>
<p>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</p>
<p>
<p>
(Default = search)
</p>
</dd>
</dd>
<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
<p>
Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
</p>
<p>
<p>
(Default = 53; abbreviation = po)
</p>
</dd>
</dd>
<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd><p></p></dd>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
<p>
Change the type of the information query.
</p>
<p>
<p>
(Default = A; abbreviations = q, ty)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
<dd>
<p>
<p>
Tell the name server to query other servers if it does not
have the
information.
</p>
<p>
<p>
(Default = recurse; abbreviation = [no]rec)
</p>
</dd>
</dd>
<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the number of retries to number.
</p></dd>
</p>
</dd>
<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
<dd>
<p>
Change the initial timeout interval for waiting for a
reply to number seconds.
</p></dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
<dd>
<p>
<p>
Always use a virtual circuit when sending requests to the
server.
</p>
<p>
<p>
(Default = novc)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
<dd>
<p>
<p>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</p>
<p>
<p>
(Default = nofail)
</p>
</dd>
</dd>
</dl></div>
<p>
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>RETURN VALUES</h2>
<p>
<p>
<span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
if any query failed, and 0 otherwise.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">host</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -42,7 +42,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# SUBTRACT CPP /X /u @COPTY@
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"

View File

@@ -132,7 +132,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc"
BSC32_SBRS= \
@@ -192,7 +192,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc"
BSC32_SBRS= \

View File

@@ -53,7 +53,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -61,6 +61,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -78,7 +79,7 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -87,6 +88,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -108,4 +110,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -43,7 +43,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fddighost
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" @CRYPTO@ /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" @COPTY@ /FD /c /Fddighost
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fddighost
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" @CRYPTO@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR @COPTY@ /FD /GZ /c /Fddighost
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

View File

@@ -53,7 +53,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -61,6 +61,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -76,7 +77,7 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -85,6 +86,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -101,4 +103,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -42,7 +42,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# SUBTRACT CPP /X /u @COPTY@
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"

View File

@@ -132,7 +132,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc"
BSC32_SBRS= \
@@ -192,7 +192,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @IDN_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc"
BSC32_SBRS= \

View File

@@ -53,7 +53,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -61,6 +61,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -78,7 +79,7 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -87,6 +88,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -105,4 +107,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -42,7 +42,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# SUBTRACT CPP /X /u @COPTY@
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"

View File

@@ -132,7 +132,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc"
BSC32_SBRS= \
@@ -192,7 +192,7 @@ CLEAN :
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../include" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @READLINE_INC@ /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" @CRYPTO@ /D "WIN32" /D "USE_READLINE_STATIC" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc"
BSC32_SBRS= \

View File

@@ -53,7 +53,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
@@ -61,6 +61,7 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -78,7 +79,7 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;@CRYPTO@USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<WholeProgramOptimization>false</WholeProgramOptimization>
<StringPooling>true</StringPooling>
@@ -87,6 +88,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -106,4 +108,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

View File

@@ -14,7 +14,7 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
@@ -111,6 +111,10 @@ install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
clean distclean::
rm -f ${TARGETS}

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -183,7 +183,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("invalid keyfile name %s: %s",
fatal("can't load %s.key: %s",
filename, isc_result_totext(result));
if (verbose > 2) {

View File

@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
<info>
<date>2012-05-02</date>
</info>

View File

@@ -1,19 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
@@ -21,158 +14,242 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
<p>
<span class="application">dnssec-dsfromkey</span>
&#8212; DNSSEC DS RR generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-1</code>]
[<code class="option">-2</code>]
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
{-s}
[<code class="option">-1</code>]
[<code class="option">-2</code>]
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-A</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
{dnsname}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[<code class="option">-h</code>]
[<code class="option">-V</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
<dd>
<p>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd><p>
<dd>
<p>
Use SHA-256 as the digest algorithm.
</p></dd>
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
<dd>
<p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</p></dd>
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the TTL of the DS records.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
<p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
<dd>
<p>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</p></dd>
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
<dd>
<p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</p></dd>
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd><p>
<dd>
<p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints usage information.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>
<p>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, the following command would be issued:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
<p>
The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
<p>
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<code class="option">dnsname</code>.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>
<p>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
<em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l

View File

@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
<info>
<date>2014-02-20</date>
</info>

View File

@@ -1,19 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-importkey</title>
@@ -21,18 +14,56 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-importkey</span> &#8212; import DNSKEY records from external systems so they can be managed</p>
<p>
<span class="application">dnssec-importkey</span>
&#8212; import DNSKEY records from external systems so they can be managed
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
{<code class="option">keyfile</code>}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
{<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">dnsname</code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-importkey</strong></span>
<p><span class="command"><strong>dnssec-importkey</strong></span>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file
@@ -40,7 +71,7 @@
from the standard input, in which case both .key and .private
files will be generated.
</p>
<p>
<p>
The newly-created .private file does <span class="emphasis"><em>not</em></span>
contain private key data, and cannot be used for signing.
However, having a .private file makes it possible to set
@@ -49,53 +80,68 @@
public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
<p>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Emit usage message and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
@@ -106,47 +152,65 @@
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
<p>
A keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -63,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. These values are case insensitive\&.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. These values are case insensitive\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
@@ -309,5 +301,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -22,6 +22,8 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
@@ -50,7 +52,8 @@ int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST |"
" ECDSAP256SHA256 | ECDSAP384SHA384";
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
" ED25519 | ED448";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -153,7 +156,7 @@ main(int argc, char **argv) {
char *label = NULL;
dns_ttl_t ttl = 0;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t inactive = 0, deltime = 0;
isc_stdtime_t now;
int prepub = -1;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
@@ -315,8 +318,8 @@ main(int argc, char **argv) {
if (setdel || unsetdel)
fatal("-D specified more than once");
delete = strtotime(isc_commandline_argument,
now, now, &setdel);
deltime = strtotime(isc_commandline_argument,
now, now, &setdel);
unsetdel = !setdel;
break;
case 'S':
@@ -404,10 +407,20 @@ main(int argc, char **argv) {
}
if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
#else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
if (freeit != NULL)
free(freeit);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
#endif
if (freeit != NULL)
free(freeit);
return (1);
@@ -425,7 +438,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
@@ -504,6 +518,11 @@ main(int argc, char **argv) {
alg = dst_key_alg(prevkey);
flags = dst_key_flags(prevkey);
#ifdef PK11_MD5_DISABLE
if (alg == DST_ALG_RSAMD5)
fatal("Key %s uses disabled RSAMD5", predecessor);
#endif
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
@@ -645,7 +664,7 @@ main(int argc, char **argv) {
dst_key_settime(key, DST_TIME_INACTIVE, inactive);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
dst_key_settime(key, DST_TIME_DELETE, deltime);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
if (setsyncdel)

View File

@@ -1,5 +1,5 @@
<!--
- Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
<info>
<date>2014-02-27</date>
</info>
@@ -38,6 +38,7 @@
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -102,7 +103,7 @@
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</para>
<para>

View File

@@ -1,19 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
@@ -21,17 +14,58 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
<p>
<span class="application">dnssec-keyfromlabel</span>
&#8212; DNSSEC key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keyfromlabel</code>
{-l <em class="replaceable"><code>label</code></em>}
[<code class="option">-3</code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-y</code>]
{name}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
file can be used for DNSSEC signing of zone data as if it were a
@@ -39,52 +73,57 @@
but the key material is stored within the HSM, and the actual signing
takes place there.
</p>
<p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</p>
<p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
<p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@@ -92,20 +131,20 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
<p>
Specifies the label for a key pair in the crypto hardware.
</p>
<p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
<p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
@@ -114,7 +153,7 @@
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</p>
<p>
<p>
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
@@ -123,18 +162,21 @@
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</p>
</dd>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
@@ -142,53 +184,71 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
</p>
</dd>
<dt><span class="term">-G</span></dt>
<dd><p>
<dd>
<p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to be written.
</p></dd>
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd><p>
<dd>
<p>
Generate KEY records rather than DNSKEY records.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
<dd>
<p>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
@@ -196,35 +256,47 @@
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p></dd>
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-y</span></dt>
<dd><p>
<dd>
<p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
@@ -235,52 +307,67 @@
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
@@ -289,68 +376,83 @@
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
<p>
<p>
When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p><code class="filename">nnnn</code> is the key name.
</p>
</li>
<li class="listitem">
<p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
</p>
</li>
<li class="listitem">
<p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</p>
</li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -1,17 +1,8 @@
.\" Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\" Copyright (C) 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -63,7 +54,7 @@ of the key is specified on the command line\&. For DNSSEC keys, this must match
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
@@ -96,7 +87,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable\&.
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&.
.RE
.PP
\-C
@@ -359,7 +350,5 @@ RFC 4034\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000-2003 Internet Software Consortium.
Copyright \(co 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -1,5 +1,5 @@
/*
* Portions Copyright (C) 1999-2016 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -37,6 +37,8 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
@@ -80,7 +82,8 @@ usage(void) {
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
fprintf(stderr, " ED25519 | ED448 | DH |\n");
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
fprintf(stderr, " (default: RSASHA1, or "
@@ -99,6 +102,8 @@ usage(void) {
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " ED25519:\tignored\n");
fprintf(stderr, " ED448:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
@@ -237,7 +242,7 @@ main(int argc, char **argv) {
dns_ttl_t ttl = 0;
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
isc_stdtime_t publish = 0, activate = 0, revokekey = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t inactive = 0, deltime = 0;
isc_stdtime_t now;
int prepub = -1;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
@@ -465,8 +470,8 @@ main(int argc, char **argv) {
if (setdel || unsetdel)
fatal("-D specified more than once");
delete = strtotime(isc_commandline_argument,
now, now, &setdel);
deltime = strtotime(isc_commandline_argument,
now, now, &setdel);
unsetdel = !setdel;
break;
case 'S':
@@ -546,15 +551,30 @@ main(int argc, char **argv) {
}
if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0)
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
alg = DST_ALG_HMACMD5;
else if (strcasecmp(algname, "HMAC-SHA1") == 0)
#else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
fprintf(stderr,
"The use of HMAC-MD5 was disabled\n");
return (1);
#endif
} else if (strcasecmp(algname, "HMAC-SHA1") == 0)
alg = DST_ALG_HMACSHA1;
else if (strcasecmp(algname, "HMAC-SHA224") == 0)
alg = DST_ALG_HMACSHA224;
@@ -574,6 +594,10 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
#ifdef PK11_MD5_DISABLE
INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
#endif
if (!dst_algorithm_supported(alg))
fatal("unsupported algorithm: %d", alg);
@@ -581,7 +605,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
@@ -615,7 +640,9 @@ main(int argc, char **argv) {
" to %d\n", size);
} else if (alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 &&
alg != DST_ALG_ECDSA384)
alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 &&
alg != DST_ALG_ED448)
fatal("key size not specified (-b option)");
}
@@ -752,6 +779,12 @@ main(int argc, char **argv) {
case DST_ALG_ECDSA384:
size = 384;
break;
case DST_ALG_ED25519:
size = 256;
break;
case DST_ALG_ED448:
size = 456;
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
@@ -885,6 +918,8 @@ main(int argc, char **argv) {
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
show_progress = ISC_TRUE;
/* fall through */
@@ -986,13 +1021,13 @@ main(int argc, char **argv) {
inactive);
if (setdel) {
if (setinact && delete < inactive)
if (setinact && deltime < inactive)
fprintf(stderr, "%s: warning: Key is "
"scheduled to be deleted "
"before it is scheduled to be "
"made inactive.\n",
program);
dst_key_settime(key, DST_TIME_DELETE, delete);
dst_key_settime(key, DST_TIME_DELETE, deltime);
}
if (setsyncadd)

View File

@@ -1,5 +1,5 @@
<!--
- Copyright (C) 2000-2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
<info>
<date>2014-02-06</date>
</info>
@@ -30,6 +30,10 @@
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
@@ -41,15 +45,9 @@
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
@@ -116,7 +114,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
@@ -188,8 +186,8 @@
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
</para>
</listitem>
</varlistentry>

View File

@@ -1,20 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
- Copyright (C) 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
@@ -22,63 +14,113 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
<p>
<span class="application">dnssec-keygen</span>
&#8212; DNSSEC key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
[<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-z</code>]
{name}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keygen</strong></span>
<p><span class="command"><strong>dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</p>
<p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
@@ -87,7 +129,7 @@
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
<p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
@@ -96,9 +138,10 @@
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
@@ -106,18 +149,22 @@
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
@@ -125,18 +172,21 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@@ -144,39 +194,52 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
<dd>
<p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
</p>
</dd>
<dt><span class="term">-G</span></dt>
<dd><p>
<dd>
<p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
</p>
</dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
<dd>
<p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keygen</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to be written.
</p></dd>
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd><p>
<dd>
<p>
Deprecated in favor of -T KEY.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
@@ -185,16 +248,20 @@
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd><p>
<dd>
<p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
@@ -206,9 +273,11 @@
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
@@ -218,9 +287,11 @@
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
<dd>
<p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
@@ -228,16 +299,19 @@
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
@@ -249,27 +323,36 @@
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
@@ -280,54 +363,69 @@
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
@@ -336,42 +434,51 @@
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEYS</h2>
<p>
<p>
When <span class="command"><strong>dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p><code class="filename">nnnn</code> is the key name.
</p>
</li>
<li class="listitem">
<p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
</p>
</li>
<li class="listitem">
<p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</p>
</li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
<p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
@@ -379,53 +486,60 @@
private
key.
</p>
<p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric cryptography algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
</p>
<p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
<p>
<p>
In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 4034</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l

View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2009-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2009-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -140,7 +140,7 @@ main(int argc, char **argv) {
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
/* FALLTHROUGH */
case 'h':
/* Does not return. */
usage();

View File

@@ -7,7 +7,7 @@
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
<info>
<date>2014-01-15</date>
</info>

View File

@@ -1,19 +1,12 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-revoke</title>
@@ -21,52 +14,88 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-revoke</span> &#8212; set the REVOKED bit on a DNSSEC key</p>
<p>
<span class="application">dnssec-revoke</span>
&#8212; set the REVOKED bit on a DNSSEC key
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">dnssec-revoke</code>
[<code class="option">-hr</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f</code>]
[<code class="option">-R</code>]
{keyfile}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-revoke</strong></span>
<p><span class="command"><strong>dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Emit usage message and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p></dd>
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd><p>
<dd>
<p>
After writing the new keyset files remove the original keyset
files.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@@ -74,26 +103,35 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-f</span></dt>
<dd><p>
<dd>
<p>
Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</p></dd>
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd><p>
<dd>
<p>
Print the key tag of the key with the REVOKE bit set but do
not revoke the key.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
</div>
</div></body>
</html>

View File

@@ -1,16 +1,8 @@
.\" Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2009-2011, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
@@ -47,7 +39,7 @@
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
@@ -208,5 +200,5 @@ RFC 5011\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2009-2011, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
.br

Some files were not shown because too many files have changed in this diff Show More