build manpages from docbook

.gitattributes

@@ -1,8 +1,6 @@
 *.sln.in eol=crlf
 *.vcxproj.* eol=crlf
 
-/fuzz/dns_rdata_fromwire_text.in/input-* -text
-
 .gitignore			 export-ignore
 /conftools			 export-ignore
 /doc/design			 export-ignore

.gitignore

@@ -14,7 +14,6 @@
 *_test
 *.ipch # vscode/intellisense precompiled header
 *~
-__pycache__/
 .ccache/
 .cproject
 .deps/

.gitlab-ci.yml

@@ -18,19 +18,19 @@ variables:
   CONFIGURE: ./configure
   CLANG: clang-10
   SCAN_BUILD: scan-build-10
-  ASAN_SYMBOLIZER_PATH: /usr/lib/llvm-10/bin/llvm-symbolizer
+  SYMBOLIZER: /usr/lib/llvm-10/bin/llvm-symbolizer
+  ASAN_SYMBOLIZER_PATH: "$SYMBOLIZER"
   CLANG_FORMAT: clang-format-10
 
   CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra 
 
   # Pass run-time flags to AddressSanitizer to get core dumps on error.
   ASAN_OPTIONS_COMMON: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1
-  TSAN_OPTIONS_COMMON: "second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=/usr/lib/llvm-10/bin/llvm-symbolizer"
+  TSAN_OPTIONS_COMMON: "second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=$SYMBOLIZER"
 
+  TARBALL_COMPRESSOR: xz
   TARBALL_EXTENSION: xz
 
-  AM_COLOR_TESTS: always
-
 stages:
   - autoconf
   - precheck
@@ -44,7 +44,9 @@ stages:
 
 ### Runner Tag Templates
 
-.libvirt-amd64: &libvirt_amd64
+# Note: BSD runners extract the operating system version to use from job name
+
+.freebsd-amd64: &freebsd_amd64
   tags:
     - libvirt
     - amd64
@@ -54,21 +56,35 @@ stages:
     - linux
     - amd64
 
+.linux-arm64: &linux_arm64
+  tags:
+    - linux
+    - arm64
+
 .linux-i386: &linux_i386
   tags:
     - linux
     - i386
 
+.openbsd-amd64: &openbsd_amd64
+  tags:
+    - libvirt
+    - amd64
+
 ### Docker Image Templates
 
 # Alpine Linux
 
-.alpine-3.12-amd64: &alpine_3_12_amd64_image
-  image: "$CI_REGISTRY_IMAGE:alpine-3.12-amd64"
+.alpine-3.11-amd64: &alpine_3_11_amd64_image
+  image: "$CI_REGISTRY_IMAGE:alpine-3.11-amd64"
   <<: *linux_amd64
 
 # CentOS
 
+.centos-centos6-amd64: &centos_centos6_amd64_image
+  image: "$CI_REGISTRY_IMAGE:centos-centos6-amd64"
+  <<: *linux_amd64
+
 .centos-centos7-amd64: &centos_centos7_amd64_image
   image: "$CI_REGISTRY_IMAGE:centos-centos7-amd64"
   <<: *linux_amd64
@@ -91,6 +107,10 @@ stages:
   image: "$CI_REGISTRY_IMAGE:debian-sid-amd64"
   <<: *linux_amd64
 
+.debian-sid-arm64: &debian_sid_arm64_image
+  image: "$CI_REGISTRY_IMAGE:debian-sid-arm64"
+  <<: *linux_arm64
+
 .debian-sid-i386: &debian_sid_i386_image
   image: "$CI_REGISTRY_IMAGE:debian-sid-i386"
   <<: *linux_i386
@@ -103,8 +123,8 @@ stages:
 
 # Fedora
 
-.fedora-32-amd64: &fedora_32_amd64_image
-  image: "$CI_REGISTRY_IMAGE:fedora-32-amd64"
+.fedora-31-amd64: &fedora_31_amd64_image
+  image: "$CI_REGISTRY_IMAGE:fedora-31-amd64"
   <<: *linux_amd64
 
 # Ubuntu
@@ -113,8 +133,8 @@ stages:
   image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-amd64"
   <<: *linux_amd64
 
-.ubuntu-focal-amd64: &ubuntu_focal_amd64_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-focal-amd64"
+.ubuntu-bionic-amd64: &ubuntu_bionic_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-amd64"
   <<: *linux_amd64
 
 # Base image
@@ -123,20 +143,6 @@ stages:
 .base: &base_image
   <<: *debian_buster_amd64_image
 
-### QCOW2 Image Templates
-
-.freebsd-11-amd64: &freebsd_11_amd64_image
-  image: "freebsd-11.4-x86_64"
-  <<: *libvirt_amd64
-
-.freebsd-12-amd64: &freebsd_12_amd64_image
-  image: "freebsd-12.1-x86_64"
-  <<: *libvirt_amd64
-
-.openbsd-amd64: &openbsd_amd64_image
-  image: "openbsd-6.7-x86_64"
-  <<: *libvirt_amd64
-
 ### Job Templates
 
 .default-triggering-rules: &default_triggering_rules
@@ -152,7 +158,7 @@ stages:
     - tags
     - web
     - schedules
-    - main@isc-projects/bind9
+    - master@isc-projects/bind9
     - /^v9_[1-9][0-9]$/@isc-projects/bind9
 
 .precheck: &precheck_job
@@ -174,10 +180,14 @@ stages:
     ${CONFIGURE} \
     --disable-maintainer-mode \
     --enable-developer \
+    --with-libtool \
+    --disable-static \
     --with-cmocka \
     --with-libxml2 \
     --with-json-c \
     --prefix=$HOME/.local \
+    --without-make-clean \
+    --with-python=python3 \
     $EXTRA_CONFIGURE \
     || cat config.log
 
@@ -192,7 +202,6 @@ stages:
     - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
     - test -z "${RUN_MAKE_INSTALL}" || make install
     - test -z "${RUN_MAKE_INSTALL}" || sh util/check-make-install
-    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
   needs:
     - job: autoreconf
       artifacts: true
@@ -227,7 +236,6 @@ stages:
   artifacts:
     untracked: true
     expire_in: "1 day"
-    when: always
 
 .setup_interfaces: &setup_interfaces |
     if [ "$(id -u)" -eq "0" ]; then
@@ -247,10 +255,8 @@ stages:
     - *setup_interfaces
     - *setup_softhsm
   script:
-    - cd bin/tests/system
-    - make -j${TEST_PARALLEL_JOBS:-1} -k check V=1
-  after_script:
-    - cat bin/tests/system/test-suite.log
+    - ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k check V=1 ) || cat bin/tests/system/test-suite.log
+    - test -s bin/tests/system/test-suite.log
 
 .system_test: &system_test_job
   <<: *system_test_common
@@ -263,7 +269,6 @@ stages:
   <<: *system_test_common
   allow_failure: true
   after_script:
-    - cat bin/tests/system/test-suite.log
     - find bin -name 'tsan.*' -exec python3 util/parse_tsan.py {} \;
   artifacts:
     expire_in: "1 day"
@@ -310,7 +315,7 @@ stages:
   before_script:
     - *setup_softhsm
   script:
-    - make -j${TEST_PARALLEL_JOBS:-1} -k unit V=1
+    - cd lib && make -j${TEST_PARALLEL_JOBS:-1} -k check V=1
 
 .unit_test: &unit_test_job
   <<: *unit_test_common
@@ -341,15 +346,11 @@ stages:
   <<: *default_triggering_rules
   stage: postcheck
   script:
-    # Workaround for cppcheck 2.0 uninitvar false positives triggered by (&var)->field syntax
-    # (see: https://sourceforge.net/p/cppcheck/discussion/general/thread/122153e3c1/)
-    - sed -i '/^#define ISC__BUFFER.*\\$/{s|_b|__b|;N;s|do {|\0 isc_buffer_t *_b = (isc_buffer_t *)__b;|}; /^#define ISC__BUFFER.*REGION.*\\$/{s|_r|__r|;N;s|do {|\0 isc_region_t *_r = (isc_region_t *)__r;|; /USEDREGION/{s|isc_buffer_t|const \0|g}}' lib/isc/include/isc/buffer.h
     - *configure
     - (make -nwk all || true) | compiledb
-    - export GCC_VERSION=$(gcc --version | sed -n 's/.* \([0-9]\+\)\.[0-9]\+\.[0-9]\+.*/\1/p')
+    - export GCC_VERSION=$(gcc --version | sed -n 's/.*\([0-9]\+\)\.[0-9]\+\.[0-9]\+.*/\1/p')
     - sed -i "/gcc\",/a\"-DCPPCHECK\", \"-D__STDC__\", \"-D__GNUC__=${GCC_VERSION}\"," compile_commands.json
     - *run_cppcheck
-  after_script:
     - *cppcheck_report_html
   artifacts:
     paths:
@@ -386,9 +387,8 @@ misc:
     - perl -w util/update_copyrights < util/copyrights
     - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
     - xmllint --noout --nonet `git ls-files '*.xml' '*.docbook'`
+    - xmllint --noout --nonet --html `git ls-files '*.html'`
     - sh util/check-win32util-configure
-    - sh util/check-categories.sh
-    - if git grep SYSTEMTESTTOP -- ':!.gitlab-ci.yml'; then echo 'Please use relative paths instead of $SYSTEMTESTTOP.'; exit 1; fi
   needs: []
   artifacts:
     paths:
@@ -411,17 +411,6 @@ coccinelle:
     - util/check-cocci
     - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
 
-danger:
-  <<: *precheck_job
-  needs: []
-  script:
-    - danger-python ci -f
-  only:
-    refs:
-      - merge_requests
-    variables:
-      - $DANGER_GITLAB_API_TOKEN
-
 flake8:
   <<: *default_triggering_rules
   <<: *base_image
@@ -429,9 +418,11 @@ flake8:
   needs:
     - job: autoreconf
       artifacts: true
+  before_script:
+    - pip3 install flake8
   script:
     - *configure
-    - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py)')
+    - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -v 'ans\.py')
   only:
     - merge_requests
 
@@ -442,49 +433,47 @@ pylint:
   needs:
     - job: autoreconf
       artifacts: true
+  before_script:
+    - pip3 install pylint
+    - PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
   script:
     - *configure
-    - PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
-    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py)')
+    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -v 'ans\.py')
   only:
     - merge_requests
 
 tarball-create:
   stage: precheck
   <<: *base_image
-  <<: *default_triggering_rules
   script:
     - *configure
-    - make -j${BUILD_PARALLEL_JOBS:-1} all V=1
     - make -j${BUILD_PARALLEL_JOBS:-1} dist V=1
   artifacts:
     paths:
-      - bind-*.tar.${TARBALL_EXTENSION}
+      - bind-*.tar.*
   needs:
     - job: autoreconf
       artifacts: true
+  only:
+    - tags
 
-# Jobs for doc builds on Debian 10 "buster" (amd64)
+# Jobs for doc builds on Debian Sid (amd64)
 
 docs:
   <<: *release_branch_triggering_rules
   <<: *base_image
   stage: docs
-  before_script:
-    - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
-    - test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
   script:
-    - *configure
-    - make -j${BUILD_PARALLEL_JOBS:-1} -k doc V=1
+    - ./configure || cat config.log
+    - make -C doc/misc docbook
+    - make -C doc/arm Bv9ARM.html
   needs:
     - job: autoreconf
       artifacts: true
-  allow_failure: false
+  allow_failure: true
   artifacts:
     paths:
       - doc/arm/
-      - doc/man/
-      - doc/misc/
     expire_in: "1 month"
 
 push:docs:
@@ -494,33 +483,57 @@ push:docs:
     - job: docs
       artifacts: false
   script:
-    - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=main $GITLAB_PAGES_DOCS_TRIGGER_URL
+    - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=master $GITLAB_PAGES_DOCS_TRIGGER_URL
   only:
-    - main@isc-projects/bind9
+    - master@isc-projects/bind9
     - /^v9_[1-9][0-9]$/@isc-projects/bind9
 
-# Jobs for regular GCC builds on Alpine Linux 3.12 (amd64)
+# Jobs for regular GCC builds on Alpine Linux 3.11 (amd64)
 
-gcc:alpine3.12:amd64:
+gcc:alpine3.11:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
     EXTRA_CONFIGURE: "--enable-dnstap"
-  <<: *alpine_3_12_amd64_image
+  <<: *alpine_3_11_amd64_image
   <<: *build_job
 
-system:gcc:alpine3.12:amd64:
-  <<: *alpine_3_12_amd64_image
+system:gcc:alpine3.11:amd64:
+  <<: *alpine_3_11_amd64_image
   <<: *system_test_job
   needs:
-    - job: gcc:alpine3.12:amd64
+    - job: gcc:alpine3.11:amd64
       artifacts: true
 
-unit:gcc:alpine3.12:amd64:
-  <<: *alpine_3_12_amd64_image
+unit:gcc:alpine3.11:amd64:
+  <<: *alpine_3_11_amd64_image
   <<: *unit_test_job
   needs:
-    - job: gcc:alpine3.12:amd64
+    - job: gcc:alpine3.11:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on CentOS 6 (amd64)
+
+gcc:centos6:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error --without-python"
+  <<: *centos_centos6_amd64_image
+  <<: *build_job
+
+system:gcc:centos6:amd64:
+  <<: *centos_centos6_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:centos6:amd64
+      artifacts: true
+
+unit:gcc:centos6:amd64:
+  <<: *centos_centos6_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:centos6:amd64
       artifacts: true
 
 # Jobs for regular GCC builds on CentOS 7 (amd64)
@@ -571,7 +584,7 @@ unit:gcc:centos8:amd64:
     - job: gcc:centos8:amd64
       artifacts: true
 
-# Jobs for regular GCC builds on Debian 9 "stretch" (amd64)
+# Jobs for regular GCC builds on Debian 9 Stretch (amd64)
 
 gcc:stretch:amd64:
   variables:
@@ -594,7 +607,7 @@ unit:gcc:stretch:amd64:
     - job: gcc:stretch:amd64
       artifacts: true
 
-# Jobs for regular GCC builds on Debian 10 "buster" (amd64)
+# Jobs for regular GCC builds on Debian 10 Buster (amd64)
 
 gcc:buster:amd64:
   variables:
@@ -617,7 +630,7 @@ unit:gcc:buster:amd64:
     - job: gcc:buster:amd64
       artifacts: true
 
-# Jobs for scan-build builds on Debian 10 "buster" (amd64)
+# Jobs for scan-build builds on Debian Buster (amd64)
 
 .scan_build: &scan_build |
   ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" \
@@ -648,14 +661,13 @@ scan-build:
     expire_in: "1 day"
     when: on_failure
 
-# Jobs for regular GCC builds on Debian "sid" (amd64)
-# Also tests configration option: --without-lmdb.
+# Jobs for regular GCC builds on Debian Sid (amd64)
 
 gcc:sid:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -O3"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2 --without-lmdb"
+    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
     RUN_MAKE_INSTALL: 1
   <<: *debian_sid_amd64_image
   <<: *build_job
@@ -678,21 +690,20 @@ cppcheck:
   <<: *base_image
   <<: *cppcheck_job
 
-# Job for out-of-tree GCC build on Debian "sid" (amd64)
-# Also tests configration option: --with-lmdb.
+# Job for out-of-tree GCC build on Debian Sid (amd64)
 
 gcc:out-of-tree:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -Og"
     CONFIGURE: ../configure
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2 --with-lmdb"
+    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
     RUN_MAKE_INSTALL: 1
     OOT_BUILD_WORKSPACE: workspace
   <<: *base_image
   <<: *build_job
 
-# Jobs for tarball GCC builds on Debian 10 "buster" (amd64)
+# Jobs for tarball GCC builds on Debian Sid (amd64)
 
 gcc:tarball:
   variables:
@@ -709,7 +720,6 @@ gcc:tarball:
     - job: tarball-create
       artifacts: true
   only:
-    - schedules
     - tags
 
 system:gcc:tarball:
@@ -722,7 +732,6 @@ system:gcc:tarball:
     - job: gcc:tarball
       artifacts: true
   only:
-    - schedules
     - tags
 
 unit:gcc:tarball:
@@ -734,16 +743,39 @@ unit:gcc:tarball:
     - job: gcc:tarball
       artifacts: true
   only:
-    - schedules
     - tags
 
-# Jobs for regular GCC builds on Debian "sid" (i386)
+# Jobs for regular GCC builds on Debian Sid (arm64)
+
+gcc:sid:arm64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *debian_sid_arm64_image
+  <<: *build_job
+
+system:gcc:sid:arm64:
+  <<: *debian_sid_arm64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:sid:arm64
+      artifacts: true
+
+unit:gcc:sid:arm64:
+  <<: *debian_sid_arm64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:sid:arm64
+      artifacts: true
+
+# Jobs for regular GCC builds on Debian Sid (i386)
 
 gcc:sid:i386:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--with-libidn2"
+    EXTRA_CONFIGURE: "--with-libidn2 --without-python"
   <<: *debian_sid_i386_image
   <<: *build_job
 
@@ -767,7 +799,7 @@ gcc:tumbleweed:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr/lib/mit/bin/krb5-config"
+    EXTRA_CONFIGURE: "--with-libidn2 --with-python"
   <<: *tumbleweed_latest_amd64_image
   <<: *build_job
 
@@ -785,6 +817,30 @@ unit:gcc:tumbleweed:amd64:
     - job: gcc:tumbleweed:amd64
       artifacts: true
 
+# Jobs for regular GCC builds on Fedora 31 (amd64)
+
+gcc:fedora31:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -O1"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *fedora_31_amd64_image
+  <<: *build_job
+
+system:gcc:fedora31:amd64:
+  <<: *fedora_31_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:fedora31:amd64
+      artifacts: true
+
+unit:gcc:fedora31:amd64:
+  <<: *fedora_31_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:fedora31:amd64
+      artifacts: true
+
 # Jobs for regular GCC builds on Ubuntu 16.04 Xenial Xerus (amd64)
 
 gcc:xenial:amd64:
@@ -809,31 +865,31 @@ unit:gcc:xenial:amd64:
     - job: gcc:xenial:amd64
       artifacts: true
 
-# Jobs for regular GCC builds on Ubuntu 20.04 Focal Fossa (amd64)
+# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64)
 
-gcc:focal:amd64:
+gcc:bionic:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -Og"
     EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *ubuntu_focal_amd64_image
+  <<: *ubuntu_bionic_amd64_image
   <<: *build_job
 
-system:gcc:focal:amd64:
-  <<: *ubuntu_focal_amd64_image
+system:gcc:bionic:amd64:
+  <<: *ubuntu_bionic_amd64_image
   <<: *system_test_job
   needs:
-    - job: gcc:focal:amd64
+    - job: gcc:bionic:amd64
       artifacts: true
 
-unit:gcc:focal:amd64:
-  <<: *ubuntu_focal_amd64_image
+unit:gcc:bionic:amd64:
+  <<: *ubuntu_bionic_amd64_image
   <<: *unit_test_job
   needs:
-    - job: gcc:focal:amd64
+    - job: gcc:bionic:amd64
       artifacts: true
 
-# Jobs for ASAN builds on Debian 10 "buster" (amd64)
+# Jobs for builds with ASAN enabled
 
 gcc:asan:
   variables:
@@ -877,7 +933,7 @@ system:clang:asan:
   <<: *base_image
   <<: *system_test_job
   needs:
-    - job: clang:asan
+    - job: gcc:asan
       artifacts: true
 
 unit:clang:asan:
@@ -886,10 +942,10 @@ unit:clang:asan:
   <<: *base_image
   <<: *unit_test_job
   needs:
-    - job: clang:asan
+    - job: gcc:asan
       artifacts: true
 
-# Jobs for TSAN builds on Debian 10 "buster" (amd64)
+# Jobs for builds with TSAN enabled
 
 gcc:tsan:
   <<: *base_image
@@ -945,8 +1001,7 @@ unit:clang:tsan:
     - job: clang:tsan
       artifacts: true
 
-# Jobs for builds with mutex-based atomics on Debian 10 "buster" (amd64)
-
+# Jobs for mutex-based atomics on Debian SID (amd64)
 gcc:mutexatomics:
   variables:
     CC: gcc
@@ -969,12 +1024,13 @@ unit:gcc:mutexatomics:
     - job: gcc:mutexatomics
       artifacts: true
 
-# Jobs for Clang builds on Debian 10 "buster" (amd64)
+# Jobs for Clang builds on Debian Buster (amd64)
 
 clang:buster:amd64:
   variables:
     CC: ${CLANG}
     CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
+    EXTRA_CONFIGURE: "--with-python=python3"
   <<: *debian_buster_amd64_image
   <<: *build_job
 
@@ -992,9 +1048,9 @@ unit:clang:buster:amd64:
     - job: clang:buster:amd64
       artifacts: true
 
-# Jobs for PKCS#11-enabled GCC builds on Debian "sid" (amd64)
+# Jobs for PKCS#11-enabled GCC builds on Debian Sid (amd64)
 
-gcc:softhsm2.4:
+gcc:pkcs11:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
@@ -1002,189 +1058,105 @@ gcc:softhsm2.4:
   <<: *base_image
   <<: *build_job
 
-system:gcc:softhsm2.4:
+system:gcc:pkcs11:
   <<: *base_image
   <<: *system_test_job
   needs:
-    - job: gcc:softhsm2.4
+    - job: gcc:pkcs11
       artifacts: true
 
-unit:gcc:softhsm2.4:
+unit:gcc:pkcs11:
   <<: *base_image
   <<: *unit_test_job
   needs:
-    - job: gcc:softhsm2.4
+    - job: gcc:pkcs11
       artifacts: true
 
-# Jobs for PKCS#11-enabled GCC builds on Fedora 32 (amd64)
+# Jobs for Clang builds on FreeBSD 11.3 (amd64)
 
-gcc:softhsm2.6:
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O1"
-    EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so"
-  <<: *fedora_32_amd64_image
-  <<: *build_job
-
-system:gcc:softhsm2.6:
-  <<: *fedora_32_amd64_image
-  <<: *system_test_job
-  needs:
-    - job: gcc:softhsm2.6
-      artifacts: true
-
-unit:gcc:softhsm2.6:
-  <<: *fedora_32_amd64_image
-  <<: *unit_test_job
-  needs:
-    - job: gcc:softhsm2.6
-      artifacts: true
-
-# Jobs for Clang builds on FreeBSD 11 (amd64)
-
-clang:freebsd11:amd64:
+clang:freebsd11.3:amd64:
   variables:
     CFLAGS: "${CFLAGS_COMMON}"
     USER: gitlab-runner
-  <<: *freebsd_11_amd64_image
+  <<: *freebsd_amd64
   <<: *build_job
 
-system:clang:freebsd11:amd64:
-  <<: *freebsd_11_amd64_image
+system:clang:freebsd11.3:amd64:
+  <<: *freebsd_amd64
   <<: *system_test_job
   variables:
     USER: gitlab-runner
     TEST_PARALLEL_JOBS: 4
   needs:
-    - job: clang:freebsd11:amd64
+    - job: clang:freebsd11.3:amd64
       artifacts: true
 
-unit:clang:freebsd11:amd64:
-  <<: *freebsd_11_amd64_image
+unit:clang:freebsd11.3:amd64:
+  <<: *freebsd_amd64
   <<: *unit_test_job
   needs:
-    - job: clang:freebsd11:amd64
+    - job: clang:freebsd11.3:amd64
       artifacts: true
 
-# Jobs for Clang builds on FreeBSD 12 (amd64)
+# Jobs for Clang builds on FreeBSD 12.1 (amd64)
 
-clang:freebsd12:amd64:
+clang:freebsd12.1:amd64:
   variables:
     CFLAGS: "${CFLAGS_COMMON}"
     EXTRA_CONFIGURE: "--enable-dnstap"
     USER: gitlab-runner
-  <<: *freebsd_12_amd64_image
+  <<: *freebsd_amd64
   <<: *build_job
 
-system:clang:freebsd12:amd64:
-  <<: *freebsd_12_amd64_image
+system:clang:freebsd12.1:amd64:
+  <<: *freebsd_amd64
   <<: *system_test_job
   variables:
     USER: gitlab-runner
     TEST_PARALLEL_JOBS: 4
   needs:
-    - job: clang:freebsd12:amd64
+    - job: clang:freebsd12.1:amd64
       artifacts: true
 
-unit:clang:freebsd12:amd64:
-  <<: *freebsd_12_amd64_image
+unit:clang:freebsd12.1:amd64:
+  <<: *freebsd_amd64
   <<: *unit_test_job
   needs:
-    - job: clang:freebsd12:amd64
+    - job: clang:freebsd12.1:amd64
       artifacts: true
 
-# Jobs for Clang builds on OpenBSD (amd64)
+# Jobs for Clang builds on OpenBSD 6.6 (amd64)
 
-clang:openbsd:amd64:
+clang:openbsd6.6:amd64:
   variables:
     CC: clang
     USER: gitlab-runner
-  <<: *openbsd_amd64_image
+  <<: *openbsd_amd64
   <<: *build_job
 
-system:clang:openbsd:amd64:
-  <<: *openbsd_amd64_image
+system:clang:openbsd6.6:amd64:
+  <<: *openbsd_amd64
   <<: *system_test_job
   variables:
     USER: gitlab-runner
   needs:
-    - job: clang:openbsd:amd64
+    - job: clang:openbsd6.6:amd64
       artifacts: true
   only:
     - schedules
     - web
 
-# Jobs for Visual Studio 2017 builds on Windows (amd64)
-
-msvc:windows:amd64:
-  <<: *windows_build_job
-  <<: *default_triggering_rules
-  variables:
-    VSCONF: Release
-
-system:msvc:windows:amd64:
-  <<: *windows_system_test_job
-  variables:
-    VSCONF: Release
-  needs:
-    - job: msvc:windows:amd64
-      artifacts: true
-
-msvc-debug:windows:amd64:
-  <<: *windows_build_job
-  variables:
-    VSCONF: Debug
-  only:
-    - schedules
-    - tags
-    - web
-
-system:msvc-debug:windows:amd64:
-  <<: *windows_system_test_job
-  variables:
-    VSCONF: Debug
-  needs:
-    - job: msvc-debug:windows:amd64
-      artifacts: true
-
 # Job producing a release tarball
 
 release:
   <<: *base_image
   stage: release
   script:
-    - export BIND_DIRECTORY="$(basename "$(find . -name "bind-*.tar.*" -printf "%f")" ".tar.${TARBALL_EXTENSION}")"
-    # Remove redundant files and system test utilities from Windows build artifacts
-    - find Build/Release/ -name "*.pdb" -print -delete
-    - find Build/Debug/ \( -name "*.bsc" -o -name "*.idb" \) -print -delete
-    - find Build/ -regextype posix-extended -regex "Build/.*/($(find bin/tests/ -type f | sed -nE "s|^bin/tests(/system)?/win32/(.*)\.vcxproj$|\2|p" | paste -d"|" -s))\..*" -print -delete
-    # Create Windows zips
-    - openssl dgst -sha256 "${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" | tee Build/Release/SHA256 Build/Debug/SHA256
-    - ( cd Build/Release; zip "../../BIND${BIND_DIRECTORY#bind-}.x64.zip" * )
-    - ( cd Build/Debug; zip "../../BIND${BIND_DIRECTORY#bind-}.debug.x64.zip" * )
-    # Prepare release tarball contents (tarballs + zips + documentation)
-    - mkdir -p release/doc/arm
-    - pushd release
-    - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip .
-    - tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}"
-    - mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README.md,srcid} .
-    - rm -rf "${BIND_DIRECTORY}"
-    - mv "../doc/arm/_build/html" doc/arm/
-    - mv "../doc/arm/_build/latex/Bv9ARM.pdf" doc/arm/
-    - mv "../doc/arm/_build/epub/Bv9ARM.epub" doc/arm/
-    - echo '<!DOCTYPE HTML><html lang="en"><meta http-equiv="refresh" content="0; url=doc/arm/html/notes.html"><title>Redirect</title></html>' > "RELEASE-NOTES-${BIND_DIRECTORY}.html"
-    - popd
     # Create release tarball
     - tar --create --file="${CI_COMMIT_TAG}.tar.gz" --gzip release/
   needs:
     - job: tarball-create
       artifacts: true
-    - job: msvc:windows:amd64
-      artifacts: true
-    - job: msvc-debug:windows:amd64
-      artifacts: true
-    - job: docs
-      artifacts: true
   only:
     - tags
   artifacts:
@@ -1260,14 +1232,13 @@ respdiff:
     CFLAGS: "${CFLAGS_COMMON} -Og"
     BIND_BASELINE_VERSION: v9_11_3
   script:
-    - autoreconf -fi
-    - ./configure
+    - ./configure --without-make-clean
     - make -j${BUILD_PARALLEL_JOBS:-1} V=1
     - *setup_interfaces
     - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git
     - git clone --branch "${BIND_BASELINE_VERSION}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git refbind
     - cd refbind/
-    - ./configure
+    - ./configure --without-make-clean
     - make -j${BUILD_PARALLEL_JOBS:-1} V=1
     - cd ../bind-qa/bind9/respdiff
     - bash respdiff.sh -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}/refbind" "${CI_PROJECT_DIR}"
@@ -1294,58 +1265,21 @@ abi-check:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -Og"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-    BIND_BASELINE_VERSION: v9_17_3
+    BIND_BASELINE_VERSION: v9_17_1
   script:
     - *configure
     - make -j${BUILD_PARALLEL_JOBS:-1} V=1
     - git clone --branch "${BIND_BASELINE_VERSION}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git refbind
     - cd refbind/
-    - autoreconf -fi
     - *configure
     - make -j${BUILD_PARALLEL_JOBS:-1} V=1
     - cd ..
     - util/api-checker.sh . refbind
   artifacts:
     paths:
-      - "*-lib*.html"
-      - "*-lib*.txt"
+      - "*.html"
       - "abi-*.dump"
     expire_in: "1 week"
   only:
-    - main@isc-projects/bind9
-    - /^v9_[1-9][0-9]$/@isc-projects/bind9
-
-gcov:
-  <<: *base_image
-  stage: build
-  needs:
-    - job: autoreconf
-      artifacts: true
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} --coverage -O0"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-  script:
-    - *configure
-    - *setup_interfaces
-    - *setup_softhsm
-    - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
-    - make -j${TEST_PARALLEL_JOBS:-1} -k unit V=1 || true
-    - make -C bin/tests/system -j${TEST_PARALLEL_JOBS:-1} -k check V=1 || cat bin/tests/system/test-suite.log
-    # *.gcno and *.gcda files generated for shared library objects are created
-    # in directories in which gcovr is unable to process them properly
-    # (.../.libs/...).  Move such *.gcno and *.gcda files one level higher.
-    - find . -regex ".*/\.libs/.*\.\(gcda\|gcno\)" -execdir mv "{}" .. \;
-    # Help gcovr process the nasty tricks in lib/dns/code.h, where we include C
-    # source files from lib/dns/rdata/*/, using an even nastier trick.
-    - find lib/dns/rdata/* -name "*.c" -execdir cp -f "{}" ../../ \;
-    - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --html-details -o coverage.html
-    - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' -o coverage.txt
-    - tail -n 3 coverage.txt
-  artifacts:
-    paths:
-      - coverage*.html
-  only:
-    - main@isc-projects/bind9
+    - master@isc-projects/bind9
     - /^v9_[1-9][0-9]$/@isc-projects/bind9

.gitlab/issue_templates/Release.md

@@ -1,28 +1,21 @@
 ## Release Schedule
 
-**Code Freeze:**
-
 **Tagging Deadline:**
 
 **Public Release:**
 
 ## Release Checklist
 
-### Before the Code Freeze
+## 2 Working Days Before the Tagging Deadline
 
- - [ ] ***(QA)*** Inform Support and Marketing of impending release (and give estimated release dates).
- - [ ] ***(QA)*** Ensure there are no permanent test failures on any platform.
- - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
  - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
  - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
  - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
 
-### Before the Tagging Deadline
+## Before the Tagging Deadline
 
- - [ ] ***(QA)*** Look for outstanding documentation issues (e.g. `CHANGES` mistakes) and address them if any are found.
- - [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well.
- - [ ] ***(Support)*** Check release notes, ask QA to correct any mistakes found.
- - [ ] ***(Marketing)*** Check release notes, ask QA to correct any mistakes found.
+ - [ ] ***(QA)*** Inform Support/Marketing of impending release (and give estimated release dates).
+ - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
  - [ ] ***(SwEng)*** Update API files for libraries with new version information.
  - [ ] ***(SwEng)*** Change software version and library versions in `configure.ac` (new major release only).
  - [ ] ***(SwEng)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
@@ -32,11 +25,12 @@
  - [ ] ***(SwEng)*** Update `version`.
  - [ ] ***(SwEng)*** Build documentation on `docs.isc.org`.
  - [ ] ***(QA)*** Check that all the above steps were performed correctly.
+ - [ ] ***(QA)*** Check that the contents of release notes match the merge requests comprising the releases.
  - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
  - [ ] ***(SwEng)*** Tag the releases[^2].  (Tags may only be pushed to the public repository for releases which are *not* security releases.)
  - [ ] ***(SwEng)*** If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` to allow development to continue on the maintenance branch whilst release engineering continues.
 
-### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
+## Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
 
  - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
  - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
@@ -47,7 +41,7 @@
  - [ ] ***(QA)*** Notify Support that the releases have been prepared.
  - [ ] ***(Support)*** Send out ASNs (if applicable).
 
-### On the Day of Public Release
+## On the Day of Public Release
 
  - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
  - [ ] ***(Support)*** Place tarballs in public location on FTP site.
@@ -63,12 +57,9 @@
  - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
  - [ ] ***(Marketing)*** Write blog article (if a major release).
  - [ ] ***(QA)*** Ensure all new tags are annotated and signed.
- - [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
  - [ ] ***(SwEng)*** Push tags for the published releases to the public repository.
- - [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
- - [ ] ***(QA)*** Prepare empty release notes for the next set of releases.
- - [ ] ***(QA)*** Sanitize all confidential issues assigned to the release milestone and make them public.
- - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Flake8, PyLint) by modifying the relevant `Dockerfile`.
+ - [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
+ - [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check:sid:amd64` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
 
 [^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
 

.pylintrc

@@ -4,4 +4,3 @@ disable=
     C0115, # missing-class-docstring
     C0116, # missing-function-docstring
     R0801, # duplicate-code
-    C0103, # invalid-name

CHANGES

@@ -1,389 +1,29 @@
-5490.	[func]		Refactor the readline support to use pkg-config and
-			add support for editline library. [GL !3942]
-
-5489.	[bug]		Named failed to reject some invalid records resulting
-			in records that, after being printed, could not be
-			loaded or would result in DNSSEC validation failures
-			when re-read from zone files as the wire format
-			differed.  The covered records records are: CERT,
-			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
-			X25. [GL !3953]
-
-5488.	[bug]		nta needed to have a weak reference on view to prevent
-			the view being deleted while nta tests are being
-			performed. [GL #2067]
-
-5487.	[cleanup]	Update managed keys log messages to be less confusing.
-			[GL #2027]
-
-5486.	[func]		Add 'rndc dnssec -checkds' command to tell named
-			that the DS record has been published in the parent.
-			[GL #1613]
-
-5485.	[placeholder]
-
-5484.	[func]		Expire the 0 TTL RRSet quickly rather using them for
-			stale answers. [GL #1829]
-
-5483.	[func]		Keeping "stale" answers in cache has been disabled by
-			default and can be re-enabled with a new configuration
-			option "stale-cache-enable". [GL #1712]
-
-5482.	[bug]		BIND 9 would fail to bind to IPv6 addresses in a
-			tentative state when a new IPv6 address was added to the
-			system, but the Duplicate Address Detection (DAD)
-			mechanism had not yet finished. [GL #2038]
-
-5481.	[placeholder]
-
-5480.	[placeholder]
-
-5479.	[placeholder]
-
-5478.	[placeholder]
-
-5477.	[bug]		The idle timeout for connected TCP sockets is now
-			derived from the client query processing timeout
-			configured for a resolver. [GL #2024]
-
-5476.	[placeholder]
-
-5475.	[bug]		Fix RPZ wildcard passthru ignored when a rejection
-			would overwrite a passthru action matching some
-			rule in a previously loaded passthru rpz zone.
-			[GL #1619]
-
-5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
-			when it should have. [GL !3880]
-
-5473.	[func]		The rbt hashtable implementation has been changed
-			to use faster hash-function (HalfSipHash2-4) and
-			uses Fibonacci hashing for better distribution.
-			Setting the max-cache-size now preallocates fixed
-			size hashtable, so the rehashing doesn't cause
-			resolution brownouts when growing the hashtable.
-			[GL #1775]
-
-5472.	[func]		The statistics channel has been updated to use the
-			new network manager. [GL #2022]
-
-5471.	[bug]		The introduction of KASP support broke whether the
-			second field of sig-validity-interval was treated as
-			days or hours. (Thanks to Tony Finch.) [GL !3735]
-
-5470.	[port]		illumos: only call gsskrb5_register_acceptor_identity
-			if we have gssapi_krb5.h. [GL #1995]
-
-5469.	[port]		illumos: SEC is defined in <sys/time.h> which
-			conflicted with our use of SEC. [GL #1993]
-
-5468.	[bug]		Address potential double unlock in process_fd().
-			[GL #2005]
-
-5467.	[func]		The control channel and the rndc utility have been
-			updated to use the new network manager. To support
-			this, the network manager was updated to enable
-			wthe initiation of client TCP connections. Its
-			internal reference counting has been refactored.
-
-			Note: As side effects of this change, rndc cannot
-			currently be used with UNIX-domain sockets, and its
-			default timeout has changed from 60 seconds to 30.
-			These will be addressed in a future release.
-			[GL #1759]
-
-5466.	[bug]		Addressed an error in recursive clients stats reporting.
-			[GL #1719]
-
-5465.	[func]		Fallback to built in trust-anchors, managed-keys, or
-			trusted-keys if the bindkeys-file (bind.keys) cannot
-			be parsed. [GL #1235]
-
-5464.	[bug]		Specifying saving more than 128 files when rolling
-			dnstap / log files would cause buffer overflow.
-			[GL #1989]
-
-5463.	[placeholder]
-
-5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
-
-5461.	[bug]		The header STALE attribute was not being updated with
-			the write lock being held leading to incorrect
-			statistics.  Convert the header attributes to use atomic
-			operations. [GL #1475]
-
-5460.	[cleanup]	tsig-keygen was previously an alias for
-			ddns-confgen and was documented in the ddns-confgen
-			man page. This has been reversed; tsig-keygen is
-			now the primary name. [GL #1998]
-
-5459.	[bug]		Bad isc_mem_put() size when an invalid type was
-			specified in a update-policy rule. [GL #1990]
-
-	--- 9.17.3 released ---
-
-5458.	[bug]		Prevent a theoretically possible NULL dereference caused
-			by a data race between zone_maintenance() and
-			dns_zone_setview_helper(). [GL #1627]
-
-5457.	[placeholder]
-
-5456.	[func]		Added "primaries" as a synonym for "masters" in
-			named.conf, and "primary-only" as a synonym for
-			"master-only" in the parameters to "notify", to bring
-			terminology up-to-date with RFC 8499. [GL #1948]
-
-5455.	[bug]		named could crash when cleaning dead nodes in
-			lib/dns/rbtdb.c that were being reused. [GL #1968]
-
-5454.	[bug]		Address a startup crash that occurred when the server
-			was under load and the root zone had not yet been
-			loaded. [GL #1862]
-
-5453.	[bug]		named crashed on shutdown when a new rndc connection was
-			received during shutdown. [GL #1747]
-
-5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
-			queries. [GL #1936]
-
-5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]
-
-5450.	[placeholder]
-
-5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]
-
-5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
-			[GL #1937]
-
-5447.	[bug]		IPv6 addresses ending in "::" could break YAML
-			parsing. A "0" is now appended to such addresses
-			in YAML output from dig, mdig, delv, and dnstap-read.
-			[GL #1952]
-
-5446.	[bug]		The validator could fail to accept a properly signed
-			RRset if an unsupported algorithm appeared earlier in
-			the DNSKEY RRset than a supported algorithm. It could
-			also stop if it detected a malformed public key.
-			[GL #1689]
-
-5445.	[cleanup]	Disable and disallow static linking. [GL #1933]
-
-5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
-			saved files to <value>. [GL !3728]
-
-5443.	[bug]		The "primary" and "secondary" keywords, when used
-			as parameters for "check-names", were not
-			processed correctly and were being ignored. [GL #1949]
-
-5442.	[func]		Add support for outgoing TCP connections in netmgr.
-			[GL #1958]
-
-5441.	[placeholder]
-
-5440.	[placeholder]
-
-5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
-			a non-thread-safe manner. [GL #1926]
-
-	--- 9.17.2 released ---
-
-5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]
-
-5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
-			[GL #1808]
-
-5436.	[security]	It was possible to trigger an INSIST when determining
-			whether a record would fit into a TCP message buffer.
-			(CVE-2020-8618) [GL #1850]
-
-5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
-			test. [GL #1718]
-
-5434.	[security]	It was possible to trigger an INSIST in
-			lib/dns/rbtdb.c:new_reference() with a particular zone
-			content and query patterns. (CVE-2020-8619) [GL #1111]
-			[GL #1718]
-
-5433.	[placeholder]
-
-5432.	[bug]		Check the question section when processing AXFR, IXFR,
-			and SOA replies when transferring a zone in. [GL #1683]
-
-5431.	[func]		Reject DS records at the zone apex when loading
-			master files. Log but otherwise ignore attempts to
-			add DS records at the zone apex via UPDATE. [GL #1798]
-
-5430.	[doc]		Update docs - with netmgr, a separate listening socket
-			is created for each IPv6 interface (just as with IPv4).
-			[GL #1782]
-
-5429.	[cleanup]	Move BIND binaries which are neither daemons nor
-			administrative programs to $bindir. [GL #1724]
-
-5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
-			has been destroyed. Thanks to Petr Menšík. [GL !3316]
-
-5427.	[placeholder]
-
-5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
-			fails. [GL #1911]
-
-5425.	[func]		The default value of "max-stale-ttl" has been changed
-			from 1 week to 12 hours. [GL #1877]
-
-5424.	[bug]		With KASP, when creating a successor key, the "goal"
-			state of the current active key (predecessor) was not
-			changed and thus never removed from the zone. [GL #1846]
-
-5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
-			returned true if any other key in the keyring had a
-			successor. [GL #1845]
-
-5422.	[bug]		When using dnssec-policy, print correct key timing
-			metadata. [GL #1843]
-
-5421.	[bug]		Fix a race that could cause named to crash when looking
-			up the nodename of an RBT node if the tree was modified.
-			[GL #1857]
-
-5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
-			that caused a memory leak on FreeBSD. [GL #1893]
-
-5419.	[func]		Add new dig command line option, "+qid=<num>", which
-			allows the query ID to be set to an arbitrary value.
-			Add a new ./configure option, --enable-singletrace,
-			which allows trace logging of a single query when QID is
-			set to 0. [GL #1851]
-
-5418.	[bug]		delv failed to parse deprecated trusted-keys-style
-			trust anchors. [GL #1860]
-
-5417.	[cleanup]	The code determining the advertised UDP buffer size in
-			outgoing EDNS queries has been refactored to improve its
-			clarity. [GL #1868]
-
-5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
-			[GL #1859]
-
-5415.	[test]		Address race in dnssec system test that led to
-			test failures. [GL #1852]
-
-5414.	[test]		Adjust time allowed for journal truncation to occur
-			in nsupdate system test to avoid test failure.
-			[GL #1855]
-
-5413.	[test]		Address race in autosign system test that led to
-			test failures. [GL #1852]
-
-5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
-			when the serial was greater than or equal to the
-			current serial. [GL #1714]
-
-5411.	[cleanup]	TCP accept code has been refactored to use a single
-			accept() and pass the accepted socket to child threads
-			for processing. [GL !3320]
-
-5410.	[func]		Add the ability to specify per-type record count limits,
-			which are enforced when adding records via UPDATE, in an
-			"update-policy" statement. [GL #1657]
-
-5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
-			check for empty non-terminal nodes; the NSEC3 tree does
-			not have any. [GL #1834]
-
-5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
-			[GL #1835]
-
-5407.	[func]		Zone timers are now exported via statistics channel.
-			Thanks to Paul Frieden, Verizon Media. [GL #1232]
-
-5406.	[func]		Add a new logging category, "rpz-passthru", which allows
-			RPZ passthru actions to be logged in a separate channel.
-			[GL #54]
-
-5405.	[bug]		'named-checkconf -p' could include spurious text in
-			server-addresses statements due to an uninitialized DSCP
-			value. [GL #1812]
-
-5404.	[bug]		'named-checkconf -z' could incorrectly indicate
-			success if errors were found in one view but not in a
-			subsequent one. [GL #1807]
-
-5403.	[func]		Do not set UDP receive/send buffer sizes - use system
-			defaults. [GL #1713]
-
-5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
-			Enable use of SO_REUSEADDR on all platforms which
-			support it. [GL !3365]
-
-5401.	[bug]		The number of input queues allocated during dnstap
-			initialization was too low, which could prevent some
-			dnstap data from being logged. [GL #1795]
-
-5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
-			[GL #1763]
-
-5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
-			[GL #1534]
-
-5398.	[bug]		Named could fail to restart if a zone with a double
-			quote (") in its name was added with 'rndc addzone'.
-			[GL #1695]
-
-5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
-			Thanks to Aaron Thompson. [GL !3326]
-
-5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
-			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
-			libuv. [GL #1797]
-
-5395.	[security]	Further limit the number of queries that can be
-			triggered from a request.  Root and TLD servers
-			are no longer exempt from max-recursion-queries.
-			Fetches for missing name server address records
-			are limited to 4 for any domain. (CVE-2020-8616)
-			[GL #1388]
-
-5394.	[cleanup]	Named formerly attempted to change the effective UID and
-			GID in named_os_openfile(), which could trigger a
-			spurious log message if they were already set to the
-			desired values. This has been fixed. [GL #1042]
-			[GL #1090]
-
-5393.	[cleanup]	Unused and/or redundant APIs were removed from libirs.
-			[GL #1758]
-
 5392.	[bug]		It was possible for named to crash during shutdown
 			or reconfiguration if an RPZ zone was still being
 			updated. [GL #1779]
 
-5391.	[func]		The BIND 9 build system has been changed to use a
-			typical autoconf+automake+libtool stack. When building
-			from the Git repository, run "autoreconf -fi" first.
-			[GL #4]
+5391.	[func]		The BIND 9 build system has been changed to use the
+			usual stack of autoconf+automake+libtool.  [GL #4]
 
-5390.	[security]	Replaying a TSIG BADTIME response as a request could
-			trigger an assertion failure. (CVE-2020-8617)
-			[GL #1703]
+5390.	[placeholder]
 
-5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
+5389.	[bug]		Finish the PKCS#11 code cleanup, fix couple of smaller
 			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
 			Thanks to Aaron Thompson. [GL !3391]
 
-5388.	[func]		Reject AXFR streams where the message ID is not
+5388.	[func]		Reject AXFR streams where the message id is not
 			consistent. [GL #1674]
 
 5387.	[placeholder]
 
-5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
-			[GL #1737]
+5386.	[cleanup]	Address Coverity warnings in keymgr.c [GL #1737]
 
 5385.	[func]		Make ISC rwlock implementation the default again.
 			[GL #1753]
 
-5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
-			implicitly set to "yes". Now "inline-signing" is only
-			set to "yes" if the zone is not dynamic. [GL #1709]
+5384.	[bug]		With dnssec-policy, inline-signing was implicitly set
+			to yes.  Change and only set inline-signing to yes
+			if the zone is not dynamic. [GL #1709]
 
 	--- 9.17.1 released ---
 

CONTRIBUTING.md

@@ -8,8 +8,8 @@
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
-## BIND 9 Source Access and Contributor Guidelines
-*May 28, 2020*
+## BIND Source Access and Contributor Guidelines
+*Feb 22, 2018*
 
 ### Contents
 
@@ -19,12 +19,12 @@
 
 ### Introduction
 
-Thank you for using BIND 9!
+Thank you for using BIND!
 
 BIND is open source software that implements the Domain Name System (DNS)
 protocols for the Internet. It is a reference implementation of those
 protocols, but it is also production-grade software, suitable for use in
-high-volume and high-reliability applications.  It is very
+high-volume and high-reliability applications.  It is by far the most
 widely used DNS software, providing a robust and stable platform on top of
 which organizations can build distributed computing systems with the
 knowledge that those systems are fully compliant with published DNS
@@ -33,20 +33,20 @@ standards.
 BIND is and will always remain free and openly available.  It can be
 used and modified in any way by anyone.
 
-BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
+BIND is maintained by the [Internet Systems Consortium](https://www.isc.org),
 a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
 anyone can see the source, but only ISC employees have commit access.
-In the past, the source could only be seen once ISC had published
-a release; read access to the source repository was restricted just
-as commit access was.  That has changed, as ISC now provides a
+Until recently, the source could only be seen once ISC had published
+a release: read access to the source repository was restricted just
+as commit access was.  That's now changing, with the opening of a
 public git mirror to the BIND source tree (see below).
 
-At ISC, we're committed to
-building communities that are welcoming and inclusive: environments where people
+At [Internet Systems Consortium](https://www.isc.org), we're committed to
+building communities that are welcoming and inclusive; environments where people
 are encouraged to share ideas, treat each other with respect, and collaborate
-towards the best solutions. To reinforce our commitment, ISC
-has adopted a slightly modified version of the Django
-[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/master/CODE_OF_CONDUCT.md) for the BIND 9 project, as well as for the conduct of our
+towards the best solutions. To reinforce our commitment, the [Internet Systems
+Consortium](https://www.isc.org) has adopted the Contributor Covenant version
+1.4 as our Code of Conduct for BIND 9 project, as well as for the conduct of our
 developers throughout the industry.
 
 ### <a name="access"></a>Access to source code
@@ -76,7 +76,7 @@ branch, use:
 
 >       $ git checkout v9_12
 
-Whenever a branch is ready for publication, a tag is placed of the
+Whenever a branch is ready for publication, a tag will be placed of the
 form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
@@ -86,16 +86,16 @@ The branch in which the next major release is being developed is called
 
 Reports of flaws in the BIND package, including software bugs, errors
 in the documentation, missing files in the tarball, suggested changes
-or requests for new features, etc., can be filed using
+or requests for new features, etc, can be filed using
 [https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
 
 Due to a large ticket backlog, we are sometimes slow to respond,
 especially if a bug is cosmetic or if a feature request is vague or
-low in priority, but we try at least to acknowledge legitimate
+low in priority, but we will try at least to acknowledge legitimate
 bug reports within a week.
 
-ISC's GitLab system is publicly readable; however, you must have
-an account to create a new issue. You can either register locally or
+ISC's ticketing system is publicly readable; however, you must have
+an account to file a new issue. You can either register locally or
 use credentials from an existing account at GitHub, GitLab, Google,
 Twitter, or Facebook.
 
@@ -105,26 +105,26 @@ If you think you may be seeing a potential security vulnerability in BIND
 report it immediately by emailing to security-officer@isc.org. Plain-text
 e-mail is not a secure choice for communications concerning undisclosed
 security issues so please encrypt your communications to us if possible,
-using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
+using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
 
 Do not discuss undisclosed security vulnerabilities on any public mailing list.
 ISC has a long history of handling reported vulnerabilities promptly and
 effectively and we respect and acknowledge responsible reporters.
 
-ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
 
 If you have a crash, you may want to consult
-["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
+[‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
 
 ### <a name="contrib"></a>Contributing code
 
 BIND is licensed under the
-[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
-Earlier versions (BIND 9.10 and earlier) were licensed under the [ISC License](https://www.isc.org/licenses/)
+[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
+Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
 
 ISC does not require an explicit copyright assignment for patch
 contributions.  However, by submitting a patch to ISC, you implicitly
-certify that you are the author of the code, that you intend to relinquish
+certify that you are the author of the code, that you intend to reliquish
 exclusive copyright, and that you grant permission to publish your work
 under the open source license used for the BIND version(s) to which your
 patch will be applied.
@@ -132,7 +132,7 @@ patch will be applied.
 #### <a name="bind"></a>BIND code
 
 Patches for BIND may be submitted directly via merge requests in
-[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source
+[ISC's Gitlab](https://gitlab.isc.org/isc-projects/bind9/) source
 repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of
@@ -142,9 +142,10 @@ be generated using either `git format-patch` or `git diff`.
 Those wanting to write code for BIND may be interested in the
 [developer information](doc/dev/dev.md) page, which includes information
 about BIND design and coding practices, including discussion of internal
-APIs and overall system architecture.
+APIs and overall system architecture.  (This is a work in progress, and
+still quite preliminary.)
 
-Every patch submitted is reviewed by ISC engineers following our
+Every patch submitted will be reviewed by ISC engineers following our
 [code review process](doc/dev/dev.md#reviews) before it is merged.
 
 It may take considerable time to review patch submissions, especially if
@@ -155,7 +156,7 @@ we're busy with other work, it may take us a long time to get to it.
 To ensure your patch is acted on as promptly as possible, please:
 
 * Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
-* Run `make check` to ensure your change hasn't caused any
+* Run `make` `check` to ensure your change hasn't caused any
   functional regressions.
 * Document your work, both in the patch itself and in the
   accompanying email.
@@ -181,23 +182,28 @@ All functional changes should be documented. There are three types
 of documentation in the BIND source tree:
 
 * Man pages are kept alongside the source code for the commands
-  they document, in files ending in `.rst`: for example, the
-  `named` man page is `bin/named/named.rst`.
-* The *BIND 9 Administrator Reference Manual* is in the .rst files in
-  `doc/arm/`; the PDF and HTML versions are automatically generated from the `.rst` files.
+  they document, in files ending in `.docbook`; for example, the
+  `named` man page is `bin/named/named.docbook`.
+* The *BIND 9 Administrator Reference Manual* is mostly in
+  `doc/arm/Bv9ARM-book.xml`, plus a few other XML files that are included
+  in it.
 * API documentation is in the header file describing the API, in
   Doxygen-formatted comments.
 
+It is not necessary to edit any documentation files other than these;
+all PDF, HTML, and `nroff`-format man page files will be updated
+automatically from the `docbook` and `XML` files after merging.
+
 Patches to improve existing documentation are also very welcome!
 
 ##### Tests
 
 BIND is a large and complex project. We rely heavily on continuous
 automated testing and cannot merge new code without adequate test coverage.
-Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
+Please see [the 'Testing' section of doc/dev/dev.md](doc/dev/dev.md#testing)
 for more information.
 
 #### Thanks
 
 Thank you for your interest in contributing to the ongoing development
-of BIND 9.
+of BIND.

Makefile.am

@@ -1,25 +1,11 @@
 include $(top_srcdir)/Makefile.top
 
-SUBDIRS = . libltdl lib doc bin fuzz
+SUBDIRS = . libltdl lib bin # doc
 
 BUILT_SOURCES = bind.keys.h
 CLEANFILES = bind.keys.h
 
 bind.keys.h: bind.keys Makefile
-	${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
+	${PERL} ${top_srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
 
 dist_sysconf_DATA = bind.keys
-
-.PHONY: doc
-
-EXTRA_DIST = 			\
-	util/bindkeys.pl	\
-	contrib			\
-	CHANGES			\
-	COPYRIGHT		\
-	LICENSE			\
-	*.md
-
-dist-hook:
-	find $(distdir) -type f -name .gitignore -delete
-	git rev-parse --short HEAD | cut -b1-7 > $(distdir)/srcid

Makefile.docs

@@ -1,51 +0,0 @@
-SPHINX_V = $(SPHINX_V_@AM_V@)
-SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
-SPHINX_V_0 = -q
-SPHINX_V_1 = -n
-
-AM_V_SPHINX = $(AM_V_SPHINX_@AM_V@)
-AM_V_SPHINX_ = $(AM_V_SPHINX_@AM_DEFAULT_V@)
-AM_V_SPHINX_0 = @echo "  SPHINX   $@";
-
-SPHINXBUILDDIR = $(builddir)/_build
-
-common_SPHINXOPTS =			\
-	-c $(srcdir)			\
-	-a				\
-	$(SPHINX_V)
-
-ALLSPHINXOPTS =				\
-	$(common_SPHINXOPTS)		\
-	-D version="$(PACKAGE_VERSION)"	\
-	-D today="$(RELEASE_DATE)"	\
-	-D release="$(PACKAGE_VERSION)"	\
-	$(SPHINXOPTS)			\
-	$(srcdir)
-
-man_SPHINXOPTS =			\
-	$(common_SPHINXOPTS)		\
-	-D version="@""PACKAGE_VERSION@"\
-	-D today="@""RELEASE_DATE@"	\
-	-D release="@""PACKAGE_VERSION@"\
-	$(SPHINXOPTS)			\
-	$(srcdir)
-
-AM_V_SED = $(AM_V_SED_@AM_V@)
-AM_V_SED_ = $(AM_V_SED_@AM_DEFAULT_V@)
-AM_V_SED_0 = @echo "  SED $@";
-
-AM_V_CFG_TEST = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_CFG_TEST_ = $(AM_V_CFG_TEST_@AM_DEFAULT_V@)
-AM_V_CFG_TEST_0 = @echo "  CFG_GEN $@";
-
-AM_V_RST_OPTIONS = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_OPTIONS_ = $(AM_V_RST_OPTIONS_@AM_DEFAULT_V@)
-AM_V_RST_OPTIONS_0 = @echo "  RST_OPTIONS $@";
-
-AM_V_RST_ZONEOPT = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_ZONEOPT_ = $(AM_V_RST_ZONEOPT_@AM_DEFAULT_V@)
-AM_V_RST_ZONEOPT_0 = @echo "  RST_ZONEOPT $@";
-
-AM_V_RST_GRAMMARS = $(AM_V_CFG_TEST_@AM_V@)
-AM_V_RST_GRAMMARS_ = $(AM_V_RST_GRAMMARS_@AM_DEFAULT_V@)
-AM_V_RST_GRAMMARS_0 = @echo "  RST_GRAMMARS $@";

Makefile.tests

@@ -3,7 +3,7 @@
 
 AM_CPPFLAGS +=					\
 	$(CMOCKA_CFLAGS)			\
-	-DTESTS_DIR=\"$(abs_srcdir)\"		\
+	-DTESTS=\"$(abs_srcdir)\"		\
 	-DNAMED_PLUGINDIR=\"$(libdir)/named\"
 
 LDADD =			\

Makefile.top

@@ -33,11 +33,6 @@ LIBISC_CFLAGS +=					\
 	$(LIBXML2_CFLAGS)
 endif HAVE_LIBXML2
 
-if HAVE_READLINE
-LIBISC_CFLAGS +=					\
-	$(READLINE_CFLAGS)
-endif HAVE_READLINE
-
 LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
 
 LIBDNS_CFLAGS = \
@@ -47,16 +42,6 @@ LIBDNS_CFLAGS = \
 LIBDNS_LIBS = \
 	$(top_builddir)/lib/dns/libdns.la
 
-if HAVE_DNSTAP
-LIBDNS_CFLAGS +=					\
-	$(DNSTAP_CFLAGS)
-endif HAVE_DNSTAP
-
-if HAVE_LMDB
-LIBDNS_CFLAGS +=					\
-	$(LMDB_CFLAGS)
-endif HAVE_LMDB
-
 LIBNS_CFLAGS = \
 	-I$(top_srcdir)/lib/ns/include
 
@@ -92,3 +77,32 @@ LIBLTDL_CFLAGS = \
 
 LIBLTDL_LIBS = \
 	$(top_builddir)/libltdl/libltdlc.la
+
+SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8
+
+.docbook.html:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $<
+
+.docbook.1:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.2:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.3:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.4:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.5:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.6:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.7:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.8:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<

PLATFORMS.md

@@ -42,16 +42,16 @@ offer support on a "best effort" basis for some.
 
 ### Regularly tested platforms
 
-As of Jul 2020, BIND 9.17 is fully supported and regularly tested on the
+As of Mar 2020, BIND 9.17 is fully supported and regularly tested on the
 following systems:
 
 * Debian 9, 10
-* Ubuntu LTS 16.04, 20.04
-* Fedora 32
+* Ubuntu LTS 16.04, 18.04
+* Fedora 31
 * Red Hat Enterprise Linux / CentOS 7, 8
-* FreeBSD 11.4, 12.1
-* OpenBSD 6.7
-* Alpine Linux 3.12
+* FreeBSD 11.3, 12.1
+* OpenBSD 6.6
+* Alpine Linux
 
 The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
 

README.md

@@ -28,26 +28,26 @@
 ### <a name="intro"/> Introduction
 
 BIND (Berkeley Internet Name Domain) is a complete, highly portable
-implementation of the Domain Name System (DNS) protocol.
+implementation of the DNS (Domain Name System) protocol.
 
-The BIND name server, `named`, can act as an authoritative name
-server, recursive resolver, DNS forwarder, or all three simultaneously. It
+The BIND name server, `named`, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously.  It
 implements views for split-horizon DNS, automatic DNSSEC zone signing and
 key management, catalog zones to facilitate provisioning of zone data
 throughout a name server constellation, response policy zones (RPZ) to
 protect clients from malicious data, response rate limiting (RRL) and
 recursive query limits to reduce distributed denial of service attacks,
-and many other advanced DNS features. BIND also includes a suite of
+and many other advanced DNS features.  BIND also includes a suite of
 administrative tools, including the `dig` and `delv` DNS lookup tools,
 `nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
 administration, and more.
 
-BIND 9 began as a complete rewrite of the BIND architecture that was
+BIND 9 began as a complete re-write of the BIND architecture that was
 used in versions 4 and 8.  Internet Systems Consortium
-([https://www.isc.org](https://www.isc.org)), a 501(c)(3) US public benefit
+([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
 corporation dedicated to providing software and services in support of the
 Internet infrastructure, developed BIND 9 and is responsible for its
-ongoing maintenance and improvement. BIND is open source software
+ongoing maintenance and improvement.  BIND is open source software
 licensed under the terms of the Mozilla Public License, version 2.0.
 
 For a summary of features introduced in past major releases of BIND,
@@ -65,19 +65,19 @@ For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
 ### <a name="help"/> Reporting bugs and getting help
 
 To report non-security-sensitive bugs or request new features, you may
-open an issue in the BIND 9 project on the
+open an Issue in the BIND 9 project on the
 [ISC GitLab server](https://gitlab.isc.org) at
 [https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
 
-Please note that, unless you explicitly mark the newly created issue as
-"confidential," it will be publicly readable. Please do not include any
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable.  Please do not include any
 information in bug reports that you consider to be confidential unless
-the issue has been marked as such. In particular, if submitting the
-contents of your configuration file in a non-confidential issue, it is
-advisable to obscure key secrets; this can be done automatically by
+the issue has been marked as such.  In particular, if submitting the
+contents of your configuration file in a non-confidential Issue, it is
+advisable to obscure key secrets: this can be done automatically by
 using `named-checkconf -px`.
 
-If you are reporting a bug that is a potential security issue, such as an
+If the bug you are reporting is a potential security issue, such as an
 assertion failure or other crash in `named`, please do *NOT* use GitLab to
 report it. Instead, send mail to
 [security-officer@isc.org](mailto:security-officer@isc.org) using our
@@ -86,12 +86,11 @@ to our key can be found at
 [https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
 discuss the bug on any public mailing list.
 
-For a general overview of ISC security policies, read the Knowledgebase
+For a general overview of ISC security policies, read the Knowledge Base
 article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
 
 Professional support and training for BIND are available from
-ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
-for more information.
+ISC at [https://www.isc.org/support](https://www.isc.org/support).
 
 To join the __BIND Users__ mailing list, or view the archives, visit
 [https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
@@ -103,7 +102,7 @@ may also want to join the __BIND Workers__ mailing list, at
 ### <a name="contrib"/> Contributing to BIND
 
 ISC maintains a public git repository for BIND; details can be found
-at [https://www.isc.org/sourceaccess/](https://www.isc.org/sourceaccess/).
+at [http://www.isc.org/git/](http://www.isc.org/git/).
 
 Information for BIND contributors can be found in the following files:
 - General information: [CONTRIBUTING.md](CONTRIBUTING.md)
@@ -113,15 +112,16 @@ Information for BIND contributors can be found in the following files:
 
 Patches for BIND may be submitted as
 [merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
-on the [ISC GitLab server](https://gitlab.isc.org).
+in the [ISC GitLab server](https://gitlab.isc.org) at
+at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
 
-By default, external contributors do not have the ability to fork BIND on the
-GitLab server; if you wish to contribute code to BIND, you may request
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
 permission to do so. Thereafter, you can create git branches and directly
 submit requests that they be reviewed and merged.
 
 If you prefer, you may also submit code by opening a
-[GitLab issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
+[GitLab Issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
 including your patch as an attachment, preferably generated by
 `git format-patch`.
 
@@ -130,15 +130,15 @@ including your patch as an attachment, preferably generated by
 BIND 9.17 is the newest development branch of BIND 9. It includes a
 number of changes from BIND 9.16 and earlier releases. New features include:
 
-* The new option `max-ixfr-ratio` to limit the size of outgoing IXFR responses
+* New option "max-ixfr-ratio" to limit the size of outgoing IXFR responses
   before falling back to full zone transfers.
-* `rndc nta -d` and `rndc secroots` now include `validate-except` entries
+* "rndc nta -d" and "rndc secroots" now include "validate-except" entries
   when listing negative trust anchors.
 
-### <a name="build"/> Building BIND 9
+### <a name="build"/> Building BIND
 
-At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. BIND also requires the
+Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
+basic POSIX support, and a 64-bit integer type.  BIND also requires the
 `libuv` asynchronous I/O library, and a cryptography provider library
 such as OpenSSL or a hardware service module supporting PKCS#11. On
 Linux, BIND requires the `libcap` library to set process privileges,
@@ -148,24 +148,23 @@ for details on other libraries that may be required to support
 optional features.
 
 Successful builds have been observed on many versions of Linux and
-Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
+UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
 Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
 OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
 
-BIND 9 is also available for Windows Server 2012 R2 and higher. See
+BIND is also available for Windows Server 2012 R2 and higher.  See
 `win32utils/build.txt` for details on building for Windows
 systems.
 
-To build on a Unix or Linux system, use:
+To build on a UNIX or Linux system, use:
 
-		$ autoreconf -fi (if you are building in the git repository)
 		$ ./configure
 		$ make
 
 If you're planning on making changes to the BIND 9 source, you should run
 `make depend`.  If you're using Emacs, you might find `make tags` helpful.
 
-Several environment variables, which can be set before running `configure`,
+Several environment variables that can be set before running `configure` will
 affect compilation.  Significant ones are:
 
 |Variable|Description |
@@ -182,33 +181,22 @@ command:
 
 #### <a name="macos"> macOS
 
-Building on macOS assumes that the "Command Tools for Xcode" are installed.
-These can be downloaded from
+Building on macOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from
 [https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
-or, if you have Xcode already installed, you can run `xcode-select --install`.
-(Note that an Apple ID may be required to access the download page.)
-
-#### <a name="dependencies"> Dependencies
-
-To build BIND you need to have the following packages installed:
-
-    libuv
-    pkg-config / pkgconfig / pkgconf
-
-To build BIND from the git repository, you need the following tools
-installed:
-
-    autoconf (includes autoreconf)
-    automake
-    libtool
-    libltdl-dev (Debian) / libtool-ltdl-dev (Fedora/CentOS) / libltdl (FreeBSD)
+or, if you have Xcode already installed, you can run `xcode-select
+--install`.  (Note that an Apple ID may be required to access the download
+page.)
 
 #### <a name="opts"/> Compile-time options
 
 To see a full list of configuration options, run `configure --help`.
 
+To build shared libraries, specify `--with-libtool` on the `configure`
+command line.
+
 For the server to support DNSSEC, you need to build it with crypto support.
-To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
+To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed.  If the
 OpenSSL library is installed in a nonstandard location, specify the prefix
 using `--with-openssl=<PREFIX>` on the configure command line. To use a
 PKCS#11 hardware service module for cryptographic operations, specify the
@@ -221,15 +209,15 @@ least one of the following libraries: `libxml2`
 [https://github.com/json-c/json-c](https://github.com/json-c/json-c).
 If these are installed at a nonstandard location, then:
 
-* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`.
+* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`,
 * for `json-c`, adjust `PKG_CONFIG_PATH`.
 
 To support compression on the HTTP statistics channel, the server must be
-linked against `libzlib`. If this is installed in a nonstandard location,
+linked against `libzlib`.  If this is installed in a nonstandard location,
 specify the prefix using `--with-zlib=/prefix`.
 
 To support storing configuration data for runtime-added zones in an LMDB
-database, the server must be linked with `liblmdb`. If this is installed in a
+database, the server must be linked with liblmdb. If this is installed in a
 nonstandard location, specify the prefix using `with-lmdb=/prefix`.
 
 To support MaxMind GeoIP2 location-based ACLs, the server must be linked
@@ -246,8 +234,8 @@ and BIND must be configured with `--enable-dnstap`.
 
 Certain compiled-in constants and default settings can be decreased to
 values better suited to small machines, e.g. OpenWRT boxes, by specifying
-`--with-tuning=small` on the `configure` command line. This decreases
-memory usage by using smaller structures, but degrades performance.
+`--with-tuning=small` on the `configure` command line. This will decrease
+memory usage by using smaller structures, but will degrade performance.
 
 On Linux, process capabilities are managed in user space using
 the `libcap` library, which can be installed on most Linux systems via
@@ -260,54 +248,51 @@ to handle files bigger than 2GB.  This can be done by using
 
 Support for the "fixed" rrset-order option can be enabled or disabled by
 specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
-configure command line. By default, fixed rrset-order is disabled to
+configure command line.  By default, fixed rrset-order is disabled to
 reduce memory footprint.
 
 The `--enable-querytrace` option causes `named` to log every step of
-processing every query. The `--enable-singletrace` option turns on the
-same verbose tracing, but allows an individual query to be separately
-traced by setting its query ID to 0. These options should only be enabled
-when debugging, because they have a significant negative impact on query
-performance.
+processing every query. This should only be enabled when debugging, because
+it has a significant negative impact on query performance.
 
-`make install` installs `named` and the various BIND 9 libraries. By
+`make install` will install `named` and the various BIND 9 libraries.  By
 default, installation is into /usr/local, but this can be changed with the
 `--prefix` option when running `configure`.
 
 You may specify the option `--sysconfdir` to set the directory where
 configuration files like `named.conf` go by default, and `--localstatedir`
-to set the default parent directory of `run/named.pid`. `--sysconfdir`
+to set the default parent directory of `run/named.pid`.   `--sysconfdir`
 defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
 
 ### <a name="testing"/> Automated testing
 
-A system test suite can be run with `make check`. The system tests require
+A system test suite can be run with `make check`.  The system tests require
 you to configure a set of virtual IP addresses on your system (this allows
-multiple servers to run locally and communicate with each other). These
+multiple servers to run locally and communicate with one another).  These
 IP addresses can be configured by running the command
 `bin/tests/system/ifconfig.sh up` as root.
 
 Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
-and are skipped if these are not available. Some tests require Python
-and the `dnspython` module and are skipped if these are not available.
+and will be skipped if these are not available. Some tests require Python
+and the `dnspython` module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
-Unit tests are implemented using the CMocka unit testing framework. To build
+Unit tests are implemented using the CMocka unit testing framework.  To build
 them, use `configure --with-cmocka`. Execution of tests is done by the automake
 parallel test driver; unit tests are also run by `make check`.
 
 ### <a name="doc"/> Documentation
 
-The *BIND 9 Administrator Reference Manual* (ARM) is included with the source
-distribution, and in .rst format, in the `doc/arm`
-directory. HTML and PDF versions are automatically generated and can
-be viewed at [https://bind9.readthedocs.io/en/latest/index.html](https://bind9.readthedocs.io/en/latest/index.html).
+The *BIND 9 Administrator Reference Manual* is included with the source
+distribution, in DocBook XML, HTML, and PDF format, in the `doc/arm`
+directory.
 
-Man pages for some of the programs in the BIND 9 distribution
-are also included in the BIND ARM.
+Some of the programs in the BIND 9 distribution have man pages in their
+directories.  In particular, the command line options of `named` are
+documented in `bin/named/named.8`.
 
 Frequently (and not-so-frequently) asked questions and their answers
-can be found in the ISC Knowledgebase at
+can be found in the ISC Knowledge Base at
 [https://kb.isc.org](https://kb.isc.org).
 
 Additional information on various subjects can be found in other
@@ -316,8 +301,8 @@ Additional information on various subjects can be found in other
 ### <a name="changes"/> Change log
 
 A detailed list of all changes that have been made throughout the
-development of BIND 9 is included in the file CHANGES, with the most recent
-changes listed first. Change notes include tags indicating the category of
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first.  Change notes include tags indicating the category of
 the change that was made; these categories are:
 
 |Category	|Description	        			|
@@ -335,12 +320,12 @@ the change that was made; these categories are:
 | [cleanup] | Minor corrections and refactoring |
 | [doc] | Documentation |
 | [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
-| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
+| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
 
-In general, [func] and [experimental] tags only appear in new-feature
-releases (i.e., those with version numbers ending in zero). Some new
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero).  Some new
 functionality may be backported to older releases on a case-by-case basis.
-All other change types may be applied to all currently supported releases.
+All other change types may be applied to all currently-supported releases.
 
 #### Bug report identifiers
 
@@ -350,7 +335,7 @@ and referred to entries in the "bind9-bugs" RT database, which was not open
 to the public. More recent entries use the form `[GL #NNN]` or, less often,
 `[GL !NNN]`, which, respectively, refer to issues or merge requests in the
 GitLab database. Most of these are publicly readable, unless they include
-information which is confidential or security-sensitive.
+information which is confidential or security sensitive.
 
 To look up a GitLab issue by its number, use the URL
 [https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
@@ -380,7 +365,7 @@ GitLab instance, which is not visible to the public.
 
 * This product includes software developed by the OpenSSL Project for use
   in the OpenSSL Toolkit.
-  [https://www.OpenSSL.org/](https://www.OpenSSL.org/)
+  [http://www.OpenSSL.org/](http://www.OpenSSL.org/)
 * This product includes cryptographic software written by Eric Young
-  (eay@cryptsoft.com).
-* This product includes software written by Tim Hudson (tjh@cryptsoft.com).
+  (eay@cryptsoft.com)
+* This product includes software written by Tim Hudson (tjh@cryptsoft.com)

bin/check/Makefile.am

@@ -24,11 +24,11 @@ LDADD =				\
 	$(LIBISCCFG_LIBS)	\
 	$(LIBBIND9_LIBS)
 
-bin_PROGRAMS = named-checkconf named-checkzone
+sbin_PROGRAMS = named-checkconf named-checkzone
 
 install-exec-hook:
-	ln -f $(DESTDIR)$(bindir)/named-checkzone \
-	      $(DESTDIR)$(bindir)/named-compilezone
+	ln -f $(DESTDIR)$(sbindir)/named-checkzone \
+	      $(DESTDIR)$(sbindir)/named-compilezone
 
 uninstall-hook:
-	-rm -f $(DESTDIR)$(bindir)/named-compilezone
+	-rm -f $(DESTDIR)$(sbindir)/named-compilezone

bin/check/named-checkconf.8

@@ -0,0 +1,152 @@
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: named-checkconf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-10
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "NAMED\-CHECKCONF" "8" "2014\-01\-10" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+named-checkconf \- named configuration file syntax checking tool
+.SH "SYNOPSIS"
+.HP \w'\fBnamed\-checkconf\fR\ 'u
+\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+.SH "DESCRIPTION"
+.PP
+\fBnamed\-checkconf\fR
+checks the syntax, but not the semantics, of a
+\fBnamed\fR
+configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
+/etc/named\&.conf
+is read by default\&.
+.PP
+Note: files that
+\fBnamed\fR
+reads in separate parser contexts, such as
+rndc\&.key
+and
+bind\&.keys, are not automatically read by
+\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
+\fBnamed\fR
+to fail to run, even if
+\fBnamed\-checkconf\fR
+was successful\&.
+\fBnamed\-checkconf\fR
+can be run on these files explicitly, however\&.
+.SH "OPTIONS"
+.PP
+\-h
+.RS 4
+Print the usage summary and exit\&.
+.RE
+.PP
+\-j
+.RS 4
+When loading a zonefile read the journal if it exists\&.
+.RE
+.PP
+\-l
+.RS 4
+List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
+.RE
+.PP
+\-c
+.RS 4
+Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
+\fBplugin\fR
+statements to be ignored\&.
+.RE
+.PP
+\-i
+.RS 4
+Ignore warnings on deprecated options\&.
+.RE
+.PP
+\-p
+.RS 4
+Print out the
+named\&.conf
+and included files in canonical form if no errors were detected\&. See also the
+\fB\-x\fR
+option\&.
+.RE
+.PP
+\-t \fIdirectory\fR
+.RS 4
+Chroot to
+directory
+so that include directives in the configuration file are processed as if run by a similarly chrooted
+\fBnamed\fR\&.
+.RE
+.PP
+\-v
+.RS 4
+Print the version of the
+\fBnamed\-checkconf\fR
+program and exit\&.
+.RE
+.PP
+\-x
+.RS 4
+When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
+named\&.conf
+and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
+\fB\-p\fR\&.
+.RE
+.PP
+\-z
+.RS 4
+Perform a test load of all master zones found in
+named\&.conf\&.
+.RE
+.PP
+filename
+.RS 4
+The name of the configuration file to be checked\&. If not specified, it defaults to
+/etc/named\&.conf\&.
+.RE
+.SH "RETURN VALUES"
+.PP
+\fBnamed\-checkconf\fR
+returns an exit status of 1 if errors were detected and 0 otherwise\&.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBnamed-checkzone\fR(8),
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/check/named-checkconf.c

@@ -185,7 +185,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 	const char *zname;
 	const char *zfile = NULL;
 	const cfg_obj_t *maps[4];
-	const cfg_obj_t *primariesobj = NULL;
+	const cfg_obj_t *mastersobj = NULL;
 	const cfg_obj_t *inviewobj = NULL;
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *classobj = NULL;
@@ -279,12 +279,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
 	 * Is the redirect zone configured as a slave?
 	 */
 	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
-		cfg_map_get(zoptions, "primaries", &primariesobj);
-		if (primariesobj == NULL) {
-			cfg_map_get(zoptions, "masters", &primariesobj);
-		}
-
-		if (primariesobj != NULL) {
+		cfg_map_get(zoptions, "masters", &mastersobj);
+		if (mastersobj != NULL) {
 			return (ISC_R_SUCCESS);
 		}
 	}
@@ -534,12 +530,7 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
 		}
 
 		classobj = cfg_tuple_get(vconfig, "class");
-		tresult = config_getclass(classobj, dns_rdataclass_in,
-					  &viewclass);
-		if (tresult != ISC_R_SUCCESS) {
-			CHECK(tresult);
-		}
-
+		CHECK(config_getclass(classobj, dns_rdataclass_in, &viewclass));
 		if (dns_rdataclass_ismeta(viewclass)) {
 			CHECK(ISC_R_FAILURE);
 		}

bin/check/named-checkconf.docbook

@@ -0,0 +1,229 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
+  <info>
+    <date>2014-01-10</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>named-checkconf</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2009</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname><application>named-checkconf</application></refname>
+    <refpurpose>named configuration file syntax checking tool</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>named-checkconf</command>
+      <arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p</option>
+	<arg choice="opt" rep="norepeat"><option>-x</option>
+      </arg></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">filename</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>named-checkconf</command>
+      checks the syntax, but not the semantics, of a
+      <command>named</command> configuration file.  The file is parsed
+      and checked for syntax errors, along with all files included by it.
+      If no file is specified, <filename>/etc/named.conf</filename> is read
+      by default.
+    </para>
+    <para>
+      Note: files that <command>named</command> reads in separate
+      parser contexts, such as <filename>rndc.key</filename> and
+      <filename>bind.keys</filename>, are not automatically read
+      by <command>named-checkconf</command>.  Configuration
+      errors in these files may cause <command>named</command> to
+      fail to run, even if <command>named-checkconf</command> was
+      successful.  <command>named-checkconf</command> can be run
+      on these files explicitly, however.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+    <variablelist>
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-j</term>
+        <listitem>
+          <para>
+            When loading a zonefile read the journal if it exists.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l</term>
+        <listitem>
+          <para>
+            List all the configured zones. Each line of output
+            contains the zone name, class (e.g. IN), view, and type
+            (e.g. master or slave).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c</term>
+        <listitem>
+          <para>
+	    Check "core" configuration only. This suppresses the loading
+	    of plugin modules, and causes all parameters to
+	    <command>plugin</command> statements to be ignored.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i</term>
+        <listitem>
+          <para>
+	    Ignore warnings on deprecated options.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p</term>
+        <listitem>
+          <para>
+	    Print out the <filename>named.conf</filename> and included files
+	    in canonical form if no errors were detected.
+            See also the <option>-x</option> option.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Chroot to <filename>directory</filename> so that include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <command>named</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v</term>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkconf</command>
+            program and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-x</term>
+        <listitem>
+          <para>
+	    When printing the configuration files in canonical
+            form, obscure shared secrets by replacing them with
+            strings of question marks ('?'). This allows the
+            contents of <filename>named.conf</filename> and related
+            files to be shared &mdash; for example, when submitting
+            bug reports &mdash; without compromising private data.
+            This option cannot be used without <option>-p</option>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-z</term>
+        <listitem>
+          <para>
+	    Perform a test load of all master zones found in
+	    <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>filename</term>
+        <listitem>
+          <para>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <filename>/etc/named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para><command>named-checkconf</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+</refentry>

bin/check/named-checkconf.html

@@ -0,0 +1,180 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkconf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.named-checkconf"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">named-checkconf</span>
+     &#8212; named configuration file syntax checking tool
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-checkconf</code> 
+       [<code class="option">-chjlvz</code>]
+       [<code class="option">-p</code>
+	 [<code class="option">-x</code>
+      ]]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       {filename}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>named-checkconf</strong></span>
+      checks the syntax, but not the semantics, of a
+      <span class="command"><strong>named</strong></span> configuration file.  The file is parsed
+      and checked for syntax errors, along with all files included by it.
+      If no file is specified, <code class="filename">/etc/named.conf</code> is read
+      by default.
+    </p>
+    <p>
+      Note: files that <span class="command"><strong>named</strong></span> reads in separate
+      parser contexts, such as <code class="filename">rndc.key</code> and
+      <code class="filename">bind.keys</code>, are not automatically read
+      by <span class="command"><strong>named-checkconf</strong></span>.  Configuration
+      errors in these files may cause <span class="command"><strong>named</strong></span> to
+      fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
+      successful.  <span class="command"><strong>named-checkconf</strong></span> can be run
+      on these files explicitly, however.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-h</span></dt>
+<dd>
+          <p>
+            Print the usage summary and exit.
+          </p>
+        </dd>
+<dt><span class="term">-j</span></dt>
+<dd>
+          <p>
+            When loading a zonefile read the journal if it exists.
+          </p>
+        </dd>
+<dt><span class="term">-l</span></dt>
+<dd>
+          <p>
+            List all the configured zones. Each line of output
+            contains the zone name, class (e.g. IN), view, and type
+            (e.g. master or slave).
+          </p>
+        </dd>
+<dt><span class="term">-c</span></dt>
+<dd>
+          <p>
+	    Check "core" configuration only. This suppresses the loading
+	    of plugin modules, and causes all parameters to
+	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
+          </p>
+        </dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+          <p>
+	    Ignore warnings on deprecated options.
+          </p>
+        </dd>
+<dt><span class="term">-p</span></dt>
+<dd>
+          <p>
+	    Print out the <code class="filename">named.conf</code> and included files
+	    in canonical form if no errors were detected.
+            See also the <code class="option">-x</code> option.
+          </p>
+        </dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            Chroot to <code class="filename">directory</code> so that include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <span class="command"><strong>named</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+          <p>
+            Print the version of the <span class="command"><strong>named-checkconf</strong></span>
+            program and exit.
+          </p>
+        </dd>
+<dt><span class="term">-x</span></dt>
+<dd>
+          <p>
+	    When printing the configuration files in canonical
+            form, obscure shared secrets by replacing them with
+            strings of question marks ('?'). This allows the
+            contents of <code class="filename">named.conf</code> and related
+            files to be shared &#8212; for example, when submitting
+            bug reports &#8212; without compromising private data.
+            This option cannot be used without <code class="option">-p</code>.
+          </p>
+        </dd>
+<dt><span class="term">-z</span></dt>
+<dd>
+          <p>
+	    Perform a test load of all master zones found in
+	    <code class="filename">named.conf</code>.
+          </p>
+        </dd>
+<dt><span class="term">filename</span></dt>
+<dd>
+          <p>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <code class="filename">/etc/named.conf</code>.
+          </p>
+        </dd>
+</dl></div>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>RETURN VALUES</h2>
+
+    <p><span class="command"><strong>named-checkconf</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named-checkzone</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+</div></body>
+</html>

bin/check/named-checkconf.rst

@@ -1,105 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_named-checkconf:
-
-named-checkconf - named configuration file syntax checking tool
----------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
-
-Description
-~~~~~~~~~~~
-
-``named-checkconf`` checks the syntax, but not the semantics, of a
-``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
-errors. If no file is specified,
-``/etc/named.conf`` is read by default.
-
-Note: files that ``named`` reads in separate parser contexts, such as
-``rndc.key`` and ``bind.keys``, are not automatically read by
-``named-checkconf``. Configuration errors in these files may cause
-``named`` to fail to run, even if ``named-checkconf`` was successful.
-However, ``named-checkconf`` can be run on these files explicitly.
-
-Options
-~~~~~~~
-
-``-h``
-   This option prints the usage summary and exits.
-
-``-j``
-   When loading a zonefile, this option instructs ``named`` to read the journal if it exists.
-
-``-l``
-   This option lists all the configured zones. Each line of output contains the zone
-   name, class (e.g. IN), view, and type (e.g. primary or secondary).
-
-``-c``
-   This option specifies that only the "core" configuration should be checked. This suppresses the loading of
-   plugin modules, and causes all parameters to ``plugin`` statements to
-   be ignored.
-
-``-i``
-   This option ignores warnings on deprecated options.
-
-``-p``
-   This option prints out the ``named.conf`` and included files in canonical form if
-   no errors were detected. See also the ``-x`` option.
-
-``-t directory``
-   This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   ``named``.
-
-``-v``
-   This option prints the version of the ``named-checkconf`` program and exits.
-
-``-x``
-   When printing the configuration files in canonical form, this option obscures
-   shared secrets by replacing them with strings of question marks
-   (``?``). This allows the contents of ``named.conf`` and related files
-   to be shared - for example, when submitting bug reports -
-   without compromising private data. This option cannot be used without
-   ``-p``.
-
-``-z``
-   This option performs a test load of all zones of type ``primary`` found in ``named.conf``.
-
-``filename``
-   This indicates the name of the configuration file to be checked. If not specified,
-   it defaults to ``/etc/named.conf``.
-
-Return Values
-~~~~~~~~~~~~~
-
-``named-checkconf`` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.

bin/check/named-checkzone.8

@@ -0,0 +1,329 @@
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: named-checkzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-19
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "NAMED\-CHECKZONE" "8" "2014\-02\-19" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+named-checkzone, named-compilezone \- zone file validity checking or converting tool
+.SH "SYNOPSIS"
+.HP \w'\fBnamed\-checkzone\fR\ 'u
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+.HP \w'\fBnamed\-compilezone\fR\ 'u
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
+.SH "DESCRIPTION"
+.PP
+\fBnamed\-checkzone\fR
+checks the syntax and integrity of a zone file\&. It performs the same checks as
+\fBnamed\fR
+does when loading a zone\&. This makes
+\fBnamed\-checkzone\fR
+useful for checking zone files before configuring them into a name server\&.
+.PP
+\fBnamed\-compilezone\fR
+is similar to
+\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
+\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
+\fBnamed\fR
+configuration file\&.
+.SH "OPTIONS"
+.PP
+\-d
+.RS 4
+Enable debugging\&.
+.RE
+.PP
+\-h
+.RS 4
+Print the usage summary and exit\&.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode \- exit code only\&.
+.RE
+.PP
+\-v
+.RS 4
+Print the version of the
+\fBnamed\-checkzone\fR
+program and exit\&.
+.RE
+.PP
+\-j
+.RS 4
+When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
+\&.jnl\&.
+.RE
+.PP
+\-J \fIfilename\fR
+.RS 4
+When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specify the class of the zone\&. If not specified, "IN" is assumed\&.
+.RE
+.PP
+\-i \fImode\fR
+.RS 4
+Perform post\-load zone integrity checks\&. Possible modes are
+\fB"full"\fR
+(default),
+\fB"full\-sibling"\fR,
+\fB"local"\fR,
+\fB"local\-sibling"\fR
+and
+\fB"none"\fR\&.
+.sp
+Mode
+\fB"full"\fR
+checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
+\fB"local"\fR
+only checks MX records which refer to in\-zone hostnames\&.
+.sp
+Mode
+\fB"full"\fR
+checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
+\fB"local"\fR
+only checks SRV records which refer to in\-zone hostnames\&.
+.sp
+Mode
+\fB"full"\fR
+checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
+\fB"local"\fR
+only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
+.sp
+Mode
+\fB"full\-sibling"\fR
+and
+\fB"local\-sibling"\fR
+disable sibling glue checks but are otherwise the same as
+\fB"full"\fR
+and
+\fB"local"\fR
+respectively\&.
+.sp
+Mode
+\fB"none"\fR
+disables the checks\&.
+.RE
+.PP
+\-f \fIformat\fR
+.RS 4
+Specify the format of the zone file\&. Possible formats are
+\fB"text"\fR
+(default),
+\fB"raw"\fR, and
+\fB"map"\fR\&.
+.RE
+.PP
+\-F \fIformat\fR
+.RS 4
+Specify the format of the output file specified\&. For
+\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
+.sp
+Possible formats are
+\fB"text"\fR
+(default), which is the standard textual representation of the zone, and
+\fB"map"\fR,
+\fB"raw"\fR, and
+\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
+\fBnamed\fR\&.
+\fB"raw=N"\fR
+specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
+\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
+.RE
+.PP
+\-k \fImode\fR
+.RS 4
+Perform
+\fB"check\-names"\fR
+checks with the specified failure mode\&. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-l \fIttl\fR
+.RS 4
+Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
+\fBmax\-zone\-ttl\fR
+option in
+named\&.conf\&.
+.RE
+.PP
+\-L \fIserial\fR
+.RS 4
+When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
+.RE
+.PP
+\-m \fImode\fR
+.RS 4
+Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-M \fImode\fR
+.RS 4
+Check if a MX record refers to a CNAME\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-n \fImode\fR
+.RS 4
+Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-o \fIfilename\fR
+.RS 4
+Write zone output to
+filename\&. If
+filename
+is
+\-
+then write to standard out\&. This is mandatory for
+\fBnamed\-compilezone\fR\&.
+.RE
+.PP
+\-r \fImode\fR
+.RS 4
+Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-s \fIstyle\fR
+.RS 4
+Specify the style of the dumped zone file\&. Possible styles are
+\fB"full"\fR
+(default) and
+\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
+\fBnamed\-checkzone\fR
+this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
+.RE
+.PP
+\-S \fImode\fR
+.RS 4
+Check if a SRV record refers to a CNAME\&. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-t \fIdirectory\fR
+.RS 4
+Chroot to
+directory
+so that include directives in the configuration file are processed as if run by a similarly chrooted
+\fBnamed\fR\&.
+.RE
+.PP
+\-T \fImode\fR
+.RS 4
+Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
+\fB"warn"\fR
+(default),
+\fB"ignore"\fR\&.
+.RE
+.PP
+\-w \fIdirectory\fR
+.RS 4
+chdir to
+directory
+so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
+named\&.conf\&.
+.RE
+.PP
+\-D
+.RS 4
+Dump zone file in canonical format\&. This is always enabled for
+\fBnamed\-compilezone\fR\&.
+.RE
+.PP
+\-W \fImode\fR
+.RS 4
+Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR\&.
+.RE
+.PP
+zonename
+.RS 4
+The domain name of the zone being checked\&.
+.RE
+.PP
+filename
+.RS 4
+The name of the zone file\&.
+.RE
+.SH "RETURN VALUES"
+.PP
+\fBnamed\-checkzone\fR
+returns an exit status of 1 if errors were detected and 0 otherwise\&.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBnamed-checkconf\fR(8),
+RFC 1035,
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/check/named-checkzone.c

@@ -72,9 +72,9 @@ usage(void) {
 	fprintf(stderr,
 		"usage: %s [-djqvD] [-c class] "
 		"[-f inputformat] [-F outputformat] [-J filename] "
-		"[-s (full|relative)] [-t directory] [-w directory] "
-		"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
+		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
+		"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+		"[-r (ignore|warn|fail)] "
 		"[-i (full|full-sibling|local|local-sibling|none)] "
 		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
 		"[-W (ignore|warn)] "

bin/check/named-checkzone.docbook

@@ -0,0 +1,529 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
+  <info>
+    <date>2014-02-19</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>named-checkzone</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname><application>named-checkzone</application></refname>
+    <refname><application>named-compilezone</application></refname>
+    <refpurpose>zone file validity checking or converting tool</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>named-checkzone</command>
+      <arg choice="opt" rep="norepeat"><option>-d</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-j</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">zonename</arg>
+      <arg choice="req" rep="norepeat">filename</arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>named-compilezone</command>
+      <arg choice="opt" rep="norepeat"><option>-d</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-j</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="req" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">zonename</arg>
+      <arg choice="req" rep="norepeat">filename</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>named-checkzone</command>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <command>named</command> does when loading a
+      zone.  This makes <command>named-checkzone</command> useful for
+      checking zone files before configuring them into a name server.
+    </para>
+    <para>
+        <command>named-compilezone</command> is similar to
+	<command>named-checkzone</command>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <command>named</command>.
+	When manually specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<command>named</command> configuration file.
+     </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+        <term>-d</term>
+        <listitem>
+          <para>
+            Enable debugging.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-q</term>
+        <listitem>
+          <para>
+            Quiet mode - exit code only.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v</term>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkzone</command>
+            program and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-j</term>
+        <listitem>
+          <para>
+            When loading a zone file, read the journal if it exists.
+            The journal file name is assumed to be the zone file name
+	    appended with the string <filename>.jnl</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-J <replaceable class="parameter">filename</replaceable></term>
+        <listitem>
+          <para>
+            When loading the zone file read the journal from the given
+            file, if it exists. (Implies -j.)
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Specify the class of the zone.  If not specified, "IN" is assumed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	      Perform post-load zone integrity checks.  Possible modes are
+	      <command>"full"</command> (default),
+	      <command>"full-sibling"</command>,
+	      <command>"local"</command>,
+	      <command>"local-sibling"</command> and
+	      <command>"none"</command>.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks MX records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue address records
+	      in the zone match those advertised by the child.
+	      Mode <command>"local"</command> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </para>
+	  <para>
+	      Mode <command>"full-sibling"</command> and
+	      <command>"local-sibling"</command> disable sibling glue
+	      checks but are otherwise the same as <command>"full"</command>
+	      and <command>"local"</command> respectively.
+	  </para>
+	  <para>
+	      Mode <command>"none"</command> disables the checks.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-f <replaceable class="parameter">format</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the format of the zone file.
+	    Possible formats are <command>"text"</command> (default),
+	    <command>"raw"</command>, and <command>"map"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-F <replaceable class="parameter">format</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the format of the output file specified.
+	    For <command>named-checkzone</command>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	  </para>
+	  <para>
+	    Possible formats are <command>"text"</command> (default),
+	    which is the standard textual representation of the zone,
+	    and <command>"map"</command>, <command>"raw"</command>,
+            and <command>"raw=N"</command>, which store the zone in a
+            binary format for rapid loading by <command>named</command>.
+            <command>"raw=N"</command> specifies the format version of
+            the raw zone file: if N is 0, the raw file can be read by
+            any version of <command>named</command>; if N is 1, the file
+            can be read by release 9.9.0 or higher; the default is 1.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Perform <command>"check-names"</command> checks with the
+	    specified failure mode.
+            Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l <replaceable class="parameter">ttl</replaceable></term>
+        <listitem>
+          <para>
+            Sets a maximum permissible TTL for the input file.
+            Any record with a TTL higher than this value will cause
+            the zone to be rejected.  This is similar to using the
+            <command>max-zone-ttl</command> option in
+            <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-L <replaceable class="parameter">serial</replaceable></term>
+        <listitem>
+          <para>
+            When compiling a zone to "raw" or "map" format, set the
+            "source serial" value in the header to the specified serial
+            number.  (This is expected to be used primarily for testing
+            purposes.)
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-m <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-M <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-o <replaceable class="parameter">filename</replaceable></term>
+        <listitem>
+          <para>
+            Write zone output to <filename>filename</filename>.
+	    If <filename>filename</filename> is <filename>-</filename> then
+	    write to standard out.
+	    This is mandatory for <command>named-compilezone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-r <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+            Check for records that are treated as different by DNSSEC but
+	    are semantically equal in plain DNS.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s <replaceable class="parameter">style</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <command>"full"</command> (default)
+	    and <command>"relative"</command>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <command>named-checkzone</command>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-S <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Chroot to <filename>directory</filename> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <command>named</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	    Check if Sender Policy Framework (SPF) records exist
+	    and issues a warning if an SPF-formatted TXT record is
+	    not also present.  Possible modes are <command>"warn"</command>
+	    (default), <command>"ignore"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-w <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            chdir to <filename>directory</filename> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+        <listitem>
+          <para>
+            Dump zone file in canonical format.
+	    This is always enabled for <command>named-compilezone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-W <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <command>"warn"</command> (default)
+            and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>zonename</term>
+        <listitem>
+          <para>
+            The domain name of the zone being checked.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>filename</term>
+        <listitem>
+          <para>
+            The name of the zone file.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para><command>named-checkzone</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>RFC 1035</citetitle>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/check/named-checkzone.html

@@ -0,0 +1,429 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.named-checkzone"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">named-checkzone</span>, 
+    <span class="application">named-compilezone</span>
+     &#8212; zone file validity checking or converting tool
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-checkzone</code> 
+       [<code class="option">-d</code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-j</code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-v</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
+       [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-D</code>]
+       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
+       {zonename}
+       {filename}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">named-compilezone</code> 
+       [<code class="option">-d</code>]
+       [<code class="option">-j</code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-v</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
+       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
+       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-D</code>]
+       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
+       {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
+       {zonename}
+       {filename}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>named-checkzone</strong></span>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <span class="command"><strong>named</strong></span> does when loading a
+      zone.  This makes <span class="command"><strong>named-checkzone</strong></span> useful for
+      checking zone files before configuring them into a name server.
+    </p>
+    <p>
+        <span class="command"><strong>named-compilezone</strong></span> is similar to
+	<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <span class="command"><strong>named</strong></span>.
+	When manually specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<span class="command"><strong>named</strong></span> configuration file.
+     </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-d</span></dt>
+<dd>
+          <p>
+            Enable debugging.
+          </p>
+        </dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+          <p>
+            Print the usage summary and exit.
+          </p>
+        </dd>
+<dt><span class="term">-q</span></dt>
+<dd>
+          <p>
+            Quiet mode - exit code only.
+          </p>
+        </dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+          <p>
+            Print the version of the <span class="command"><strong>named-checkzone</strong></span>
+            program and exit.
+          </p>
+        </dd>
+<dt><span class="term">-j</span></dt>
+<dd>
+          <p>
+            When loading a zone file, read the journal if it exists.
+            The journal file name is assumed to be the zone file name
+	    appended with the string <code class="filename">.jnl</code>.
+          </p>
+        </dd>
+<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
+<dd>
+          <p>
+            When loading the zone file read the journal from the given
+            file, if it exists. (Implies -j.)
+          </p>
+        </dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+          <p>
+            Specify the class of the zone.  If not specified, "IN" is assumed.
+          </p>
+        </dd>
+<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	      Perform post-load zone integrity checks.  Possible modes are
+	      <span class="command"><strong>"full"</strong></span> (default),
+	      <span class="command"><strong>"full-sibling"</strong></span>,
+	      <span class="command"><strong>"local"</strong></span>,
+	      <span class="command"><strong>"local-sibling"</strong></span> and
+	      <span class="command"><strong>"none"</strong></span>.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full"</strong></span> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
+	      checks MX records which refer to in-zone hostnames.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue address records
+	      in the zone match those advertised by the child.
+	      Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"full-sibling"</strong></span> and
+	      <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
+	      checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
+	      and <span class="command"><strong>"local"</strong></span> respectively.
+	  </p>
+	  <p>
+	      Mode <span class="command"><strong>"none"</strong></span> disables the checks.
+	  </p>
+	</dd>
+<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify the format of the zone file.
+	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
+	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify the format of the output file specified.
+	    For <span class="command"><strong>named-checkzone</strong></span>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	  </p>
+	  <p>
+	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
+	    which is the standard textual representation of the zone,
+	    and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
+            and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
+            binary format for rapid loading by <span class="command"><strong>named</strong></span>.
+            <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
+            the raw zone file: if N is 0, the raw file can be read by
+            any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
+            can be read by release 9.9.0 or higher; the default is 1.
+	  </p>
+	</dd>
+<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Perform <span class="command"><strong>"check-names"</strong></span> checks with the
+	    specified failure mode.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>
+	    (default for <span class="command"><strong>named-compilezone</strong></span>),
+            <span class="command"><strong>"warn"</strong></span>
+	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd>
+          <p>
+            Sets a maximum permissible TTL for the input file.
+            Any record with a TTL higher than this value will cause
+            the zone to be rejected.  This is similar to using the
+            <span class="command"><strong>max-zone-ttl</strong></span> option in
+            <code class="filename">named.conf</code>.
+          </p>
+        </dd>
+<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
+<dd>
+          <p>
+            When compiling a zone to "raw" or "map" format, set the
+            "source serial" value in the header to the specified serial
+            number.  (This is expected to be used primarily for testing
+            purposes.)
+          </p>
+        </dd>
+<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+        </dd>
+<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <span class="command"><strong>"fail"</strong></span>
+	    (default for <span class="command"><strong>named-compilezone</strong></span>),
+            <span class="command"><strong>"warn"</strong></span>
+	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
+<dd>
+          <p>
+            Write zone output to <code class="filename">filename</code>.
+	    If <code class="filename">filename</code> is <code class="filename">-</code> then
+	    write to standard out.
+	    This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+            Check for records that are treated as different by DNSSEC but
+	    are semantically equal in plain DNS.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+        </dd>
+<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <span class="command"><strong>"full"</strong></span> (default)
+	    and <span class="command"><strong>"relative"</strong></span>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <span class="command"><strong>named-checkzone</strong></span>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </p>
+	</dd>
+<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <span class="command"><strong>"fail"</strong></span>,
+            <span class="command"><strong>"warn"</strong></span> (default) and
+            <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+        </dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            Chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted <span class="command"><strong>named</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+	  <p>
+	    Check if Sender Policy Framework (SPF) records exist
+	    and issues a warning if an SPF-formatted TXT record is
+	    not also present.  Possible modes are <span class="command"><strong>"warn"</strong></span>
+	    (default), <span class="command"><strong>"ignore"</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            chdir to <code class="filename">directory</code> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <code class="filename">named.conf</code>.
+          </p>
+        </dd>
+<dt><span class="term">-D</span></dt>
+<dd>
+          <p>
+            Dump zone file in canonical format.
+	    This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+          <p>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
+            and
+            <span class="command"><strong>"ignore"</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">zonename</span></dt>
+<dd>
+          <p>
+            The domain name of the zone being checked.
+          </p>
+        </dd>
+<dt><span class="term">filename</span></dt>
+<dd>
+          <p>
+            The name of the zone file.
+          </p>
+        </dd>
+</dl></div>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>RETURN VALUES</h2>
+
+    <p><span class="command"><strong>named-checkzone</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named-checkconf</span>(8)
+      </span>,
+      <em class="citetitle">RFC 1035</em>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/check/named-checkzone.rst

@@ -1,215 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_named-checkzone:
-
-named-checkzone, named-compilezone - zone file validity checking or converting tool
------------------------------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
-
-:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
-
-Description
-~~~~~~~~~~~
-
-``named-checkzone`` checks the syntax and integrity of a zone file. It
-performs the same checks as ``named`` does when loading a zone. This
-makes ``named-checkzone`` useful for checking zone files before
-configuring them into a name server.
-
-``named-compilezone`` is similar to ``named-checkzone``, but it always
-dumps the zone contents to a specified file in a specified format.
-It also applies stricter check levels by default, since the
-dump output is used as an actual zone file loaded by ``named``.
-When manually specified otherwise, the check levels must at least be as
-strict as those specified in the ``named`` configuration file.
-
-Options
-~~~~~~~
-
-``-d``
-   This option enables debugging.
-
-``-h``
-   This option prints the usage summary and exits.
-
-``-q``
-   This option sets quiet mode, which only sets an exit code to indicate
-   successful or failed completion.
-
-``-v``
-   This option prints the version of the ``named-checkzone`` program and exits.
-
-``-j``
-   When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
-   file name is assumed to be the zone file name with the
-   string ``.jnl`` appended.
-
-``-J filename``
-   When loading the zone file, this option tells ``named`` to read the journal from the given file, if
-   it exists. This implies ``-j``.
-
-``-c class``
-   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
-
-``-i mode``
-   This option performs post-load zone integrity checks. Possible modes are
-   ``full`` (the default), ``full-sibling``, ``local``,
-   ``local-sibling``, and ``none``.
-
-   Mode ``full`` checks that MX records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks MX records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that SRV records refer to A or AAAA records
-   (both in-zone and out-of-zone hostnames). Mode ``local`` only
-   checks SRV records which refer to in-zone hostnames.
-
-   Mode ``full`` checks that delegation NS records refer to A or AAAA
-   records (both in-zone and out-of-zone hostnames). It also checks that
-   glue address records in the zone match those advertised by the child.
-   Mode ``local`` only checks NS records which refer to in-zone
-   hostnames or verifies that some required glue exists, i.e., when the
-   name server is in a child zone.
-
-   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
-   checks, but are otherwise the same as ``full`` and ``local``,
-   respectively.
-
-   Mode ``none`` disables the checks.
-
-``-f format``
-   This option specifies the format of the zone file. Possible formats are ``text``
-   (the default), ``raw``, and ``map``.
-
-``-F format``
-   This option specifies the format of the output file specified. For
-   ``named-checkzone``, this does not have any effect unless it dumps
-   the zone contents.
-
-   Possible formats are ``text`` (the default), which is the standard
-   textual representation of the zone, and ``map``, ``raw``, and
-   ``raw=N``, which store the zone in a binary format for rapid
-   loading by ``named``. ``raw=N`` specifies the format version of the
-   raw zone file: if ``N`` is 0, the raw file can be read by any version of
-   ``named``; if N is 1, the file can only be read by release 9.9.0 or
-   higher. The default is 1.
-
-``-k mode``
-   This option performs ``check-names`` checks with the specified failure mode.
-   Possible modes are ``fail`` (the default for ``named-compilezone``),
-   ``warn`` (the default for ``named-checkzone``), and ``ignore``.
-
-``-l ttl``
-   This option sets a maximum permissible TTL for the input file. Any record with a
-   TTL higher than this value causes the zone to be rejected. This
-   is similar to using the ``max-zone-ttl`` option in ``named.conf``.
-
-``-L serial``
-   When compiling a zone to ``raw`` or ``map`` format, this option sets the "source
-   serial" value in the header to the specified serial number. This is
-   expected to be used primarily for testing purposes.
-
-``-m mode``
-   This option specifies whether MX records should be checked to see if they are
-   addresses. Possible modes are ``fail``, ``warn`` (the default), and
-   ``ignore``.
-
-``-M mode``
-   This option checks whether a MX record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
-
-``-n mode``
-   This option specifies whether NS records should be checked to see if they are
-   addresses. Possible modes are ``fail`` (the default for
-   ``named-compilezone``), ``warn`` (the default for ``named-checkzone``),
-   and ``ignore``.
-
-``-o filename``
-   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
-   the zone output is written to standard output. This is mandatory for ``named-compilezone``.
-
-``-r mode``
-   This option checks for records that are treated as different by DNSSEC but are
-   semantically equal in plain DNS. Possible modes are ``fail``,
-   ``warn`` (the default), and ``ignore``.
-
-``-s style``
-   This option specifies the style of the dumped zone file. Possible styles are
-   ``full`` (the default) and ``relative``. The ``full`` format is most
-   suitable for processing automatically by a separate script.
-   The relative format is more human-readable and is thus
-   suitable for editing by hand. For ``named-checkzone``, this does not
-   have any effect unless it dumps the zone contents. It also does not
-   have any meaning if the output format is not text.
-
-``-S mode``
-   This option checks whether an SRV record refers to a CNAME. Possible modes are
-   ``fail``, ``warn`` (the default), and ``ignore``.
-
-``-t directory``
-   This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
-   configuration file are processed as if run by a similarly chrooted
-   ``named``.
-
-``-T mode``
-   This option checks whether Sender Policy Framework (SPF) records exist and issues a
-   warning if an SPF-formatted TXT record is not also present. Possible
-   modes are ``warn`` (the default) and ``ignore``.
-
-``-w directory``
-   This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
-   ``$INCLUDE`` directives work. This is similar to the directory clause in
-   ``named.conf``.
-
-``-D``
-   This option dumps the zone file in canonical format. This is always enabled for
-   ``named-compilezone``.
-
-``-W mode``
-   This option specifies whether to check for non-terminal wildcards. Non-terminal
-   wildcards are almost always the result of a failure to understand the
-   wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn``
-   (the default) and ``ignore``.
-
-``zonename``
-   This indicates the domain name of the zone being checked.
-
-``filename``
-   This is the name of the zone file.
-
-Return Values
-~~~~~~~~~~~~~
-
-``named-checkzone`` returns an exit status of 1 if errors were detected
-and 0 otherwise.
-
-See Also
-~~~~~~~~
-
-:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference
-Manual.

bin/check/win32/checkconf.vcxproj.in

@@ -118,26 +118,6 @@
   <ItemGroup>
     <ClCompile Include="..\named-checkconf.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
-      <Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\check\win32\checktool.vcxproj">
-      <Project>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/check/win32/checktool.vcxproj.in

@@ -104,20 +104,6 @@
       <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
     </Lib>
   </ItemDefinitionGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
-      <Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/check/win32/checkzone.vcxproj.in

@@ -129,23 +129,6 @@ copy /Y named-checkzone.exe named-compilezone.exe
   <ItemGroup>
     <ClCompile Include="..\named-checkzone.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\ns\win32\libns.vcxproj">
-      <Project>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\check\win32\checktool.vcxproj">
-      <Project>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/confgen/Makefile.am

@@ -20,11 +20,11 @@ libconfgen_la_SOURCES =		\
 	util.c			\
 	unix/os.c
 
-sbin_PROGRAMS = tsig-keygen rndc-confgen
+sbin_PROGRAMS = rndc-confgen ddns-confgen
 
 install-exec-hook:
-	ln -f $(DESTDIR)$(sbindir)/tsig-keygen \
-	      $(DESTDIR)$(sbindir)/ddns-confgen
+	ln -f $(DESTDIR)$(sbindir)/ddns-confgen \
+	      $(DESTDIR)$(sbindir)/tsig-confgen
 
 uninstall-hook:
-	-rm -f $(DESTDIR)$(sbindir)/ddns-confgen
+	-rm -f $(DESTDIR)$(sbindir)/tsig-confgen

bin/confgen/ddns-confgen.8

@@ -0,0 +1,148 @@
+.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: ddns-confgen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-03-06
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DDNS\-CONFGEN" "8" "2014\-03\-06" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+ddns-confgen \- ddns key generation tool
+.SH "SYNOPSIS"
+.HP \w'\fBtsig\-keygen\fR\ 'u
+\fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [name]
+.HP \w'\fBddns\-confgen\fR\ 'u
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
+.SH "DESCRIPTION"
+.PP
+\fBtsig\-keygen\fR
+and
+\fBddns\-confgen\fR
+are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
+\fBrndc\fR
+command channel\&.
+.PP
+When run as
+\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
+\fBtsig\-key\fR\&.
+.PP
+When run as
+\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
+\fBnsupdate\fR
+and
+\fBnamed\fR
+when setting up dynamic DNS, including an example
+\fBupdate\-policy\fR
+statement\&. (This usage similar to the
+\fBrndc\-confgen\fR
+command for setting up command channel security\&.)
+.PP
+Note that
+\fBnamed\fR
+itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fR: it does this when a zone is configured with
+\fBupdate\-policy local;\fR\&.
+\fBddns\-confgen\fR
+is only needed when a more elaborate configuration is required: for instance, if
+\fBnsupdate\fR
+is to be used from a remote system\&.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of options and arguments\&.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the DDNS authentication key\&. The default is
+\fBddns\-key\fR
+when neither the
+\fB\-s\fR
+nor
+\fB\-z\fR
+option is specified; otherwise, the default is
+\fBddns\-key\fR
+as a separate label followed by the argument of the option, e\&.g\&.,
+\fBddns\-key\&.example\&.com\&.\fR
+The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
+.RE
+.PP
+\-q
+.RS 4
+(\fBddns\-confgen\fR
+only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
+\fBtsig\-keygen\fR\&.
+.RE
+.PP
+\-s \fIname\fR
+.RS 4
+(\fBddns\-confgen\fR
+only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
+\fBnamed\&.conf\fR
+text shows how to set an update policy for the specified
+\fIname\fR
+using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
+\fB\-z\fR
+option\&.
+.RE
+.PP
+\-z \fIzone\fR
+.RS 4
+(\fBddns\-confgen\fR
+only\&.) Generate configuration example to allow dynamic updates of a zone: The example
+\fBnamed\&.conf\fR
+text shows how to set an update policy for the specified
+\fIzone\fR
+using the "zonesub" nametype, allowing updates to all subdomain names within that
+\fIzone\fR\&. This option cannot be used with the
+\fB\-s\fR
+option\&.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBnsupdate\fR(1),
+\fBnamed.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/confgen/ddns-confgen.c

@@ -12,8 +12,9 @@
 /*! \file */
 
 /**
- * tsig-keygen generates TSIG keys that can be used in named configuration
- * files for dynamic DNS.
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
  */
 
 #include <stdarg.h>

bin/confgen/ddns-confgen.docbook

@@ -0,0 +1,213 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
+  <info>
+    <date>2014-03-06</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>ddns-confgen</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>ddns-confgen</application></refname>
+    <refpurpose>ddns key generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>tsig-keygen</command>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat">name</arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>ddns-confgen</command>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+      <group choice="opt" rep="norepeat">
+        <arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
+        <arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
+      </group>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      <command>tsig-keygen</command> and <command>ddns-confgen</command>
+      are invocation methods for a utility that generates keys for use
+      in TSIG signing.  The resulting keys can be used, for example,
+      to secure dynamic DNS updates to a zone or for the
+      <command>rndc</command> command channel.
+    </para>
+
+    <para>
+      When run as <command>tsig-keygen</command>, a domain name
+      can be specified on the command line which will be used as
+      the name of the generated key.  If no name is specified,
+      the default is <constant>tsig-key</constant>.
+    </para>
+
+    <para>
+      When run as <command>ddns-confgen</command>, the generated
+      key is accompanied by configuration text and instructions
+      that can be used with <command>nsupdate</command> and
+      <command>named</command> when setting up dynamic DNS,
+      including an example <command>update-policy</command>
+      statement.  (This usage similar to the
+      <command>rndc-confgen</command> command for setting
+      up command channel security.)
+    </para>
+
+    <para>
+      Note that <command>named</command> itself can configure a
+      local DDNS key for use with <command>nsupdate -l</command>:
+      it does this when a zone is configured with
+      <command>update-policy local;</command>.
+      <command>ddns-confgen</command> is only needed when a
+      more elaborate configuration is required: for instance,
+      if <command>nsupdate</command> is to be used from a remote
+      system.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
+	<listitem>
+	  <para>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+            Options are case-insensitive, and the "hmac-" prefix
+            may be omitted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints a short summary of options and arguments.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-k <replaceable class="parameter">keyname</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the key name of the DDNS authentication key.
+	    The default is <constant>ddns-key</constant> when neither
+	    the <option>-s</option> nor <option>-z</option> option is
+	    specified; otherwise, the default
+	    is <constant>ddns-key</constant> as a separate label
+	    followed by the argument of the option, e.g.,
+	    <constant>ddns-key.example.com.</constant>
+	    The key name must have the format of a valid domain name,
+	    consisting of letters, digits, hyphens and periods.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-q</term>
+	<listitem>
+	  <para>
+	    (<command>ddns-confgen</command> only.) Quiet mode:  Print
+            only the key, with no explanatory text or usage examples;
+            This is essentially identical to <command>tsig-keygen</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s <replaceable class="parameter">name</replaceable></term>
+	<listitem>
+	  <para>
+            (<command>ddns-confgen</command> only.)
+	    Generate configuration example to allow dynamic updates
+            of a single hostname.  The example <command>named.conf</command>
+            text shows how to set an update policy for the specified
+            <replaceable class="parameter">name</replaceable>
+	    using the "name" nametype.  The default key name is
+	    ddns-key.<replaceable class="parameter">name</replaceable>.
+	    Note that the "self" nametype cannot be used, since
+	    the name to be updated may differ from the key name.
+	    This option cannot be used with the <option>-z</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-z <replaceable class="parameter">zone</replaceable></term>
+	<listitem>
+	  <para>
+            (<command>ddns-confgen</command> only.)
+	    Generate configuration example to allow dynamic updates
+            of a zone:  The example <command>named.conf</command> text
+            shows how to set an update policy for the specified
+	    <replaceable class="parameter">zone</replaceable>
+	    using the "zonesub" nametype, allowing updates to
+            all subdomain names within that
+            <replaceable class="parameter">zone</replaceable>.
+	    This option cannot be used with the <option>-s</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+	<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/confgen/ddns-confgen.html

@@ -0,0 +1,187 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">ddns-confgen</span>
+     &#8212; ddns key generation tool
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">tsig-keygen</code> 
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-h</code>]
+       [name]
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">ddns-confgen</code> 
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
+       [
+         -s <em class="replaceable"><code>name</code></em> 
+         |   -z <em class="replaceable"><code>zone</code></em> 
+      ]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      <span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
+      are invocation methods for a utility that generates keys for use
+      in TSIG signing.  The resulting keys can be used, for example,
+      to secure dynamic DNS updates to a zone or for the
+      <span class="command"><strong>rndc</strong></span> command channel.
+    </p>
+
+    <p>
+      When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
+      can be specified on the command line which will be used as
+      the name of the generated key.  If no name is specified,
+      the default is <code class="constant">tsig-key</code>.
+    </p>
+
+    <p>
+      When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
+      key is accompanied by configuration text and instructions
+      that can be used with <span class="command"><strong>nsupdate</strong></span> and
+      <span class="command"><strong>named</strong></span> when setting up dynamic DNS,
+      including an example <span class="command"><strong>update-policy</strong></span>
+      statement.  (This usage similar to the
+      <span class="command"><strong>rndc-confgen</strong></span> command for setting
+      up command channel security.)
+    </p>
+
+    <p>
+      Note that <span class="command"><strong>named</strong></span> itself can configure a
+      local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
+      it does this when a zone is configured with
+      <span class="command"><strong>update-policy local;</strong></span>.
+      <span class="command"><strong>ddns-confgen</strong></span> is only needed when a
+      more elaborate configuration is required: for instance,
+      if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
+      system.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+	  <p>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+            Options are case-insensitive, and the "hmac-" prefix
+            may be omitted.
+	  </p>
+	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints a short summary of options and arguments.
+	  </p>
+	</dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the key name of the DDNS authentication key.
+	    The default is <code class="constant">ddns-key</code> when neither
+	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
+	    specified; otherwise, the default
+	    is <code class="constant">ddns-key</code> as a separate label
+	    followed by the argument of the option, e.g.,
+	    <code class="constant">ddns-key.example.com.</code>
+	    The key name must have the format of a valid domain name,
+	    consisting of letters, digits, hyphens and periods.
+	  </p>
+	</dd>
+<dt><span class="term">-q</span></dt>
+<dd>
+	  <p>
+	    (<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode:  Print
+            only the key, with no explanatory text or usage examples;
+            This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd>
+	  <p>
+            (<span class="command"><strong>ddns-confgen</strong></span> only.)
+	    Generate configuration example to allow dynamic updates
+            of a single hostname.  The example <span class="command"><strong>named.conf</strong></span>
+            text shows how to set an update policy for the specified
+            <em class="replaceable"><code>name</code></em>
+	    using the "name" nametype.  The default key name is
+	    ddns-key.<em class="replaceable"><code>name</code></em>.
+	    Note that the "self" nametype cannot be used, since
+	    the name to be updated may differ from the key name.
+	    This option cannot be used with the <code class="option">-z</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd>
+	  <p>
+            (<span class="command"><strong>ddns-confgen</strong></span> only.)
+	    Generate configuration example to allow dynamic updates
+            of a zone:  The example <span class="command"><strong>named.conf</strong></span> text
+            shows how to set an update policy for the specified
+	    <em class="replaceable"><code>zone</code></em>
+	    using the "zonesub" nametype, allowing updates to
+            all subdomain names within that
+            <em class="replaceable"><code>zone</code></em>.
+	    This option cannot be used with the <code class="option">-s</code> option.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">nsupdate</span>(1)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named.conf</span>(5)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/confgen/keygen.c

@@ -198,4 +198,5 @@ write_key_file(const char *keyfile, const char *user, const char *keyname,
 	if (fclose(fd)) {
 		fatal("fclose(%s) failed\n", keyfile);
 	}
+	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
 }

bin/confgen/rndc-confgen.8

@@ -0,0 +1,210 @@
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: rndc-confgen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2013-03-14
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "RNDC\-CONFGEN" "8" "2013\-03\-14" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+rndc-confgen \- rndc key generation tool
+.SH "SYNOPSIS"
+.HP \w'\fBrndc\-confgen\fR\ 'u
+\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-A\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBrndc\-confgen\fR
+generates configuration files for
+\fBrndc\fR\&. It can be used as a convenient alternative to writing the
+rndc\&.conf
+file and the corresponding
+\fBcontrols\fR
+and
+\fBkey\fR
+statements in
+named\&.conf
+by hand\&. Alternatively, it can be run with the
+\fB\-a\fR
+option to set up a
+rndc\&.key
+file and avoid the need for a
+rndc\&.conf
+file and a
+\fBcontrols\fR
+statement altogether\&.
+.SH "OPTIONS"
+.PP
+\-a
+.RS 4
+Do automatic
+\fBrndc\fR
+configuration\&. This creates a file
+rndc\&.key
+in
+/etc
+(or whatever
+\fIsysconfdir\fR
+was specified as when
+BIND
+was built) that is read by both
+\fBrndc\fR
+and
+\fBnamed\fR
+on startup\&. The
+rndc\&.key
+file defines a default command channel and authentication key allowing
+\fBrndc\fR
+to communicate with
+\fBnamed\fR
+on the local host with no further configuration\&.
+.sp
+Running
+\fBrndc\-confgen \-a\fR
+allows BIND 9 and
+\fBrndc\fR
+to be used as drop\-in replacements for BIND 8 and
+\fBndc\fR, with no changes to the existing BIND 8
+named\&.conf
+file\&.
+.sp
+If a more elaborate configuration than that generated by
+\fBrndc\-confgen \-a\fR
+is required, for example if rndc is to be used remotely, you should run
+\fBrndc\-confgen\fR
+without the
+\fB\-a\fR
+option and set up a
+rndc\&.conf
+and
+named\&.conf
+as directed\&.
+.RE
+.PP
+\-A \fIalgorithm\fR
+.RS 4
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
+.RE
+.PP
+\-b \fIkeysize\fR
+.RS 4
+Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is the hash size\&.
+.RE
+.PP
+\-c \fIkeyfile\fR
+.RS 4
+Used with the
+\fB\-a\fR
+option to specify an alternate location for
+rndc\&.key\&.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBrndc\-confgen\fR\&.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is
+\fBrndc\-key\fR\&.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Specifies the command channel port where
+\fBnamed\fR
+listens for connections from
+\fBrndc\fR\&. The default is 953\&.
+.RE
+.PP
+\-s \fIaddress\fR
+.RS 4
+Specifies the IP address where
+\fBnamed\fR
+listens for command channel connections from
+\fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
+.RE
+.PP
+\-t \fIchrootdir\fR
+.RS 4
+Used with the
+\fB\-a\fR
+option to specify a directory where
+\fBnamed\fR
+will run chrooted\&. An additional copy of the
+rndc\&.key
+will be written relative to this directory so that it will be found by the chrooted
+\fBnamed\fR\&.
+.RE
+.PP
+\-u \fIuser\fR
+.RS 4
+Used with the
+\fB\-a\fR
+option to set the owner of the
+rndc\&.key
+file generated\&. If
+\fB\-t\fR
+is also specified only the file in the chroot area has its owner changed\&.
+.RE
+.SH "EXAMPLES"
+.PP
+To allow
+\fBrndc\fR
+to be used with no manual configuration, run
+.PP
+\fBrndc\-confgen \-a\fR
+.PP
+To print a sample
+rndc\&.conf
+file and corresponding
+\fBcontrols\fR
+and
+\fBkey\fR
+statements to be manually inserted into
+named\&.conf, run
+.PP
+\fBrndc\-confgen\fR
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBrndc.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/confgen/rndc-confgen.c

@@ -76,7 +76,6 @@ Usage:\n\
   -c keyfile:	 specify an alternate key file (requires -a)\n\
   -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
   -p port:	 the port named will listen on and rndc will connect to\n\
-  -q:		 suppress printing written key path\n\
   -s addr:	 the address to which rndc should connect\n\
   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
@@ -105,7 +104,6 @@ main(int argc, char **argv) {
 	char *chrootdir = NULL;
 	char *user = NULL;
 	bool keyonly = false;
-	bool quiet = false;
 	int len;
 
 	keydef = keyfile = RNDC_KEYFILE;
@@ -166,9 +164,6 @@ main(int argc, char **argv) {
 				      isc_commandline_argument);
 			}
 			break;
-		case 'q':
-			quiet = true;
-			break;
 		case 'r':
 			fatal("The -r option has been deprecated.");
 			break;
@@ -232,9 +227,6 @@ main(int argc, char **argv) {
 	if (keyonly) {
 		write_key_file(keyfile, chrootdir == NULL ? user : NULL,
 			       keyname, &key_txtbuffer, alg);
-		if (!quiet) {
-			printf("wrote key file \"%s\"\n", keyfile);
-		}
 
 		if (chrootdir != NULL) {
 			char *buf;
@@ -244,9 +236,6 @@ main(int argc, char **argv) {
 				 (*keyfile != '/') ? "/" : "", keyfile);
 
 			write_key_file(buf, user, keyname, &key_txtbuffer, alg);
-			if (!quiet) {
-				printf("wrote key file \"%s\"\n", buf);
-			}
 			isc_mem_put(mctx, buf, len);
 		}
 	} else {

bin/confgen/rndc-confgen.docbook

@@ -0,0 +1,271 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
+  <info>
+    <date>2013-03-14</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>rndc-confgen</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>rndc-confgen</application></refname>
+    <refpurpose>rndc key generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2001</year>
+      <year>2003</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2009</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>rndc-confgen</command>
+      <arg choice="opt" rep="norepeat"><option>-a</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">address</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>rndc-confgen</command>
+      generates configuration files
+      for <command>rndc</command>.  It can be used as a
+      convenient alternative to writing the
+      <filename>rndc.conf</filename> file
+      and the corresponding <command>controls</command>
+      and <command>key</command>
+      statements in <filename>named.conf</filename> by hand.
+      Alternatively, it can be run with the <command>-a</command>
+      option to set up a <filename>rndc.key</filename> file and
+      avoid the need for a <filename>rndc.conf</filename> file
+      and a <command>controls</command> statement altogether.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+        <term>-a</term>
+        <listitem>
+          <para>
+            Do automatic <command>rndc</command> configuration.
+            This creates a file <filename>rndc.key</filename>
+            in <filename>/etc</filename> (or whatever
+            <varname>sysconfdir</varname>
+            was specified as when <acronym>BIND</acronym> was
+            built)
+            that is read by both <command>rndc</command>
+            and <command>named</command> on startup.  The
+            <filename>rndc.key</filename> file defines a default
+            command channel and authentication key allowing
+            <command>rndc</command> to communicate with
+            <command>named</command> on the local host
+            with no further configuration.
+          </para>
+          <para>
+            Running <command>rndc-confgen -a</command> allows
+            BIND 9 and <command>rndc</command> to be used as
+            drop-in
+            replacements for BIND 8 and <command>ndc</command>,
+            with no changes to the existing BIND 8
+            <filename>named.conf</filename> file.
+          </para>
+          <para>
+            If a more elaborate configuration than that
+            generated by <command>rndc-confgen -a</command>
+            is required, for example if rndc is to be used remotely,
+            you should run <command>rndc-confgen</command> without
+            the
+            <command>-a</command> option and set up a
+            <filename>rndc.conf</filename> and
+            <filename>named.conf</filename>
+            as directed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-A <replaceable class="parameter">algorithm</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-b <replaceable class="parameter">keysize</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the size of the authentication key in bits.
+            Must be between 1 and 512 bits; the default is the
+            hash size.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c <replaceable class="parameter">keyfile</replaceable></term>
+        <listitem>
+          <para>
+            Used with the <command>-a</command> option to specify
+            an alternate location for <filename>rndc.key</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Prints a short summary of the options and arguments to
+            <command>rndc-confgen</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k <replaceable class="parameter">keyname</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the key name of the rndc authentication key.
+            This must be a valid domain name.
+            The default is <constant>rndc-key</constant>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p <replaceable class="parameter">port</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the command channel port where <command>named</command>
+            listens for connections from <command>rndc</command>.
+            The default is 953.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-s <replaceable class="parameter">address</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the IP address where <command>named</command>
+            listens for command channel connections from
+            <command>rndc</command>.  The default is the loopback
+            address 127.0.0.1.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
+        <listitem>
+          <para>
+            Used with the <command>-a</command> option to specify
+            a directory where <command>named</command> will run
+            chrooted.  An additional copy of the <filename>rndc.key</filename>
+            will be written relative to this directory so that
+            it will be found by the chrooted <command>named</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-u <replaceable class="parameter">user</replaceable></term>
+        <listitem>
+          <para>
+            Used with the <command>-a</command> option to set the
+            owner
+            of the <filename>rndc.key</filename> file generated.
+            If
+            <command>-t</command> is also specified only the file
+            in
+            the chroot area has its owner changed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>EXAMPLES</title></info>
+
+    <para>
+      To allow <command>rndc</command> to be used with
+      no manual configuration, run
+    </para>
+    <para><userinput>rndc-confgen -a</userinput>
+    </para>
+    <para>
+      To print a sample <filename>rndc.conf</filename> file and
+      corresponding <command>controls</command> and <command>key</command>
+      statements to be manually inserted into <filename>named.conf</filename>,
+      run
+    </para>
+    <para><userinput>rndc-confgen</userinput>
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/confgen/rndc-confgen.html

@@ -0,0 +1,226 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.rndc-confgen"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">rndc-confgen</span>
+     &#8212; rndc key generation tool
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">rndc-confgen</code> 
+       [<code class="option">-a</code>]
+       [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
+       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
+       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>rndc-confgen</strong></span>
+      generates configuration files
+      for <span class="command"><strong>rndc</strong></span>.  It can be used as a
+      convenient alternative to writing the
+      <code class="filename">rndc.conf</code> file
+      and the corresponding <span class="command"><strong>controls</strong></span>
+      and <span class="command"><strong>key</strong></span>
+      statements in <code class="filename">named.conf</code> by hand.
+      Alternatively, it can be run with the <span class="command"><strong>-a</strong></span>
+      option to set up a <code class="filename">rndc.key</code> file and
+      avoid the need for a <code class="filename">rndc.conf</code> file
+      and a <span class="command"><strong>controls</strong></span> statement altogether.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a</span></dt>
+<dd>
+          <p>
+            Do automatic <span class="command"><strong>rndc</strong></span> configuration.
+            This creates a file <code class="filename">rndc.key</code>
+            in <code class="filename">/etc</code> (or whatever
+            <code class="varname">sysconfdir</code>
+            was specified as when <acronym class="acronym">BIND</acronym> was
+            built)
+            that is read by both <span class="command"><strong>rndc</strong></span>
+            and <span class="command"><strong>named</strong></span> on startup.  The
+            <code class="filename">rndc.key</code> file defines a default
+            command channel and authentication key allowing
+            <span class="command"><strong>rndc</strong></span> to communicate with
+            <span class="command"><strong>named</strong></span> on the local host
+            with no further configuration.
+          </p>
+          <p>
+            Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
+            BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
+            drop-in
+            replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>,
+            with no changes to the existing BIND 8
+            <code class="filename">named.conf</code> file.
+          </p>
+          <p>
+            If a more elaborate configuration than that
+            generated by <span class="command"><strong>rndc-confgen -a</strong></span>
+            is required, for example if rndc is to be used remotely,
+            you should run <span class="command"><strong>rndc-confgen</strong></span> without
+            the
+            <span class="command"><strong>-a</strong></span> option and set up a
+            <code class="filename">rndc.conf</code> and
+            <code class="filename">named.conf</code>
+            as directed.
+          </p>
+        </dd>
+<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+          <p>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+          </p>
+        </dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd>
+          <p>
+            Specifies the size of the authentication key in bits.
+            Must be between 1 and 512 bits; the default is the
+            hash size.
+          </p>
+        </dd>
+<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
+<dd>
+          <p>
+            Used with the <span class="command"><strong>-a</strong></span> option to specify
+            an alternate location for <code class="filename">rndc.key</code>.
+          </p>
+        </dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+          <p>
+            Prints a short summary of the options and arguments to
+            <span class="command"><strong>rndc-confgen</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd>
+          <p>
+            Specifies the key name of the rndc authentication key.
+            This must be a valid domain name.
+            The default is <code class="constant">rndc-key</code>.
+          </p>
+        </dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd>
+          <p>
+            Specifies the command channel port where <span class="command"><strong>named</strong></span>
+            listens for connections from <span class="command"><strong>rndc</strong></span>.
+            The default is 953.
+          </p>
+        </dd>
+<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
+<dd>
+          <p>
+            Specifies the IP address where <span class="command"><strong>named</strong></span>
+            listens for command channel connections from
+            <span class="command"><strong>rndc</strong></span>.  The default is the loopback
+            address 127.0.0.1.
+          </p>
+        </dd>
+<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
+<dd>
+          <p>
+            Used with the <span class="command"><strong>-a</strong></span> option to specify
+            a directory where <span class="command"><strong>named</strong></span> will run
+            chrooted.  An additional copy of the <code class="filename">rndc.key</code>
+            will be written relative to this directory so that
+            it will be found by the chrooted <span class="command"><strong>named</strong></span>.
+          </p>
+        </dd>
+<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
+<dd>
+          <p>
+            Used with the <span class="command"><strong>-a</strong></span> option to set the
+            owner
+            of the <code class="filename">rndc.key</code> file generated.
+            If
+            <span class="command"><strong>-t</strong></span> is also specified only the file
+            in
+            the chroot area has its owner changed.
+          </p>
+        </dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>EXAMPLES</h2>
+
+    <p>
+      To allow <span class="command"><strong>rndc</strong></span> to be used with
+      no manual configuration, run
+    </p>
+    <p><strong class="userinput"><code>rndc-confgen -a</code></strong>
+    </p>
+    <p>
+      To print a sample <code class="filename">rndc.conf</code> file and
+      corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
+      statements to be manually inserted into <code class="filename">named.conf</code>,
+      run
+    </p>
+    <p><strong class="userinput"><code>rndc-confgen</code></strong>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">rndc</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">rndc.conf</span>(5)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/confgen/rndc-confgen.rst

@@ -1,119 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_rndc-confgen:
-
-rndc-confgen - rndc key generation tool
----------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
-
-Description
-~~~~~~~~~~~
-
-``rndc-confgen`` generates configuration files for ``rndc``. It can be
-used as a convenient alternative to writing the ``rndc.conf`` file and
-the corresponding ``controls`` and ``key`` statements in ``named.conf``
-by hand. Alternatively, it can be run with the ``-a`` option to set up a
-``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
-``controls`` statement altogether.
-
-Options
-~~~~~~~
-
-``-a``
-   This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
-   in ``/etc`` (or a different ``sysconfdir`` specified when BIND
-   was built) that is read by both ``rndc`` and ``named`` on startup.
-   The ``rndc.key`` file defines a default command channel and
-   authentication key allowing ``rndc`` to communicate with ``named`` on
-   the local host with no further configuration.
-
-   If a more elaborate configuration than that generated by
-   ``rndc-confgen -a`` is required, for example if rndc is to be used
-   remotely, run ``rndc-confgen`` without the ``-a`` option
-   and set up ``rndc.conf`` and ``named.conf`` as directed.
-
-``-A algorithm``
-   This option specifies the algorithm to use for the TSIG key. Available choices
-   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
-   hmac-sha512. The default is hmac-sha256.
-
-``-b keysize``
-   This option specifies the size of the authentication key in bits. The size must be between
-   1 and 512 bits; the default is the hash size.
-
-``-c keyfile``
-   This option is used with the ``-a`` option to specify an alternate location for
-   ``rndc.key``.
-
-``-h``
-   This option prints a short summary of the options and arguments to
-   ``rndc-confgen``.
-
-``-k keyname``
-   This option specifies the key name of the ``rndc`` authentication key. This must be a
-   valid domain name. The default is ``rndc-key``.
-
-``-p port``
-   This option specifies the command channel port where ``named`` listens for
-   connections from ``rndc``. The default is 953.
-
-``-q``
-   This option prevets printing the written path in automatic configuration mode.
-
-``-s address``
-   This option specifies the IP address where ``named`` listens for command-channel
-   connections from ``rndc``. The default is the loopback address
-   127.0.0.1.
-
-``-t chrootdir``
-   This option is used with the ``-a`` option to specify a directory where ``named``
-   runs chrooted. An additional copy of the ``rndc.key`` is
-   written relative to this directory, so that it is found by the
-   chrooted ``named``.
-
-``-u user``
-   This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file.
-   If ``-t`` is also specified, only the file in the chroot
-   area has its owner changed.
-
-Examples
-~~~~~~~~
-
-To allow ``rndc`` to be used with no manual configuration, run:
-
-``rndc-confgen -a``
-
-To print a sample ``rndc.conf`` file and the corresponding ``controls`` and
-``key`` statements to be manually inserted into ``named.conf``, run:
-
-``rndc-confgen``
-
-See Also
-~~~~~~~~
-
-:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/tsig-keygen.rst

@@ -1,103 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_tsig-keygen:
-
-tsig-keygen, ddns-confgen - TSIG key generation tool
-----------------------------------------------------
-
-Synopsis
-~~~~~~~~
-:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name]
-
-:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
-
-Description
-~~~~~~~~~~~
-
-``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
-utility that generates keys for use in TSIG signing. The resulting keys
-can be used, for example, to secure dynamic DNS updates to a zone, or for
-the ``rndc`` command channel.
-
-When run as ``tsig-keygen``, a domain name can be specified on the
-command line to be used as the name of the generated key. If no
-name is specified, the default is ``tsig-key``.
-
-When run as ``ddns-confgen``, the key name can specified using ``-k``
-parameter and defaults to ``ddns-key``. The generated key is accompanied
-by configuration text and instructions that can be used with ``nsupdate``
-and ``named`` when setting up dynamic DNS, including an example
-``update-policy`` statement. (This usage is similar to the ``rndc-confgen``
-command for setting up command-channel security.)
-
-Note that ``named`` itself can configure a local DDNS key for use with
-``nsupdate -l``; it does this when a zone is configured with
-``update-policy local;``. ``ddns-confgen`` is only needed when a more
-elaborate configuration is required: for instance, if ``nsupdate`` is to
-be used from a remote system.
-
-Options
-~~~~~~~
-
-``-a algorithm``
-   This option specifies the algorithm to use for the TSIG key. Available
-   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
-   and hmac-sha512. The default is hmac-sha256. Options are
-   case-insensitive, and the "hmac-" prefix may be omitted.
-
-``-h``
-   This option prints a short summary of options and arguments.
-
-``-k keyname``
-   This option specifies the key name of the DDNS authentication key. The
-   default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is
-   specified; otherwise, the default is ``ddns-key`` as a separate label
-   followed by the argument of the option, e.g., ``ddns-key.example.com.``
-   The key name must have the format of a valid domain name, consisting of
-   letters, digits, hyphens, and periods.
-
-``-q`` (``ddns-confgen`` only)
-   This option enables quiet mode, which prints only the key, with no
-   explanatory text or usage examples. This is essentially identical to
-   ``tsig-keygen``.
-
-``-s name`` (``ddns-confgen`` only)
-   This option generates a configuration example to allow dynamic updates
-   of a single hostname. The example ``named.conf`` text shows how to set
-   an update policy for the specified name using the "name" nametype. The
-   default key name is ``ddns-key.name``. Note that the "self" nametype
-   cannot be used, since the name to be updated may differ from the key
-   name. This option cannot be used with the ``-z`` option.
-
-``-z zone`` (``ddns-confgen`` only)
-   This option generates a configuration example to allow
-   dynamic updates of a zone. The example ``named.conf`` text shows how
-   to set an update policy for the specified zone using the "zonesub"
-   nametype, allowing updates to all subdomain names within that zone.
-   This option cannot be used with the ``-s`` option.
-
-See Also
-~~~~~~~~
-
-:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

bin/confgen/util.c

@@ -30,7 +30,7 @@ notify(const char *fmt, ...) {
 		va_start(ap, fmt);
 		vfprintf(stderr, fmt, ap);
 		va_end(ap);
-		fprintf(stderr, "\n");
+		fputs("\n", stderr);
 	}
 }
 

bin/confgen/win32/confgentool.vcxproj.in

@@ -114,14 +114,6 @@
     <ClCompile Include="..\util.c" />
     <ClCompile Include="os.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/confgen/win32/ddnsconfgen.vcxproj.filters.in

@@ -11,8 +11,8 @@
     </Filter>
   </ItemGroup>
   <ItemGroup>
-    <ClCompile Include="..\tsig-keygen.c">
+    <ClCompile Include="..\ddns-confgen.c">
       <Filter>Source Files</Filter>
     </ClCompile>
   </ItemGroup>
-</Project>
+</Project>

bin/confgen/win32/ddnsconfgen.vcxproj.in

@@ -13,7 +13,7 @@
   <PropertyGroup Label="Globals">
     <ProjectGuid>{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
-    <RootNamespace>tsigkeygen</RootNamespace>
+    <RootNamespace>ddnsconfgen</RootNamespace>
     @WINDOWS_TARGET_PLATFORM_VERSION@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
@@ -45,14 +45,14 @@
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
     <IntDirSharingDetected>None</IntDirSharingDetected>
-    <TargetName>tsig-keygen</TargetName>
+    <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
     <IntDirSharingDetected>None</IntDirSharingDetected>
-    <TargetName>tsig-keygen</TargetName>
+    <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
@@ -69,20 +69,20 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
-copy /Y tsig-keygen.exe ddns-confgen.exe
-copy /Y tsig-keygen.ilk ddns-confgen.ilk
+copy /Y ddns-confgen.exe tsig-keygen.exe
+copy /Y ddns-confgen.ilk tsig-keygen.ilk
 </Command>
     </PostBuildEvent>
   </ItemDefinitionGroup>
@@ -104,7 +104,7 @@ copy /Y tsig-keygen.ilk ddns-confgen.ilk
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -114,28 +114,17 @@ copy /Y tsig-keygen.ilk ddns-confgen.ilk
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
     <PostBuildEvent>
       <Command>cd ..\..\..\Build\$(Configuration)
-copy /Y tsig-keygen.exe ddns-confgen.exe
+copy /Y ddns-confgen.exe tsig-keygen.exe
 </Command>
     </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemGroup>
-    <ClCompile Include="..\tsig-keygen.c" />
-  </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\confgen\win32\confgentool.vcxproj">
-      <Project>{64964B03-4815-41F0-9057-E766A94AF197}</Project>
-    </ProjectReference>
+    <ClCompile Include="..\ddns-confgen.c" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

bin/confgen/win32/ddnsconfgen.vcxproj.user

@@ -1,3 +1,3 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-</Project>
+</Project>

bin/confgen/win32/rndcconfgen.vcxproj.in

@@ -69,15 +69,15 @@
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <BrowseInformation>true</BrowseInformation>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -98,7 +98,7 @@
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
       <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <CompileAs>CompileAsC</CompileAs>
     </ClCompile>
     <Link>
@@ -108,24 +108,13 @@
       <OptimizeReferences>true</OptimizeReferences>
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
-      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\rndc-confgen.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\confgen\win32\confgentool.vcxproj">
-      <Project>{64964B03-4815-41F0-9057-E766A94AF197}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/delv/delv.1

@@ -0,0 +1,437 @@
+.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: delv
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-04-23
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DELV" "1" "2014\-04\-23" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+delv \- DNS lookup and validation utility
+.SH "SYNOPSIS"
+.HP \w'\fBdelv\fR\ 'u
+\fBdelv\fR [@server] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
+.HP \w'\fBdelv\fR\ 'u
+\fBdelv\fR [\fB\-h\fR]
+.HP \w'\fBdelv\fR\ 'u
+\fBdelv\fR [\fB\-v\fR]
+.HP \w'\fBdelv\fR\ 'u
+\fBdelv\fR [queryopt...] [query...]
+.SH "DESCRIPTION"
+.PP
+\fBdelv\fR
+is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
+\fBnamed\fR\&.
+.PP
+\fBdelv\fR
+will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
+.PP
+By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
+\fBdelv\fR
+are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
+\fBdelv\fR
+does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy\&.
+.PP
+Unless it is told to query a specific name server,
+\fBdelv\fR
+will try each of the servers listed in
+/etc/resolv\&.conf\&. If no usable server addresses are found,
+\fBdelv\fR
+will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
+.PP
+When no command line arguments or options are given,
+\fBdelv\fR
+will perform an NS query for "\&." (the root zone)\&.
+.SH "SIMPLE USAGE"
+.PP
+A typical invocation of
+\fBdelv\fR
+looks like:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ delv @server name type 
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+where:
+.PP
+\fBserver\fR
+.RS 4
+is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
+\fIserver\fR
+argument is a hostname,
+\fBdelv\fR
+resolves that name before querying that name server (note, however, that this initial lookup is
+\fInot\fR
+validated by DNSSEC)\&.
+.sp
+If no
+\fIserver\fR
+argument is provided,
+\fBdelv\fR
+consults
+/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
+\fB\-4\fR
+or
+\fB\-6\fR
+options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
+\fBdelv\fR
+will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
+.RE
+.PP
+\fBname\fR
+.RS 4
+is the domain name to be looked up\&.
+.RE
+.PP
+\fBtype\fR
+.RS 4
+indicates what type of query is required \(em ANY, A, MX, etc\&.
+\fItype\fR
+can be any valid query type\&. If no
+\fItype\fR
+argument is supplied,
+\fBdelv\fR
+will perform a lookup for an A record\&.
+.RE
+.SH "OPTIONS"
+.PP
+\-a \fIanchor\-file\fR
+.RS 4
+Specifies a file from which to read DNSSEC trust anchors\&. The default is
+/etc/bind\&.keys, which is included with
+BIND
+9 and contains one or more trust anchors for the root zone ("\&.")\&.
+.sp
+Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
+\fB+root=NAME\fR
+options\&.
+.sp
+Note: When reading the trust anchor file,
+\fBdelv\fR
+treats
+\fBtrust\-anchors\fR\fBinitial\-key\fR
+and
+\fBstatic\-key\fR
+entries identically\&. That is, even if a key is configured with
+\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
+\fBdelv\fR
+as if it had been configured as a
+\fBstatic\-key\fR\&.
+\fBdelv\fR
+does not consult the managed keys database maintained by
+\fBnamed\fR\&. This means that if either of the keys in
+/etc/bind\&.keys
+is revoked and rolled over, it will be necessary to update
+/etc/bind\&.keys
+to use DNSSEC validation in
+\fBdelv\fR\&.
+.RE
+.PP
+\-b \fIaddress\fR
+.RS 4
+Sets the source IP address of the query to
+\fIaddress\fR\&. This must be a valid address on one of the host\*(Aqs network interfaces or "0\&.0\&.0\&.0" or "::"\&. An optional source port may be specified by appending "#<port>"
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Sets the query class for the requested data\&. Currently, only class "IN" is supported in
+\fBdelv\fR
+and any other value is ignored\&.
+.RE
+.PP
+\-d \fIlevel\fR
+.RS 4
+Set the systemwide debug level to
+\fBlevel\fR\&. The allowed range is from 0 to 99\&. The default is 0 (no debugging)\&. Debugging traces from
+\fBdelv\fR
+become more verbose as the debug level increases\&. See the
+\fB+mtrace\fR,
+\fB+rtrace\fR, and
+\fB+vtrace\fR
+options below for additional debugging details\&.
+.RE
+.PP
+\-h
+.RS 4
+Display the
+\fBdelv\fR
+help usage output and exit\&.
+.RE
+.PP
+\-i
+.RS 4
+Insecure mode\&. This disables internal DNSSEC validation\&. (Note, however, this does not set the CD bit on upstream queries\&. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
+\fBdelv\fR
+to time out\&. When it is necessary to examine invalid data to debug a DNSSEC problem, use
+\fBdig +cd\fR\&.)
+.RE
+.PP
+\-m
+.RS 4
+Enables memory usage debugging\&.
+.RE
+.PP
+\-p \fIport#\fR
+.RS 4
+Specifies a destination port to use for queries instead of the standard DNS port number 53\&. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number\&.
+.RE
+.PP
+\-q \fIname\fR
+.RS 4
+Sets the query name to
+\fIname\fR\&. While the query name can be specified without using the
+\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH)\&.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Sets the query type to
+\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR\&. As with
+\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous\&. it is sometimes necessary to disambiguate names from types\&.
+.sp
+The default query type is "A", unless the
+\fB\-x\fR
+option is supplied to indicate a reverse lookup, in which case it is "PTR"\&.
+.RE
+.PP
+\-v
+.RS 4
+Print the
+\fBdelv\fR
+version and exit\&.
+.RE
+.PP
+\-x \fIaddr\fR
+.RS 4
+Performs a reverse lookup, mapping an addresses to a name\&.
+\fIaddr\fR
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When
+\fB\-x\fR
+is used, there is no need to provide the
+\fIname\fR
+or
+\fItype\fR
+arguments\&.
+\fBdelv\fR
+automatically performs a lookup for a name like
+11\&.12\&.13\&.10\&.in\-addr\&.arpa
+and sets the query type to PTR\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
+.RE
+.PP
+\-4
+.RS 4
+Forces
+\fBdelv\fR
+to only use IPv4\&.
+.RE
+.PP
+\-6
+.RS 4
+Forces
+\fBdelv\fR
+to only use IPv6\&.
+.RE
+.SH "QUERY OPTIONS"
+.PP
+\fBdelv\fR
+provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed\&.
+.PP
+Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
+no
+to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
+\fB+keyword=value\fR\&. The query options are:
+.PP
+\fB+[no]cdflag\fR
+.RS 4
+Controls whether to set the CD (checking disabled) bit in queries sent by
+\fBdelv\fR\&. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver\&. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis\&. Setting the CD flag on queries will cause the resolver to return invalid responses, which
+\fBdelv\fR
+can then validate internally and report the errors in detail\&.
+.RE
+.PP
+\fB+[no]class\fR
+.RS 4
+Controls whether to display the CLASS when printing a record\&. The default is to display the CLASS\&.
+.RE
+.PP
+\fB+[no]ttl\fR
+.RS 4
+Controls whether to display the TTL when printing a record\&. The default is to display the TTL\&.
+.RE
+.PP
+\fB+[no]rtrace\fR
+.RS 4
+Toggle resolver fetch logging\&. This reports the name and type of each query sent by
+\fBdelv\fR
+in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation\&.
+.sp
+This is equivalent to setting the debug level to 1 in the "resolver" logging category\&. Setting the systemwide debug level to 1 using the
+\fB\-d\fR
+option will product the same output (but will affect other logging categories as well)\&.
+.RE
+.PP
+\fB+[no]mtrace\fR
+.RS 4
+Toggle message logging\&. This produces a detailed dump of the responses received by
+\fBdelv\fR
+in the process of carrying out the resolution and validation process\&.
+.sp
+This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category\&. Setting the systemwide debug level to 10 using the
+\fB\-d\fR
+option will produce the same output (but will affect other logging categories as well)\&.
+.RE
+.PP
+\fB+[no]vtrace\fR
+.RS 4
+Toggle validation logging\&. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid\&.
+.sp
+This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category\&. Setting the systemwide debug level to 3 using the
+\fB\-d\fR
+option will produce the same output (but will affect other logging categories as well)\&.
+.RE
+.PP
+\fB+[no]short\fR
+.RS 4
+Provide a terse answer\&. The default is to print the answer in a verbose form\&.
+.RE
+.PP
+\fB+[no]comments\fR
+.RS 4
+Toggle the display of comment lines in the output\&. The default is to print comments\&.
+.RE
+.PP
+\fB+[no]rrcomments\fR
+.RS 4
+Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is to print per\-record comments\&.
+.RE
+.PP
+\fB+[no]crypto\fR
+.RS 4
+Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
+.RE
+.PP
+\fB+[no]trust\fR
+.RS 4
+Controls whether to display the trust level when printing a record\&. The default is to display the trust level\&.
+.RE
+.PP
+\fB+[no]split[=W]\fR
+.RS 4
+Split long hex\- or base64\-formatted fields in resource records into chunks of
+\fIW\fR
+characters (where
+\fIW\fR
+is rounded up to the nearest multiple of 4)\&.
+\fI+nosplit\fR
+or
+\fI+split=0\fR
+causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
+.RE
+.PP
+\fB+[no]all\fR
+.RS 4
+Set or clear the display options
+\fB+[no]comments\fR,
+\fB+[no]rrcomments\fR, and
+\fB+[no]trust\fR
+as a group\&.
+.RE
+.PP
+\fB+[no]multiline\fR
+.RS 4
+Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
+\fBdelv\fR
+output\&.
+.RE
+.PP
+\fB+[no]dnssec\fR
+.RS 4
+Indicates whether to display RRSIG records in the
+\fBdelv\fR
+output\&. The default is to do so\&. Note that (unlike in
+\fBdig\fR) this does
+\fInot\fR
+control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
+\fB\-i\fR
+or
+\fB+noroot\fR\&.
+.RE
+.PP
+\fB+[no]root[=ROOT]\fR
+.RS 4
+Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
+\fB\-a\fR
+must be used to specify a file containing the key\&.
+.RE
+.PP
+\fB+[no]tcp\fR
+.RS 4
+Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
+.RE
+.PP
+\fB+[no]unknownformat\fR
+.RS 4
+Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
+.RE
+.PP
+\fB+[no]yaml\fR
+.RS 4
+Print response data in YAML format\&.
+.RE
+.SH "FILES"
+.PP
+/etc/bind\&.keys
+.PP
+/etc/resolv\&.conf
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBnamed\fR(8),
+RFC4034,
+RFC4035,
+RFC4431,
+RFC5074,
+RFC5155\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/delv/delv.c

@@ -72,6 +72,7 @@
 #include <isccfg/log.h>
 #include <isccfg/namedconf.h>
 
+#include <irs/netdb.h>
 #include <irs/resconf.h>
 
 #define CHECK(r)                             \
@@ -135,83 +136,73 @@ parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
 
 static void
 usage(void) {
-	fprintf(stderr,
-		"Usage:  delv [@server] {q-opt} {d-opt} [domain] [q-type] "
-		"[q-class]\n"
-		"Where:  domain	  is in the Domain Name System\n"
-		"        q-class  is one of (in,hs,ch,...) [default: in]\n"
-		"        q-type   is one of "
-		"(a,any,mx,ns,soa,hinfo,axfr,txt,...) "
-		"[default:a]\n"
-		"        q-opt    is one of:\n"
-		"                 -4                  (use IPv4 query "
-		"transport "
-		"only)\n"
-		"                 -6                  (use IPv6 query "
-		"transport "
-		"only)\n"
-		"                 -a anchor-file      (specify root trust "
-		"anchor)\n"
-		"                 -b address[#port]   (bind to source "
-		"address/port)\n"
-		"                 -c class            (option included for "
-		"compatibility;\n"
-		"                 -d level            (set debugging level)\n"
-		"                 -h                  (print help and exit)\n"
-		"                 -i                  (disable DNSSEC "
-		"validation)\n"
-		"                 -m                  (enable memory usage "
-		"debugging)\n"
-		"                 -p port             (specify port number)\n"
-		"                 -q name             (specify query name)\n"
-		"                 -t type             (specify query type)\n"
-		"                                      only IN is supported)\n"
-		"                 -v                  (print version and "
-		"exit)\n"
-		"                 -x dot-notation     (shortcut for reverse "
-		"lookups)\n"
-		"        d-opt    is of the form +keyword[=value], where "
-		"keyword "
-		"is:\n"
-		"                 +[no]all            (Set or clear all "
-		"display "
-		"flags)\n"
-		"                 +[no]class          (Control display of "
-		"class)\n"
-		"                 +[no]comments       (Control display of "
-		"comment lines)\n"
-		"                 +[no]crypto         (Control display of "
-		"cryptographic\n"
-		"                                      fields in records)\n"
-		"                 +[no]dlv            (Obsolete)\n"
-		"                 +[no]dnssec         (Display DNSSEC "
-		"records)\n"
-		"                 +[no]mtrace         (Trace messages "
-		"received)\n"
-		"                 +[no]multiline      (Print records in an "
-		"expanded format)\n"
-		"                 +[no]root           (DNSSEC validation trust "
-		"anchor)\n"
-		"                 +[no]rrcomments     (Control display of "
-		"per-record "
-		"comments)\n"
-		"                 +[no]rtrace         (Trace resolver "
-		"fetches)\n"
-		"                 +[no]short          (Short form answer)\n"
-		"                 +[no]split=##       (Split hex/base64 fields "
-		"into chunks)\n"
-		"                 +[no]tcp            (TCP mode)\n"
-		"                 +[no]ttl            (Control display of ttls "
-		"in records)\n"
-		"                 +[no]trust          (Control display of "
-		"trust "
-		"level)\n"
-		"                 +[no]unknownformat  (Print RDATA in RFC 3597 "
-		"\"unknown\" format)\n"
-		"                 +[no]vtrace         (Trace validation "
-		"process)\n"
-		"                 +[no]yaml           (Present the results as "
-		"YAML)\n");
+	fputs("Usage:  delv [@server] {q-opt} {d-opt} [domain] [q-type] "
+	      "[q-class]\n"
+	      "Where:  domain	  is in the Domain Name System\n"
+	      "        q-class  is one of (in,hs,ch,...) [default: in]\n"
+	      "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) "
+	      "[default:a]\n"
+	      "        q-opt    is one of:\n"
+	      "                 -4                  (use IPv4 query transport "
+	      "only)\n"
+	      "                 -6                  (use IPv6 query transport "
+	      "only)\n"
+	      "                 -a anchor-file      (specify root trust "
+	      "anchor)\n"
+	      "                 -b address[#port]   (bind to source "
+	      "address/port)\n"
+	      "                 -c class            (option included for "
+	      "compatibility;\n"
+	      "                 -d level            (set debugging level)\n"
+	      "                 -h                  (print help and exit)\n"
+	      "                 -i                  (disable DNSSEC "
+	      "validation)\n"
+	      "                 -m                  (enable memory usage "
+	      "debugging)\n"
+	      "                 -p port             (specify port number)\n"
+	      "                 -q name             (specify query name)\n"
+	      "                 -t type             (specify query type)\n"
+	      "                                      only IN is supported)\n"
+	      "                 -v                  (print version and exit)\n"
+	      "                 -x dot-notation     (shortcut for reverse "
+	      "lookups)\n"
+	      "        d-opt    is of the form +keyword[=value], where keyword "
+	      "is:\n"
+	      "                 +[no]all            (Set or clear all display "
+	      "flags)\n"
+	      "                 +[no]class          (Control display of "
+	      "class)\n"
+	      "                 +[no]comments       (Control display of "
+	      "comment lines)\n"
+	      "                 +[no]crypto         (Control display of "
+	      "cryptographic\n"
+	      "                                      fields in records)\n"
+	      "                 +[no]dlv            (Obsolete)\n"
+	      "                 +[no]dnssec         (Display DNSSEC records)\n"
+	      "                 +[no]mtrace         (Trace messages received)\n"
+	      "                 +[no]multiline      (Print records in an "
+	      "expanded format)\n"
+	      "                 +[no]root           (DNSSEC validation trust "
+	      "anchor)\n"
+	      "                 +[no]rrcomments     (Control display of "
+	      "per-record "
+	      "comments)\n"
+	      "                 +[no]rtrace         (Trace resolver fetches)\n"
+	      "                 +[no]short          (Short form answer)\n"
+	      "                 +[no]split=##       (Split hex/base64 fields "
+	      "into chunks)\n"
+	      "                 +[no]tcp            (TCP mode)\n"
+	      "                 +[no]ttl            (Control display of ttls "
+	      "in records)\n"
+	      "                 +[no]trust          (Control display of trust "
+	      "level)\n"
+	      "                 +[no]unknownformat  (Print RDATA in RFC 3597 "
+	      "\"unknown\" format)\n"
+	      "                 +[no]vtrace         (Trace validation "
+	      "process)\n"
+	      "                 +[no]yaml           (Present the results as "
+	      "YAML)\n",
+	      stderr);
 	exit(1);
 }
 
@@ -615,7 +606,6 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 	       INITIAL_DS,
 	       STATIC_DS,
 	       TRUSTED } anchortype;
-	const cfg_obj_t *obj;
 
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
@@ -648,30 +638,21 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 	rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
 
 	/* What type of trust anchor is this? */
-	obj = cfg_tuple_get(key, "anchortype");
-	if (cfg_obj_isvoid(obj)) {
-		/*
-		 * "anchortype" is not defined, this must be a static-key
-		 * configured with trusted-keys.
-		 */
+	atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
+	if (strcasecmp(atstr, "static-key") == 0) {
 		anchortype = STATIC_KEY;
+	} else if (strcasecmp(atstr, "static-ds") == 0) {
+		anchortype = STATIC_DS;
+	} else if (strcasecmp(atstr, "initial-key") == 0) {
+		anchortype = INITIAL_KEY;
+	} else if (strcasecmp(atstr, "initial-ds") == 0) {
+		anchortype = INITIAL_DS;
 	} else {
-		atstr = cfg_obj_asstring(obj);
-		if (strcasecmp(atstr, "static-key") == 0) {
-			anchortype = STATIC_KEY;
-		} else if (strcasecmp(atstr, "static-ds") == 0) {
-			anchortype = STATIC_DS;
-		} else if (strcasecmp(atstr, "initial-key") == 0) {
-			anchortype = INITIAL_KEY;
-		} else if (strcasecmp(atstr, "initial-ds") == 0) {
-			anchortype = INITIAL_DS;
-		} else {
-			delv_log(ISC_LOG_ERROR,
-				 "key '%s': invalid initialization method '%s'",
-				 keynamestr, atstr);
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
+		delv_log(ISC_LOG_ERROR,
+			 "key '%s': invalid initialization method '%s'",
+			 keynamestr, atstr);
+		result = ISC_R_FAILURE;
+		goto cleanup;
 	}
 
 	isc_buffer_init(&databuf, data, sizeof(data));
@@ -1732,7 +1713,7 @@ main(int argc, char *argv[]) {
 	char namestr[DNS_NAME_FORMATSIZE];
 	dns_rdataset_t *rdataset;
 	dns_namelist_t namelist;
-	unsigned int resopt;
+	unsigned int resopt, clopt;
 	isc_appctx_t *actx = NULL;
 	isc_taskmgr_t *taskmgr = NULL;
 	isc_socketmgr_t *socketmgr = NULL;
@@ -1779,8 +1760,9 @@ main(int argc, char *argv[]) {
 #endif /* ifndef WIN32 */
 
 	/* Create client */
-	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr, 0,
-				    &client, srcaddr4, srcaddr6);
+	clopt = DNS_CLIENTCREATEOPT_USECACHE;
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+				    clopt, &client, srcaddr4, srcaddr6);
 	if (result != ISC_R_SUCCESS) {
 		delv_log(ISC_LOG_ERROR, "dns_client_create: %s",
 			 isc_result_totext(result));

bin/delv/delv.docbook

@@ -0,0 +1,699 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
+  <info>
+    <date>2014-04-23</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>delv</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>delv</refname>
+    <refpurpose>DNS lookup and validation utility</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>delv</command>
+      <arg choice="opt" rep="norepeat">@server</arg>
+      <group choice="opt" rep="norepeat">
+	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
+	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      </group>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-m</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat">name</arg>
+      <arg choice="opt" rep="norepeat">type</arg>
+      <arg choice="opt" rep="norepeat">class</arg>
+      <arg choice="opt" rep="repeat">queryopt</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis sepchar=" ">
+      <command>delv</command>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis sepchar=" ">
+      <command>delv</command>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis sepchar=" ">
+      <command>delv</command>
+      <arg choice="opt" rep="repeat">queryopt</arg>
+      <arg choice="opt" rep="repeat">query</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>delv</command>
+      is a tool for sending
+      DNS queries and validating the results, using the same internal
+      resolver and validator logic as <command>named</command>.
+    </para>
+    <para>
+      <command>delv</command> will send to a specified name server all
+      queries needed to fetch and validate the requested data; this
+      includes the original requested query, subsequent queries to follow
+      CNAME or DNAME chains, and queries for DNSKEY and DS records
+      to establish a chain of trust for DNSSEC validation.
+      It does not perform iterative resolution, but simulates the
+      behavior of a name server configured for DNSSEC validating and
+      forwarding.
+    </para>
+    <para>
+      By default, responses are validated using built-in DNSSEC trust
+      anchor for the root zone (".").  Records returned by
+      <command>delv</command> are either fully validated or
+      were not signed.  If validation fails, an explanation of
+      the failure is included in the output; the validation process
+      can be traced in detail.  Because <command>delv</command> does
+      not rely on an external server to carry out validation, it can
+      be used to check the validity of DNS responses in environments
+      where local name servers may not be trustworthy.
+    </para>
+    <para>
+      Unless it is told to query a specific name server,
+      <command>delv</command> will try each of the servers listed in
+      <filename>/etc/resolv.conf</filename>. If no usable server
+      addresses are found, <command>delv</command> will send
+      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+      for IPv6).
+    </para>
+    <para>
+      When no command line arguments or options are given,
+      <command>delv</command> will perform an NS query for "."
+      (the root zone).
+    </para>
+  </refsection>
+
+  <refsection><info><title>SIMPLE USAGE</title></info>
+
+
+    <para>
+      A typical invocation of <command>delv</command> looks like:
+      <programlisting> delv @server name type </programlisting>
+      where:
+
+      <variablelist>
+	<varlistentry>
+	  <term><constant>server</constant></term>
+	  <listitem>
+	    <para>
+	      is the name or IP address of the name server to query.  This
+	      can be an IPv4 address in dotted-decimal notation or an IPv6
+	      address in colon-delimited notation.  When the supplied
+	      <parameter>server</parameter> argument is a hostname,
+	      <command>delv</command> resolves that name before
+	      querying that name server (note, however, that this
+	      initial lookup is <emphasis>not</emphasis> validated
+	      by DNSSEC).
+	    </para>
+	    <para>
+	      If no <parameter>server</parameter> argument is
+	      provided, <command>delv</command> consults
+	      <filename>/etc/resolv.conf</filename>; if an
+	      address is found there, it queries the name server at
+	      that address. If either of the <option>-4</option> or
+	      <option>-6</option> options are in use, then
+	      only addresses for the corresponding transport
+	      will be tried.  If no usable addresses are found,
+	      <command>delv</command> will send queries to
+	      the localhost addresses (127.0.0.1 for IPv4,
+	      ::1 for IPv6).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><constant>name</constant></term>
+	  <listitem>
+	    <para>
+	      is the domain name to be looked up.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><constant>type</constant></term>
+	  <listitem>
+	    <para>
+	      indicates what type of query is required &mdash;
+	      ANY, A, MX, etc.
+	      <parameter>type</parameter> can be any valid query
+	      type.  If no
+	      <parameter>type</parameter> argument is supplied,
+	      <command>delv</command> will perform a lookup for an
+	      A record.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+      </variablelist>
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+    <variablelist>
+
+      <varlistentry>
+	<term>-a <replaceable class="parameter">anchor-file</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies a file from which to read DNSSEC trust anchors.
+	    The default is <filename>/etc/bind.keys</filename>, which
+	    is included with <acronym>BIND</acronym> 9 and contains
+	    one or more trust anchors for the root zone (".").
+	  </para>
+	  <para>
+	    Keys that do not match the root zone name are ignored.
+            An alternate key name can be specified using the
+	    <option>+root=NAME</option> options.
+	  </para>
+	  <para>
+	    Note: When reading the trust anchor file,
+	    <command>delv</command> treats <option>trust-anchors</option>
+	    <option>initial-key</option> and <option>static-key</option>
+	    entries identically.  That is, even if a key is configured
+	    with <command>initial-key</command>, indicating that it is
+	    meant to be used only as an initializing key for RFC 5011
+	    key maintenance, it is still treated by <command>delv</command>
+	    as if it had been configured as a <command>static-key</command>.
+	    <command>delv</command> does not consult the managed keys
+	    database maintained by <command>named</command>. This means
+	    that if either of the keys in
+	    <filename>/etc/bind.keys</filename> is revoked
+	    and rolled over, it will be necessary to update
+	    <filename>/etc/bind.keys</filename> to use DNSSEC
+	    validation in <command>delv</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-b  <replaceable class="parameter">address</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the source IP address of the query to
+	    <parameter>address</parameter>.  This must be a valid address
+	    on one of the host's network interfaces or "0.0.0.0" or "::".
+	    An optional source port may be specified by appending
+	    "#&lt;port&gt;"
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the query class for the requested data. Currently,
+	    only class "IN" is supported in <command>delv</command>
+	    and any other value is ignored.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-d <replaceable class="parameter">level</replaceable></term>
+	<listitem>
+	  <para>
+	    Set the systemwide debug level to <option>level</option>.
+	    The allowed range is from 0 to 99.
+	    The default is 0 (no debugging).
+	    Debugging traces from <command>delv</command> become
+	    more verbose as the debug level increases.
+	    See the <option>+mtrace</option>, <option>+rtrace</option>,
+	    and <option>+vtrace</option> options below for additional
+	    debugging details.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Display the <command>delv</command> help usage output and exit.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-i</term>
+	<listitem>
+	  <para>
+	    Insecure mode. This disables internal DNSSEC validation.
+	    (Note, however, this does not set the CD bit on upstream
+	    queries. If the server being queried is performing DNSSEC
+	    validation, then it will not return invalid data; this
+	    can cause <command>delv</command> to time out. When it
+	    is necessary to examine invalid data to debug a DNSSEC
+	    problem, use <command>dig +cd</command>.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-m</term>
+	<listitem>
+	  <para>
+	    Enables memory usage debugging.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-p <replaceable class="parameter">port#</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies a destination port to use for queries instead of
+	    the standard DNS port number 53.  This option would be used
+	    with a name server that has been configured to listen
+	    for queries on a non-standard port number.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-q <replaceable class="parameter">name</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the query name to <parameter>name</parameter>.
+	    While the query name can be specified without using the
+	    <option>-q</option>, it is sometimes necessary to disambiguate
+	    names from types or classes (for example, when looking up the
+	    name "ns", which could be misinterpreted as the type NS,
+	    or "ch", which could be misinterpreted as class CH).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t <replaceable class="parameter">type</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the query type to <parameter>type</parameter>, which
+	    can be any valid query type supported in BIND 9 except
+	    for zone transfer types AXFR and IXFR. As with
+	    <option>-q</option>, this is useful to distinguish
+	    query name type or class when they are ambiguous.
+	    it is sometimes necessary to disambiguate names from types.
+	  </para>
+	  <para>
+	    The default query type is "A", unless the <option>-x</option>
+	    option is supplied to indicate a reverse lookup, in which case
+	    it is "PTR".
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v</term>
+	<listitem>
+	  <para>
+	    Print the <command>delv</command> version and exit.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-x <replaceable class="parameter">addr</replaceable></term>
+	<listitem>
+	  <para>
+	    Performs a reverse lookup, mapping an addresses to
+	    a name.  <parameter>addr</parameter> is an IPv4 address in
+	    dotted-decimal notation, or a colon-delimited IPv6 address.
+	    When <option>-x</option> is used, there is no need to provide
+	    the <parameter>name</parameter> or <parameter>type</parameter>
+	    arguments.  <command>delv</command> automatically performs a
+	    lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
+	    and sets the query type to PTR.  IPv6 addresses are looked up
+	    using nibble format under the IP6.ARPA domain.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-4</term>
+	<listitem>
+	  <para>
+	    Forces <command>delv</command> to only use IPv4.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-6</term>
+	<listitem>
+	  <para>
+	    Forces <command>delv</command> to only use IPv6.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>QUERY OPTIONS</title></info>
+
+
+    <para><command>delv</command>
+      provides a number of query options which affect the way results are
+      displayed, and in some cases the way lookups are performed.
+    </para>
+
+    <para>
+      Each query option is identified by a keyword preceded by a plus sign
+      (<literal>+</literal>).  Some keywords set or reset an
+      option.  These may be preceded by the string
+      <literal>no</literal> to negate the meaning of that keyword.
+      Other keywords assign values to options like the timeout interval.
+      They have the form <option>+keyword=value</option>.
+      The query options are:
+
+      <variablelist>
+	<varlistentry>
+	  <term><option>+[no]cdflag</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to set the CD (checking disabled) bit in
+	      queries sent by <command>delv</command>. This may be useful
+	      when troubleshooting DNSSEC problems from behind a validating
+	      resolver. A validating resolver will block invalid responses,
+	      making it difficult to retrieve them for analysis. Setting
+	      the CD flag on queries will cause the resolver to return
+	      invalid responses, which <command>delv</command> can then
+	      validate internally and report the errors in detail.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]class</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to display the CLASS when printing
+	      a record. The default is to display the CLASS.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]ttl</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to display the TTL when printing
+	      a record. The default is to display the TTL.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]rtrace</option></term>
+	  <listitem>
+	    <para>
+	      Toggle resolver fetch logging. This reports the
+	      name and type of each query sent by <command>delv</command>
+	      in the process of carrying out the resolution and validation
+	      process: this includes including the original query and
+	      all subsequent queries to follow CNAMEs and to establish a
+	      chain of trust for DNSSEC validation.
+	    </para>
+	    <para>
+	      This is equivalent to setting the debug level to 1 in
+	      the "resolver" logging category. Setting the systemwide
+	      debug level to 1 using the <option>-d</option> option will
+	      product the same output (but will affect other logging
+	      categories as well).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]mtrace</option></term>
+	  <listitem>
+	    <para>
+	      Toggle message logging. This produces a detailed dump of
+	      the responses received by <command>delv</command> in the
+	      process of carrying out the resolution and validation process.
+	    </para>
+	    <para>
+	      This is equivalent to setting the debug level to 10
+	      for the "packets" module of the "resolver" logging
+	      category. Setting the systemwide debug level to 10 using
+	      the <option>-d</option> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]vtrace</option></term>
+	  <listitem>
+	    <para>
+	      Toggle validation logging. This shows the internal
+	      process of the validator as it determines whether an
+	      answer is validly signed, unsigned, or invalid.
+	    </para>
+	    <para>
+	      This is equivalent to setting the debug level to 3
+	      for the "validator" module of the "dnssec" logging
+	      category. Setting the systemwide debug level to 3 using
+	      the <option>-d</option> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]short</option></term>
+	  <listitem>
+	    <para>
+	      Provide a terse answer.  The default is to print the answer in a
+	      verbose form.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]comments</option></term>
+	  <listitem>
+	    <para>
+	      Toggle the display of comment lines in the output.  The default
+	      is to print comments.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]rrcomments</option></term>
+	  <listitem>
+	    <para>
+	      Toggle the display of per-record comments in the output (for
+	      example, human-readable key information about DNSKEY records).
+	      The default is to print per-record comments.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]crypto</option></term>
+	  <listitem>
+	    <para>
+	      Toggle the display of cryptographic fields in DNSSEC records.
+	      The contents of these field are unnecessary to debug most DNSSEC
+	      validation failures and removing them makes it easier to see
+	      the common failures.  The default is to display the fields.
+	      When omitted they are replaced by the string "[omitted]" or
+	      in the DNSKEY case the key id is displayed as the replacement,
+	      e.g. "[ key id = value ]".
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]trust</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to display the trust level when printing
+	      a record. The default is to display the trust level.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]split[=W]</option></term>
+	  <listitem>
+	    <para>
+	      Split long hex- or base64-formatted fields in resource
+	      records into chunks of <parameter>W</parameter> characters
+	      (where <parameter>W</parameter> is rounded up to the nearest
+	      multiple of 4).
+	      <parameter>+nosplit</parameter> or
+	      <parameter>+split=0</parameter> causes fields not to be
+	      split at all.  The default is 56 characters, or 44 characters
+	      when multiline mode is active.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]all</option></term>
+	  <listitem>
+	    <para>
+	      Set or clear the display options
+	      <option>+[no]comments</option>,
+	      <option>+[no]rrcomments</option>, and
+	      <option>+[no]trust</option> as a group.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]multiline</option></term>
+	  <listitem>
+	    <para>
+	      Print long records (such as RRSIG, DNSKEY, and SOA records)
+	      in a verbose multi-line format with human-readable comments.
+	      The default is to print each record on a single line, to
+	      facilitate machine parsing of the <command>delv</command>
+	      output.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]dnssec</option></term>
+	  <listitem>
+	    <para>
+	      Indicates whether to display RRSIG records in the
+	      <command>delv</command> output.  The default is to
+	      do so.  Note that (unlike in <command>dig</command>)
+	      this does <emphasis>not</emphasis> control whether to
+	      request DNSSEC records or whether to validate them.
+	      DNSSEC records are always requested, and validation
+	      will always occur unless suppressed by the use of
+	      <option>-i</option> or <option>+noroot</option>.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]root[=ROOT]</option></term>
+	  <listitem>
+	    <para>
+	      Indicates whether to perform conventional
+	      DNSSEC validation, and if so, specifies the
+	      name of a trust anchor.  The default is to validate using
+	      a trust anchor of "." (the root zone), for which there is
+	      a built-in key.  If specifying a different trust anchor,
+	      then <option>-a</option> must be used to specify a file
+	      containing the key.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]tcp</option></term>
+	  <listitem>
+	    <para>
+	      Controls whether to use TCP when sending queries.
+	      The default is to use UDP unless a truncated
+	      response has been received.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]unknownformat</option></term>
+	  <listitem>
+	    <para>
+	      Print all RDATA in unknown RR type presentation format
+	      (RFC 3597). The default is to print RDATA for known types
+	      in the type's presentation format.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><option>+[no]yaml</option></term>
+	  <listitem>
+	    <para>
+	      Print response data in YAML format.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+      </variablelist>
+
+    </para>
+  </refsection>
+
+  <refsection><info><title>FILES</title></info>
+
+    <para><filename>/etc/bind.keys</filename></para>
+    <para><filename>/etc/resolv.conf</filename></para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+	<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>RFC4034</citetitle>,
+      <citetitle>RFC4035</citetitle>,
+      <citetitle>RFC4431</citetitle>,
+      <citetitle>RFC5074</citetitle>,
+      <citetitle>RFC5155</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/delv/delv.html

@@ -0,0 +1,588 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>delv</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.delv"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    delv
+     &#8212; DNS lookup and validation utility
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [@server]
+       [
+	[<code class="option">-4</code>]
+	 |  [<code class="option">-6</code>]
+      ]
+       [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-i</code>]
+       [<code class="option">-m</code>]
+       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
+       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
+       [name]
+       [type]
+       [class]
+       [queryopt...]
+    </p></div>
+
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [<code class="option">-h</code>]
+    </p></div>
+
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [<code class="option">-v</code>]
+    </p></div>
+
+    <div class="cmdsynopsis"><p>
+      <code class="command">delv</code> 
+       [queryopt...]
+       [query...]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>delv</strong></span>
+      is a tool for sending
+      DNS queries and validating the results, using the same internal
+      resolver and validator logic as <span class="command"><strong>named</strong></span>.
+    </p>
+    <p>
+      <span class="command"><strong>delv</strong></span> will send to a specified name server all
+      queries needed to fetch and validate the requested data; this
+      includes the original requested query, subsequent queries to follow
+      CNAME or DNAME chains, and queries for DNSKEY and DS records
+      to establish a chain of trust for DNSSEC validation.
+      It does not perform iterative resolution, but simulates the
+      behavior of a name server configured for DNSSEC validating and
+      forwarding.
+    </p>
+    <p>
+      By default, responses are validated using built-in DNSSEC trust
+      anchor for the root zone (".").  Records returned by
+      <span class="command"><strong>delv</strong></span> are either fully validated or
+      were not signed.  If validation fails, an explanation of
+      the failure is included in the output; the validation process
+      can be traced in detail.  Because <span class="command"><strong>delv</strong></span> does
+      not rely on an external server to carry out validation, it can
+      be used to check the validity of DNS responses in environments
+      where local name servers may not be trustworthy.
+    </p>
+    <p>
+      Unless it is told to query a specific name server,
+      <span class="command"><strong>delv</strong></span> will try each of the servers listed in
+      <code class="filename">/etc/resolv.conf</code>. If no usable server
+      addresses are found, <span class="command"><strong>delv</strong></span> will send
+      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+      for IPv6).
+    </p>
+    <p>
+      When no command line arguments or options are given,
+      <span class="command"><strong>delv</strong></span> will perform an NS query for "."
+      (the root zone).
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
+
+
+    <p>
+      A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
+      </p>
+<pre class="programlisting"> delv @server name type </pre>
+<p>
+      where:
+
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">server</code></span></dt>
+<dd>
+	    <p>
+	      is the name or IP address of the name server to query.  This
+	      can be an IPv4 address in dotted-decimal notation or an IPv6
+	      address in colon-delimited notation.  When the supplied
+	      <em class="parameter"><code>server</code></em> argument is a hostname,
+	      <span class="command"><strong>delv</strong></span> resolves that name before
+	      querying that name server (note, however, that this
+	      initial lookup is <span class="emphasis"><em>not</em></span> validated
+	      by DNSSEC).
+	    </p>
+	    <p>
+	      If no <em class="parameter"><code>server</code></em> argument is
+	      provided, <span class="command"><strong>delv</strong></span> consults
+	      <code class="filename">/etc/resolv.conf</code>; if an
+	      address is found there, it queries the name server at
+	      that address. If either of the <code class="option">-4</code> or
+	      <code class="option">-6</code> options are in use, then
+	      only addresses for the corresponding transport
+	      will be tried.  If no usable addresses are found,
+	      <span class="command"><strong>delv</strong></span> will send queries to
+	      the localhost addresses (127.0.0.1 for IPv4,
+	      ::1 for IPv6).
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="constant">name</code></span></dt>
+<dd>
+	    <p>
+	      is the domain name to be looked up.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="constant">type</code></span></dt>
+<dd>
+	    <p>
+	      indicates what type of query is required &#8212;
+	      ANY, A, MX, etc.
+	      <em class="parameter"><code>type</code></em> can be any valid query
+	      type.  If no
+	      <em class="parameter"><code>type</code></em> argument is supplied,
+	      <span class="command"><strong>delv</strong></span> will perform a lookup for an
+	      A record.
+	    </p>
+	  </dd>
+</dl></div>
+<p>
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>OPTIONS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies a file from which to read DNSSEC trust anchors.
+	    The default is <code class="filename">/etc/bind.keys</code>, which
+	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
+	    one or more trust anchors for the root zone (".").
+	  </p>
+	  <p>
+	    Keys that do not match the root zone name are ignored.
+            An alternate key name can be specified using the
+	    <code class="option">+root=NAME</code> options.
+	  </p>
+	  <p>
+	    Note: When reading the trust anchor file,
+	    <span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
+	    <code class="option">initial-key</code> and <code class="option">static-key</code>
+	    entries identically.  That is, even if a key is configured
+	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is
+	    meant to be used only as an initializing key for RFC 5011
+	    key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
+	    as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
+	    <span class="command"><strong>delv</strong></span> does not consult the managed keys
+	    database maintained by <span class="command"><strong>named</strong></span>. This means
+	    that if either of the keys in
+	    <code class="filename">/etc/bind.keys</code> is revoked
+	    and rolled over, it will be necessary to update
+	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
+	    validation in <span class="command"><strong>delv</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the source IP address of the query to
+	    <em class="parameter"><code>address</code></em>.  This must be a valid address
+	    on one of the host's network interfaces or "0.0.0.0" or "::".
+	    An optional source port may be specified by appending
+	    "#&lt;port&gt;"
+	  </p>
+	</dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the query class for the requested data. Currently,
+	    only class "IN" is supported in <span class="command"><strong>delv</strong></span>
+	    and any other value is ignored.
+	  </p>
+	</dd>
+<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
+<dd>
+	  <p>
+	    Set the systemwide debug level to <code class="option">level</code>.
+	    The allowed range is from 0 to 99.
+	    The default is 0 (no debugging).
+	    Debugging traces from <span class="command"><strong>delv</strong></span> become
+	    more verbose as the debug level increases.
+	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
+	    and <code class="option">+vtrace</code> options below for additional
+	    debugging details.
+	  </p>
+	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
+	  </p>
+	</dd>
+<dt><span class="term">-i</span></dt>
+<dd>
+	  <p>
+	    Insecure mode. This disables internal DNSSEC validation.
+	    (Note, however, this does not set the CD bit on upstream
+	    queries. If the server being queried is performing DNSSEC
+	    validation, then it will not return invalid data; this
+	    can cause <span class="command"><strong>delv</strong></span> to time out. When it
+	    is necessary to examine invalid data to debug a DNSSEC
+	    problem, use <span class="command"><strong>dig +cd</strong></span>.)
+	  </p>
+	</dd>
+<dt><span class="term">-m</span></dt>
+<dd>
+	  <p>
+	    Enables memory usage debugging.
+	  </p>
+	</dd>
+<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies a destination port to use for queries instead of
+	    the standard DNS port number 53.  This option would be used
+	    with a name server that has been configured to listen
+	    for queries on a non-standard port number.
+	  </p>
+	</dd>
+<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the query name to <em class="parameter"><code>name</code></em>.
+	    While the query name can be specified without using the
+	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
+	    names from types or classes (for example, when looking up the
+	    name "ns", which could be misinterpreted as the type NS,
+	    or "ch", which could be misinterpreted as class CH).
+	  </p>
+	</dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the query type to <em class="parameter"><code>type</code></em>, which
+	    can be any valid query type supported in BIND 9 except
+	    for zone transfer types AXFR and IXFR. As with
+	    <code class="option">-q</code>, this is useful to distinguish
+	    query name type or class when they are ambiguous.
+	    it is sometimes necessary to disambiguate names from types.
+	  </p>
+	  <p>
+	    The default query type is "A", unless the <code class="option">-x</code>
+	    option is supplied to indicate a reverse lookup, in which case
+	    it is "PTR".
+	  </p>
+	</dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+	  <p>
+	    Print the <span class="command"><strong>delv</strong></span> version and exit.
+	  </p>
+	</dd>
+<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
+<dd>
+	  <p>
+	    Performs a reverse lookup, mapping an addresses to
+	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
+	    dotted-decimal notation, or a colon-delimited IPv6 address.
+	    When <code class="option">-x</code> is used, there is no need to provide
+	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
+	    arguments.  <span class="command"><strong>delv</strong></span> automatically performs a
+	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
+	    and sets the query type to PTR.  IPv6 addresses are looked up
+	    using nibble format under the IP6.ARPA domain.
+	  </p>
+	</dd>
+<dt><span class="term">-4</span></dt>
+<dd>
+	  <p>
+	    Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
+	  </p>
+	</dd>
+<dt><span class="term">-6</span></dt>
+<dd>
+	  <p>
+	    Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
+
+
+    <p><span class="command"><strong>delv</strong></span>
+      provides a number of query options which affect the way results are
+      displayed, and in some cases the way lookups are performed.
+    </p>
+
+    <p>
+      Each query option is identified by a keyword preceded by a plus sign
+      (<code class="literal">+</code>).  Some keywords set or reset an
+      option.  These may be preceded by the string
+      <code class="literal">no</code> to negate the meaning of that keyword.
+      Other keywords assign values to options like the timeout interval.
+      They have the form <code class="option">+keyword=value</code>.
+      The query options are:
+
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
+<dd>
+	    <p>
+	      Controls whether to set the CD (checking disabled) bit in
+	      queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
+	      when troubleshooting DNSSEC problems from behind a validating
+	      resolver. A validating resolver will block invalid responses,
+	      making it difficult to retrieve them for analysis. Setting
+	      the CD flag on queries will cause the resolver to return
+	      invalid responses, which <span class="command"><strong>delv</strong></span> can then
+	      validate internally and report the errors in detail.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]class</code></span></dt>
+<dd>
+	    <p>
+	      Controls whether to display the CLASS when printing
+	      a record. The default is to display the CLASS.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
+<dd>
+	    <p>
+	      Controls whether to display the TTL when printing
+	      a record. The default is to display the TTL.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
+<dd>
+	    <p>
+	      Toggle resolver fetch logging. This reports the
+	      name and type of each query sent by <span class="command"><strong>delv</strong></span>
+	      in the process of carrying out the resolution and validation
+	      process: this includes including the original query and
+	      all subsequent queries to follow CNAMEs and to establish a
+	      chain of trust for DNSSEC validation.
+	    </p>
+	    <p>
+	      This is equivalent to setting the debug level to 1 in
+	      the "resolver" logging category. Setting the systemwide
+	      debug level to 1 using the <code class="option">-d</code> option will
+	      product the same output (but will affect other logging
+	      categories as well).
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
+<dd>
+	    <p>
+	      Toggle message logging. This produces a detailed dump of
+	      the responses received by <span class="command"><strong>delv</strong></span> in the
+	      process of carrying out the resolution and validation process.
+	    </p>
+	    <p>
+	      This is equivalent to setting the debug level to 10
+	      for the "packets" module of the "resolver" logging
+	      category. Setting the systemwide debug level to 10 using
+	      the <code class="option">-d</code> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
+<dd>
+	    <p>
+	      Toggle validation logging. This shows the internal
+	      process of the validator as it determines whether an
+	      answer is validly signed, unsigned, or invalid.
+	    </p>
+	    <p>
+	      This is equivalent to setting the debug level to 3
+	      for the "validator" module of the "dnssec" logging
+	      category. Setting the systemwide debug level to 3 using
+	      the <code class="option">-d</code> option will produce the same output
+	      (but will affect other logging categories as well).
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]short</code></span></dt>
+<dd>
+	    <p>
+	      Provide a terse answer.  The default is to print the answer in a
+	      verbose form.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
+<dd>
+	    <p>
+	      Toggle the display of comment lines in the output.  The default
+	      is to print comments.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
+<dd>
+	    <p>
+	      Toggle the display of per-record comments in the output (for
+	      example, human-readable key information about DNSKEY records).
+	      The default is to print per-record comments.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
+<dd>
+	    <p>
+	      Toggle the display of cryptographic fields in DNSSEC records.
+	      The contents of these field are unnecessary to debug most DNSSEC
+	      validation failures and removing them makes it easier to see
+	      the common failures.  The default is to display the fields.
+	      When omitted they are replaced by the string "[omitted]" or
+	      in the DNSKEY case the key id is displayed as the replacement,
+	      e.g. "[ key id = value ]".
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
+<dd>
+	    <p>
+	      Controls whether to display the trust level when printing
+	      a record. The default is to display the trust level.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
+<dd>
+	    <p>
+	      Split long hex- or base64-formatted fields in resource
+	      records into chunks of <em class="parameter"><code>W</code></em> characters
+	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
+	      multiple of 4).
+	      <em class="parameter"><code>+nosplit</code></em> or
+	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
+	      split at all.  The default is 56 characters, or 44 characters
+	      when multiline mode is active.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]all</code></span></dt>
+<dd>
+	    <p>
+	      Set or clear the display options
+	      <code class="option">+[no]comments</code>,
+	      <code class="option">+[no]rrcomments</code>, and
+	      <code class="option">+[no]trust</code> as a group.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
+<dd>
+	    <p>
+	      Print long records (such as RRSIG, DNSKEY, and SOA records)
+	      in a verbose multi-line format with human-readable comments.
+	      The default is to print each record on a single line, to
+	      facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
+	      output.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
+<dd>
+	    <p>
+	      Indicates whether to display RRSIG records in the
+	      <span class="command"><strong>delv</strong></span> output.  The default is to
+	      do so.  Note that (unlike in <span class="command"><strong>dig</strong></span>)
+	      this does <span class="emphasis"><em>not</em></span> control whether to
+	      request DNSSEC records or whether to validate them.
+	      DNSSEC records are always requested, and validation
+	      will always occur unless suppressed by the use of
+	      <code class="option">-i</code> or <code class="option">+noroot</code>.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
+<dd>
+	    <p>
+	      Indicates whether to perform conventional
+	      DNSSEC validation, and if so, specifies the
+	      name of a trust anchor.  The default is to validate using
+	      a trust anchor of "." (the root zone), for which there is
+	      a built-in key.  If specifying a different trust anchor,
+	      then <code class="option">-a</code> must be used to specify a file
+	      containing the key.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
+<dd>
+	    <p>
+	      Controls whether to use TCP when sending queries.
+	      The default is to use UDP unless a truncated
+	      response has been received.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
+<dd>
+	    <p>
+	      Print all RDATA in unknown RR type presentation format
+	      (RFC 3597). The default is to print RDATA for known types
+	      in the type's presentation format.
+	    </p>
+	  </dd>
+<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
+<dd>
+	    <p>
+	      Print response data in YAML format.
+	    </p>
+	  </dd>
+</dl></div>
+<p>
+
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>FILES</h2>
+
+    <p><code class="filename">/etc/bind.keys</code></p>
+    <p><code class="filename">/etc/resolv.conf</code></p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">dig</span>(1)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">named</span>(8)
+      </span>,
+      <em class="citetitle">RFC4034</em>,
+      <em class="citetitle">RFC4035</em>,
+      <em class="citetitle">RFC4431</em>,
+      <em class="citetitle">RFC5074</em>,
+      <em class="citetitle">RFC5155</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/delv/delv.rst

@@ -1,336 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_delv:
-
-delv - DNS lookup and validation utility
-----------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
-
-:program:`delv` [**-h**]
-
-:program:`delv` [**-v**]
-
-:program:`delv` [queryopt...] [query...]
-
-Description
-~~~~~~~~~~~
-
-``delv`` is a tool for sending DNS queries and validating the results,
-using the same internal resolver and validator logic as ``named``.
-
-``delv`` sends to a specified name server all queries needed to
-fetch and validate the requested data; this includes the original
-requested query, subsequent queries to follow CNAME or DNAME chains,
-queries for DNSKEY, and DS records to establish a chain of trust for
-DNSSEC validation. It does not perform iterative resolution, but
-simulates the behavior of a name server configured for DNSSEC validating
-and forwarding.
-
-By default, responses are validated using the built-in DNSSEC trust anchor
-for the root zone ("."). Records returned by ``delv`` are either fully
-validated or were not signed. If validation fails, an explanation of the
-failure is included in the output; the validation process can be traced
-in detail. Because ``delv`` does not rely on an external server to carry
-out validation, it can be used to check the validity of DNS responses in
-environments where local name servers may not be trustworthy.
-
-Unless it is told to query a specific name server, ``delv`` tries
-each of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, ``delv`` sends queries to the localhost
-addresses (127.0.0.1 for IPv4, ::1 for IPv6).
-
-When no command-line arguments or options are given, ``delv``
-performs an NS query for "." (the root zone).
-
-Simple Usage
-~~~~~~~~~~~~
-
-A typical invocation of ``delv`` looks like:
-
-::
-
-    delv @server name type
-
-where:
-
-``server``
-   is the name or IP address of the name server to query. This can be an
-   IPv4 address in dotted-decimal notation or an IPv6 address in
-   colon-delimited notation. When the supplied ``server`` argument is a
-   hostname, ``delv`` resolves that name before querying that name
-   server (note, however, that this initial lookup is *not* validated by
-   DNSSEC).
-
-   If no ``server`` argument is provided, ``delv`` consults
-   ``/etc/resolv.conf``; if an address is found there, it queries the
-   name server at that address. If either of the ``-4`` or ``-6``
-   options is in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, ``delv``
-   sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
-   for IPv6).
-
-``name``
-   is the domain name to be looked up.
-
-``type``
-   indicates what type of query is required - ANY, A, MX, etc.
-   ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, ``delv`` performs a lookup for an A record.
-
-Options
-~~~~~~~
-
-``-a anchor-file``
-   This option specifies a file from which to read DNSSEC trust anchors. The default
-   is ``/etc/bind.keys``, which is included with BIND 9 and contains one
-   or more trust anchors for the root zone (".").
-
-   Keys that do not match the root zone name are ignored. An alternate
-   key name can be specified using the ``+root=NAME`` options.
-
-   Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
-   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
-   it is the *initial* key that is trusted; :rfc:`5011` key management is not
-   supported. ``delv`` does not consult the managed-keys database maintained by
-   ``named``, which means that if either of the keys in ``/etc/bind.keys`` is
-   revoked and rolled over, ``/etc/bind.keys`` must be updated to
-   use DNSSEC validation in ``delv``.
-
-``-b address``
-   This option sets the source IP address of the query to ``address``. This must be
-   a valid address on one of the host's network interfaces, or ``0.0.0.0``,
-   or ``::``. An optional source port may be specified by appending
-   ``#<port>``
-
-``-c class``
-   This option sets the query class for the requested data. Currently, only class
-   "IN" is supported in ``delv`` and any other value is ignored.
-
-``-d level``
-   This option sets the systemwide debug level to ``level``. The allowed range is
-   from 0 to 99. The default is 0 (no debugging). Debugging traces from
-   ``delv`` become more verbose as the debug level increases. See the
-   ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
-   additional debugging details.
-
-``-h``
-   This option displays the ``delv`` help usage output and exits.
-
-``-i``
-   This option sets insecure mode, which disables internal DNSSEC validation. (Note,
-   however, that this does not set the CD bit on upstream queries. If the
-   server being queried is performing DNSSEC validation, then it does
-   not return invalid data; this can cause ``delv`` to time out. When it
-   is necessary to examine invalid data to debug a DNSSEC problem, use
-   ``dig +cd``.)
-
-``-m``
-   This option enables memory usage debugging.
-
-``-p port#``
-   This option specifies a destination port to use for queries, instead of the
-   standard DNS port number 53. This option is used with a name
-   server that has been configured to listen for queries on a
-   non-standard port number.
-
-``-q name``
-   This option sets the query name to ``name``. While the query name can be
-   specified without using the ``-q`` option, it is sometimes necessary to
-   disambiguate names from types or classes (for example, when looking
-   up the name "ns", which could be misinterpreted as the type NS, or
-   "ch", which could be misinterpreted as class CH).
-
-``-t type``
-   This option sets the query type to ``type``, which can be any valid query type
-   supported in BIND 9 except for zone transfer types AXFR and IXFR. As
-   with ``-q``, this is useful to distinguish query-name types or classes
-   when they are ambiguous. It is sometimes necessary to disambiguate
-   names from types.
-
-   The default query type is "A", unless the ``-x`` option is supplied
-   to indicate a reverse lookup, in which case it is "PTR".
-
-``-v``
-   This option prints the ``delv`` version and exits.
-
-``-x addr``
-   This option performs a reverse lookup, mapping an address to a name. ``addr``
-   is an IPv4 address in dotted-decimal notation, or a colon-delimited
-   IPv6 address. When ``-x`` is used, there is no need to provide the
-   ``name`` or ``type`` arguments; ``delv`` automatically performs a
-   lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
-   query type to PTR. IPv6 addresses are looked up using nibble format
-   under the IP6.ARPA domain.
-
-``-4``
-   This option forces ``delv`` to only use IPv4.
-
-``-6``
-   This option forces ``delv`` to only use IPv6.
-
-Query Options
-~~~~~~~~~~~~~
-
-``delv`` provides a number of query options which affect the way results
-are displayed, and in some cases the way lookups are performed.
-
-Each query option is identified by a keyword preceded by a plus sign
-(``+``). Some keywords set or reset an option. These may be preceded by
-the string ``no`` to negate the meaning of that keyword. Other keywords
-assign values to options like the timeout interval. They have the form
-``+keyword=value``. The query options are:
-
-``+[no]cdflag``
-   This option controls whether to set the CD (checking disabled) bit in queries
-   sent by ``delv``. This may be useful when troubleshooting DNSSEC
-   problems from behind a validating resolver. A validating resolver
-   blocks invalid responses, making it difficult to retrieve them
-   for analysis. Setting the CD flag on queries causes the resolver
-   to return invalid responses, which ``delv`` can then validate
-   internally and report the errors in detail.
-
-``+[no]class``
-   This option controls whether to display the CLASS when printing a record. The
-   default is to display the CLASS.
-
-``+[no]ttl``
-   This option controls whether to display the TTL when printing a record. The
-   default is to display the TTL.
-
-``+[no]rtrace``
-   This option toggles resolver fetch logging. This reports the name and type of each
-   query sent by ``delv`` in the process of carrying out the resolution
-   and validation process, including the original query
-   and all subsequent queries to follow CNAMEs and to establish a chain
-   of trust for DNSSEC validation.
-
-   This is equivalent to setting the debug level to 1 in the "resolver"
-   logging category. Setting the systemwide debug level to 1 using the
-   ``-d`` option produces the same output, but affects other
-   logging categories as well.
-
-``+[no]mtrace``
-   This option toggles message logging. This produces a detailed dump of the
-   responses received by ``delv`` in the process of carrying out the
-   resolution and validation process.
-
-   This is equivalent to setting the debug level to 10 for the "packets"
-   module of the "resolver" logging category. Setting the systemwide
-   debug level to 10 using the ``-d`` option produces the same
-   output, but affects other logging categories as well.
-
-``+[no]vtrace``
-   This option toggles validation logging. This shows the internal process of the
-   validator as it determines whether an answer is validly signed,
-   unsigned, or invalid.
-
-   This is equivalent to setting the debug level to 3 for the
-   "validator" module of the "dnssec" logging category. Setting the
-   systemwide debug level to 3 using the ``-d`` option produces the
-   same output, but affects other logging categories as well.
-
-``+[no]short``
-   This option toggles between verbose and terse answers. The default is to print the answer in a
-   verbose form.
-
-``+[no]comments``
-   This option toggles the display of comment lines in the output. The default is to
-   print comments.
-
-``+[no]rrcomments``
-   This option toggles the display of per-record comments in the output (for example,
-   human-readable key information about DNSKEY records). The default is
-   to print per-record comments.
-
-``+[no]crypto``
-   This option toggles the display of cryptographic fields in DNSSEC records. The
-   contents of these fields are unnecessary to debug most DNSSEC
-   validation failures and removing them makes it easier to see the
-   common failures. The default is to display the fields. When omitted,
-   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
-   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
-
-``+[no]trust``
-   This option controls whether to display the trust level when printing a record.
-   The default is to display the trust level.
-
-``+[no]split[=W]``
-   This option splits long hex- or base64-formatted fields in resource records into
-   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
-   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
-   split at all. The default is 56 characters, or 44 characters when
-   multiline mode is active.
-
-``+[no]all``
-   This option sets or clears the display options ``+[no]comments``,
-   ``+[no]rrcomments``, and ``+[no]trust`` as a group.
-
-``+[no]multiline``
-   This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
-   verbose multi-line format with human-readable comments. The default
-   is to print each record on a single line, to facilitate machine
-   parsing of the ``delv`` output.
-
-``+[no]dnssec``
-   This option indicates whether to display RRSIG records in the ``delv`` output.
-   The default is to do so. Note that (unlike in ``dig``) this does
-   *not* control whether to request DNSSEC records or to
-   validate them. DNSSEC records are always requested, and validation
-   always occurs unless suppressed by the use of ``-i`` or
-   ``+noroot``.
-
-``+[no]root[=ROOT]``
-   This option indicates whether to perform conventional DNSSEC validation, and if so,
-   specifies the name of a trust anchor. The default is to validate using a
-   trust anchor of "." (the root zone), for which there is a built-in key. If
-   specifying a different trust anchor, then ``-a`` must be used to specify a
-   file containing the key.
-
-``+[no]tcp``
-   This option controls whether to use TCP when sending queries. The default is to
-   use UDP unless a truncated response has been received.
-
-``+[no]unknownformat``
-   This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
-   The default is to print RDATA for known types in the type's
-   presentation format.
-
-``+[no]yaml``
-   This option prints response data in YAML format.
-
-Files
-~~~~~
-
-``/etc/bind.keys``
-
-``/etc/resolv.conf``
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.

bin/delv/win32/delv.vcxproj.in

@@ -113,20 +113,6 @@
   <ItemGroup>
     <ClCompile Include="..\delv.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/Makefile.am

@@ -25,10 +25,6 @@ libdighost_la_SOURCES = \
 
 bin_PROGRAMS = dig host nslookup
 
-nslookup_LDADD =		\
-	$(LDADD)
-
-if HAVE_READLINE
-nslookup_LDADD +=		\
-	$(READLINE_LIBS)
-endif HAVE_READLINE
+nslookup_LDADD =	\
+	$(LDADD)	\
+	$(READLINE_LIB)

bin/dig/dig.1

@@ -0,0 +1,853 @@
+.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: dig
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-02-19
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DIG" "1" "2014\-02\-19" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dig \- DNS lookup utility
+.SH "SYNOPSIS"
+.HP \w'\fBdig\fR\ 'u
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
+.HP \w'\fBdig\fR\ 'u
+\fBdig\fR [\fB\-h\fR]
+.HP \w'\fBdig\fR\ 'u
+\fBdig\fR [global\-queryopt...] [query...]
+.SH "DESCRIPTION"
+.PP
+\fBdig\fR
+is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
+\fBdig\fR
+to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
+\fBdig\fR\&.
+.PP
+Although
+\fBdig\fR
+is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file\&. A brief summary of its command\-line arguments and options is printed when the
+\fB\-h\fR
+option is given\&. Unlike earlier versions, the BIND 9 implementation of
+\fBdig\fR
+allows multiple lookups to be issued from the command line\&.
+.PP
+Unless it is told to query a specific name server,
+\fBdig\fR
+will try each of the servers listed in
+/etc/resolv\&.conf\&. If no usable server addresses are found,
+\fBdig\fR
+will send the query to the local host\&.
+.PP
+When no command line arguments or options are given,
+\fBdig\fR
+will perform an NS query for "\&." (the root)\&.
+.PP
+It is possible to set per\-user defaults for
+\fBdig\fR
+via
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
+\fB\-r\fR
+option disables this feature, for scripts that need predictable behaviour\&.
+.PP
+The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
+\fB\-t\fR
+and
+\fB\-c\fR
+options to specify the type and class, use the
+\fB\-q\fR
+the specify the domain name, or use "IN\&." and "CH\&." when looking up these top level domains\&.
+.SH "SIMPLE USAGE"
+.PP
+A typical invocation of
+\fBdig\fR
+looks like:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ dig @server name type 
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+where:
+.PP
+\fBserver\fR
+.RS 4
+is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
+\fIserver\fR
+argument is a hostname,
+\fBdig\fR
+resolves that name before querying that name server\&.
+.sp
+If no
+\fIserver\fR
+argument is provided,
+\fBdig\fR
+consults
+/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
+\fB\-4\fR
+or
+\fB\-6\fR
+options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
+\fBdig\fR
+will send the query to the local host\&. The reply from the name server that responds is displayed\&.
+.RE
+.PP
+\fBname\fR
+.RS 4
+is the name of the resource record that is to be looked up\&.
+.RE
+.PP
+\fBtype\fR
+.RS 4
+indicates what type of query is required \(em ANY, A, MX, SIG, etc\&.
+\fItype\fR
+can be any valid query type\&. If no
+\fItype\fR
+argument is supplied,
+\fBdig\fR
+will perform a lookup for an A record\&.
+.RE
+.SH "OPTIONS"
+.PP
+\-4
+.RS 4
+Use IPv4 only\&.
+.RE
+.PP
+\-6
+.RS 4
+Use IPv6 only\&.
+.RE
+.PP
+\-b \fIaddress\fR\fI[#port]\fR
+.RS 4
+Set the source IP address of the query\&. The
+\fIaddress\fR
+must be a valid address on one of the host\*(Aqs network interfaces, or "0\&.0\&.0\&.0" or "::"\&. An optional port may be specified by appending "#<port>"
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Set the query class\&. The default
+\fIclass\fR
+is IN; other classes are HS for Hesiod records or CH for Chaosnet records\&.
+.RE
+.PP
+\-f \fIfile\fR
+.RS 4
+Batch mode:
+\fBdig\fR
+reads a list of lookup requests to process from the given
+\fIfile\fR\&. Each line in the file should be organized in the same way they would be presented as queries to
+\fBdig\fR
+using the command\-line interface\&.
+.RE
+.PP
+\-k \fIkeyfile\fR
+.RS 4
+Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
+\fBtsig-keygen\fR(8)\&. When using TSIG authentication with
+\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used\&. In BIND, this is done by providing appropriate
+\fBkey\fR
+and
+\fBserver\fR
+statements in
+named\&.conf\&.
+.RE
+.PP
+\-m
+.RS 4
+Enable memory usage debugging\&.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Send the query to a non\-standard port on the server, instead of the default port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&.
+.RE
+.PP
+\-q \fIname\fR
+.RS 4
+The domain name to query\&. This is useful to distinguish the
+\fIname\fR
+from other arguments\&.
+.RE
+.PP
+\-r
+.RS 4
+Do not read options from
+${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
+\fB\-x\fR
+option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
+\fItype\fR
+to
+ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
+\fIN\fR\&.
+.sp
+All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
+.RE
+.PP
+\-u
+.RS 4
+Print query times in microseconds instead of milliseconds\&.
+.RE
+.PP
+\-v
+.RS 4
+Print the version number and exit\&.
+.RE
+.PP
+\-x \fIaddr\fR
+.RS 4
+Simplified reverse lookups, for mapping addresses to names\&. The
+\fIaddr\fR
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When the
+\fB\-x\fR
+is used, there is no need to provide the
+\fIname\fR,
+\fIclass\fR
+and
+\fItype\fR
+arguments\&.
+\fBdig\fR
+automatically performs a lookup for a name like
+94\&.2\&.0\&.192\&.in\-addr\&.arpa
+and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
+.RE
+.PP
+\-y \fI[hmac:]\fR\fIkeyname:secret\fR
+.RS 4
+Sign queries using TSIG with the given authentication key\&.
+\fIkeyname\fR
+is the name of the key, and
+\fIsecret\fR
+is the base64 encoded shared secret\&.
+\fIhmac\fR
+is the name of the key algorithm; valid choices are
+hmac\-md5,
+hmac\-sha1,
+hmac\-sha224,
+hmac\-sha256,
+hmac\-sha384, or
+hmac\-sha512\&. If
+\fIhmac\fR
+is not specified, the default is
+hmac\-md5
+or if MD5 was disabled
+hmac\-sha256\&.
+.sp
+NOTE: You should use the
+\fB\-k\fR
+option and avoid the
+\fB\-y\fR
+option, because with
+\fB\-y\fR
+the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
+\fBps\fR(1)
+or in a history file maintained by the user\*(Aqs shell\&.
+.RE
+.SH "QUERY OPTIONS"
+.PP
+\fBdig\fR
+provides a number of query options which affect the way in which lookups are made and the results displayed\&. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies\&.
+.PP
+Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
+no
+to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
+\fB+keyword=value\fR\&. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
++cd
+is equivalent to
++cdflag\&. The query options are:
+.PP
+\fB+[no]aaflag\fR
+.RS 4
+A synonym for
+\fI+[no]aaonly\fR\&.
+.RE
+.PP
+\fB+[no]aaonly\fR
+.RS 4
+Sets the "aa" flag in the query\&.
+.RE
+.PP
+\fB+[no]additional\fR
+.RS 4
+Display [do not display] the additional section of a reply\&. The default is to display it\&.
+.RE
+.PP
+\fB+[no]adflag\fR
+.RS 4
+Set [do not set] the AD (authentic data) bit in the query\&. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server\&. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range\&. AD=0 indicate that some part of the answer was insecure or not validated\&. This bit is set by default\&.
+.RE
+.PP
+\fB+[no]all\fR
+.RS 4
+Set or clear all display flags\&.
+.RE
+.PP
+\fB+[no]answer\fR
+.RS 4
+Display [do not display] the answer section of a reply\&. The default is to display it\&.
+.RE
+.PP
+\fB+[no]authority\fR
+.RS 4
+Display [do not display] the authority section of a reply\&. The default is to display it\&.
+.RE
+.PP
+\fB+[no]badcookie\fR
+.RS 4
+Retry lookup with the new server cookie if a BADCOOKIE response is received\&.
+.RE
+.PP
+\fB+[no]besteffort\fR
+.RS 4
+Attempt to display the contents of messages which are malformed\&. The default is to not display malformed answers\&.
+.RE
+.PP
+\fB+bufsize=B\fR
+.RS 4
+Set the UDP message buffer size advertised using EDNS0 to
+\fIB\fR
+bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0 respectively\&. Values outside this range are rounded up or down appropriately\&. Values other than zero will cause a EDNS query to be sent\&.
+.RE
+.PP
+\fB+[no]cdflag\fR
+.RS 4
+Set [do not set] the CD (checking disabled) bit in the query\&. This requests the server to not perform DNSSEC validation of responses\&.
+.RE
+.PP
+\fB+[no]class\fR
+.RS 4
+Display [do not display] the CLASS when printing the record\&.
+.RE
+.PP
+\fB+[no]cmd\fR
+.RS 4
+Toggles the printing of the initial comment in the output, identifying the version of
+\fBdig\fR
+and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
+.RE
+.PP
+\fB+[no]comments\fR
+.RS 4
+Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
+.sp
+Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
+\fB+[no]cmd\fR,
+\fB+[no]question\fR,
+\fB+[no]stats\fR, and
+\fB+[no]rrcomments\fR\&.
+.RE
+.PP
+\fB+[no]cookie\fR\fB[=####]\fR
+.RS 4
+Send a COOKIE EDNS option, with optional value\&. Replaying a COOKIE from a previous response will allow the server to identify a previous client\&. The default is
+\fB+cookie\fR\&.
+.sp
+\fB+cookie\fR
+is also set when +trace is set to better emulate the default queries from a nameserver\&.
+.RE
+.PP
+\fB+[no]crypto\fR
+.RS 4
+Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
+.RE
+.PP
+\fB+[no]defname\fR
+.RS 4
+Deprecated, treated as a synonym for
+\fI+[no]search\fR
+.RE
+.PP
+\fB+[no]dnssec\fR
+.RS 4
+Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query\&.
+.RE
+.PP
+\fB+domain=somename\fR
+.RS 4
+Set the search list to contain the single domain
+\fIsomename\fR, as if specified in a
+\fBdomain\fR
+directive in
+/etc/resolv\&.conf, and enable search list processing as if the
+\fI+search\fR
+option were given\&.
+.RE
+.PP
+\fB+dscp=value\fR
+.RS 4
+Set the DSCP code point to be used when sending the query\&. Valid DSCP code points are in the range [0\&.\&.63]\&. By default no code point is explicitly set\&.
+.RE
+.PP
+\fB+[no]edns[=#]\fR
+.RS 4
+Specify the EDNS version to query with\&. Valid values are 0 to 255\&. Setting the EDNS version will cause a EDNS query to be sent\&.
+\fB+noedns\fR
+clears the remembered EDNS version\&. EDNS is set to 0 by default\&.
+.RE
+.PP
+\fB+[no]ednsflags[=#]\fR
+.RS 4
+Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value\&. Decimal, hex and octal encodings are accepted\&. Setting a named flag (e\&.g\&. DO) will silently be ignored\&. By default, no Z bits are set\&.
+.RE
+.PP
+\fB+[no]ednsnegotiation\fR
+.RS 4
+Enable / disable EDNS version negotiation\&. By default EDNS version negotiation is enabled\&.
+.RE
+.PP
+\fB+[no]ednsopt[=code[:value]]\fR
+.RS 4
+Specify EDNS option with code point
+\fBcode\fR
+and optionally payload of
+\fBvalue\fR
+as a hexadecimal string\&.
+\fBcode\fR
+can be either an EDNS option name (for example,
+NSID
+or
+ECS), or an arbitrary numeric value\&.
+\fB+noednsopt\fR
+clears the EDNS options to be sent\&.
+.RE
+.PP
+\fB+[no]expire\fR
+.RS 4
+Send an EDNS Expire option\&.
+.RE
+.PP
+\fB+[no]expandaaaa\fR
+.RS 4
+When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
+.RE
+.PP
+\fB+[no]fail\fR
+.RS 4
+Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
+.RE
+.PP
+\fB+[no]header\-only\fR
+.RS 4
+Send a query with a DNS header without a question section\&. The default is to add a question section\&. The query type and query name are ignored when this is set\&.
+.RE
+.PP
+\fB+[no]identify\fR
+.RS 4
+Show [or do not show] the IP address and port number that supplied the answer when the
+\fI+short\fR
+option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
+.RE
+.PP
+\fB+[no]idnin\fR
+.RS 4
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
+.sp
+The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+.RE
+.PP
+\fB+[no]idnout\fR
+.RS 4
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
+.sp
+The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
+.RE
+.PP
+\fB+[no]ignore\fR
+.RS 4
+Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
+.RE
+.PP
+\fB+[no]keepalive\fR
+.RS 4
+Send [or do not send] an EDNS Keepalive option\&.
+.RE
+.PP
+\fB+[no]keepopen\fR
+.RS 4
+Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup\&. The default is
+\fB+nokeepopen\fR\&.
+.RE
+.PP
+\fB+[no]mapped\fR
+.RS 4
+Allow mapped IPv4 over IPv6 addresses to be used\&. The default is
+\fB+mapped\fR\&.
+.RE
+.PP
+\fB+[no]multiline\fR
+.RS 4
+Print records like the SOA records in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
+\fBdig\fR
+output\&.
+.RE
+.PP
+\fB+ndots=D\fR
+.RS 4
+Set the number of dots that have to appear in
+\fIname\fR
+to
+\fID\fR
+for it to be considered absolute\&. The default value is that defined using the ndots statement in
+/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
+\fBsearch\fR
+or
+\fBdomain\fR
+directive in
+/etc/resolv\&.conf
+if
+\fB+search\fR
+is set\&.
+.RE
+.PP
+\fB+[no]nsid\fR
+.RS 4
+Include an EDNS name server ID request when sending a query\&.
+.RE
+.PP
+\fB+[no]nssearch\fR
+.RS 4
+When this option is set,
+\fBdig\fR
+attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&. Addresses of servers that that did not respond are also printed\&.
+.RE
+.PP
+\fB+[no]onesoa\fR
+.RS 4
+Print only one (starting) SOA record when performing an AXFR\&. The default is to print both the starting and ending SOA records\&.
+.RE
+.PP
+\fB+[no]opcode=value\fR
+.RS 4
+Set [restore] the DNS message opcode to the specified value\&. The default value is QUERY (0)\&.
+.RE
+.PP
+\fB+padding=value\fR
+.RS 4
+Pad the size of the query packet using the EDNS Padding option to blocks of
+\fIvalue\fR
+bytes\&. For example,
+\fB+padding=32\fR
+would cause a 48\-byte query to be padded to 64 bytes\&. The default block size is 0, which disables padding\&. The maximum is 512\&. Values are ordinarily expected to be powers of two, such as 128; however, this is not mandatory\&. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE\&.
+.RE
+.PP
+\fB+[no]qr\fR
+.RS 4
+Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
+.RE
+.PP
+\fB+[no]question\fR
+.RS 4
+Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
+.RE
+.PP
+\fB+[no]raflag\fR
+.RS 4
+Set [do not set] the RA (Recursion Available) bit in the query\&. The default is +noraflag\&. This bit should be ignored by the server for QUERY\&.
+.RE
+.PP
+\fB+[no]rdflag\fR
+.RS 4
+A synonym for
+\fI+[no]recurse\fR\&.
+.RE
+.PP
+\fB+[no]recurse\fR
+.RS 4
+Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
+\fBdig\fR
+normally sends recursive queries\&. Recursion is automatically disabled when using the
+\fI+nssearch\fR
+option, and when using
+\fI+trace\fR
+except for an initial recursive query to get the list of root servers\&.
+.RE
+.PP
+\fB+retry=T\fR
+.RS 4
+Sets the number of times to retry UDP queries to server to
+\fIT\fR
+instead of the default, 2\&. Unlike
+\fI+tries\fR, this does not include the initial query\&.
+.RE
+.PP
+\fB+[no]rrcomments\fR
+.RS 4
+Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is not to print record comments unless multiline mode is active\&.
+.RE
+.PP
+\fB+[no]search\fR
+.RS 4
+Use [do not use] the search list defined by the searchlist or domain directive in
+resolv\&.conf
+(if any)\&. The search list is not used by default\&.
+.sp
+\*(Aqndots\*(Aq from
+resolv\&.conf
+(default 1) which may be overridden by
+\fI+ndots\fR
+determines if the name will be treated as relative or not and hence whether a search is eventually performed or not\&.
+.RE
+.PP
+\fB+[no]short\fR
+.RS 4
+Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
+.RE
+.PP
+\fB+[no]showsearch\fR
+.RS 4
+Perform [do not perform] a search showing intermediate results\&.
+.RE
+.PP
+\fB+[no]sigchase\fR
+.RS 4
+This feature is now obsolete and has been removed; use
+\fBdelv\fR
+instead\&.
+.RE
+.PP
+\fB+split=W\fR
+.RS 4
+Split long hex\- or base64\-formatted fields in resource records into chunks of
+\fIW\fR
+characters (where
+\fIW\fR
+is rounded up to the nearest multiple of 4)\&.
+\fI+nosplit\fR
+or
+\fI+split=0\fR
+causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
+.RE
+.PP
+\fB+[no]stats\fR
+.RS 4
+Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
+.RE
+.PP
+\fB+[no]subnet=addr[/prefix\-length]\fR
+.RS 4
+Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address or network prefix\&.
+.sp
+\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
+\fBdig +subnet=0\fR
+for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
+\fInot\fR
+be used when resolving this query\&.
+.RE
+.PP
+\fB+[no]tcflag\fR
+.RS 4
+Set [do not set] the TC (TrunCation) bit in the query\&. The default is +notcflag\&. This bit should be ignored by the server for QUERY\&.
+.RE
+.PP
+\fB+[no]tcp\fR
+.RS 4
+Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless a type
+any
+or
+ixfr=N
+query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
+.RE
+.PP
+\fB+timeout=T\fR
+.RS 4
+Sets the timeout for a query to
+\fIT\fR
+seconds\&. The default timeout is 5 seconds\&. An attempt to set
+\fIT\fR
+to less than 1 will result in a query timeout of 1 second being applied\&.
+.RE
+.PP
+\fB+[no]topdown\fR
+.RS 4
+This feature is related to
+\fBdig +sigchase\fR, which is obsolete and has been removed\&. Use
+\fBdelv\fR
+instead\&.
+.RE
+.PP
+\fB+[no]trace\fR
+.RS 4
+Toggle tracing of the delegation path from the root name servers for the name being looked up\&. Tracing is disabled by default\&. When tracing is enabled,
+\fBdig\fR
+makes iterative queries to resolve the name being looked up\&. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup\&.
+.sp
+If @server is also specified, it affects only the initial query for the root zone name servers\&.
+.sp
+\fB+dnssec\fR
+is also set when +trace is set to better emulate the default queries from a nameserver\&.
+.RE
+.PP
+\fB+tries=T\fR
+.RS 4
+Sets the number of times to try UDP queries to server to
+\fIT\fR
+instead of the default, 3\&. If
+\fIT\fR
+is less than or equal to zero, the number of tries is silently rounded up to 1\&.
+.RE
+.PP
+\fB+trusted\-key=####\fR
+.RS 4
+Formerly specified trusted keys for use with
+\fBdig +sigchase\fR\&. This feature is now obsolete and has been removed; use
+\fBdelv\fR
+instead\&.
+.RE
+.PP
+\fB+[no]ttlid\fR
+.RS 4
+Display [do not display] the TTL when printing the record\&.
+.RE
+.PP
+\fB+[no]ttlunits\fR
+.RS 4
+Display [do not display] the TTL in friendly human\-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks\&. Implies +ttlid\&.
+.RE
+.PP
+\fB+[no]unexpected\fR
+.RS 4
+Accept [do not accept] answers from unexpected sources\&. By default,
+\fBdig\fR
+won\*(Aqt accept a reply from a source other than the one to which it sent the query\&.
+.RE
+.PP
+\fB+[no]unknownformat\fR
+.RS 4
+Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
+.RE
+.PP
+\fB+[no]vc\fR
+.RS 4
+Use [do not use] TCP when querying name servers\&. This alternate syntax to
+\fI+[no]tcp\fR
+is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
+.RE
+.PP
+\fB+[no]yaml\fR
+.RS 4
+Print the responses (and, if
+\fB+qr\fR
+is in use, also the outgoing queries) in a detailed YAML format\&.
+.RE
+.PP
+\fB+[no]zflag\fR
+.RS 4
+Set [do not set] the last unassigned DNS header flag in a DNS query\&. This flag is off by default\&.
+.RE
+.SH "MULTIPLE QUERIES"
+.PP
+The BIND 9 implementation of
+\fBdig \fR
+supports specifying multiple queries on the command line (in addition to supporting the
+\fB\-f\fR
+batch file option)\&. Each of those queries can be supplied with its own set of flags, options and query options\&.
+.PP
+In this case, each
+\fIquery\fR
+argument represent an individual query in the command\-line syntax described above\&. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query\&.
+.PP
+A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except
+\fB+[no]cmd\fR
+and
+\fB+[no]short\fR
+options) can be overridden by a query\-specific set of query options\&. For example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+dig +qr www\&.isc\&.org any \-x 127\&.0\&.0\&.1 isc\&.org ns +noqr
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+shows how
+\fBdig\fR
+could be used from the command line to make three lookups: an ANY query for
+www\&.isc\&.org, a reverse lookup of 127\&.0\&.0\&.1 and a query for the NS records of
+isc\&.org\&. A global query option of
+\fI+qr\fR
+is applied, so that
+\fBdig\fR
+shows the initial query it made for each lookup\&. The final query has a local query option of
+\fI+noqr\fR
+which means that
+\fBdig\fR
+will not print the initial query when it looks up the NS records for
+isc\&.org\&.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBdig\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
+\fBdig\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
+\fI+noidnin\fR
+and
+\fI+noidnout\fR
+or define the
+\fBIDN_DISABLE\fR
+environment variable\&.
+.SH "FILES"
+.PP
+/etc/resolv\&.conf
+.PP
+${HOME}/\&.digrc
+.SH "SEE ALSO"
+.PP
+\fBdelv\fR(1),
+\fBhost\fR(1),
+\fBnamed\fR(8),
+\fBdnssec-keygen\fR(8),
+RFC 1035\&.
+.SH "BUGS"
+.PP
+There are probably too many query options\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dig/dig.c

@@ -97,12 +97,11 @@ rcode_totext(dns_rcode_t rcode) {
 /*% print usage */
 static void
 print_usage(FILE *fp) {
-	fprintf(fp,
-		"Usage:  dig [@global-server] [domain] [q-type] [q-class] "
-		"{q-opt}\n"
-		"            {global-d-opt} host [@local-server] "
-		"{local-d-opt}\n"
-		"            [ host [@local-server] {local-d-opt} [...]]\n");
+	fputs("Usage:  dig [@global-server] [domain] [q-type] [q-class] "
+	      "{q-opt}\n"
+	      "            {global-d-opt} host [@local-server] {local-d-opt}\n"
+	      "            [ host [@local-server] {local-d-opt} [...]]\n",
+	      fp);
 }
 
 #if TARGET_OS_IPHONE
@@ -117,8 +116,9 @@ usage(void);
 static void
 usage(void) {
 	print_usage(stderr);
-	fprintf(stderr, "\nUse \"dig -h\" (or \"dig -h | more\") "
-			"for complete list of options\n");
+	fputs("\nUse \"dig -h\" (or \"dig -h | more\") "
+	      "for complete list of options\n",
+	      stderr);
 	exit(1);
 }
 #endif /* if TARGET_OS_IPHONE */
@@ -133,187 +133,179 @@ version(void) {
 static void
 help(void) {
 	print_usage(stdout);
-	printf("Where:  domain	  is in the Domain Name System\n"
-	       "        q-class  is one of (in,hs,ch,...) [default: in]\n"
-	       "        q-type   is one of "
-	       "(a,any,mx,ns,soa,hinfo,axfr,txt,...) "
-	       "[default:a]\n"
-	       "                 (Use ixfr=version for type ixfr)\n"
-	       "        q-opt    is one of:\n"
-	       "                 -4                  (use IPv4 query transport "
-	       "only)\n"
-	       "                 -6                  (use IPv6 query transport "
-	       "only)\n"
-	       "                 -b address[#port]   (bind to source "
-	       "address/port)\n"
-	       "                 -c class            (specify query class)\n"
-	       "                 -f filename         (batch mode)\n"
-	       "                 -k keyfile          (specify tsig key file)\n"
-	       "                 -m                  (enable memory usage "
-	       "debugging)\n"
-	       "                 -p port             (specify port number)\n"
-	       "                 -q name             (specify query name)\n"
-	       "                 -r                  (do not read ~/.digrc)\n"
-	       "                 -t type             (specify query type)\n"
-	       "                 -u                  (display times in usec "
-	       "instead of msec)\n"
-	       "                 -x dot-notation     (shortcut for reverse "
-	       "lookups)\n"
-	       "                 -y [hmac:]name:key  (specify named base64 "
-	       "tsig "
-	       "key)\n"
-	       "        d-opt    is of the form +keyword[=value], where "
-	       "keyword "
-	       "is:\n"
-	       "                 +[no]aaflag         (Set AA flag in query "
-	       "(+[no]aaflag))\n"
-	       "                 +[no]aaonly         (Set AA flag in query "
-	       "(+[no]aaflag))\n"
-	       "                 +[no]additional     (Control display of "
-	       "additional section)\n"
-	       "                 +[no]adflag         (Set AD flag in query "
-	       "(default on))\n"
-	       "                 +[no]all            (Set or clear all display "
-	       "flags)\n"
-	       "                 +[no]answer         (Control display of "
-	       "answer "
-	       "section)\n"
-	       "                 +[no]authority      (Control display of "
-	       "authority section)\n"
-	       "                 +[no]badcookie      (Retry BADCOOKIE "
-	       "responses)\n"
-	       "                 +[no]besteffort     (Try to parse even "
-	       "illegal "
-	       "messages)\n"
-	       "                 +bufsize=###        (Set EDNS0 Max UDP packet "
-	       "size)\n"
-	       "                 +[no]cdflag         (Set checking disabled "
-	       "flag in query)\n"
-	       "                 +[no]class          (Control display of class "
-	       "in records)\n"
-	       "                 +[no]cmd            (Control display of "
-	       "command line -\n"
-	       "                                      global option)\n"
-	       "                 +[no]comments       (Control display of "
-	       "packet "
-	       "header\n"
-	       "                                      and section name "
-	       "comments)\n"
-	       "                 +[no]cookie         (Add a COOKIE option to "
-	       "the request)\n"
-	       "                 +[no]crypto         (Control display of "
-	       "cryptographic\n"
-	       "                                      fields in records)\n"
-	       "                 +[no]defname        (Use search list "
-	       "(+[no]search))\n"
-	       "                 +[no]dnssec         (Request DNSSEC records)\n"
-	       "                 +domain=###         (Set default domainname)\n"
-	       "                 +[no]dscp[=###]     (Set the DSCP value to "
-	       "### "
-	       "[0..63])\n"
-	       "                 +[no]edns[=###]     (Set EDNS version) [0]\n"
-	       "                 +ednsflags=###      (Set EDNS flag bits)\n"
-	       "                 +[no]ednsnegotiation (Set EDNS version "
-	       "negotiation)\n"
-	       "                 +ednsopt=###[:value] (Send specified EDNS "
-	       "option)\n"
-	       "                 +noednsopt          (Clear list of +ednsopt "
-	       "options)\n"
-	       "                 +[no]expandaaaa     (Expand AAAA records)\n"
-	       "                 +[no]expire         (Request time to expire)\n"
-	       "                 +[no]fail           (Don't try next server on "
-	       "SERVFAIL)\n"
-	       "                 +[no]header-only    (Send query without a "
-	       "question section)\n"
-	       "                 +[no]identify       (ID responders in short "
-	       "answers)\n"
+	fputs("Where:  domain	  is in the Domain Name System\n"
+	      "        q-class  is one of (in,hs,ch,...) [default: in]\n"
+	      "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) "
+	      "[default:a]\n"
+	      "                 (Use ixfr=version for type ixfr)\n"
+	      "        q-opt    is one of:\n"
+	      "                 -4                  (use IPv4 query transport "
+	      "only)\n"
+	      "                 -6                  (use IPv6 query transport "
+	      "only)\n"
+	      "                 -b address[#port]   (bind to source "
+	      "address/port)\n"
+	      "                 -c class            (specify query class)\n"
+	      "                 -f filename         (batch mode)\n"
+	      "                 -k keyfile          (specify tsig key file)\n"
+	      "                 -m                  (enable memory usage "
+	      "debugging)\n"
+	      "                 -p port             (specify port number)\n"
+	      "                 -q name             (specify query name)\n"
+	      "                 -r                  (do not read ~/.digrc)\n"
+	      "                 -t type             (specify query type)\n"
+	      "                 -u                  (display times in usec "
+	      "instead of msec)\n"
+	      "                 -x dot-notation     (shortcut for reverse "
+	      "lookups)\n"
+	      "                 -y [hmac:]name:key  (specify named base64 tsig "
+	      "key)\n"
+	      "        d-opt    is of the form +keyword[=value], where keyword "
+	      "is:\n"
+	      "                 +[no]aaflag         (Set AA flag in query "
+	      "(+[no]aaflag))\n"
+	      "                 +[no]aaonly         (Set AA flag in query "
+	      "(+[no]aaflag))\n"
+	      "                 +[no]additional     (Control display of "
+	      "additional section)\n"
+	      "                 +[no]adflag         (Set AD flag in query "
+	      "(default on))\n"
+	      "                 +[no]all            (Set or clear all display "
+	      "flags)\n"
+	      "                 +[no]answer         (Control display of answer "
+	      "section)\n"
+	      "                 +[no]authority      (Control display of "
+	      "authority section)\n"
+	      "                 +[no]badcookie      (Retry BADCOOKIE "
+	      "responses)\n"
+	      "                 +[no]besteffort     (Try to parse even illegal "
+	      "messages)\n"
+	      "                 +bufsize=###        (Set EDNS0 Max UDP packet "
+	      "size)\n"
+	      "                 +[no]cdflag         (Set checking disabled "
+	      "flag in query)\n"
+	      "                 +[no]class          (Control display of class "
+	      "in records)\n"
+	      "                 +[no]cmd            (Control display of "
+	      "command line -\n"
+	      "                                      global option)\n"
+	      "                 +[no]comments       (Control display of packet "
+	      "header\n"
+	      "                                      and section name "
+	      "comments)\n"
+	      "                 +[no]cookie         (Add a COOKIE option to "
+	      "the request)\n"
+	      "                 +[no]crypto         (Control display of "
+	      "cryptographic\n"
+	      "                                      fields in records)\n"
+	      "                 +[no]defname        (Use search list "
+	      "(+[no]search))\n"
+	      "                 +[no]dnssec         (Request DNSSEC records)\n"
+	      "                 +domain=###         (Set default domainname)\n"
+	      "                 +[no]dscp[=###]     (Set the DSCP value to ### "
+	      "[0..63])\n"
+	      "                 +[no]edns[=###]     (Set EDNS version) [0]\n"
+	      "                 +ednsflags=###      (Set EDNS flag bits)\n"
+	      "                 +[no]ednsnegotiation (Set EDNS version "
+	      "negotiation)\n"
+	      "                 +ednsopt=###[:value] (Send specified EDNS "
+	      "option)\n"
+	      "                 +noednsopt          (Clear list of +ednsopt "
+	      "options)\n"
+	      "                 +[no]expandaaaa     (Expand AAAA records)\n"
+	      "                 +[no]expire         (Request time to expire)\n"
+	      "                 +[no]fail           (Don't try next server on "
+	      "SERVFAIL)\n"
+	      "                 +[no]header-only    (Send query without a "
+	      "question section)\n"
+	      "                 +[no]identify       (ID responders in short "
+	      "answers)\n"
 #ifdef HAVE_LIBIDN2
-	       "                 +[no]idnin          (Parse IDN names "
-	       "[default=on on tty])\n"
-	       "                 +[no]idnout         (Convert IDN response "
-	       "[default=on on tty])\n"
+	      "                 +[no]idnin          (Parse IDN names "
+	      "[default=on on tty])\n"
+	      "                 +[no]idnout         (Convert IDN response "
+	      "[default=on on tty])\n"
 #endif /* ifdef HAVE_LIBIDN2 */
-	       "                 +[no]ignore         (Don't revert to TCP for "
-	       "TC responses.)\n"
-	       "                 +[no]keepalive      (Request EDNS TCP "
-	       "keepalive)\n"
-	       "                 +[no]keepopen       (Keep the TCP socket open "
-	       "between "
-	       "queries)\n"
-	       "                 +[no]mapped         (Allow mapped IPv4 over "
-	       "IPv6)\n"
-	       "                 +[no]multiline      (Print records in an "
-	       "expanded format)\n"
-	       "                 +ndots=###          (Set search NDOTS value)\n"
-	       "                 +[no]nsid           (Request Name Server ID)\n"
-	       "                 +[no]nssearch       (Search all authoritative "
-	       "nameservers)\n"
-	       "                 +[no]onesoa         (AXFR prints only one soa "
-	       "record)\n"
-	       "                 +[no]opcode=###     (Set the opcode of the "
-	       "request)\n"
-	       "                 +padding=###        (Set padding block size "
-	       "[0])\n"
-	       "                 +[no]qr             (Print question before "
-	       "sending)\n"
-	       "                 +[no]question       (Control display of "
-	       "question section)\n"
-	       "                 +[no]raflag         (Set RA flag in query "
-	       "(+[no]raflag))\n"
-	       "                 +[no]rdflag         (Recursive mode "
-	       "(+[no]recurse))\n"
-	       "                 +[no]recurse        (Recursive mode "
-	       "(+[no]rdflag))\n"
-	       "                 +retry=###          (Set number of UDP "
-	       "retries) [2]\n"
-	       "                 +[no]rrcomments     (Control display of "
-	       "per-record "
-	       "comments)\n"
-	       "                 +[no]search         (Set whether to use "
-	       "searchlist)\n"
-	       "                 +[no]short          (Display nothing except "
-	       "short\n"
-	       "                                      form of answers - global "
-	       "option)\n"
-	       "                 +[no]showsearch     (Search with intermediate "
-	       "results)\n"
-	       "                 +[no]split=##       (Split hex/base64 fields "
-	       "into chunks)\n"
-	       "                 +[no]stats          (Control display of "
-	       "statistics)\n"
-	       "                 +subnet=addr        (Set edns-client-subnet "
-	       "option)\n"
-	       "                 +[no]tcflag         (Set TC flag in query "
-	       "(+[no]tcflag))\n"
-	       "                 +[no]tcp            (TCP mode (+[no]vc))\n"
-	       "                 +timeout=###        (Set query timeout) [5]\n"
-	       "                 +[no]trace          (Trace delegation down "
-	       "from root "
-	       "[+dnssec])\n"
-	       "                 +tries=###          (Set number of UDP "
-	       "attempts) [3]\n"
-	       "                 +[no]ttlid          (Control display of ttls "
-	       "in records)\n"
-	       "                 +[no]ttlunits       (Display TTLs in "
-	       "human-readable units)\n"
-	       "                 +[no]unexpected     (Print replies from "
-	       "unexpected sources\n"
-	       "                                      default=off)\n"
-	       "                 +[no]unknownformat  (Print RDATA in RFC 3597 "
-	       "\"unknown\" "
-	       "format)\n"
-	       "                 +[no]vc             (TCP mode (+[no]tcp))\n"
-	       "                 +[no]yaml           (Present the results as "
-	       "YAML)\n"
-	       "                 +[no]zflag          (Set Z flag in query)\n"
-	       "        global d-opts and servers (before host name) affect "
-	       "all "
-	       "queries.\n"
-	       "        local d-opts and servers (after host name) affect only "
-	       "that lookup.\n"
-	       "        -h                           (print help and exit)\n"
-	       "        -v                           (print version "
-	       "and exit)\n");
+	      "                 +[no]ignore         (Don't revert to TCP for "
+	      "TC responses.)\n"
+	      "                 +[no]keepalive      (Request EDNS TCP "
+	      "keepalive)\n"
+	      "                 +[no]keepopen       (Keep the TCP socket open "
+	      "between "
+	      "queries)\n"
+	      "                 +[no]mapped         (Allow mapped IPv4 over "
+	      "IPv6)\n"
+	      "                 +[no]multiline      (Print records in an "
+	      "expanded format)\n"
+	      "                 +ndots=###          (Set search NDOTS value)\n"
+	      "                 +[no]nsid           (Request Name Server ID)\n"
+	      "                 +[no]nssearch       (Search all authoritative "
+	      "nameservers)\n"
+	      "                 +[no]onesoa         (AXFR prints only one soa "
+	      "record)\n"
+	      "                 +[no]opcode=###     (Set the opcode of the "
+	      "request)\n"
+	      "                 +padding=###        (Set padding block size "
+	      "[0])\n"
+	      "                 +[no]qr             (Print question before "
+	      "sending)\n"
+	      "                 +[no]question       (Control display of "
+	      "question section)\n"
+	      "                 +[no]raflag         (Set RA flag in query "
+	      "(+[no]raflag))\n"
+	      "                 +[no]rdflag         (Recursive mode "
+	      "(+[no]recurse))\n"
+	      "                 +[no]recurse        (Recursive mode "
+	      "(+[no]rdflag))\n"
+	      "                 +retry=###          (Set number of UDP "
+	      "retries) [2]\n"
+	      "                 +[no]rrcomments     (Control display of "
+	      "per-record "
+	      "comments)\n"
+	      "                 +[no]search         (Set whether to use "
+	      "searchlist)\n"
+	      "                 +[no]short          (Display nothing except "
+	      "short\n"
+	      "                                      form of answers - global "
+	      "option)\n"
+	      "                 +[no]showsearch     (Search with intermediate "
+	      "results)\n"
+	      "                 +[no]split=##       (Split hex/base64 fields "
+	      "into chunks)\n"
+	      "                 +[no]stats          (Control display of "
+	      "statistics)\n"
+	      "                 +subnet=addr        (Set edns-client-subnet "
+	      "option)\n"
+	      "                 +[no]tcflag         (Set TC flag in query "
+	      "(+[no]tcflag))\n"
+	      "                 +[no]tcp            (TCP mode (+[no]vc))\n"
+	      "                 +timeout=###        (Set query timeout) [5]\n"
+	      "                 +[no]trace          (Trace delegation down "
+	      "from root "
+	      "[+dnssec])\n"
+	      "                 +tries=###          (Set number of UDP "
+	      "attempts) [3]\n"
+	      "                 +[no]ttlid          (Control display of ttls "
+	      "in records)\n"
+	      "                 +[no]ttlunits       (Display TTLs in "
+	      "human-readable units)\n"
+	      "                 +[no]unexpected     (Print replies from "
+	      "unexpected sources\n"
+	      "                                      default=off)\n"
+	      "                 +[no]unknownformat  (Print RDATA in RFC 3597 "
+	      "\"unknown\" "
+	      "format)\n"
+	      "                 +[no]vc             (TCP mode (+[no]tcp))\n"
+	      "                 +[no]yaml           (Present the results as "
+	      "YAML)\n"
+	      "                 +[no]zflag          (Set Z flag in query)\n"
+	      "        global d-opts and servers (before host name) affect all "
+	      "queries.\n"
+	      "        local d-opts and servers (after host name) affect only "
+	      "that lookup.\n"
+	      "        -h                           (print help and exit)\n"
+	      "        -v                           (print version and exit)\n",
+	      stdout);
 }
 
 /*%
@@ -615,7 +607,7 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
 
 	if (query->lookup->cmdline[0] != 0) {
 		if (!short_form && printcmd) {
-			printf("%s", query->lookup->cmdline);
+			fputs(query->lookup->cmdline, stdout);
 		}
 		query->lookup->cmdline[0] = '\0';
 	}
@@ -1489,24 +1481,6 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
 		break;
 	case 'q':
 		switch (cmd[1]) {
-		case 'i': /* qid */
-			FULLCHECK("qid");
-			if (!state) {
-				lookup->setqid = false;
-				lookup->qid = 0;
-				break;
-			}
-			if (value == NULL) {
-				goto need_value;
-			}
-			result = parse_uint(&num, value, MAXQID, "qid");
-			if (result != ISC_R_SUCCESS) {
-				warn("Couldn't parse qid");
-				goto exit_or_usage;
-			}
-			lookup->setqid = true;
-			lookup->qid = num;
-			break;
 		case 'r': /* qr */
 			FULLCHECK("qr");
 			lookup->qr = state;

bin/dig/dig.rst

@@ -1,636 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dig:
-
-dig - DNS lookup utility
-------------------------
-
-Synopsis
-~~~~~~~~
-:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
-
-:program:`dig` [**-h**]
-
-:program:`dig` [global-queryopt...] [query...]
-
-Description
-~~~~~~~~~~~
-
-``dig`` is a flexible tool for interrogating DNS name servers. It
-performs DNS lookups and displays the answers that are returned from the
-name server(s) that were queried. Most DNS administrators use ``dig`` to
-troubleshoot DNS problems because of its flexibility, ease of use, and
-clarity of output. Other lookup tools tend to have less functionality
-than ``dig``.
-
-Although ``dig`` is normally used with command-line arguments, it also
-has a batch mode of operation for reading lookup requests from a file. A
-brief summary of its command-line arguments and options is printed when
-the ``-h`` option is given. The BIND 9
-implementation of ``dig`` allows multiple lookups to be issued from the
-command line.
-
-Unless it is told to query a specific name server, ``dig`` tries each
-of the servers listed in ``/etc/resolv.conf``. If no usable server
-addresses are found, ``dig`` sends the query to the local host.
-
-When no command-line arguments or options are given, ``dig``
-performs an NS query for "." (the root).
-
-It is possible to set per-user defaults for ``dig`` via
-``${HOME}/.digrc``. This file is read and any options in it are applied
-before the command-line arguments. The ``-r`` option disables this
-feature, for scripts that need predictable behavior.
-
-The IN and CH class names overlap with the IN and CH top-level domain
-names. Either use the ``-t`` and ``-c`` options to specify the type and
-class, use the ``-q`` to specify the domain name, or use "IN." and
-"CH." when looking up these top-level domains.
-
-Simple Usage
-~~~~~~~~~~~~
-
-A typical invocation of ``dig`` looks like:
-
-::
-
-    dig @server name type
-
-where:
-
-``server``
-   is the name or IP address of the name server to query. This can be an
-   IPv4 address in dotted-decimal notation or an IPv6 address in
-   colon-delimited notation. When the supplied ``server`` argument is a
-   hostname, ``dig`` resolves that name before querying that name
-   server.
-
-   If no ``server`` argument is provided, ``dig`` consults
-   ``/etc/resolv.conf``; if an address is found there, it queries the
-   name server at that address. If either of the ``-4`` or ``-6``
-   options are in use, then only addresses for the corresponding
-   transport are tried. If no usable addresses are found, ``dig``
-   sends the query to the local host. The reply from the name server
-   that responds is displayed.
-
-``name``
-   is the name of the resource record that is to be looked up.
-
-``type``
-   indicates what type of query is required - ANY, A, MX, SIG, etc.
-   ``type`` can be any valid query type. If no ``type`` argument is
-   supplied, ``dig`` performs a lookup for an A record.
-
-Options
-~~~~~~~
-
-``-4``
-   This option indicates that only IPv4 should be used.
-
-``-6``
-   This option indicates that only IPv6 should be used.
-
-``-b address[#port]``
-   This option sets the source IP address of the query. The ``address`` must be a
-   valid address on one of the host's network interfaces, or "0.0.0.0"
-   or "::". An optional port may be specified by appending ``#port``.
-
-``-c class``
-   This option sets the query class. The default ``class`` is IN; other classes are
-   HS for Hesiod records or CH for Chaosnet records.
-
-``-f file``
-   This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from
-   the given ``file``. Each line in the file should be organized in the
-   same way it would be presented as a query to ``dig`` using the
-   command-line interface.
-
-``-k keyfile``
-   This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key
-   files can be generated using ``tsig-keygen``. When using TSIG
-   authentication with ``dig``, the name server that is queried needs to
-   know the key and algorithm that is being used. In BIND, this is done
-   by providing appropriate ``key`` and ``server`` statements in
-   ``named.conf``.
-
-``-m``
-   This option enables memory usage debugging.
-
-``-p port``
-   This option sends the query to a non-standard port on the server, instead of the
-   default port 53. This option is used to test a name server that
-   has been configured to listen for queries on a non-standard port
-   number.
-
-``-q name``
-   This option specifies the domain name to query. This is useful to distinguish the ``name``
-   from other arguments.
-
-``-r``
-   This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
-   scripts that need predictable behavior.
-
-``-t type``
-   This option indicates the resource record type to query, which can be any valid query type. If
-   it is a resource record type supported in BIND 9, it can be given by
-   the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
-   ``A``, unless the ``-x`` option is supplied to indicate a reverse
-   lookup. A zone transfer can be requested by specifying a type of
-   AXFR. When an incremental zone transfer (IXFR) is required, set the
-   ``type`` to ``ixfr=N``. The incremental zone transfer contains
-   all changes made to the zone since the serial number in the zone's
-   SOA record was ``N``.
-
-   All resource record types can be expressed as ``TYPEnn``, where ``nn`` is
-   the number of the type. If the resource record type is not supported
-   in BIND 9, the result is displayed as described in :rfc:`3597`.
-
-``-u``
-   This option indicates that print query times should be provided in microseconds instead of milliseconds.
-
-``-v``
-   This option prints the version number and exits.
-
-``-x addr``
-   This option sets simplified reverse lookups, for mapping addresses to names. The
-   ``addr`` is an IPv4 address in dotted-decimal notation, or a
-   colon-delimited IPv6 address. When the ``-x`` option is used, there is no
-   need to provide the ``name``, ``class``, and ``type`` arguments.
-   ``dig`` automatically performs a lookup for a name like
-   ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
-   and IN respectively. IPv6 addresses are looked up using nibble format
-   under the IP6.ARPA domain.
-
-``-y [hmac:]keyname:secret``
-   This option signs queries using TSIG with the given authentication key.
-   ``keyname`` is the name of the key, and ``secret`` is the
-   base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
-   valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
-   ``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
-   not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
-   ``hmac-sha256``.
-
-.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option,
-   because with ``-y`` the shared secret is supplied as a command-line
-   argument in clear text. This may be visible in the output from ``ps1`` or
-   in a history file maintained by the user's shell.
-
-Query Options
-~~~~~~~~~~~~~
-
-``dig`` provides a number of query options which affect the way in which
-lookups are made and the results displayed. Some of these set or reset
-flag bits in the query header, some determine which sections of the
-answer get printed, and others determine the timeout and retry
-strategies.
-
-Each query option is identified by a keyword preceded by a plus sign
-(``+``). Some keywords set or reset an option; these may be preceded by
-the string ``no`` to negate the meaning of that keyword. Other keywords
-assign values to options, like the timeout interval. They have the form
-``+keyword=value``. Keywords may be abbreviated, provided the
-abbreviation is unambiguous; for example, ``+cd`` is equivalent to
-``+cdflag``. The query options are:
-
-``+[no]aaflag``
-   This option is a synonym for ``+[no]aaonly``.
-
-``+[no]aaonly``
-   This option sets the ``aa`` flag in the query.
-
-``+[no]additional``
-   This option displays [or does not display] the additional section of a reply. The
-   default is to display it.
-
-``+[no]adflag``
-   This option sets [or does not set] the AD (authentic data) bit in the query. This
-   requests the server to return whether all of the answer and authority
-   sections have been validated as secure, according to the security
-   policy of the server. ``AD=1`` indicates that all records have been
-   validated as secure and the answer is not from a OPT-OUT range. ``AD=0``
-   indicates that some part of the answer was insecure or not validated.
-   This bit is set by default.
-
-``+[no]all``
-   This option sets or clears all display flags.
-
-``+[no]answer``
-   This option displays [or does not display] the answer section of a reply. The default
-   is to display it.
-
-``+[no]authority``
-   This option displays [or does not display] the authority section of a reply. The
-   default is to display it.
-
-``+[no]badcookie``
-   This option retries the lookup with a new server cookie if a BADCOOKIE response is
-   received.
-
-``+[no]besteffort``
-   This option attempts to display the contents of messages which are malformed. The
-   default is to not display malformed answers.
-
-``+bufsize=B``
-   This option sets the UDP message buffer size advertised using EDNS0 to ``B``
-   bytes. The maximum and minimum sizes of this buffer are 65535 and 0,
-   respectively. Values outside this range are rounded up or down
-   appropriately. Values other than zero cause an EDNS query to be
-   sent.
-
-``+[no]cdflag``
-   This option sets [or does not set] the CD (checking disabled) bit in the query. This
-   requests the server to not perform DNSSEC validation of responses.
-
-``+[no]class``
-   This option displays [or does not display] the CLASS when printing the record.
-
-``+[no]cmd``
-   This option toggles the printing of the initial comment in the output, identifying the
-   version of ``dig`` and the query options that have been applied. This option
-   always has a global effect; it cannot be set globally and then overridden on a
-   per-lookup basis. The default is to print this comment.
-
-``+[no]comments``
-   This option toggles the display of some comment lines in the output, with
-   information about the packet header and OPT pseudosection, and the names of
-   the response section. The default is to print these comments.
-
-   Other types of comments in the output are not affected by this option, but
-   can be controlled using other command-line switches. These include
-   ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
-
-``+[no]cookie=####``
-   This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
-   from a previous response allows the server to identify a previous
-   client. The default is ``+cookie``.
-
-   ``+cookie`` is also set when ``+trace`` is set to better emulate the
-   default queries from a nameserver.
-
-``+[no]crypto``
-   This option toggles the display of cryptographic fields in DNSSEC records. The
-   contents of these fields are unnecessary for debugging most DNSSEC
-   validation failures and removing them makes it easier to see the
-   common failures. The default is to display the fields. When omitted,
-   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
-   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
-
-``+[no]defname``
-   This option, which is deprecated, is treated as a synonym for ``+[no]search``.
-
-``+[no]dnssec``
-   This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
-   the OPT record in the additional section of the query.
-
-``+domain=somename``
-   This option sets the search list to contain the single domain ``somename``, as if
-   specified in a ``domain`` directive in ``/etc/resolv.conf``, and
-   enables search list processing as if the ``+search`` option were
-   given.
-
-``+dscp=value``
-   This option sets the DSCP code point to be used when sending the query. Valid DSCP
-   code points are in the range [0...63]. By default no code point is
-   explicitly set.
-
-``+[no]edns[=#]``
-   This option specifies the EDNS version to query with. Valid values are 0 to 255.
-   Setting the EDNS version causes an EDNS query to be sent.
-   ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
-   default.
-
-``+[no]ednsflags[=#]``
-   This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
-   Decimal, hex, and octal encodings are accepted. Setting a named flag
-   (e.g., DO) is silently ignored. By default, no Z bits are set.
-
-``+[no]ednsnegotiation``
-   This option enables/disables EDNS version negotiation. By default, EDNS version
-   negotiation is enabled.
-
-``+[no]ednsopt[=code[:value]]``
-   This option specifies the EDNS option with code point ``code`` and an optional payload
-   of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
-   option name (for example, ``NSID`` or ``ECS``) or an arbitrary
-   numeric value. ``+noednsopt`` clears the EDNS options to be sent.
-
-``+[no]expire``
-   This option sends an EDNS Expire option.
-
-``+[no]fail``
-   This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is
-   to not try the next server, which is the reverse of normal stub
-   resolver behavior.
-
-``+[no]header-only``
-   This option sends a query with a DNS header without a question section. The
-   default is to add a question section. The query type and query name
-   are ignored when this is set.
-
-``+[no]identify``
-   This option shows [or does not show] the IP address and port number that supplied
-   the answer, when the ``+short`` option is enabled. If short form
-   answers are requested, the default is not to show the source address
-   and port number of the server that provided the answer.
-
-``+[no]idnin``
-   This option processes [or does not process] IDN domain names on input. This requires
-   ``IDN SUPPORT`` to have been enabled at compile time.
-
-   The default is to process IDN input when standard output is a tty.
-   The IDN processing on input is disabled when ``dig`` output is redirected
-   to files, pipes, and other non-tty file descriptors.
-
-``+[no]idnout``
-   This option converts [or does not convert] puny code on output. This requires
-   ``IDN SUPPORT`` to have been enabled at compile time.
-
-   The default is to process puny code on output when standard output is
-   a tty. The puny code processing on output is disabled when ``dig`` output
-   is redirected to files, pipes, and other non-tty file descriptors.
-
-``+[no]ignore``
-   This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
-   default, TCP retries are performed.
-
-``+[no]keepalive``
-   This option sends [or does not send] an EDNS Keepalive option.
-
-``+[no]keepopen``
-   This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
-   creating a new TCP socket for each lookup. The default is
-   ``+nokeepopen``.
-
-``+[no]mapped``
-   This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is
-   ``+mapped``.
-
-``+[no]multiline``
-   This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
-   with human-readable comments. The default is to print each record on
-   a single line to facilitate machine parsing of the ``dig`` output.
-
-``+ndots=D``
-   This option sets the number of dots (``D``) that must appear in ``name`` for
-   it to be considered absolute. The default value is that defined using
-   the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
-   statement is present. Names with fewer dots are interpreted as
-   relative names, and are searched for in the domains listed in the
-   ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
-   ``+search`` is set.
-
-``+[no]nsid``
-   When enabled, this option includes an EDNS name server ID request when sending a query.
-
-``+[no]nssearch``
-   When this option is set, ``dig`` attempts to find the authoritative
-   name servers for the zone containing the name being looked up, and
-   display the SOA record that each name server has for the zone.
-   Addresses of servers that did not respond are also printed.
-
-``+[no]onesoa``
-   When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
-   default is to print both the starting and ending SOA records.
-
-``+[no]opcode=value``
-   When enabled, this option sets (restores) the DNS message opcode to the specified value. The
-   default value is QUERY (0).
-
-``+padding=value``
-   This option pads the size of the query packet using the EDNS Padding option to
-   blocks of ``value`` bytes. For example, ``+padding=32`` causes a
-   48-byte query to be padded to 64 bytes. The default block size is 0,
-   which disables padding; the maximum is 512. Values are ordinarily
-   expected to be powers of two, such as 128; however, this is not
-   mandatory. Responses to padded queries may also be padded, but only
-   if the query uses TCP or DNS COOKIE.
-
-``+qid=value``
-   This option specifies the query ID to use when sending queries.
-
-``+[no]qr``
-   This option toggles the display of the query message as it is sent. By default, the query
-   is not printed.
-
-``+[no]question``
-   This option toggles the display of the question section of a query when an answer is
-   returned. The default is to print the question section as a comment.
-
-``+[no]raflag``
-   This option sets [or does not set] the RA (Recursion Available) bit in the query. The
-   default is ``+noraflag``. This bit is ignored by the server for
-   QUERY.
-
-``+[no]rdflag``
-   This option is a synonym for ``+[no]recurse``.
-
-``+[no]recurse``
-   This option toggles the setting of the RD (recursion desired) bit in the query.
-   This bit is set by default, which means ``dig`` normally sends
-   recursive queries. Recursion is automatically disabled when the
-   ``+nssearch`` or ``+trace`` query option is used.
-
-``+retry=T``
-   This option sets the number of times to retry UDP queries to server to ``T``
-   instead of the default, 2. Unlike ``+tries``, this does not include
-   the initial query.
-
-``+[no]rrcomments``
-   This option toggles the display of per-record comments in the output (for example,
-   human-readable key information about DNSKEY records). The default is
-   not to print record comments unless multiline mode is active.
-
-``+[no]search``
-   This option uses [or does not use] the search list defined by the searchlist or domain
-   directive in ``resolv.conf``, if any. The search list is not used by
-   default.
-
-   ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
-   ``+ndots``, determines whether the name is treated as relative
-   and hence whether a search is eventually performed.
-
-``+[no]short``
-   This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
-   form. This option always has a global effect; it cannot be set globally and
-   then overridden on a per-lookup basis.
-
-``+[no]showsearch``
-   This option performs [or does not perform] a search showing intermediate results.
-
-``+[no]sigchase``
-   This feature is now obsolete and has been removed; use ``delv``
-   instead.
-
-``+split=W``
-   This option splits long hex- or base64-formatted fields in resource records into
-   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
-   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
-   split at all. The default is 56 characters, or 44 characters when
-   multiline mode is active.
-
-``+[no]stats``
-   This option toggles the printing of statistics: when the query was made, the size of the
-   reply, etc. The default behavior is to print the query statistics as a
-   comment after each lookup.
-
-``+[no]subnet=addr[/prefix-length]``
-   This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
-   address or network prefix.
-
-   ``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
-   sends an EDNS CLIENT-SUBNET option with an empty address and a source
-   prefix-length of zero, which signals a resolver that the client's
-   address information must *not* be used when resolving this query.
-
-``+[no]tcflag``
-   This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
-   ``+notcflag``. This bit is ignored by the server for QUERY.
-
-``+[no]tcp``
-   This option uses [or does not use] TCP when querying name servers. The default behavior
-   is to use UDP unless a type ``any`` or ``ixfr=N`` query is requested,
-   in which case the default is TCP. AXFR queries always use TCP.
-
-``+timeout=T``
-   This option sets the timeout for a query to ``T`` seconds. The default timeout is
-   5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
-
-``+[no]topdown``
-   This feature is related to ``dig +sigchase``, which is obsolete and
-   has been removed. Use ``delv`` instead.
-
-``+[no]trace``
-   This option toggles tracing of the delegation path from the root name servers for
-   the name being looked up. Tracing is disabled by default. When
-   tracing is enabled, ``dig`` makes iterative queries to resolve the
-   name being looked up. It follows referrals from the root servers,
-   showing the answer from each server that was used to resolve the
-   lookup.
-
-   If ``@server`` is also specified, it affects only the initial query for
-   the root zone name servers.
-
-   ``+dnssec`` is also set when ``+trace`` is set, to better emulate the
-   default queries from a name server.
-
-``+tries=T``
-   This option sets the number of times to try UDP queries to server to ``T``
-   instead of the default, 3. If ``T`` is less than or equal to zero,
-   the number of tries is silently rounded up to 1.
-
-``+trusted-key=####``
-   This option formerly specified trusted keys for use with ``dig +sigchase``. This
-   feature is now obsolete and has been removed; use ``delv`` instead.
-
-``+[no]ttlid``
-   This option displays [or does not display] the TTL when printing the record.
-
-``+[no]ttlunits``
-   This option displays [or does not display] the TTL in friendly human-readable time
-   units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
-   hours, days, and weeks. This implies ``+ttlid``.
-
-``+[no]unexpected``
-   This option accepts [or does not accept] answers from unexpected sources.  By default, ``dig``
-   will not accept a reply from a source other than the one to which it sent the
-   query.
-
-``+[no]unknownformat``
-   This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
-   The default is to print RDATA for known types in the type's
-   presentation format.
-
-``+[no]vc``
-   This option uses [or does not use] TCP when querying name servers. This alternate
-   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
-   ``vc`` stands for "virtual circuit."
-
-``+[no]yaml``
-   When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
-   outgoing queries) in a detailed YAML format.
-
-``+[no]zflag``
-   This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
-   This flag is off by default.
-
-Multiple Queries
-~~~~~~~~~~~~~~~~
-
-The BIND 9 implementation of ``dig`` supports specifying multiple
-queries on the command line (in addition to supporting the ``-f`` batch
-file option). Each of those queries can be supplied with its own set of
-flags, options, and query options.
-
-In this case, each ``query`` argument represents an individual query in
-the command-line syntax described above. Each consists of any of the
-standard options and flags, the name to be looked up, an optional query
-type and class, and any query options that should be applied to that
-query.
-
-A global set of query options, which should be applied to all queries,
-can also be supplied. These global query options must precede the first
-tuple of name, class, type, options, flags, and query options supplied
-on the command line. Any global query options (except ``+[no]cmd`` and
-``+[no]short`` options) can be overridden by a query-specific set of
-query options. For example:
-
-::
-
-   dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-
-shows how ``dig`` can be used from the command line to make three
-lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
-and a query for the NS records of ``isc.org``. A global query option of
-``+qr`` is applied, so that ``dig`` shows the initial query it made for
-each lookup. The final query has a local query option of ``+noqr`` which
-means that ``dig`` does not print the initial query when it looks up the
-NS records for ``isc.org``.
-
-IDN Support
-~~~~~~~~~~~
-
-If ``dig`` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. ``dig``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, use the parameters
-``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
-variable.
-
-Files
-~~~~~
-
-``/etc/resolv.conf``
-
-``${HOME}/.digrc``
-
-See Also
-~~~~~~~~
-
-:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
-
-Bugs
-~~~~
-
-There are probably too many query options.

bin/dig/dighost.c

@@ -281,7 +281,7 @@ hex_dump(isc_buffer_t *b) {
 	for (len = 0; len < r.length; len++) {
 		printf("%02x ", r.base[len]);
 		if (len % 16 == 15) {
-			printf("         ");
+			fputs("         ", stdout);
 			for (i = len - 15; i <= len; i++) {
 				if (r.base[i] >= '!' && r.base[i] <= '}') {
 					putchar(r.base[i]);
@@ -294,9 +294,9 @@ hex_dump(isc_buffer_t *b) {
 	}
 	if (len % 16 != 0) {
 		for (i = len; (i % 16) != 0; i++) {
-			printf("   ");
+			fputs("   ", stdout);
 		}
-		printf("         ");
+		fputs("         ", stdout);
 		for (i = ((len >> 4) << 4); i < len; i++) {
 			if (r.base[i] >= '!' && r.base[i] <= '}') {
 				putchar(r.base[i]);
@@ -677,8 +677,6 @@ make_empty_lookup(void) {
 	looknew->tcflag = false;
 	looknew->print_unknown_format = false;
 	looknew->zflag = false;
-	looknew->setqid = false;
-	looknew->qid = 0;
 	looknew->ns_search_only = false;
 	looknew->origin = NULL;
 	looknew->tsigctx = NULL;
@@ -822,8 +820,6 @@ clone_lookup(dig_lookup_t *lookold, bool servers) {
 	looknew->tcflag = lookold->tcflag;
 	looknew->print_unknown_format = lookold->print_unknown_format;
 	looknew->zflag = lookold->zflag;
-	looknew->setqid = lookold->setqid;
-	looknew->qid = lookold->qid;
 	looknew->ns_search_only = lookold->ns_search_only;
 	looknew->tcp_mode = lookold->tcp_mode;
 	looknew->tcp_mode_set = lookold->tcp_mode_set;
@@ -1456,7 +1452,6 @@ dig_ednsoptname_t optnames[] = {
 	{ 12, "PAD" },	       /* shorthand */
 	{ 13, "CHAIN" },       /* RFC 7901 */
 	{ 14, "KEY-TAG" },     /* RFC 8145 */
-	{ 15, "EDE" },	       /* ietf-dnsop-extended-error-16 */
 	{ 16, "CLIENT-TAG" },  /* draft-bellis-dnsop-edns-tags */
 	{ 17, "SERVER-TAG" },  /* draft-bellis-dnsop-edns-tags */
 	{ 26946, "DEVICEID" }, /* Brian Hartvigsen */
@@ -1494,7 +1489,6 @@ save_opt(dig_lookup_t *lookup, char *code, char *value) {
 	if (lookup->ednsopts == NULL) {
 		cloneopts(lookup, NULL);
 	}
-	INSIST(lookup->ednsopts != NULL);
 
 	if (lookup->ednsopts[lookup->ednsoptscnt].value != NULL) {
 		isc_mem_free(mctx, lookup->ednsopts[lookup->ednsoptscnt].value);
@@ -2303,11 +2297,6 @@ setup_lookup(dig_lookup_t *lookup) {
 		lookup->sendmsg->flags |= 0x0040U;
 	}
 
-	if (lookup->setqid) {
-		debug("set QID");
-		lookup->sendmsg->id = lookup->qid;
-	}
-
 	dns_message_addname(lookup->sendmsg, lookup->name,
 			    DNS_SECTION_QUESTION);
 
@@ -3069,7 +3058,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 
 			dighost_error("no response from %s\n", buf);
 		} else {
-			printf("%s", l->cmdline);
+			fputs(l->cmdline, stdout);
 			dighost_error("connection timed out; "
 				      "no servers could be reached\n");
 		}

bin/dig/dighost.h

@@ -60,8 +60,6 @@
 #define MAXPORT 0xffff
 /*% Max serial number */
 #define MAXSERIAL 0xffffffff
-/*% Max query ID */
-#define MAXQID 0xffff
 
 /*% Default TCP Timeout */
 #define TCP_TIMEOUT 10
@@ -110,10 +108,9 @@ struct dig_lookup {
 		tcp_keepalive, header_only, ednsneg, mapped,
 		print_unknown_format, multiline, nottl, noclass, onesoa,
 		use_usec, nocrypto, ttlunits, idnin, idnout, expandaaaa, qr,
-		accept_reply_unexpected_src, /*%  print replies from
+		accept_reply_unexpected_src; /*%  print replies from
 					      * unexpected
 					      *   sources. */
-		setqid;			     /*% use a speciied query ID */
 	char textname[MXNAME];		     /*% Name we're going to be
 					      * looking up */
 	char cmdline[MXNAME];
@@ -160,7 +157,6 @@ struct dig_lookup {
 	dns_opcode_t opcode;
 	int rrcomments;
 	unsigned int eoferr;
-	uint16_t qid;
 };
 
 /*% The dig_query structure */

bin/dig/host.1

@@ -0,0 +1,278 @@
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: host
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2009-01-20
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "HOST" "1" "2009\-01\-20" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+host \- DNS lookup utility
+.SH "SYNOPSIS"
+.HP \w'\fBhost\fR\ 'u
+\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
+.SH "DESCRIPTION"
+.PP
+\fBhost\fR
+is a simple utility for performing DNS lookups\&. It is normally used to convert names to IP addresses and vice versa\&. When no arguments or options are given,
+\fBhost\fR
+prints a short summary of its command line arguments and options\&.
+.PP
+\fIname\fR
+is the domain name that is to be looked up\&. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
+\fBhost\fR
+will by default perform a reverse lookup for that address\&.
+\fIserver\fR
+is an optional argument which is either the name or IP address of the name server that
+\fBhost\fR
+should query instead of the server or servers listed in
+/etc/resolv\&.conf\&.
+.SH "OPTIONS"
+.PP
+\-4
+.RS 4
+Use IPv4 only for query transport\&. See also the
+\fB\-6\fR
+option\&.
+.RE
+.PP
+\-6
+.RS 4
+Use IPv6 only for query transport\&. See also the
+\fB\-4\fR
+option\&.
+.RE
+.PP
+\-a
+.RS 4
+"All"\&. The
+\fB\-a\fR
+option is normally equivalent to
+\fB\-v \-t \fR\fBANY\fR\&. It also affects the behaviour of the
+\fB\-l\fR
+list zone option\&.
+.RE
+.PP
+\-A
+.RS 4
+"Almost all"\&. The
+\fB\-A\fR
+option is equivalent to
+\fB\-a\fR
+except RRSIG, NSEC, and NSEC3 records are omitted from the output\&.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records\&. The default class is IN (Internet)\&.
+.RE
+.PP
+\-C
+.RS 4
+Check consistency:
+\fBhost\fR
+will query the SOA records for zone
+\fIname\fR
+from all the listed authoritative name servers for that zone\&. The list of name servers is defined by the NS records that are found for the zone\&.
+.RE
+.PP
+\-d
+.RS 4
+Print debugging traces\&. Equivalent to the
+\fB\-v\fR
+verbose option\&.
+.RE
+.PP
+\-l
+.RS 4
+List zone: The
+\fBhost\fR
+command performs a zone transfer of zone
+\fIname\fR
+and prints out the NS, PTR and address records (A/AAAA)\&.
+.sp
+Together, the
+\fB\-l \-a\fR
+options print all records in the zone\&.
+.RE
+.PP
+\-N \fIndots\fR
+.RS 4
+The number of dots that have to be in
+\fIname\fR
+for it to be considered absolute\&. The default value is that defined using the ndots statement in
+/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
+\fBsearch\fR
+or
+\fBdomain\fR
+directive in
+/etc/resolv\&.conf\&.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Specify the port on the server to query\&. The default is 53\&.
+.RE
+.PP
+\-r
+.RS 4
+Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
+\fIname\fR\&. The
+\fB\-r\fR
+option enables
+\fBhost\fR
+to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers\&.
+.RE
+.PP
+\-R \fInumber\fR
+.RS 4
+Number of retries for UDP queries: If
+\fInumber\fR
+is negative or zero, the number of retries will default to 1\&. The default value is 1, or the value of the
+\fIattempts\fR
+option in
+/etc/resolv\&.conf, if set\&.
+.RE
+.PP
+\-s
+.RS 4
+Do
+\fInot\fR
+send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Query type: The
+\fItype\fR
+argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc\&.
+.sp
+When no query type is specified,
+\fBhost\fR
+automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records\&. If the
+\fB\-C\fR
+option is given, queries will be made for SOA records\&. If
+\fIname\fR
+is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
+\fBhost\fR
+will query for PTR records\&.
+.sp
+If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like
+\fB\-t \fR\fBIXFR=12345678\fR)\&.
+.RE
+.PP
+\-T, \-U
+.RS 4
+TCP/UDP: By default,
+\fBhost\fR
+uses UDP when making queries\&. The
+\fB\-T\fR
+option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&. Type ANY queries default to TCP but can be forced to UDP initially using
+\fB\-U\fR\&.
+.RE
+.PP
+\-m \fIflag\fR
+.RS 4
+Memory usage debugging: the flag can be
+\fIrecord\fR,
+\fIusage\fR, or
+\fItrace\fR\&. You can specify the
+\fB\-m\fR
+option more than once to set multiple flags\&.
+.RE
+.PP
+\-v
+.RS 4
+Verbose output\&. Equivalent to the
+\fB\-d\fR
+debug option\&. Verbose output can also be enabled by setting the
+\fIdebug\fR
+option in
+/etc/resolv\&.conf\&.
+.RE
+.PP
+\-V
+.RS 4
+Print the version number and exit\&.
+.RE
+.PP
+\-w
+.RS 4
+Wait forever: The query timeout is set to the maximum possible\&. See also the
+\fB\-W\fR
+option\&.
+.RE
+.PP
+\-W \fIwait\fR
+.RS 4
+Timeout: Wait for up to
+\fIwait\fR
+seconds for a reply\&. If
+\fIwait\fR
+is less than one, the wait interval is set to one second\&.
+.sp
+By default,
+\fBhost\fR
+will wait for 5 seconds for UDP responses and 10 seconds for TCP connections\&. These defaults can be overridden by the
+\fItimeout\fR
+option in
+/etc/resolv\&.conf\&.
+.sp
+See also the
+\fB\-w\fR
+option\&.
+.RE
+.SH "IDN SUPPORT"
+.PP
+If
+\fBhost\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
+\fBhost\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+\fBIDN_DISABLE\fR
+environment variable\&. The IDN support is disabled if the variable is set when
+\fBhost\fR
+runs\&.
+.SH "FILES"
+.PP
+/etc/resolv\&.conf
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBnamed\fR(8)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dig/host.c

@@ -107,34 +107,32 @@ show_usage(void);
 
 static void
 show_usage(void) {
-	fprintf(stderr,
-		"Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
-		"time]\n"
-		"            [-R number] [-m flag] [-p port] hostname "
-		"[server]\n"
-		"       -a is equivalent to -v -t ANY\n"
-		"       -A is like -a but omits RRSIG, NSEC, NSEC3\n"
-		"       -c specifies query class for non-IN data\n"
-		"       -C compares SOA records on authoritative nameservers\n"
-		"       -d is equivalent to -v\n"
-		"       -l lists all hosts in a domain, using AXFR\n"
-		"       -m set memory debugging flag (trace|record|usage)\n"
-		"       -N changes the number of dots allowed before root "
-		"lookup "
-		"is done\n"
-		"       -p specifies the port on the server to query\n"
-		"       -r disables recursive processing\n"
-		"       -R specifies number of retries for UDP packets\n"
-		"       -s a SERVFAIL response should stop query\n"
-		"       -t specifies the query type\n"
-		"       -T enables TCP/IP mode\n"
-		"       -U enables UDP mode\n"
-		"       -v enables verbose output\n"
-		"       -V print version number and exit\n"
-		"       -w specifies to wait forever for a reply\n"
-		"       -W specifies how long to wait for a reply\n"
-		"       -4 use IPv4 query transport only\n"
-		"       -6 use IPv6 query transport only\n");
+	fputs("Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
+	      "time]\n"
+	      "            [-R number] [-m flag] [-p port] hostname [server]\n"
+	      "       -a is equivalent to -v -t ANY\n"
+	      "       -A is like -a but omits RRSIG, NSEC, NSEC3\n"
+	      "       -c specifies query class for non-IN data\n"
+	      "       -C compares SOA records on authoritative nameservers\n"
+	      "       -d is equivalent to -v\n"
+	      "       -l lists all hosts in a domain, using AXFR\n"
+	      "       -m set memory debugging flag (trace|record|usage)\n"
+	      "       -N changes the number of dots allowed before root lookup "
+	      "is done\n"
+	      "       -p specifies the port on the server to query\n"
+	      "       -r disables recursive processing\n"
+	      "       -R specifies number of retries for UDP packets\n"
+	      "       -s a SERVFAIL response should stop query\n"
+	      "       -t specifies the query type\n"
+	      "       -T enables TCP/IP mode\n"
+	      "       -U enables UDP mode\n"
+	      "       -v enables verbose output\n"
+	      "       -V print version number and exit\n"
+	      "       -w specifies to wait forever for a reply\n"
+	      "       -W specifies how long to wait for a reply\n"
+	      "       -4 use IPv4 query transport only\n"
+	      "       -6 use IPv6 query transport only\n",
+	      stderr);
 	exit(1);
 }
 

bin/dig/host.docbook

@@ -0,0 +1,416 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
+  <info>
+    <date>2009-01-20</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>host</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>host</refname>
+    <refpurpose>DNS lookup utility</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2008</year>
+      <year>2009</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>host</command>
+      <arg choice="opt" rep="norepeat"><option>-aACdlnrsTUwv</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="port">port</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
+      <group choice="opt" rep="norepeat">
+	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
+	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      </group>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+      <arg choice="req" rep="norepeat">name</arg>
+      <arg choice="opt" rep="norepeat">server</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><command>host</command>
+      is a simple utility for performing DNS lookups.
+      It is normally used to convert names to IP addresses and vice versa.
+      When no arguments or options are given,
+      <command>host</command>
+      prints a short summary of its command line arguments and options.
+    </para>
+
+    <para><parameter>name</parameter> is the domain name that is to be
+      looked
+      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
+      IPv6 address, in which case <command>host</command> will by
+      default
+      perform a reverse lookup for that address.
+      <parameter>server</parameter> is an optional argument which
+      is either
+      the name or IP address of the name server that <command>host</command>
+      should query instead of the server or servers listed in
+      <filename>/etc/resolv.conf</filename>.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+    <variablelist>
+
+      <varlistentry>
+	<term>-4</term>
+	<listitem>
+	  <para>
+	    Use IPv4 only for query transport.
+	    See also the <option>-6</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-6</term>
+	<listitem>
+	  <para>
+	    Use IPv6 only for query transport.
+	    See also the <option>-4</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-a</term>
+	<listitem>
+	  <para>
+	    "All". The <option>-a</option> option is normally equivalent
+	    to <option>-v -t <literal>ANY</literal></option>.
+	    It also affects the behaviour of the <option>-l</option>
+	    list zone option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-A</term>
+	<listitem>
+	  <para>
+	    "Almost all". The <option>-A</option> option is equivalent
+	    to <option>-a</option> except RRSIG, NSEC, and NSEC3
+	    records are omitted from the output.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
+	<listitem>
+	  <para>
+	    Query class: This can be used to lookup HS (Hesiod) or CH
+	    (Chaosnet) class resource records. The default class is IN
+	    (Internet).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-C</term>
+	<listitem>
+	  <para>
+	    Check consistency: <command>host</command> will query the
+	    SOA records for zone <parameter>name</parameter> from all
+	    the listed authoritative name servers for that zone. The
+	    list of name servers is defined by the NS records that are
+	    found for the zone.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-d</term>
+	<listitem>
+	  <para>
+	    Print debugging traces.
+	    Equivalent to the <option>-v</option> verbose option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-l</term>
+	<listitem>
+	  <para>
+	    List zone:
+	    The <command>host</command> command performs a zone transfer of
+	    zone <parameter>name</parameter> and prints out the NS,
+	    PTR and address records (A/AAAA).
+	  </para>
+	  <para>
+	    Together, the <option>-l -a</option>
+	    options print all records in the zone.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-N <replaceable class="parameter">ndots</replaceable></term>
+	<listitem>
+	  <para>
+	    The number of dots that have to be
+	    in <parameter>name</parameter> for it to be considered
+	    absolute. The default value is that defined using the
+	    ndots statement in <filename>/etc/resolv.conf</filename>,
+	    or 1 if no ndots statement is present. Names with fewer
+	    dots are interpreted as relative names and will be
+	    searched for in the domains listed in
+	    the <type>search</type> or <type>domain</type> directive
+	    in <filename>/etc/resolv.conf</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-p <replaceable class="parameter">port</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the port on the server to query.  The default is 53.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-r</term>
+	<listitem>
+	  <para>
+	    Non-recursive query:
+	    Setting this option clears the RD (recursion desired) bit
+	    in the query. This should mean that the name server
+	    receiving the query will not attempt to
+	    resolve <parameter>name</parameter>.
+	    The <option>-r</option> option
+	    enables <command>host</command> to mimic the behavior of a
+	    name server by making non-recursive queries and expecting
+	    to receive answers to those queries that can be
+	    referrals to other name servers.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-R <replaceable class="parameter">number</replaceable></term>
+	<listitem>
+	  <para>
+	    Number of retries for UDP queries:
+	    If <parameter>number</parameter> is negative or zero, the
+	    number of retries will default to 1. The default value is
+	    1, or the value of the <parameter>attempts</parameter>
+	    option in <filename>/etc/resolv.conf</filename>, if set.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s</term>
+	<listitem>
+	  <para>
+	    Do <emphasis>not</emphasis> send the query to the next
+	    nameserver if any server responds with a SERVFAIL
+	    response, which is the reverse of normal stub resolver
+	    behavior.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t <replaceable class="parameter">type</replaceable></term>
+	<listitem>
+	  <para>
+	    Query type:
+	    The <parameter>type</parameter> argument can be any
+	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
+	  </para>
+	  <para>
+	    When no query type is specified, <command>host</command>
+	    automatically selects an appropriate query type. By default, it
+	    looks for A, AAAA, and MX records.
+	    If the <option>-C</option> option is given, queries will
+	    be made for SOA records.
+	    If <parameter>name</parameter> is a dotted-decimal IPv4
+	    address or colon-delimited IPv6
+	    address, <command>host</command> will query for PTR
+	    records.
+	  </para>
+	  <para>
+	    If a query type of IXFR is chosen the starting serial
+	    number can be specified by appending an equal followed by
+	    the starting serial number
+	    (like <option>-t <literal>IXFR=12345678</literal></option>).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T</term>
+	<term>-U</term>
+	<listitem>
+	  <para>
+	    TCP/UDP:
+	    By default, <command>host</command> uses UDP when making
+	    queries. The <option>-T</option> option makes it use a TCP
+	    connection when querying the name server. TCP will be
+	    automatically selected for queries that require it, such
+	    as zone transfer (AXFR) requests.  Type ANY queries default
+	    to TCP but can be forced to UDP initially using <option>-U</option>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-m <replaceable class="parameter">flag</replaceable></term>
+	<listitem>
+	  <para>
+	    Memory usage debugging: the flag can
+	    be <parameter>record</parameter>, <parameter>usage</parameter>,
+	    or <parameter>trace</parameter>. You can specify
+	    the <option>-m</option> option more than once to set
+	    multiple flags.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v</term>
+	<listitem>
+	  <para>
+	    Verbose output.
+	    Equivalent to the <option>-d</option> debug option.
+	    Verbose output can also be enabled by setting
+	    the <parameter>debug</parameter> option
+	    in <filename>/etc/resolv.conf</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Print the version number and exit.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-w</term>
+	<listitem>
+	  <para>
+	    Wait forever: The query timeout is set to the maximum possible.
+	    See also the <option>-W</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-W <replaceable class="parameter">wait</replaceable></term>
+	<listitem>
+	  <para>
+	    Timeout: Wait for up to <parameter>wait</parameter>
+	    seconds for a reply. If <parameter>wait</parameter> is
+	    less than one, the wait interval is set to one second.
+	  </para>
+	  <para>
+	    By default, <command>host</command> will wait for 5
+	    seconds for UDP responses and 10 seconds for TCP
+	    connections. These defaults can be overridden by
+	    the <parameter>timeout</parameter> option
+	    in <filename>/etc/resolv.conf</filename>.
+	  </para>
+	  <para>
+	    See also the <option>-w</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </refsection>
+
+  <refsection><info><title>IDN SUPPORT</title></info>
+
+    <para>
+      If <command>host</command> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names.
+      <command>host</command> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, define
+      the <envar>IDN_DISABLE</envar> environment variable.
+      The IDN support is disabled if the variable is set when
+      <command>host</command> runs.
+    </para>
+  </refsection>
+
+  <refsection><info><title>FILES</title></info>
+
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+
+</refentry>

bin/dig/host.html

@@ -0,0 +1,339 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>host</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.host"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    host
+     &#8212; DNS lookup utility
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">host</code> 
+       [<code class="option">-aACdlnrsTUwv</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
+       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
+       [<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
+       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
+       [
+	[<code class="option">-4</code>]
+	 |  [<code class="option">-6</code>]
+      ]
+       [<code class="option">-v</code>]
+       [<code class="option">-V</code>]
+       {name}
+       [server]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><span class="command"><strong>host</strong></span>
+      is a simple utility for performing DNS lookups.
+      It is normally used to convert names to IP addresses and vice versa.
+      When no arguments or options are given,
+      <span class="command"><strong>host</strong></span>
+      prints a short summary of its command line arguments and options.
+    </p>
+
+    <p><em class="parameter"><code>name</code></em> is the domain name that is to be
+      looked
+      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
+      IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
+      default
+      perform a reverse lookup for that address.
+      <em class="parameter"><code>server</code></em> is an optional argument which
+      is either
+      the name or IP address of the name server that <span class="command"><strong>host</strong></span>
+      should query instead of the server or servers listed in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-4</span></dt>
+<dd>
+	  <p>
+	    Use IPv4 only for query transport.
+	    See also the <code class="option">-6</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-6</span></dt>
+<dd>
+	  <p>
+	    Use IPv6 only for query transport.
+	    See also the <code class="option">-4</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-a</span></dt>
+<dd>
+	  <p>
+	    "All". The <code class="option">-a</code> option is normally equivalent
+	    to <code class="option">-v -t <code class="literal">ANY</code></code>.
+	    It also affects the behaviour of the <code class="option">-l</code>
+	    list zone option.
+	  </p>
+	</dd>
+<dt><span class="term">-A</span></dt>
+<dd>
+	  <p>
+	    "Almost all". The <code class="option">-A</code> option is equivalent
+	    to <code class="option">-a</code> except RRSIG, NSEC, and NSEC3
+	    records are omitted from the output.
+	  </p>
+	</dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+	  <p>
+	    Query class: This can be used to lookup HS (Hesiod) or CH
+	    (Chaosnet) class resource records. The default class is IN
+	    (Internet).
+	  </p>
+	</dd>
+<dt><span class="term">-C</span></dt>
+<dd>
+	  <p>
+	    Check consistency: <span class="command"><strong>host</strong></span> will query the
+	    SOA records for zone <em class="parameter"><code>name</code></em> from all
+	    the listed authoritative name servers for that zone. The
+	    list of name servers is defined by the NS records that are
+	    found for the zone.
+	  </p>
+	</dd>
+<dt><span class="term">-d</span></dt>
+<dd>
+	  <p>
+	    Print debugging traces.
+	    Equivalent to the <code class="option">-v</code> verbose option.
+	  </p>
+	</dd>
+<dt><span class="term">-l</span></dt>
+<dd>
+	  <p>
+	    List zone:
+	    The <span class="command"><strong>host</strong></span> command performs a zone transfer of
+	    zone <em class="parameter"><code>name</code></em> and prints out the NS,
+	    PTR and address records (A/AAAA).
+	  </p>
+	  <p>
+	    Together, the <code class="option">-l -a</code>
+	    options print all records in the zone.
+	  </p>
+	</dd>
+<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
+<dd>
+	  <p>
+	    The number of dots that have to be
+	    in <em class="parameter"><code>name</code></em> for it to be considered
+	    absolute. The default value is that defined using the
+	    ndots statement in <code class="filename">/etc/resolv.conf</code>,
+	    or 1 if no ndots statement is present. Names with fewer
+	    dots are interpreted as relative names and will be
+	    searched for in the domains listed in
+	    the <span class="type">search</span> or <span class="type">domain</span> directive
+	    in <code class="filename">/etc/resolv.conf</code>.
+	  </p>
+	</dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify the port on the server to query.  The default is 53.
+	  </p>
+	</dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+	  <p>
+	    Non-recursive query:
+	    Setting this option clears the RD (recursion desired) bit
+	    in the query. This should mean that the name server
+	    receiving the query will not attempt to
+	    resolve <em class="parameter"><code>name</code></em>.
+	    The <code class="option">-r</code> option
+	    enables <span class="command"><strong>host</strong></span> to mimic the behavior of a
+	    name server by making non-recursive queries and expecting
+	    to receive answers to those queries that can be
+	    referrals to other name servers.
+	  </p>
+	</dd>
+<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
+<dd>
+	  <p>
+	    Number of retries for UDP queries:
+	    If <em class="parameter"><code>number</code></em> is negative or zero, the
+	    number of retries will default to 1. The default value is
+	    1, or the value of the <em class="parameter"><code>attempts</code></em>
+	    option in <code class="filename">/etc/resolv.conf</code>, if set.
+	  </p>
+	</dd>
+<dt><span class="term">-s</span></dt>
+<dd>
+	  <p>
+	    Do <span class="emphasis"><em>not</em></span> send the query to the next
+	    nameserver if any server responds with a SERVFAIL
+	    response, which is the reverse of normal stub resolver
+	    behavior.
+	  </p>
+	</dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd>
+	  <p>
+	    Query type:
+	    The <em class="parameter"><code>type</code></em> argument can be any
+	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
+	  </p>
+	  <p>
+	    When no query type is specified, <span class="command"><strong>host</strong></span>
+	    automatically selects an appropriate query type. By default, it
+	    looks for A, AAAA, and MX records.
+	    If the <code class="option">-C</code> option is given, queries will
+	    be made for SOA records.
+	    If <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
+	    address or colon-delimited IPv6
+	    address, <span class="command"><strong>host</strong></span> will query for PTR
+	    records.
+	  </p>
+	  <p>
+	    If a query type of IXFR is chosen the starting serial
+	    number can be specified by appending an equal followed by
+	    the starting serial number
+	    (like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
+	  </p>
+	</dd>
+<dt>
+<span class="term">-T, </span><span class="term">-U</span>
+</dt>
+<dd>
+	  <p>
+	    TCP/UDP:
+	    By default, <span class="command"><strong>host</strong></span> uses UDP when making
+	    queries. The <code class="option">-T</code> option makes it use a TCP
+	    connection when querying the name server. TCP will be
+	    automatically selected for queries that require it, such
+	    as zone transfer (AXFR) requests.  Type ANY queries default
+	    to TCP but can be forced to UDP initially using <code class="option">-U</code>.
+	  </p>
+	</dd>
+<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
+<dd>
+	  <p>
+	    Memory usage debugging: the flag can
+	    be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
+	    or <em class="parameter"><code>trace</code></em>. You can specify
+	    the <code class="option">-m</code> option more than once to set
+	    multiple flags.
+	  </p>
+	</dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+	  <p>
+	    Verbose output.
+	    Equivalent to the <code class="option">-d</code> debug option.
+	    Verbose output can also be enabled by setting
+	    the <em class="parameter"><code>debug</code></em> option
+	    in <code class="filename">/etc/resolv.conf</code>.
+	  </p>
+	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Print the version number and exit.
+	  </p>
+	</dd>
+<dt><span class="term">-w</span></dt>
+<dd>
+	  <p>
+	    Wait forever: The query timeout is set to the maximum possible.
+	    See also the <code class="option">-W</code> option.
+	  </p>
+	</dd>
+<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
+<dd>
+	  <p>
+	    Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
+	    seconds for a reply. If <em class="parameter"><code>wait</code></em> is
+	    less than one, the wait interval is set to one second.
+	  </p>
+	  <p>
+	    By default, <span class="command"><strong>host</strong></span> will wait for 5
+	    seconds for UDP responses and 10 seconds for TCP
+	    connections. These defaults can be overridden by
+	    the <em class="parameter"><code>timeout</code></em> option
+	    in <code class="filename">/etc/resolv.conf</code>.
+	  </p>
+	  <p>
+	    See also the <code class="option">-w</code> option.
+	  </p>
+	</dd>
+</dl></div>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>IDN SUPPORT</h2>
+
+    <p>
+      If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names.
+      <span class="command"><strong>host</strong></span> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, define
+      the <code class="envar">IDN_DISABLE</code> environment variable.
+      The IDN support is disabled if the variable is set when
+      <span class="command"><strong>host</strong></span> runs.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>FILES</h2>
+
+    <p><code class="filename">/etc/resolv.conf</code>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dig</span>(1)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/dig/host.rst

@@ -1,181 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_host:
-
-host - DNS lookup utility
--------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
-
-Description
-~~~~~~~~~~~
-
-``host`` is a simple utility for performing DNS lookups. It is normally
-used to convert names to IP addresses and vice versa. When no arguments
-or options are given, ``host`` prints a short summary of its
-command-line arguments and options.
-
-``name`` is the domain name that is to be looked up. It can also be a
-dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
-case ``host`` by default performs a reverse lookup for that address.
-``server`` is an optional argument which is either the name or IP
-address of the name server that ``host`` should query instead of the
-server or servers listed in ``/etc/resolv.conf``.
-
-Options
-~~~~~~~
-
-``-4``
-   This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option.
-
-``-6``
-   This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option.
-
-``-a``
-   The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It
-   also affects the behavior of the ``-l`` list zone option.
-
-``-A``
-   The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG,
-   NSEC, and NSEC3 records are omitted from the output.
-
-``-c class``
-   This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
-   class resource records. The default class is IN (Internet).
-
-``-C``
-   This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone
-   ``name`` from all the listed authoritative name servers for that
-   zone. The list of name servers is defined by the NS records that are
-   found for the zone.
-
-``-d``
-   This option prints debugging traces, and is equivalent to the ``-v`` verbose option.
-
-``-l``
-   This option tells ``named` to list the zone, meaning the ``host`` command performs a zone transfer of zone
-   ``name`` and prints out the NS, PTR, and address records (A/AAAA).
-
-   Together, the ``-l -a`` options print all records in the zone.
-
-``-N ndots``
-   This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
-   considered absolute. The default value is that defined using the
-   ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
-   is present. Names with fewer dots are interpreted as relative names,
-   and are searched for in the domains listed in the ``search`` or
-   ``domain`` directive in ``/etc/resolv.conf``.
-
-``-p port``
-   This option specifies the port to query on the server. The default is 53.
-
-``-r``
-   This option specifies a non-recursive query; setting this option clears the RD (recursion
-   desired) bit in the query. This means that the name server
-   receiving the query does not attempt to resolve ``name``. The ``-r``
-   option enables ``host`` to mimic the behavior of a name server by
-   making non-recursive queries, and expecting to receive answers to
-   those queries that can be referrals to other name servers.
-
-``-R number``
-   This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
-   the number of retries is silently set to 1. The default value is 1, or
-   the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
-
-``-s``
-   This option tells ``named`` *not* to send the query to the next nameserver if any server responds
-   with a SERVFAIL response, which is the reverse of normal stub
-   resolver behavior.
-
-``-t type``
-   This option specifies the query type. The ``type`` argument can be any recognized query type:
-   CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
-
-   When no query type is specified, ``host`` automatically selects an
-   appropriate query type. By default, it looks for A, AAAA, and MX
-   records. If the ``-C`` option is given, queries are made for SOA
-   records. If ``name`` is a dotted-decimal IPv4 address or
-   colon-delimited IPv6 address, ``host`` queries for PTR records.
-
-   If a query type of IXFR is chosen, the starting serial number can be
-   specified by appending an equals sign (=), followed by the starting serial
-   number, e.g., ``-t IXFR=12345678``.
-
-``-T``; ``-U``
-   This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the
-   ``-T`` option makes it use a TCP connection when querying the name
-   server. TCP is automatically selected for queries that require
-   it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
-   to TCP, but can be forced to use UDP initially via ``-U``.
-
-``-m flag``
-   This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
-   ``trace``. The ``-m`` option can be specified more than once to set
-   multiple flags.
-
-``-v``
-   This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output
-   can also be enabled by setting the ``debug`` option in
-   ``/etc/resolv.conf``.
-
-``-V``
-   This option prints the version number and exits.
-
-``-w``
-   This option sets "wait forever": the query timeout is set to the maximum possible. See
-   also the ``-W`` option.
-
-``-W wait``
-   This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
-   less than 1, the wait interval is set to 1 second.
-
-   By default, ``host`` waits for 5 seconds for UDP responses and 10
-   seconds for TCP connections. These defaults can be overridden by the
-   ``timeout`` option in ``/etc/resolv.conf``.
-
-   See also the ``-w`` option.
-
-IDN Support
-~~~~~~~~~~~
-
-If ``host`` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. ``host``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, define the ``IDN_DISABLE``
-environment variable. IDN support is disabled if the variable is set
-when ``host`` runs.
-
-Files
-~~~~~
-
-``/etc/resolv.conf``
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`named(8)`.

bin/dig/nslookup.1

@@ -0,0 +1,308 @@
+.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: nslookup
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-24
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "NSLOOKUP" "1" "2014\-01\-24" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+nslookup \- query Internet name servers interactively
+.SH "SYNOPSIS"
+.HP \w'\fBnslookup\fR\ 'u
+\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
+.SH "DESCRIPTION"
+.PP
+\fBNslookup\fR
+is a program to query Internet domain name servers\&.
+\fBNslookup\fR
+has two modes: interactive and non\-interactive\&. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain\&. Non\-interactive mode is used to print just the name and requested information for a host or domain\&.
+.SH "ARGUMENTS"
+.PP
+Interactive mode is entered in the following cases:
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 1.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  1." 4.2
+.\}
+when no arguments are given (the default name server will be used)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 2.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  2." 4.2
+.\}
+when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server\&.
+.RE
+.PP
+Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument\&. The optional second argument specifies the host name or address of a name server\&.
+.PP
+Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen\&. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+nslookup \-query=hinfo  \-timeout=10
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The
+\fB\-version\fR
+option causes
+\fBnslookup\fR
+to print the version number and immediately exits\&.
+.SH "INTERACTIVE COMMANDS"
+.PP
+\fBhost\fR [server]
+.RS 4
+Look up information for host using the current default server or using server, if specified\&. If host is an Internet address and the query type is A or PTR, the name of the host is returned\&. If host is a name and does not have a trailing period, the search list is used to qualify the name\&.
+.sp
+To look up a host not in the current domain, append a period to the name\&.
+.RE
+.PP
+\fBserver\fR \fIdomain\fR
+.RS 4
+.RE
+.PP
+\fBlserver\fR \fIdomain\fR
+.RS 4
+Change the default server to
+\fIdomain\fR;
+\fBlserver\fR
+uses the initial server to look up information about
+\fIdomain\fR, while
+\fBserver\fR
+uses the current default server\&. If an authoritative answer can\*(Aqt be found, the names of servers that might have the answer are returned\&.
+.RE
+.PP
+\fBroot\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBfinger\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBls\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBview\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBhelp\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fB?\fR
+.RS 4
+not implemented
+.RE
+.PP
+\fBexit\fR
+.RS 4
+Exits the program\&.
+.RE
+.PP
+\fBset\fR \fIkeyword\fR\fI[=value]\fR
+.RS 4
+This command is used to change state information that affects the lookups\&. Valid keywords are:
+.PP
+\fBall\fR
+.RS 4
+Prints the current values of the frequently used options to
+\fBset\fR\&. Information about the current default server and host is also printed\&.
+.RE
+.PP
+\fBclass=\fR\fIvalue\fR
+.RS 4
+Change the query class to one of:
+.PP
+\fBIN\fR
+.RS 4
+the Internet class
+.RE
+.PP
+\fBCH\fR
+.RS 4
+the Chaos class
+.RE
+.PP
+\fBHS\fR
+.RS 4
+the Hesiod class
+.RE
+.PP
+\fBANY\fR
+.RS 4
+wildcard
+.RE
+.sp
+The class specifies the protocol group of the information\&.
+.sp
+(Default = IN; abbreviation = cl)
+.RE
+.PP
+\fB\fI[no]\fR\fR\fBdebug\fR
+.RS 4
+Turn on or off the display of the full response packet and any intermediate response packets when searching\&.
+.sp
+(Default = nodebug; abbreviation =
+[no]deb)
+.RE
+.PP
+\fB\fI[no]\fR\fR\fBd2\fR
+.RS 4
+Turn debugging mode on or off\&. This displays more about what nslookup is doing\&.
+.sp
+(Default = nod2)
+.RE
+.PP
+\fBdomain=\fR\fIname\fR
+.RS 4
+Sets the search list to
+\fIname\fR\&.
+.RE
+.PP
+\fB\fI[no]\fR\fR\fBsearch\fR
+.RS 4
+If the lookup request contains at least one period but doesn\*(Aqt end with a trailing period, append the domain names in the domain search list to the request until an answer is received\&.
+.sp
+(Default = search)
+.RE
+.PP
+\fBport=\fR\fIvalue\fR
+.RS 4
+Change the default TCP/UDP name server port to
+\fIvalue\fR\&.
+.sp
+(Default = 53; abbreviation = po)
+.RE
+.PP
+\fBquerytype=\fR\fIvalue\fR
+.RS 4
+.RE
+.PP
+\fBtype=\fR\fIvalue\fR
+.RS 4
+Change the type of the information query\&.
+.sp
+(Default = A and then AAAA; abbreviations = q, ty)
+.sp
+\fBNote:\fR
+It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
+.RE
+.PP
+\fB\fI[no]\fR\fR\fBrecurse\fR
+.RS 4
+Tell the name server to query other servers if it does not have the information\&.
+.sp
+(Default = recurse; abbreviation = [no]rec)
+.RE
+.PP
+\fBndots=\fR\fInumber\fR
+.RS 4
+Set the number of dots (label separators) in a domain that will disable searching\&. Absolute names always stop searching\&.
+.RE
+.PP
+\fBretry=\fR\fInumber\fR
+.RS 4
+Set the number of retries to number\&.
+.RE
+.PP
+\fBtimeout=\fR\fInumber\fR
+.RS 4
+Change the initial timeout interval for waiting for a reply to number seconds\&.
+.RE
+.PP
+\fB\fI[no]\fR\fR\fBvc\fR
+.RS 4
+Always use a virtual circuit when sending requests to the server\&.
+.sp
+(Default = novc)
+.RE
+.PP
+\fB\fI[no]\fR\fR\fBfail\fR
+.RS 4
+Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response\&.
+.sp
+(Default = nofail)
+.RE
+.sp
+.RE
+.SH "RETURN VALUES"
+.PP
+\fBnslookup\fR
+returns with an exit status of 1 if any query failed, and 0 otherwise\&.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBnslookup\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
+\fBnslookup\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+\fBIDN_DISABLE\fR
+environment variable\&. The IDN support is disabled if the variable is set when
+\fBnslookup\fR
+runs or when the standard output is not a tty\&.
+.SH "FILES"
+.PP
+/etc/resolv\&.conf
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBhost\fR(1),
+\fBnamed\fR(8)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dig/nslookup.c

@@ -22,7 +22,6 @@
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
 #include <isc/print.h>
-#include <isc/readline.h>
 #include <isc/string.h>
 #include <isc/task.h>
 #include <isc/util.h>
@@ -39,6 +38,22 @@
 
 #include "dighost.h"
 
+#if defined(HAVE_READLINE)
+#if defined(HAVE_EDIT_READLINE_READLINE_H)
+#include <edit/readline/readline.h>
+#if defined(HAVE_EDIT_READLINE_HISTORY_H)
+#include <edit/readline/history.h>
+#endif /* if defined(HAVE_EDIT_READLINE_HISTORY_H) */
+#elif defined(HAVE_EDITLINE_READLINE_H)
+#include <editline/readline.h>
+#elif defined(HAVE_READLINE_READLINE_H)
+#include <readline/readline.h>
+#if defined(HAVE_READLINE_HISTORY_H)
+#include <readline/history.h>
+#endif /* if defined(HAVE_READLINE_HISTORY_H) */
+#endif /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
+#endif /* if defined(HAVE_READLINE) */
+
 static bool short_form = true, tcpmode = false, tcpmode_set = false,
 	    identify = false, stats = true, comments = true,
 	    section_question = true, section_answer = true,
@@ -773,8 +788,6 @@ addlookup(char *opt) {
 	lookup->aaonly = aaonly;
 	lookup->retries = tries;
 	lookup->udpsize = 0;
-	lookup->setqid = false;
-	lookup->qid = 0;
 	lookup->comments = comments;
 	if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set) {
 		lookup->tcp_mode = true;
@@ -833,27 +846,38 @@ do_next_command(char *input) {
 
 static void
 get_next_command(void) {
-	char cmdlinebuf[COMMSIZE];
-	char *cmdline, *ptr = NULL;
+	char *buf;
+	char *ptr;
 
+	fflush(stdout);
+	buf = isc_mem_allocate(mctx, COMMSIZE);
 	isc_app_block();
 	if (interactive) {
-		cmdline = ptr = readline("> ");
-		if (ptr != NULL && *ptr != 0) {
+#ifdef HAVE_READLINE
+		ptr = readline("> ");
+		if (ptr != NULL) {
 			add_history(ptr);
 		}
+#else  /* ifdef HAVE_READLINE */
+		fputs("> ", stderr);
+		fflush(stderr);
+		ptr = fgets(buf, COMMSIZE, stdin);
+#endif /* ifdef HAVE_READLINE */
 	} else {
-		cmdline = fgets(cmdlinebuf, COMMSIZE, stdin);
+		ptr = fgets(buf, COMMSIZE, stdin);
 	}
 	isc_app_unblock();
-	if (cmdline == NULL) {
+	if (ptr == NULL) {
 		in_use = false;
 	} else {
-		do_next_command(cmdline);
+		do_next_command(ptr);
 	}
-	if (ptr != NULL) {
+#ifdef HAVE_READLINE
+	if (interactive) {
 		free(ptr);
 	}
+#endif /* ifdef HAVE_READLINE */
+	isc_mem_free(mctx, buf);
 }
 
 ISC_NORETURN static void

bin/dig/nslookup.docbook

@@ -0,0 +1,524 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!--
+ - Copyright (c) 1985, 1989
+ -    The Regents of the University of California.  All rights reserved.
+ -
+ - Redistribution and use in source and binary forms, with or without
+ - modification, are permitted provided that the following conditions
+ - are met:
+ - 1. Redistributions of source code must retain the above copyright
+ -    notice, this list of conditions and the following disclaimer.
+ - 2. Redistributions in binary form must reproduce the above copyright
+ -    notice, this list of conditions and the following disclaimer in the
+ -    documentation and/or other materials provided with the distribution.
+ - 3. Neither the name of the University nor the names of its contributors
+ -    may be used to endorse or promote products derived from this software
+ -    without specific prior written permission.
+ -
+ - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ - ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ - SUCH DAMAGE.
+-->
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
+  <info>
+    <date>2014-01-24</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nslookup</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nslookup</refname>
+    <refpurpose>query Internet name servers interactively</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
+      <year>2010</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>nslookup</command>
+      <arg choice="opt" rep="norepeat"><option>-option</option></arg>
+      <arg choice="opt" rep="norepeat">name | -</arg>
+      <arg choice="opt" rep="norepeat">server</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>Nslookup</command>
+      is a program to query Internet domain name servers.  <command>Nslookup</command>
+      has two modes: interactive and non-interactive.  Interactive mode allows
+      the user to query name servers for information about various hosts and
+      domains or to print a list of hosts in a domain.  Non-interactive mode
+      is
+      used to print just the name and requested information for a host or
+      domain.
+    </para>
+  </refsection>
+
+  <refsection><info><title>ARGUMENTS</title></info>
+
+    <para>
+      Interactive mode is entered in the following cases:
+      <orderedlist numeration="loweralpha" inheritnum="ignore" continuation="restarts">
+        <listitem>
+          <para>
+            when no arguments are given (the default name server will be used)
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            when the first argument is a hyphen (-) and the second argument is
+            the host name or Internet address of a name server.
+          </para>
+        </listitem>
+      </orderedlist>
+    </para>
+
+    <para>
+      Non-interactive mode is used when the name or Internet address of the
+      host to be looked up is given as the first argument. The optional second
+      argument specifies the host name or address of a name server.
+    </para>
+
+    <para>
+      Options can also be specified on the command line if they precede the
+      arguments and are prefixed with a hyphen.  For example, to
+      change the default query type to host information, and the initial
+      timeout to 10 seconds, type:
+      <!-- <informalexample> produces bad nroff. -->
+        <programlisting>
+nslookup -query=hinfo  -timeout=10
+</programlisting>
+      <!-- </informalexample> -->
+    </para>
+    <para>
+      The <option>-version</option> option causes
+      <command>nslookup</command> to print the version
+      number and immediately exits.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>INTERACTIVE COMMANDS</title></info>
+
+    <variablelist>
+      <varlistentry>
+        <term><constant>host</constant> <optional>server</optional></term>
+        <listitem>
+          <para>
+            Look up information for host using the current default server or
+            using server, if specified.  If host is an Internet address and
+            the query type is A or PTR, the name of the host is returned.
+            If host is a name and does not have a trailing period, the
+            search list is used to qualify the name.
+          </para>
+
+          <para>
+            To look up a host not in the current domain, append a period to
+            the name.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
+        <listitem>
+          <para>
+            Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
+            server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
+            the current default server.  If an authoritative answer can't be
+            found, the names of servers that might have the answer are
+            returned.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>root</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>finger</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>ls</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>view</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>help</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>?</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>exit</constant></term>
+        <listitem>
+          <para>
+            Exits the program.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>set</constant>
+          <replaceable>keyword<optional>=value</optional></replaceable></term>
+        <listitem>
+          <para>
+            This command is used to change state information that affects
+            the lookups.  Valid keywords are:
+            <variablelist>
+              <varlistentry>
+                <term><constant>all</constant></term>
+                <listitem>
+                  <para>
+                    Prints the current values of the frequently used
+                    options to <command>set</command>.
+                    Information about the  current default
+                    server and host is also printed.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>class=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the query class to one of:
+                    <variablelist>
+                      <varlistentry>
+                        <term><constant>IN</constant></term>
+                        <listitem>
+                          <para>
+                            the Internet class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>CH</constant></term>
+                        <listitem>
+                          <para>
+                            the Chaos class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>HS</constant></term>
+                        <listitem>
+                          <para>
+                            the Hesiod class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>ANY</constant></term>
+                        <listitem>
+                          <para>
+                            wildcard
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                    </variablelist>
+                    The class specifies the protocol group of the information.
+
+                  </para>
+                  <para>
+                    (Default = IN; abbreviation = cl)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
+                <listitem>
+                  <para>
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
+                  </para>
+                  <para>
+                    (Default = nodebug; abbreviation = <optional>no</optional>deb)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
+                <listitem>
+                  <para>
+                    Turn debugging mode on or off.  This displays more about
+                    what nslookup is doing.
+                  </para>
+                  <para>
+                    (Default = nod2)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>domain=</constant><replaceable>name</replaceable></term>
+                <listitem>
+                  <para>
+                    Sets the search list to <replaceable>name</replaceable>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
+                <listitem>
+                  <para>
+                    If the lookup request contains at least one period but
+                    doesn't end with a trailing period, append the domain
+                    names in the domain search list to the request until an
+                    answer is received.
+                  </para>
+                  <para>
+                    (Default = search)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>port=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
+                  </para>
+                  <para>
+                    (Default = 53; abbreviation = po)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>querytype=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para/>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>type=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the type of the information query.
+                  </para>
+                  <para>
+                    (Default = A and then AAAA; abbreviations = q, ty)
+                  </para>
+                    <para>
+                      <emphasis role="bold">Note:</emphasis> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
+                <listitem>
+                  <para>
+                    Tell the name server to query other servers if it does not
+                    have the
+                    information.
+                  </para>
+                  <para>
+                    (Default = recurse; abbreviation = [no]rec)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>ndots=</constant><replaceable>number</replaceable></term>
+                <listitem>
+                  <para>
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>retry=</constant><replaceable>number</replaceable></term>
+                <listitem>
+                  <para>
+                    Set the number of retries to number.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>timeout=</constant><replaceable>number</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the initial timeout interval for waiting for a
+                    reply to number seconds.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
+                <listitem>
+                  <para>
+                    Always use a virtual circuit when sending requests to the
+                    server.
+                  </para>
+                  <para>
+                    (Default = novc)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
+                <listitem>
+                  <para>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </para>
+                  <para>
+                    (Default = nofail)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+            </variablelist>
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+    <para>
+      <command>nslookup</command> returns with an exit status of 1
+      if any query failed, and 0 otherwise.
+    </para>
+  </refsection>
+
+  <refsection><info><title>IDN SUPPORT</title></info>
+
+    <para>
+      If <command>nslookup</command> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names.
+      <command>nslookup</command> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, define
+      the <envar>IDN_DISABLE</envar> environment variable.
+      The IDN support is disabled if the variable is set when
+      <command>nslookup</command> runs or when the standard output is not
+      a tty.
+    </para>
+  </refsection>
+
+  <refsection><info><title>FILES</title></info>
+
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+</refentry>

bin/dig/nslookup.html

@@ -0,0 +1,409 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>nslookup</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.nslookup"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    nslookup
+     &#8212; query Internet name servers interactively
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">nslookup</code> 
+       [<code class="option">-option</code>]
+       [name | -]
+       [server]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>Nslookup</strong></span>
+      is a program to query Internet domain name servers.  <span class="command"><strong>Nslookup</strong></span>
+      has two modes: interactive and non-interactive.  Interactive mode allows
+      the user to query name servers for information about various hosts and
+      domains or to print a list of hosts in a domain.  Non-interactive mode
+      is
+      used to print just the name and requested information for a host or
+      domain.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>ARGUMENTS</h2>
+
+    <p>
+      Interactive mode is entered in the following cases:
+      </p>
+<div class="orderedlist"><ol class="orderedlist" type="a">
+<li class="listitem">
+          <p>
+            when no arguments are given (the default name server will be used)
+          </p>
+        </li>
+<li class="listitem">
+          <p>
+            when the first argument is a hyphen (-) and the second argument is
+            the host name or Internet address of a name server.
+          </p>
+        </li>
+</ol></div>
+<p>
+    </p>
+
+    <p>
+      Non-interactive mode is used when the name or Internet address of the
+      host to be looked up is given as the first argument. The optional second
+      argument specifies the host name or address of a name server.
+    </p>
+
+    <p>
+      Options can also be specified on the command line if they precede the
+      arguments and are prefixed with a hyphen.  For example, to
+      change the default query type to host information, and the initial
+      timeout to 10 seconds, type:
+      
+        </p>
+<pre class="programlisting">
+nslookup -query=hinfo  -timeout=10
+</pre>
+<p>
+      
+    </p>
+    <p>
+      The <code class="option">-version</code> option causes
+      <span class="command"><strong>nslookup</strong></span> to print the version
+      number and immediately exits.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
+<dd>
+          <p>
+            Look up information for host using the current default server or
+            using server, if specified.  If host is an Internet address and
+            the query type is A or PTR, the name of the host is returned.
+            If host is a name and does not have a trailing period, the
+            search list is used to qualify the name.
+          </p>
+
+          <p>
+            To look up a host not in the current domain, append a period to
+            the name.
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
+<dd>
+          <p></p>
+        </dd>
+<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
+<dd>
+          <p>
+            Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
+            server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
+            the current default server.  If an authoritative answer can't be
+            found, the names of servers that might have the answer are
+            returned.
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">root</code></span></dt>
+<dd>
+          <p>
+            not implemented
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">finger</code></span></dt>
+<dd>
+          <p>
+            not implemented
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">ls</code></span></dt>
+<dd>
+          <p>
+            not implemented
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">view</code></span></dt>
+<dd>
+          <p>
+            not implemented
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">help</code></span></dt>
+<dd>
+          <p>
+            not implemented
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">?</code></span></dt>
+<dd>
+          <p>
+            not implemented
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">exit</code></span></dt>
+<dd>
+          <p>
+            Exits the program.
+          </p>
+        </dd>
+<dt><span class="term"><code class="constant">set</code>
+          <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
+<dd>
+          <p>
+            This command is used to change state information that affects
+            the lookups.  Valid keywords are:
+            </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">all</code></span></dt>
+<dd>
+                  <p>
+                    Prints the current values of the frequently used
+                    options to <span class="command"><strong>set</strong></span>.
+                    Information about the  current default
+                    server and host is also printed.
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd>
+                  <p>
+                    Change the query class to one of:
+                    </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">IN</code></span></dt>
+<dd>
+                          <p>
+                            the Internet class
+                          </p>
+                        </dd>
+<dt><span class="term"><code class="constant">CH</code></span></dt>
+<dd>
+                          <p>
+                            the Chaos class
+                          </p>
+                        </dd>
+<dt><span class="term"><code class="constant">HS</code></span></dt>
+<dd>
+                          <p>
+                            the Hesiod class
+                          </p>
+                        </dd>
+<dt><span class="term"><code class="constant">ANY</code></span></dt>
+<dd>
+                          <p>
+                            wildcard
+                          </p>
+                        </dd>
+</dl></div>
+<p>
+                    The class specifies the protocol group of the information.
+
+                  </p>
+                  <p>
+                    (Default = IN; abbreviation = cl)
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
+<dd>
+                  <p>
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
+                  </p>
+                  <p>
+                    (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
+<dd>
+                  <p>
+                    Turn debugging mode on or off.  This displays more about
+                    what nslookup is doing.
+                  </p>
+                  <p>
+                    (Default = nod2)
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
+<dd>
+                  <p>
+                    Sets the search list to <em class="replaceable"><code>name</code></em>.
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
+<dd>
+                  <p>
+                    If the lookup request contains at least one period but
+                    doesn't end with a trailing period, append the domain
+                    names in the domain search list to the request until an
+                    answer is received.
+                  </p>
+                  <p>
+                    (Default = search)
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd>
+                  <p>
+                    Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
+                  </p>
+                  <p>
+                    (Default = 53; abbreviation = po)
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd>
+                  <p></p>
+                </dd>
+<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
+<dd>
+                  <p>
+                    Change the type of the information query.
+                  </p>
+                  <p>
+                    (Default = A and then AAAA; abbreviations = q, ty)
+                  </p>
+                    <p>
+                      <span class="bold"><strong>Note:</strong></span> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </p>
+                </dd>
+<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
+<dd>
+                  <p>
+                    Tell the name server to query other servers if it does not
+                    have the
+                    information.
+                  </p>
+                  <p>
+                    (Default = recurse; abbreviation = [no]rec)
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
+<dd>
+                  <p>
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
+<dd>
+                  <p>
+                    Set the number of retries to number.
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
+<dd>
+                  <p>
+                    Change the initial timeout interval for waiting for a
+                    reply to number seconds.
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
+<dd>
+                  <p>
+                    Always use a virtual circuit when sending requests to the
+                    server.
+                  </p>
+                  <p>
+                    (Default = novc)
+                  </p>
+                </dd>
+<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
+<dd>
+                  <p>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </p>
+                  <p>
+                    (Default = nofail)
+                  </p>
+                </dd>
+</dl></div>
+<p>
+          </p>
+        </dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>RETURN VALUES</h2>
+    <p>
+      <span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
+      if any query failed, and 0 otherwise.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
+
+    <p>
+      If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names.
+      <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, define
+      the <code class="envar">IDN_DISABLE</code> environment variable.
+      The IDN support is disabled if the variable is set when
+      <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
+      a tty.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.12"></a><h2>FILES</h2>
+
+    <p><code class="filename">/etc/resolv.conf</code>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.13"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dig</span>(1)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">host</span>(1)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">named</span>(8)
+      </span>.
+    </p>
+  </div>
+</div></body>
+</html>

bin/dig/nslookup.rst

@@ -1,216 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_nslookup:
-
-nslookup - query Internet name servers interactively
-----------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`nslookup` [-option] [name | -] [server]
-
-Description
-~~~~~~~~~~~
-
-``nslookup`` is a program to query Internet domain name servers.
-``nslookup`` has two modes: interactive and non-interactive. Interactive
-mode allows the user to query name servers for information about various
-hosts and domains or to print a list of hosts in a domain.
-Non-interactive mode prints just the name and requested
-information for a host or domain.
-
-Arguments
-~~~~~~~~~
-
-Interactive mode is entered in the following cases:
-
-a. when no arguments are given (the default name server is used);
-
-b. when the first argument is a hyphen (-) and the second argument is
-   the host name or Internet address of a name server.
-
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen. For example, to change the
-default query type to host information, with an initial timeout of 10
-seconds, type:
-
-::
-
-   nslookup -query=hinfo  -timeout=10
-
-The ``-version`` option causes ``nslookup`` to print the version number
-and immediately exit.
-
-Interactive Commands
-~~~~~~~~~~~~~~~~~~~~
-
-``host [server]``
-   This command looks up information for ``host`` using the current default server or
-   using ``server``, if specified. If ``host`` is an Internet address and the
-   query type is A or PTR, the name of the host is returned. If ``host`` is
-   a name and does not have a trailing period (``.``), the search list is used
-   to qualify the name.
-
-   To look up a host not in the current domain, append a period to the
-   name.
-
-``server domain`` | ``lserver domain``
-   These commands change the default server to ``domain``; ``lserver`` uses the initial
-   server to look up information about ``domain``, while ``server`` uses the
-   current default server. If an authoritative answer cannot be found,
-   the names of servers that might have the answer are returned.
-
-``root``
-   This command is not implemented.
-
-``finger``
-   This command is not implemented.
-
-``ls``
-   This command is not implemented.
-
-``view``
-   This command is not implemented.
-
-``help``
-   This command is not implemented.
-
-``?``
-   This command is not implemented.
-
-``exit``
-   This command exits the program.
-
-``set keyword[=value]``
-   This command is used to change state information that affects the
-   lookups. Valid keywords are:
-
-   ``all``
-      This keyword prints the current values of the frequently used options to
-      ``set``. Information about the current default server and host is
-      also printed.
-
-   ``class=value``
-      This keyword changes the query class to one of:
-
-      ``IN``
-         the Internet class
-
-      ``CH``
-         the Chaos class
-
-      ``HS``
-         the Hesiod class
-
-      ``ANY``
-         wildcard
-
-      The class specifies the protocol group of the information. The default
-      is ``IN``; the abbreviation for this keyword is ``cl``.
-
-   ``nodebug``
-      This keyword turns on or off the display of the full response packet, and any
-      intermediate response packets, when searching. The default for this keyword is
-      ``nodebug``; the abbreviation for this keyword is ``[no]deb``.
-
-   ``nod2``
-      This keyword turns debugging mode on or off. This displays more about what
-      nslookup is doing. The default is ``nod2``.
-
-   ``domain=name``
-      This keyword sets the search list to ``name``.
-
-   ``nosearch``
-      If the lookup request contains at least one period, but does not end
-      with a trailing period, this keyword appends the domain names in the domain
-      search list to the request until an answer is received. The default is ``search``.
-
-   ``port=value``
-      This keyword changes the default TCP/UDP name server port to ``value`` from
-      its default, port 53. The abbreviation for this keyword is ``po``.
-
-   ``querytype=value`` | ``type=value``
-      This keyword changes the type of the information query to ``value``. The
-      defaults are A and then AAAA; the abbreviations for these keywords are
-      ``q`` and ``ty``.
-
-      Please note that it is only possible to specify one query type. Only the default
-      behavior looks up both when an alternative is not specified.
-
-   ``norecurse``
-      This keyword tells the name server to query other servers if it does not have
-      the information. The default is ``recurse``; the abbreviation for this
-      keyword is ``[no]rec``.
-
-   ``ndots=number``
-      This keyword sets the number of dots (label separators) in a domain that
-      disables searching. Absolute names always stop searching.
-
-   ``retry=number``
-      This keyword sets the number of retries to ``number``.
-
-   ``timeout=number``
-      This keyword changes the initial timeout interval to wait for a reply to
-      ``number``, in seconds.
-
-   ``novc``
-      This keyword indicates that a virtual circuit should always be used when sending requests to the server.
-      ``novc`` is the default.
-
-   ``nofail``
-      This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
-      a referral (nofail), or terminates the query (fail) on such a response. The
-      default is ``nofail``.
-
-Return Values
-~~~~~~~~~~~~~
-
-``nslookup`` returns with an exit status of 1 if any query failed, and 0
-otherwise.
-
-IDN Support
-~~~~~~~~~~~
-
-If ``nslookup`` has been built with IDN (internationalized domain name)
-support, it can accept and display non-ASCII domain names. ``nslookup``
-appropriately converts character encoding of a domain name before sending
-a request to a DNS server or displaying a reply from the server.
-To turn off IDN support, define the ``IDN_DISABLE``
-environment variable. IDN support is disabled if the variable is set
-when ``nslookup`` runs, or when the standard output is not a tty.
-
-Files
-~~~~~
-
-``/etc/resolv.conf``
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.

bin/dig/win32/dig.vcxproj.in

@@ -116,26 +116,6 @@
   <ItemGroup>
     <ClCompile Include="..\dig.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
-      <Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/win32/dighost.vcxproj.in

@@ -109,23 +109,6 @@
   <ItemGroup>
     <ClCompile Include="..\dighost.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/win32/host.vcxproj.in

@@ -113,26 +113,6 @@
   <ItemGroup>
     <ClCompile Include="..\host.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
-      <Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dig/win32/nslookup.vcxproj.in

@@ -114,26 +114,6 @@
     <ClCompile Include="..\dighost.c" />
     <ClCompile Include="..\nslookup.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\lib\isc\win32\libisc.vcxproj">
-      <Project>{3840E563-D180-4761-AA9C-E6155F02EAFF}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\dns\win32\libdns.vcxproj">
-      <Project>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\isccfg\win32\libisccfg.vcxproj">
-      <Project>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\irs\win32\libirs.vcxproj">
-      <Project>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\lib\bind9\win32\libbind9.vcxproj">
-      <Project>{E741C10B-B075-4206-9596-46765B665E03}</Project>
-    </ProjectReference>
-    <ProjectReference Include="..\..\..\bin\dig\win32\dighost.vcxproj">
-      <Project>{140DE800-E552-43CC-B0C7-A33A92E368CA}</Project>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

bin/dnssec/Makefile.am

@@ -14,7 +14,7 @@ LDADD =				\
 	$(LIBISC_LIBS)		\
 	$(LIBDNS_LIBS)
 
-bin_PROGRAMS = \
+sbin_PROGRAMS = \
 	dnssec-cds		\
 	dnssec-dsfromkey	\
 	dnssec-importkey	\

bin/dnssec/dnssec-cds.8

@@ -0,0 +1,297 @@
+.\" Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: dnssec-cds
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2017-10-02
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DNSSEC\-CDS" "8" "2017\-10\-02" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
+.SH "SYNOPSIS"
+.HP \w'\fBdnssec\-cds\fR\ 'u
+\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
+.SH "DESCRIPTION"
+.PP
+The
+\fBdnssec\-cds\fR
+command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. This enables a child zone to inform its parent of upcoming changes to its key\-signing keys; by polling periodically with
+\fBdnssec\-cds\fR, the parent can keep the DS records up to date and enable automatic rolling of KSKs\&.
+.PP
+Two input files are required\&. The
+\fB\-f \fR\fB\fIchild\-file\fR\fR
+option specifies a file containing the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The
+\fB\-d \fR\fB\fIpath\fR\fR
+option specifies the location of a file containing the current DS records\&. For example, this could be a
+dsset\-
+file generated by
+\fBdnssec\-signzone\fR, or the output of
+\fBdnssec\-dsfromkey\fR, or the output of a previous run of
+\fBdnssec\-cds\fR\&.
+.PP
+The
+\fBdnssec\-cds\fR
+command uses special DNSSEC validation logic specified by RFC 7344\&. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records\&. This will typically be the pre\-existing key\-signing key (KSK)\&.
+.PP
+For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
+\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
+dsset\-
+file, or from the
+\fB\-s\fR
+option\&.
+.PP
+To protect against breaking the delegation,
+\fBdnssec\-cds\fR
+ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&.
+.PP
+By default, replacement DS records are written to the standard output; with the
+\fB\-i\fR
+option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&.
+.PP
+Warning: Be careful not to delete the DS records when
+\fBdnssec\-cds\fR
+fails!
+.PP
+Alternatively,
+\fBdnssec\-cds \-u\fR
+writes an
+\fBnsupdate\fR
+script to the standard output\&. You can use the
+\fB\-u\fR
+and
+\fB\-i\fR
+options together to maintain a
+dsset\-
+file as well as emit an
+\fBnsupdate\fR
+script\&.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&.
+.sp
+The
+\fIalgorithm\fR
+must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specifies the DNS class of the zones\&.
+.RE
+.PP
+\-D
+.RS 4
+Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&.
+.RE
+.PP
+\-d \fIpath\fR
+.RS 4
+Location of the parent DS records\&. The
+\fIpath\fR
+can be the name of a file containing the DS records, or if it is a directory,
+\fBdnssec\-cds\fR
+looks for a
+dsset\-
+file for the
+\fIdomain\fR
+inside the directory\&.
+.sp
+To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the
+dsset\-
+file\&. This can be adjusted with the
+\fB\-s\fR
+option\&.
+.RE
+.PP
+\-f \fIchild\-file\fR
+.RS 4
+File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&.
+.sp
+The EXAMPLES below describe how to generate this file\&.
+.RE
+.PP
+\-i [\fIextension\fR]
+.RS 4
+Update the
+dsset\-
+file in place, instead of writing DS records to the standard output\&.
+.sp
+There must be no space between the
+\fB\-i\fR
+and the
+\fIextension\fR\&. If you provide no
+\fIextension\fR
+then the old
+dsset\-
+is discarded\&. If an
+\fIextension\fR
+is present, a backup of the old
+dsset\-
+file is kept with the
+\fIextension\fR
+appended to its filename\&.
+.sp
+To protect against replay attacks, the modification time of the
+dsset\-
+file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&.
+.RE
+.PP
+\-s \fIstart\-time\fR
+.RS 4
+Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the
+dsset\-
+file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&.
+.sp
+If no
+\fIstart\-time\fR
+is specified, the modification time of the
+dsset\-
+file is used\&.
+.RE
+.PP
+\-T \fIttl\fR
+.RS 4
+Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&.
+.RE
+.PP
+\-u
+.RS 4
+Write an
+\fBnsupdate\fR
+script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&.
+.sp
+Note: The TTL of new records needs to be specified, either in the original
+dsset\-
+file, or with the
+\fB\-T\fR
+option, or using the
+\fBnsupdate\fR\fBttl\fR
+command\&.
+.RE
+.PP
+\-V
+.RS 4
+Print version information\&.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&.
+.RE
+.PP
+\fIdomain\fR
+.RS 4
+The name of the delegation point / child zone apex\&.
+.RE
+.SH "EXIT STATUS"
+.PP
+The
+\fBdnssec\-cds\fR
+command exits 0 on success, or non\-zero if an error occurred\&.
+.PP
+In the success case, the DS records might or might not need to be changed\&.
+.SH "EXAMPLES"
+.PP
+Before running
+\fBdnssec\-signzone\fR, you can ensure that the delegations are up\-to\-date by running
+\fBdnssec\-cds\fR
+on every
+dsset\-
+file\&.
+.PP
+To fetch the child records required by
+\fBdnssec\-cds\fR
+you can invoke
+\fBdig\fR
+as in the script below\&. It\*(Aqs okay if the
+\fBdig\fR
+fails since
+\fBdnssec\-cds\fR
+performs all the necessary checking\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+for f in dsset\-*
+do
+	d=${f#dsset\-}
+	dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+	dnssec\-cds \-i \-f /dev/stdin \-d $f $d
+done
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+When the parent zone is automatically signed by
+\fBnamed\fR, you can use
+\fBdnssec\-cds\fR
+with
+\fBnsupdate\fR
+to maintain a delegation as follows\&. The
+dsset\-
+file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
+nsupdate \-l
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBdnssec-settime\fR(8),
+\fBdnssec-signzone\fR(8),
+\fBnsupdate\fR(1),
+BIND 9 Administrator Reference Manual,
+RFC 7344\&.
+.SH "AUTHORS"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.PP
+\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&>
+.br
+.RS 4
+.RE
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2017-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dnssec/dnssec-cds.docbook

@@ -0,0 +1,390 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-cds">
+  <info>
+    <date>2017-10-02</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+    <author>
+      <personname>Tony Finch</personname>
+      <email>dot@dotat.at</email>
+      <email>fanf2@cam.ac.uk</email>
+      <affiliation>Cambridge University Information Services</affiliation>
+      <personblurb></personblurb>
+    </author>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-cds</application></refentrytitle>
+   <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-cds</application></refname>
+    <refpurpose>change DS records for a child zone based on CDS/CDNSKEY</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-cds</command>
+      <arg choice="opt" rep="repeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D</option></arg>
+      <arg choice="req" rep="norepeat"><option>-d <replaceable class="parameter">dsset-file</replaceable></option></arg>
+      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">child-file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i</option><arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></arg>
+      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-u</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+      <arg choice="req" rep="norepeat">domain</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      The <command>dnssec-cds</command> command changes DS records at
+      a delegation point based on CDS or CDNSKEY records published in
+      the child zone. If both CDS and CDNSKEY records are present in
+      the child zone, the CDS is preferred. This enables a child zone
+      to inform its parent of upcoming changes to its key-signing keys;
+      by polling periodically with <command>dnssec-cds</command>, the
+      parent can keep the DS records up to date and enable automatic
+      rolling of KSKs.
+    </para>
+    <para>
+      Two input files are required.  The
+      <option>-f <replaceable class="parameter">child-file</replaceable></option>
+      option specifies a file containing the child's CDS and/or CDNSKEY
+      records, plus RRSIG and DNSKEY records so that they can be
+      authenticated.  The
+      <option>-d <replaceable class="parameter">path</replaceable></option>
+      option specifies the location of a file containing the current DS
+      records. For example, this could be a <filename>dsset-</filename>
+      file generated by <command>dnssec-signzone</command>, or the output of
+      <command>dnssec-dsfromkey</command>, or the output of a previous
+      run of <command>dnssec-cds</command>.
+    </para>
+    <para>
+      The <command>dnssec-cds</command> command uses special DNSSEC
+      validation logic specified by RFC 7344. It requires that the CDS
+      and/or CDNSKEY records are validly signed by a key represented in the
+      existing DS records. This will typically be the pre-existing
+      key-signing key (KSK).
+    </para>
+    <para>
+      For protection against replay attacks, the signatures on the
+      child records must not be older than they were on a previous run
+      of <command>dnssec-cds</command>. This time is obtained from the
+      modification time of the <filename>dsset-</filename> file, or
+      from the <option>-s</option> option.
+    </para>
+    <para>
+      To protect against breaking the delegation,
+      <command>dnssec-cds</command> ensures that the DNSKEY RRset can be
+      verified by every key algorithm in the new DS RRset, and that the
+      same set of keys are covered by every DS digest type.
+    </para>
+    <para>
+      By default, replacement DS records are written to the standard
+      output; with the <option>-i</option> option the input file is
+      overwritten in place. The replacement DS records will be the
+      same as the existing records when no change is required. The
+      output can be empty if the CDS / CDNSKEY records specify that
+      the child zone wants to go insecure.
+    </para>
+    <para>
+      Warning: Be careful not to delete the DS records
+      when <command>dnssec-cds</command> fails!
+    </para>
+    <para>
+      Alternatively, <command>dnssec-cds -u</command> writes
+      an <command>nsupdate</command> script to the standard output.
+      You can use the <option>-u</option> and <option>-i</option>
+      options together to maintain a <filename>dsset-</filename> file
+      as well as emit an <command>nsupdate</command> script.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+    <variablelist>
+
+      <varlistentry>
+	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
+        <listitem>
+          <para>
+	    Specify a digest algorithm to use when converting CDNSKEY
+	    records to DS records. This option can be repeated, so
+	    that multiple DS records are created for each CDNSKEY
+	    record. This option has no effect when using CDS records.
+          </para>
+          <para>
+	    The <replaceable>algorithm</replaceable> must be one of
+	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
+	    and the hyphen may be omitted.  If no algorithm is specified,
+	    the default is SHA-256.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the DNS class of the zones.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+        <listitem>
+          <para>
+	    Generate DS records from CDNSKEY records if both CDS and
+	    CDNSKEY records are present in the child zone. By default
+	    CDS records are preferred.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-d <replaceable class="parameter">path</replaceable></term>
+        <listitem>
+          <para>
+            Location of the parent DS records.
+	    The <replaceable>path</replaceable> can be the name of a file
+	    containing the DS records, or if it is a
+	    directory, <command>dnssec-cds</command> looks for
+	    a <filename>dsset-</filename> file for
+	    the <replaceable>domain</replaceable> inside the directory.
+          </para>
+          <para>
+            To protect against replay attacks, child records are
+            rejected if they were signed earlier than the modification
+            time of the <filename>dsset-</filename> file. This can be
+            adjusted with the <option>-s</option> option.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-f <replaceable class="parameter">child-file</replaceable></term>
+        <listitem>
+          <para>
+	    File containing the child's CDS and/or CDNSKEY records,
+	    plus its DNSKEY records and the covering RRSIG records so
+	    that they can be authenticated.
+          </para>
+	  <para>
+	    The EXAMPLES below describe how to generate this file.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i<arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></term>
+        <listitem>
+          <para>
+            Update the <filename>dsset-</filename> file in place,
+            instead of writing DS records to the standard output.
+          </para>
+	  <para>
+	    There must be no space between the <option>-i</option> and
+	    the <replaceable>extension</replaceable>. If you provide
+	    no <replaceable>extension</replaceable> then the
+	    old <filename>dsset-</filename> is discarded. If
+	    an <replaceable>extension</replaceable> is present, a
+	    backup of the old <filename>dsset-</filename> file is kept
+	    with the <replaceable>extension</replaceable> appended to
+	    its filename.
+	  </para>
+          <para>
+            To protect against replay attacks, the modification time
+            of the <filename>dsset-</filename> file is set to match
+            the signature inception time of the child records,
+            provided that is later than the file's current
+            modification time.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-s <replaceable class="parameter">start-time</replaceable></term>
+        <listitem>
+          <para>
+            Specify the date and time after which RRSIG records become
+            acceptable. This can be either an absolute or relative
+            time. An absolute start time is indicated by a number in
+            YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
+            UTC on August 27th, 2017. A time relative to
+            the <filename>dsset-</filename> file is indicated with -N,
+            which is N seconds before the file modification time. A
+            time relative to the current time is indicated with now+N.
+	  </para>
+	  <para>
+            If no <replaceable>start-time</replaceable> is specified, the
+            modification time of the <filename>dsset-</filename> file
+            is used.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-T <replaceable class="parameter">ttl</replaceable></term>
+        <listitem>
+          <para>
+            Specifies a TTL to be used for new DS records. If not
+            specified, the default is the TTL of the old DS records.
+            If they had no explicit TTL then the new DS records also
+            have no explicit TTL.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-u</term>
+        <listitem>
+          <para>
+	    Write an <command>nsupdate</command> script to the
+	    standard output, instead of printing the new DS reords.
+	    The output will be empty if no change is needed.
+          </para>
+	  <para>
+	    Note: The TTL of new records needs to be specified, either
+	    in the original <filename>dsset-</filename> file, or with
+	    the <option>-T</option> option, or using
+	    the <command>nsupdate</command> <command>ttl</command>
+	    command.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+        <listitem>
+	  <para>
+	    Print version information.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v <replaceable class="parameter">level</replaceable></term>
+        <listitem>
+          <para>
+            Sets the debugging level. Level 1 is intended to be
+            usefully verbose for general users; higher levels are
+            intended for developers.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><replaceable>domain</replaceable></term>
+        <listitem>
+          <para>
+            The name of the delegation point / child zone apex.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>EXIT STATUS</title></info>
+
+    <para>
+      The <command>dnssec-cds</command> command exits 0 on success, or
+      non-zero if an error occurred.
+    </para>
+    <para>
+      In the success case, the DS records might or might not need
+      to be changed.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>EXAMPLES</title></info>
+
+    <para>
+      Before running <command>dnssec-signzone</command>, you can ensure
+      that the delegations are up-to-date by running
+      <command>dnssec-cds</command> on every <filename>dsset-</filename> file.
+    </para>
+    <para>
+      To fetch the child records required by <command>dnssec-cds</command>
+      you can invoke <command>dig</command> as in the script below.  It's
+      okay if the <command>dig</command> fails since
+      <command>dnssec-cds</command> performs all the necessary checking.
+    </para>
+<programlisting>for f in dsset-*
+do
+	d=${f#dsset-}
+	dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+	dnssec-cds -i -f /dev/stdin -d $f $d
+done
+</programlisting>
+
+    <para>
+      When the parent zone is automatically signed by
+      <command>named</command>, you can use <command>dnssec-cds</command>
+      with <command>nsupdate</command> to maintain a delegation as follows.
+      The <filename>dsset-</filename> file allows the script to avoid
+      having to fetch and validate the parent DS records, and it keeps the
+      replay attack protection time.
+    </para>
+<programlisting>
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec-cds -u -i -f /dev/stdin -d $f $d |
+nsupdate -l
+</programlisting>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para>
+      <citerefentry>
+        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 7344</citetitle>.
+    </para>
+
+  </refsection>
+
+</refentry>

bin/dnssec/dnssec-cds.html

@@ -0,0 +1,343 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-cds</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.dnssec-cds"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">dnssec-cds</span>
+     &#8212; change DS records for a child zone based on CDS/CDNSKEY
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-cds</code> 
+       [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-D</code>]
+       {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>}
+       {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>}
+       [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]]
+       [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-u</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       {domain}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
+      a delegation point based on CDS or CDNSKEY records published in
+      the child zone. If both CDS and CDNSKEY records are present in
+      the child zone, the CDS is preferred. This enables a child zone
+      to inform its parent of upcoming changes to its key-signing keys;
+      by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
+      parent can keep the DS records up to date and enable automatic
+      rolling of KSKs.
+    </p>
+    <p>
+      Two input files are required.  The
+      <code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
+      option specifies a file containing the child's CDS and/or CDNSKEY
+      records, plus RRSIG and DNSKEY records so that they can be
+      authenticated.  The
+      <code class="option">-d <em class="replaceable"><code>path</code></em></code>
+      option specifies the location of a file containing the current DS
+      records. For example, this could be a <code class="filename">dsset-</code>
+      file generated by <span class="command"><strong>dnssec-signzone</strong></span>, or the output of
+      <span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
+      run of <span class="command"><strong>dnssec-cds</strong></span>.
+    </p>
+    <p>
+      The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
+      validation logic specified by RFC 7344. It requires that the CDS
+      and/or CDNSKEY records are validly signed by a key represented in the
+      existing DS records. This will typically be the pre-existing
+      key-signing key (KSK).
+    </p>
+    <p>
+      For protection against replay attacks, the signatures on the
+      child records must not be older than they were on a previous run
+      of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
+      modification time of the <code class="filename">dsset-</code> file, or
+      from the <code class="option">-s</code> option.
+    </p>
+    <p>
+      To protect against breaking the delegation,
+      <span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
+      verified by every key algorithm in the new DS RRset, and that the
+      same set of keys are covered by every DS digest type.
+    </p>
+    <p>
+      By default, replacement DS records are written to the standard
+      output; with the <code class="option">-i</code> option the input file is
+      overwritten in place. The replacement DS records will be the
+      same as the existing records when no change is required. The
+      output can be empty if the CDS / CDNSKEY records specify that
+      the child zone wants to go insecure.
+    </p>
+    <p>
+      Warning: Be careful not to delete the DS records
+      when <span class="command"><strong>dnssec-cds</strong></span> fails!
+    </p>
+    <p>
+      Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
+      an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
+      You can use the <code class="option">-u</code> and <code class="option">-i</code>
+      options together to maintain a <code class="filename">dsset-</code> file
+      as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+          <p>
+	    Specify a digest algorithm to use when converting CDNSKEY
+	    records to DS records. This option can be repeated, so
+	    that multiple DS records are created for each CDNSKEY
+	    record. This option has no effect when using CDS records.
+          </p>
+          <p>
+	    The <em class="replaceable"><code>algorithm</code></em> must be one of
+	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
+	    and the hyphen may be omitted.  If no algorithm is specified,
+	    the default is SHA-256.
+          </p>
+        </dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+          <p>
+            Specifies the DNS class of the zones.
+          </p>
+        </dd>
+<dt><span class="term">-D</span></dt>
+<dd>
+          <p>
+	    Generate DS records from CDNSKEY records if both CDS and
+	    CDNSKEY records are present in the child zone. By default
+	    CDS records are preferred.
+          </p>
+        </dd>
+<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
+<dd>
+          <p>
+            Location of the parent DS records.
+	    The <em class="replaceable"><code>path</code></em> can be the name of a file
+	    containing the DS records, or if it is a
+	    directory, <span class="command"><strong>dnssec-cds</strong></span> looks for
+	    a <code class="filename">dsset-</code> file for
+	    the <em class="replaceable"><code>domain</code></em> inside the directory.
+          </p>
+          <p>
+            To protect against replay attacks, child records are
+            rejected if they were signed earlier than the modification
+            time of the <code class="filename">dsset-</code> file. This can be
+            adjusted with the <code class="option">-s</code> option.
+          </p>
+        </dd>
+<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
+<dd>
+          <p>
+	    File containing the child's CDS and/or CDNSKEY records,
+	    plus its DNSKEY records and the covering RRSIG records so
+	    that they can be authenticated.
+          </p>
+	  <p>
+	    The EXAMPLES below describe how to generate this file.
+	  </p>
+        </dd>
+<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
+<dd>
+          <p>
+            Update the <code class="filename">dsset-</code> file in place,
+            instead of writing DS records to the standard output.
+          </p>
+	  <p>
+	    There must be no space between the <code class="option">-i</code> and
+	    the <em class="replaceable"><code>extension</code></em>. If you provide
+	    no <em class="replaceable"><code>extension</code></em> then the
+	    old <code class="filename">dsset-</code> is discarded. If
+	    an <em class="replaceable"><code>extension</code></em> is present, a
+	    backup of the old <code class="filename">dsset-</code> file is kept
+	    with the <em class="replaceable"><code>extension</code></em> appended to
+	    its filename.
+	  </p>
+          <p>
+            To protect against replay attacks, the modification time
+            of the <code class="filename">dsset-</code> file is set to match
+            the signature inception time of the child records,
+            provided that is later than the file's current
+            modification time.
+          </p>
+        </dd>
+<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
+<dd>
+          <p>
+            Specify the date and time after which RRSIG records become
+            acceptable. This can be either an absolute or relative
+            time. An absolute start time is indicated by a number in
+            YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
+            UTC on August 27th, 2017. A time relative to
+            the <code class="filename">dsset-</code> file is indicated with -N,
+            which is N seconds before the file modification time. A
+            time relative to the current time is indicated with now+N.
+	  </p>
+	  <p>
+            If no <em class="replaceable"><code>start-time</code></em> is specified, the
+            modification time of the <code class="filename">dsset-</code> file
+            is used.
+          </p>
+        </dd>
+<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd>
+          <p>
+            Specifies a TTL to be used for new DS records. If not
+            specified, the default is the TTL of the old DS records.
+            If they had no explicit TTL then the new DS records also
+            have no explicit TTL.
+          </p>
+        </dd>
+<dt><span class="term">-u</span></dt>
+<dd>
+          <p>
+	    Write an <span class="command"><strong>nsupdate</strong></span> script to the
+	    standard output, instead of printing the new DS reords.
+	    The output will be empty if no change is needed.
+          </p>
+	  <p>
+	    Note: The TTL of new records needs to be specified, either
+	    in the original <code class="filename">dsset-</code> file, or with
+	    the <code class="option">-T</code> option, or using
+	    the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
+	    command.
+	  </p>
+        </dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Print version information.
+	  </p>
+        </dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd>
+          <p>
+            Sets the debugging level. Level 1 is intended to be
+            usefully verbose for general users; higher levels are
+            intended for developers.
+          </p>
+        </dd>
+<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
+<dd>
+          <p>
+            The name of the delegation point / child zone apex.
+          </p>
+        </dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>EXIT STATUS</h2>
+
+    <p>
+      The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
+      non-zero if an error occurred.
+    </p>
+    <p>
+      In the success case, the DS records might or might not need
+      to be changed.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>EXAMPLES</h2>
+
+    <p>
+      Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
+      that the delegations are up-to-date by running
+      <span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
+    </p>
+    <p>
+      To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
+      you can invoke <span class="command"><strong>dig</strong></span> as in the script below.  It's
+      okay if the <span class="command"><strong>dig</strong></span> fails since
+      <span class="command"><strong>dnssec-cds</strong></span> performs all the necessary checking.
+    </p>
+<pre class="programlisting">for f in dsset-*
+do
+	d=${f#dsset-}
+	dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+	dnssec-cds -i -f /dev/stdin -d $f $d
+done
+</pre>
+
+    <p>
+      When the parent zone is automatically signed by
+      <span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
+      with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
+      The <code class="filename">dsset-</code> file allows the script to avoid
+      having to fetch and validate the parent DS records, and it keeps the
+      replay attack protection time.
+    </p>
+<pre class="programlisting">
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec-cds -u -i -f /dev/stdin -d $f $d |
+nsupdate -l
+</pre>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>SEE ALSO</h2>
+
+    <p>
+      <span class="citerefentry">
+        <span class="refentrytitle">dig</span>(1)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">dnssec-settime</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">nsupdate</span>(1)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 7344</em>.
+    </p>
+
+  </div>
+
+</div></body>
+</html>

bin/dnssec/dnssec-cds.rst

@@ -1,213 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-cds:
-
-dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
---------------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i**[extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
-
-Description
-~~~~~~~~~~~
-
-The ``dnssec-cds`` command changes DS records at a delegation point
-based on CDS or CDNSKEY records published in the child zone. If both CDS
-and CDNSKEY records are present in the child zone, the CDS is preferred.
-This enables a child zone to inform its parent of upcoming changes to
-its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the
-parent can keep the DS records up-to-date and enable automatic rolling
-of KSKs.
-
-Two input files are required. The ``-f child-file`` option specifies a
-file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
-DNSKEY records so that they can be authenticated. The ``-d path`` option
-specifies the location of a file containing the current DS records. For
-example, this could be a ``dsset-`` file generated by
-``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the
-output of a previous run of ``dnssec-cds``.
-
-The ``dnssec-cds`` command uses special DNSSEC validation logic
-specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
-be validly signed by a key represented in the existing DS records. This
-is typically the pre-existing KSK.
-
-For protection against replay attacks, the signatures on the child
-records must not be older than they were on a previous run of
-``dnssec-cds``. Their age is obtained from the modification time of the
-``dsset-`` file, or from the ``-s`` option.
-
-To protect against breaking the delegation, ``dnssec-cds`` ensures that
-the DNSKEY RRset can be verified by every key algorithm in the new DS
-RRset, and that the same set of keys are covered by every DS digest
-type.
-
-By default, replacement DS records are written to the standard output;
-with the ``-i`` option the input file is overwritten in place. The
-replacement DS records are the same as the existing records, when no
-change is required. The output can be empty if the CDS/CDNSKEY records
-specify that the child zone wants to be insecure.
-
-.. warning::
-
-   Be careful not to delete the DS records when ``dnssec-cds`` fails!
-
-Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
-standard output. The ``-u`` and ``-i`` options can be used together to
-maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
-
-Options
-~~~~~~~
-
-``-a algorithm``
-   This option specifies a digest algorithm to use when converting CDNSKEY records to
-   DS records. This option can be repeated, so that multiple DS records
-   are created for each CDNSKEY record. This option has no effect when
-   using CDS records.
-
-   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
-   are case-insensitive, and the hyphen may be omitted. If no algorithm
-   is specified, the default is SHA-256.
-
-``-c class``
-   This option specifies the DNS class of the zones.
-
-``-D``
-   This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
-   records are present in the child zone. By default CDS records are
-   preferred.
-
-``-d path``
-   This specifies the location of the parent DS records. The path can be the name of a file
-   containing the DS records; if it is a directory, ``dnssec-cds``
-   looks for a ``dsset-`` file for the domain inside the directory.
-
-   To protect against replay attacks, child records are rejected if they
-   were signed earlier than the modification time of the ``dsset-``
-   file. This can be adjusted with the ``-s`` option.
-
-``-f child-file``
-   This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its
-   DNSKEY records and the covering RRSIG records, so that they can be
-   authenticated.
-
-   The examples below describe how to generate this file.
-
-``-iextension``
-   This option updates the ``dsset-`` file in place, instead of writing DS records to
-   the standard output.
-
-   There must be no space between the ``-i`` and the extension. If
-   no extension is provided, the old ``dsset-`` is discarded. If an
-   extension is present, a backup of the old ``dsset-`` file is kept
-   with the extension appended to its filename.
-
-   To protect against replay attacks, the modification time of the
-   ``dsset-`` file is set to match the signature inception time of the
-   child records, provided that it is later than the file's current
-   modification time.
-
-``-s start-time``
-   This option specifies the date and time after which RRSIG records become
-   acceptable. This can be either an absolute or a relative time. An
-   absolute start time is indicated by a number in YYYYMMDDHHMMSS
-   notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
-   time relative to the ``dsset-`` file is indicated with ``-N``, which is N
-   seconds before the file modification time. A time relative to the
-   current time is indicated with ``now+N``.
-
-   If no start-time is specified, the modification time of the
-   ``dsset-`` file is used.
-
-``-T ttl``
-   This option specifies a TTL to be used for new DS records. If not specified, the
-   default is the TTL of the old DS records. If they had no explicit TTL,
-   the new DS records also have no explicit TTL.
-
-``-u``
-   This option writes an ``nsupdate`` script to the standard output, instead of
-   printing the new DS reords. The output is empty if no change is
-   needed.
-
-   Note: The TTL of new records needs to be specified: it can be done in the
-   original ``dsset-`` file, with the ``-T`` option, or using the
-   ``nsupdate`` ``ttl`` command.
-
-``-V``
-   This option prints version information.
-
-``-v level``
-   This option sets the debugging level. Level 1 is intended to be usefully verbose
-   for general users; higher levels are intended for developers.
-
-``domain``
-   This indicates the name of the delegation point/child zone apex.
-
-Exit Status
-~~~~~~~~~~~
-
-The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
-occurred.
-
-If successful, the DS records may or may not need to be
-changed.
-
-Examples
-~~~~~~~~
-
-Before running ``dnssec-signzone``, ensure that the delegations
-are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
-
-To fetch the child records required by ``dnssec-cds``, invoke
-``dig`` as in the script below. It is acceptable if the ``dig`` fails, since
-``dnssec-cds`` performs all the necessary checking.
-
-::
-
-   for f in dsset-*
-   do
-       d=${f#dsset-}
-       dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-       dnssec-cds -i -f /dev/stdin -d $f $d
-   done
-
-When the parent zone is automatically signed by ``named``,
-``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows.
-The ``dsset-`` file allows the script to avoid having to fetch and
-validate the parent DS records, and it maintains the replay attack
-protection time.
-
-::
-
-   dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
-   dnssec-cds -u -i -f /dev/stdin -d $f $d |
-   nsupdate -l
-
-See Also
-~~~~~~~~
-
-:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator
-Reference Manual, :rfc:`7344`.

bin/dnssec/dnssec-dsfromkey.8

@@ -0,0 +1,226 @@
+.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: dnssec-dsfromkey
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2019-05-08
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dnssec-dsfromkey \- DNSSEC DS RR generation tool
+.SH "SYNOPSIS"
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
+.SH "DESCRIPTION"
+.PP
+The
+\fBdnssec\-dsfromkey\fR
+command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
+\fB\-C\fR
+option\&.
+.PP
+The input keys can be specified in a number of ways:
+.PP
+By default,
+\fBdnssec\-dsfromkey\fR
+reads a key file named like
+Knnnn\&.+aaa+iiiii\&.key, as generated by
+\fBdnssec\-keygen\fR\&.
+.PP
+With the
+\fB\-f \fR\fB\fIfile\fR\fR
+option,
+\fBdnssec\-dsfromkey\fR
+reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
+.PP
+With the
+\fB\-s\fR
+option,
+\fBdnssec\-dsfromkey\fR
+reads a
+keyset\-
+file, as generated by
+\fBdnssec\-keygen\fR\fB\-C\fR\&.
+.SH "OPTIONS"
+.PP
+\-1
+.RS 4
+An abbreviation for
+\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
+.RE
+.PP
+\-2
+.RS 4
+An abbreviation for
+\fB\-a SHA\-256\fR\&.
+.RE
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
+.sp
+The
+\fIalgorithm\fR
+must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
+.RE
+.PP
+\-A
+.RS 4
+Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
+\fB\-f\fR
+zone file mode\&.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specifies the DNS class (default is IN)\&. Useful only in
+\fB\-s\fR
+keyset or
+\fB\-f\fR
+zone file mode\&.
+.RE
+.PP
+\-C
+.RS 4
+Generate CDS records rather than DS records\&.
+.RE
+.PP
+\-f \fIfile\fR
+.RS 4
+Zone file mode:
+\fBdnssec\-dsfromkey\fR\*(Aqs final
+\fIdnsname\fR
+argument is the DNS domain name of a zone whose master file can be read from
+\fBfile\fR\&. If the zone name is the same as
+\fBfile\fR, then it may be omitted\&.
+.sp
+If
+\fIfile\fR
+is
+"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
+\fBdig\fR
+command as input, as in:
+.sp
+\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
+.RE
+.PP
+\-h
+.RS 4
+Prints usage information\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Look for key files or
+keyset\-
+files in
+\fBdirectory\fR\&.
+.RE
+.PP
+\-s
+.RS 4
+Keyset mode:
+\fBdnssec\-dsfromkey\fR\*(Aqs final
+\fIdnsname\fR
+argument is the DNS domain name used to locate a
+keyset\-
+file\&.
+.RE
+.PP
+\-T \fITTL\fR
+.RS 4
+Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level\&.
+.RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
+.SH "EXAMPLE"
+.PP
+To build the SHA\-256 DS RR from the
+\fBKexample\&.com\&.+003+26160\fR
+keyfile name, you can issue the following command:
+.PP
+\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
+.PP
+The command would print something like:
+.PP
+\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
+.SH "FILES"
+.PP
+The keyfile can be designated by the key identification
+Knnnn\&.+aaa+iiiii
+or the full file name
+Knnnn\&.+aaa+iiiii\&.key
+as generated by
+dnssec\-keygen(8)\&.
+.PP
+The keyset file name is built from the
+\fBdirectory\fR, the string
+keyset\-
+and the
+\fBdnsname\fR\&.
+.SH "CAVEAT"
+.PP
+A keyfile error can give a "file not found" even if the file exists\&.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 3658
+(DS RRs),
+RFC 4509
+(SHA\-256 for DS RRs),
+RFC 6605
+(SHA\-384 for DS RRs),
+RFC 7344
+(CDS and CDNSKEY RRs)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dnssec/dnssec-dsfromkey.c

@@ -331,7 +331,7 @@ usage(void) {
 	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
 	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
 	fprintf(stderr, "    %s [-h|-V]\n\n", program);
-	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
+	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n"
 			"    -1: digest algorithm SHA-1\n"
 			"    -2: digest algorithm SHA-256\n"

bin/dnssec/dnssec-dsfromkey.docbook

@@ -0,0 +1,355 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
+  <info>
+    <date>2019-05-08</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-dsfromkey</application></refname>
+    <refpurpose>DNSSEC DS RR generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-dsfromkey</command>
+      <group choice="opt">
+	<arg choice="plain"><option>-1</option></arg>
+	<arg choice="plain"><option>-2</option></arg>
+	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      </group>
+      <group>
+	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
+	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      </group>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">keyfile</arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-dsfromkey</command>
+      <group choice="opt">
+	<arg choice="plain"><option>-1</option></arg>
+	<arg choice="plain"><option>-2</option></arg>
+	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      </group>
+      <group>
+	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
+	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      </group>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A</option></arg>
+      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat">dnsname</arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-dsfromkey</command>
+      <group choice="opt">
+	<arg choice="plain"><option>-1</option></arg>
+	<arg choice="plain"><option>-2</option></arg>
+	<arg choice="plain"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      </group>
+      <group>
+	<arg choice="plain" rep="norepeat"><option>-C</option></arg>
+	<arg choice="plain" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      </group>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">-s</arg>
+      <arg choice="req" rep="norepeat">dnsname</arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-dsfromkey</command>
+      <group choice="opt">
+	<arg choice="plain" rep="norepeat"><option>-h</option></arg>
+	<arg choice="plain" rep="norepeat"><option>-V</option></arg>
+      </group>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
+      Signer) resource records (RRs), or CDS (Child DS) RRs with the
+      <option>-C</option> option.
+    </para>
+
+    <para>
+      The input keys can be specified in a number of ways:
+    </para>
+
+    <para>
+      By default, <command>dnssec-dsfromkey</command> reads a key file
+      named like <filename>Knnnn.+aaa+iiiii.key</filename>, as generated
+      by <command>dnssec-keygen</command>.
+    </para>
+
+    <para>
+      With the <option>-f <replaceable>file</replaceable></option>
+      option, <command>dnssec-dsfromkey</command> reads keys from a zone file
+      or partial zone file (which can contain just the DNSKEY records).
+    </para>
+
+    <para>
+      With the <option>-s</option>
+      option, <command>dnssec-dsfromkey</command> reads
+      a <filename>keyset-</filename> file, as generated
+      by <command>dnssec-keygen</command> <option>-C</option>.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+    <variablelist>
+      <varlistentry>
+	<term>-1</term>
+	<listitem>
+	  <para>
+	    An abbreviation for <option>-a SHA-1</option>.
+	    (Note: The SHA-1 algorithm is no longer recommended for use
+	    when generating new DS and CDS records.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-2</term>
+	<listitem>
+	  <para>
+	    An abbreviation for <option>-a SHA-256</option>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify a digest algorithm to use when converting DNSKEY
+	    records to DS records. This option can be repeated, so
+	    that multiple DS records are created for each DNSKEY
+	    record.
+          </para>
+          <para>
+	    The <replaceable>algorithm</replaceable> must be one of
+	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
+	    and the hyphen may be omitted.  If no algorithm is specified,
+	    the default is SHA-256.
+	    (Note: The SHA-1 algorithm is no longer recommended for use
+	    when generating new DS and CDS records.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-A</term>
+        <listitem>
+          <para>
+            Include ZSKs when generating DS records. Without this option, only
+            keys which have the KSK flag set will be converted to DS records
+            and printed. Useful only in <option>-f</option> zone file mode.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the DNS class (default is IN). Useful only
+	    in <option>-s</option> keyset or <option>-f</option>
+	    zone file mode.
+	  </para>
+	  </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-C</term>
+	<listitem>
+	  <para>
+	    Generate CDS records rather than DS records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-f <replaceable class="parameter">file</replaceable></term>
+	<listitem>
+	  <para>
+	    Zone file mode: <command>dnssec-dsfromkey</command>'s
+	    final <replaceable>dnsname</replaceable> argument is
+	    the DNS domain name of a zone whose master file can be read
+	    from <option>file</option>.  If the zone name is the same as
+	    <option>file</option>, then it may be omitted.
+	  </para>
+	  <para>
+	    If <replaceable>file</replaceable> is <literal>"-"</literal>, then
+	    the zone data is read from the standard input.  This makes it
+	    possible to use the output of the <command>dig</command>
+	    command as input, as in:
+	  </para>
+	  <para>
+	    <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints usage information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Look for key files or <filename>keyset-</filename> files in
+	    <option>directory</option>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s</term>
+	<listitem>
+	  <para>
+	    Keyset mode: <command>dnssec-dsfromkey</command>'s
+	    final <replaceable>dnsname</replaceable> argument is the DNS
+	    domain name used to locate a <filename>keyset-</filename> file.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">TTL</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	  </para>
+	  </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v <replaceable class="parameter">level</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the debugging level.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>EXAMPLE</title></info>
+
+    <para>
+      To build the SHA-256 DS RR from the
+      <userinput>Kexample.com.+003+26160</userinput>
+      keyfile name, you can issue the following command:
+    </para>
+    <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
+    </para>
+    <para>
+      The command would print something like:
+    </para>
+    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</userinput>
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>FILES</title></info>
+
+    <para>
+      The keyfile can be designated by the key identification
+      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
+      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
+      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
+    </para>
+    <para>
+      The keyset file name is built from the <option>directory</option>,
+      the string <filename>keyset-</filename> and the
+      <option>dnsname</option>.
+    </para>
+  </refsection>
+
+  <refsection><info><title>CAVEAT</title></info>
+
+    <para>
+      A keyfile error can give a "file not found" even if the file exists.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 3658</citetitle> (DS RRs),
+      <citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
+      <citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
+      <citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
+    </para>
+  </refsection>
+
+</refentry>

bin/dnssec/dnssec-dsfromkey.html

@@ -0,0 +1,307 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-dsfromkey</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">dnssec-dsfromkey</span>
+     &#8212; DNSSEC DS RR generation tool
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-dsfromkey</code> 
+       [
+	 <code class="option">-1</code> 
+	 |   <code class="option">-2</code> 
+	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
+      ]
+       [
+	 <code class="option">-C</code> 
+	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
+      ]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       {keyfile}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-dsfromkey</code> 
+       [
+	 <code class="option">-1</code> 
+	 |   <code class="option">-2</code> 
+	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
+      ]
+       [
+	 <code class="option">-C</code> 
+	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
+      ]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-A</code>]
+       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
+       [dnsname]
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-dsfromkey</code> 
+       [
+	 <code class="option">-1</code> 
+	 |   <code class="option">-2</code> 
+	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
+      ]
+       [
+	 <code class="option">-C</code> 
+	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
+      ]
+       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       {-s}
+       {dnsname}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-dsfromkey</code> 
+       [
+	 <code class="option">-h</code> 
+	 |   <code class="option">-V</code> 
+      ]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
+      Signer) resource records (RRs), or CDS (Child DS) RRs with the
+      <code class="option">-C</code> option.
+    </p>
+
+    <p>
+      The input keys can be specified in a number of ways:
+    </p>
+
+    <p>
+      By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
+      named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
+      by <span class="command"><strong>dnssec-keygen</strong></span>.
+    </p>
+
+    <p>
+      With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
+      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
+      or partial zone file (which can contain just the DNSKEY records).
+    </p>
+
+    <p>
+      With the <code class="option">-s</code>
+      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
+      a <code class="filename">keyset-</code> file, as generated
+      by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-1</span></dt>
+<dd>
+	  <p>
+	    An abbreviation for <code class="option">-a SHA-1</code>.
+	    (Note: The SHA-1 algorithm is no longer recommended for use
+	    when generating new DS and CDS records.)
+	  </p>
+	</dd>
+<dt><span class="term">-2</span></dt>
+<dd>
+	  <p>
+	    An abbreviation for <code class="option">-a SHA-256</code>.
+	  </p>
+	</dd>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+	  <p>
+	    Specify a digest algorithm to use when converting DNSKEY
+	    records to DS records. This option can be repeated, so
+	    that multiple DS records are created for each DNSKEY
+	    record.
+          </p>
+          <p>
+	    The <em class="replaceable"><code>algorithm</code></em> must be one of
+	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
+	    and the hyphen may be omitted.  If no algorithm is specified,
+	    the default is SHA-256.
+	    (Note: The SHA-1 algorithm is no longer recommended for use
+	    when generating new DS and CDS records.)
+	  </p>
+	</dd>
+<dt><span class="term">-A</span></dt>
+<dd>
+          <p>
+            Include ZSKs when generating DS records. Without this option, only
+            keys which have the KSK flag set will be converted to DS records
+            and printed. Useful only in <code class="option">-f</code> zone file mode.
+          </p>
+        </dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the DNS class (default is IN). Useful only
+	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
+	    zone file mode.
+	  </p>
+	  </dd>
+<dt><span class="term">-C</span></dt>
+<dd>
+	  <p>
+	    Generate CDS records rather than DS records.
+	  </p>
+	</dd>
+<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
+<dd>
+	  <p>
+	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
+	    final <em class="replaceable"><code>dnsname</code></em> argument is
+	    the DNS domain name of a zone whose master file can be read
+	    from <code class="option">file</code>.  If the zone name is the same as
+	    <code class="option">file</code>, then it may be omitted.
+	  </p>
+	  <p>
+	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
+	    the zone data is read from the standard input.  This makes it
+	    possible to use the output of the <span class="command"><strong>dig</strong></span>
+	    command as input, as in:
+	  </p>
+	  <p>
+	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
+	  </p>
+	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints usage information.
+	  </p>
+	</dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Look for key files or <code class="filename">keyset-</code> files in
+	    <code class="option">directory</code>.
+	  </p>
+	</dd>
+<dt><span class="term">-s</span></dt>
+<dd>
+	  <p>
+	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
+	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
+	    domain name used to locate a <code class="filename">keyset-</code> file.
+	  </p>
+	</dd>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the TTL of the DS records. By default the TTL is omitted.
+	  </p>
+	  </dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the debugging level.
+	  </p>
+	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>EXAMPLE</h2>
+
+    <p>
+      To build the SHA-256 DS RR from the
+      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+      keyfile name, you can issue the following command:
+    </p>
+    <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+    </p>
+    <p>
+      The command would print something like:
+    </p>
+    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>FILES</h2>
+
+    <p>
+      The keyfile can be designated by the key identification
+      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
+      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
+      <span class="refentrytitle">dnssec-keygen</span>(8).
+    </p>
+    <p>
+      The keyset file name is built from the <code class="option">directory</code>,
+      the string <code class="filename">keyset-</code> and the
+      <code class="option">dnsname</code>.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>CAVEAT</h2>
+
+    <p>
+      A keyfile error can give a "file not found" even if the file exists.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 3658</em> (DS RRs),
+      <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
+      <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
+      <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/dnssec/dnssec-dsfromkey.rst

@@ -1,150 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-dsfromkey:
-
-dnssec-dsfromkey - DNSSEC DS RR generation tool
------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
-
-:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
-
-:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
-
-:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
-
-Description
-~~~~~~~~~~~
-
-The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
-(RRs), or CDS (Child DS) RRs with the ``-C`` option.
-
-The input keys can be specified in a number of ways:
-
-By default, ``dnssec-dsfromkey`` reads a key file named in the format
-``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
-
-With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
-file or partial zone file (which can contain just the DNSKEY records).
-
-With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
-as generated by ``dnssec-keygen`` ``-C``.
-
-Options
-~~~~~~~
-
-``-1``
-   This option is an abbreviation for ``-a SHA1``.
-
-``-2``
-   This option is an abbreviation for ``-a SHA-256``.
-
-``-a algorithm``
-   This option specifies a digest algorithm to use when converting DNSKEY records to
-   DS records. This option can be repeated, so that multiple DS records
-   are created for each DNSKEY record.
-
-   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
-   are case-insensitive, and the hyphen may be omitted. If no algorithm
-   is specified, the default is SHA-256.
-
-``-A``
-   This option indicates that ZSKs are to be included when generating DS records. Without this option, only
-   keys which have the KSK flag set are converted to DS records and
-   printed. This option is only useful in ``-f`` zone file mode.
-
-``-c class``
-   This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset
-   or ``-f`` zone file mode.
-
-``-C``
-   This option generates CDS records rather than DS records.
-
-``-f file``
-   This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the
-   DNS domain name of a zone whose master file can be read from
-   ``file``. If the zone name is the same as ``file``, then it may be
-   omitted.
-
-   If ``file`` is ``-``, then the zone data is read from the standard
-   input. This makes it possible to use the output of the ``dig``
-   command as input, as in:
-
-   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
-
-``-h``
-   This option prints usage information.
-
-``-K directory``
-   This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
-
-``-s``
-   This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS
-   domain name used to locate a ``keyset-`` file.
-
-``-T TTL``
-   This option specifies the TTL of the DS records. By default the TTL is omitted.
-
-``-v level``
-   This option sets the debugging level.
-
-``-V``
-   This option prints version information.
-
-Example
-~~~~~~~
-
-To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
-issue the following command:
-
-``dnssec-dsfromkey -2 Kexample.com.+003+26160``
-
-The command returns something similar to:
-
-``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
-
-Files
-~~~~~
-
-The keyfile can be designated by the key identification
-``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
-generated by ``dnssec-keygen``.
-
-The keyset file name is built from the ``directory``, the string
-``keyset-``, and the ``dnsname``.
-
-Caveat
-~~~~~~
-
-A keyfile error may return "file not found," even if the file exists.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
-:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
-:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).

bin/dnssec/dnssec-importkey.8

@@ -0,0 +1,138 @@
+.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: dnssec-importkey
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: August 21, 2015
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DNSSEC\-IMPORTKEY" "8" "August 21, 2015" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dnssec-importkey \- import DNSKEY records from external systems so they can be managed
+.SH "SYNOPSIS"
+.HP \w'\fBdnssec\-importkey\fR\ 'u
+\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
+.HP \w'\fBdnssec\-importkey\fR\ 'u
+\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-importkey\fR
+reads a public DNSKEY record and generates a pair of \&.key/\&.private files\&. The DNSKEY record may be read from an existing \&.key file, in which case a corresponding \&.private file will be generated, or it may be read from any other file or from the standard input, in which case both \&.key and \&.private files will be generated\&.
+.PP
+The newly\-created \&.private file does
+\fInot\fR
+contain private key data, and cannot be used for signing\&. However, having a \&.private file makes it possible to set publication (\fB\-P\fR) and deletion (\fB\-D\fR) times for the key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline\&.
+.SH "OPTIONS"
+.PP
+\-f \fIfilename\fR
+.RS 4
+Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
+\fBfile\fR\&. If the domain name is the same as
+\fBfile\fR, then it may be omitted\&.
+.sp
+If
+\fBfile\fR
+is set to
+"\-", then the zone data is read from the standard input\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside\&.
+.RE
+.PP
+\-L \fIttl\fR
+.RS 4
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. Setting the default TTL to
+0
+or
+none
+removes it\&.
+.RE
+.PP
+\-h
+.RS 4
+Emit usage message and exit\&.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level\&.
+.RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&.
+.RE
+.PP
+\-P sync \fIdate/offset\fR
+.RS 4
+Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
+.RE
+.PP
+\-D sync \fIdate/offset\fR
+.RS 4
+Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
+.RE
+.SH "FILES"
+.PP
+A keyfile can be designed by the key identification
+Knnnn\&.+aaa+iiiii
+or the full file name
+Knnnn\&.+aaa+iiiii\&.key
+as generated by
+dnssec\-keygen(8)\&.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dnssec/dnssec-importkey.docbook

@@ -0,0 +1,254 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
+  <info>
+    <date>2014-02-20</date>
+  </info>
+  <refentryinfo>
+    <date>August 21, 2015</date>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-importkey</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-importkey</application></refname>
+    <refpurpose>import DNSKEY records from external systems so they can be managed</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-importkey</command>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+      <arg choice="req" rep="norepeat"><option>keyfile</option></arg>
+    </cmdsynopsis>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-importkey</command>
+      <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+      <arg choice="opt" rep="norepeat"><option>dnsname</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>dnssec-importkey</command>
+      reads a public DNSKEY record and generates a pair of
+      .key/.private files.  The DNSKEY record may be read from an
+      existing .key file, in which case a corresponding .private file
+      will be generated, or it may be read from any other file or
+      from the standard input, in which case both .key and .private
+      files will be generated.
+    </para>
+    <para>
+      The newly-created .private file does <emphasis>not</emphasis>
+      contain private key data, and cannot be used for signing.
+      However, having a .private file makes it possible to set
+      publication (<option>-P</option>) and deletion
+      (<option>-D</option>) times for the key, which means the
+      public key can be added to and removed from the DNSKEY RRset
+      on schedule even if the true private key is stored offline.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+	<term>-f <replaceable class="parameter">filename</replaceable></term>
+	<listitem>
+	  <para>
+	    Zone file mode: instead of a public keyfile name, the argument
+	    is the DNS domain name of a zone master file, which can be read
+	    from <option>file</option>.  If the domain name is the same as
+	    <option>file</option>, then it may be omitted.
+	  </para>
+	  <para>
+	    If <option>file</option> is set to <literal>"-"</literal>, then
+	    the zone data is read from the standard input.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the directory in which the key files are to reside.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-L <replaceable class="parameter">ttl</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the default TTL to use for this key when it is converted
+	    into a DNSKEY RR.  If the key is imported into a zone,
+	    this is the TTL that will be used for it, unless there was
+	    already a DNSKEY RRset in place, in which case the existing TTL
+	    would take precedence.  Setting the default TTL to
+	    <literal>0</literal> or <literal>none</literal> removes it.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Emit usage message and exit.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v <replaceable class="parameter">level</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the debugging level.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>TIMING OPTIONS</title></info>
+
+    <para>
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To explicitly prevent a date from being
+      set, use 'none' or 'never'.
+    </para>
+
+    <variablelist>
+      <varlistentry>
+	<term>-P <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which a key is to be published to the zone.
+	    After that date, the key will be included in the zone but will
+	    not be used to sign it.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which CDS and CDNSKEY records that match this
+	    key are to be published to the zone.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-D <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be deleted.  After that
+	    date, the key will no longer be included in the zone.  (It
+	    may remain in the key repository, however.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the CDS and CDNSKEY records that match
+	    this key are to be deleted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>FILES</title></info>
+
+    <para>
+      A keyfile can be designed by the key identification
+      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
+      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
+      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 5011</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/dnssec/dnssec-importkey.html

@@ -0,0 +1,216 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-importkey</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">dnssec-importkey</span>
+     &#8212; import DNSKEY records from external systems so they can be managed
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-importkey</code> 
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       {<code class="option">keyfile</code>}
+    </p></div>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-importkey</code> 
+       {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">dnsname</code>]
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>dnssec-importkey</strong></span>
+      reads a public DNSKEY record and generates a pair of
+      .key/.private files.  The DNSKEY record may be read from an
+      existing .key file, in which case a corresponding .private file
+      will be generated, or it may be read from any other file or
+      from the standard input, in which case both .key and .private
+      files will be generated.
+    </p>
+    <p>
+      The newly-created .private file does <span class="emphasis"><em>not</em></span>
+      contain private key data, and cannot be used for signing.
+      However, having a .private file makes it possible to set
+      publication (<code class="option">-P</code>) and deletion
+      (<code class="option">-D</code>) times for the key, which means the
+      public key can be added to and removed from the DNSKEY RRset
+      on schedule even if the true private key is stored offline.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
+<dd>
+	  <p>
+	    Zone file mode: instead of a public keyfile name, the argument
+	    is the DNS domain name of a zone master file, which can be read
+	    from <code class="option">file</code>.  If the domain name is the same as
+	    <code class="option">file</code>, then it may be omitted.
+	  </p>
+	  <p>
+	    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
+	    the zone data is read from the standard input.
+	  </p>
+	</dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the directory in which the key files are to reside.
+	  </p>
+	</dd>
+<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the default TTL to use for this key when it is converted
+	    into a DNSKEY RR.  If the key is imported into a zone,
+	    this is the TTL that will be used for it, unless there was
+	    already a DNSKEY RRset in place, in which case the existing TTL
+	    would take precedence.  Setting the default TTL to
+	    <code class="literal">0</code> or <code class="literal">none</code> removes it.
+	  </p>
+	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Emit usage message and exit.
+	  </p>
+	</dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the debugging level.
+	  </p>
+	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
+
+    <p>
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To explicitly prevent a date from being
+      set, use 'none' or 'never'.
+    </p>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which a key is to be published to the zone.
+	    After that date, the key will be included in the zone but will
+	    not be used to sign it.
+	  </p>
+	</dd>
+<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which CDS and CDNSKEY records that match this
+	    key are to be published to the zone.
+	  </p>
+	</dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be deleted.  After that
+	    date, the key will no longer be included in the zone.  (It
+	    may remain in the key repository, however.)
+	  </p>
+	</dd>
+<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the CDS and CDNSKEY records that match
+	    this key are to be deleted.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>FILES</h2>
+
+    <p>
+      A keyfile can be designed by the key identification
+      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
+      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
+      <span class="refentrytitle">dnssec-keygen</span>(8).
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 5011</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/dnssec/dnssec-importkey.rst

@@ -1,123 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-importkey:
-
-dnssec-importkey - import DNSKEY records from external systems so they can be managed
--------------------------------------------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-importkey` [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] {keyfile}
-
-:program:`dnssec-importkey` {**-f** filename} [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] [dnsname]
-
-Description
-~~~~~~~~~~~
-
-``dnssec-importkey`` reads a public DNSKEY record and generates a pair
-of .key/.private files. The DNSKEY record may be read from an existing
-.key file, in which case a corresponding .private file is
-generated, or it may be read from any other file or from the standard
-input, in which case both .key and .private files are generated.
-
-The newly created .private file does *not* contain private key data, and
-cannot be used for signing. However, having a .private file makes it
-possible to set publication (``-P``) and deletion (``-D``) times for the
-key, which means the public key can be added to and removed from the
-DNSKEY RRset on schedule even if the true private key is stored offline.
-
-Options
-~~~~~~~
-
-``-f filename``
-   This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
-   DNS domain name of a zone master file, which can be read from
-   ``filename``. If the domain name is the same as ``filename``, then it may be
-   omitted.
-
-   If ``filename`` is set to ``"-"``, then the zone data is read from the
-   standard input.
-
-``-K directory``
-   This option sets the directory in which the key files are to reside.
-
-``-L ttl``
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none``
-   removes it from the key.
-
-``-h``
-   This option emits a usage message and exits.
-
-``-v level``
-   This option sets the debugging level.
-
-``-V``
-   This option prints version information.
-
-Timing Options
-~~~~~~~~~~~~~~
-
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
-the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
-computed in years (defined as 365 24-hour days, ignoring leap years),
-months (defined as 30 24-hour days), weeks, days, hours, or minutes,
-respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
-
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
-   to sign it.
-
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
-   are to be published to the zone.
-
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
-
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
-   key are to be deleted.
-
-Files
-~~~~~
-
-A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii``
-or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by
-``dnssec-keygen``.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
-:rfc:`5011`.

bin/dnssec/dnssec-keyfromlabel.8

@@ -0,0 +1,311 @@
+.\" Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: dnssec-keyfromlabel
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: August 27, 2015
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DNSSEC\-KEYFROMLABEL" "8" "August 27, 2015" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dnssec-keyfromlabel \- DNSSEC key generation tool
+.SH "SYNOPSIS"
+.HP \w'\fBdnssec\-keyfromlabel\fR\ 'u
+\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-y\fR] {name}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-keyfromlabel\fR
+generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM)\&. The private key file can be used for DNSSEC signing of zone data as if it were a conventional signing key created by
+\fBdnssec\-keygen\fR, but the key material is stored within the HSM, and the actual signing takes place there\&.
+.PP
+The
+\fBname\fR
+of the key is specified on the command line\&. This must match the name of the zone for which the key is being generated\&.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Selects the cryptographic algorithm\&. The value of
+\fBalgorithm\fR
+must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
+.sp
+If no algorithm is specified, then RSASHA1 will be used by default, unless the
+\fB\-3\fR
+option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
+\fB\-3\fR
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
+.sp
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+\fB\-3\fR
+option, then NSEC3RSASHA1 will be used instead\&.
+.sp
+As of BIND 9\&.12\&.0, this option is mandatory except when using the
+\fB\-S\fR
+option (which copies the algorithm from the predecessory key)\&. Previously, the default for newly generated keys was RSASHA1\&.
+.RE
+.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Specifies the cryptographic hardware to use\&.
+.sp
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Specifies the label for a key pair in the crypto hardware\&.
+.sp
+When
+BIND
+9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
+.sp
+When
+BIND
+9 is built with native PKCS#11 support, the label is a PKCS#11 URI string in the format "pkcs11:\fBkeyword\fR=\fIvalue\fR[;\fBkeyword\fR=\fIvalue\fR;\&.\&.\&.]" Keywords include "token", which identifies the HSM; "object", which identifies the key; and "pin\-source", which identifies a file from which the HSM\*(Aqs PIN code can be obtained\&. The label will be stored in the on\-disk "private" file\&.
+.sp
+If the label contains a
+\fBpin\-source\fR
+field, tools using the generated key files will be able to use the HSM for signing and other operations without any need for an operator to manually enter a PIN\&. Note: Making the HSM\*(Aqs PIN accessible in this manner may reduce the security advantage of using an HSM; be sure this is what you want to do before making use of this feature\&.
+.RE
+.PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&.
+.RE
+.PP
+\-C
+.RS 4
+Compatibility mode: generates an old\-style key, without any metadata\&. By default,
+\fBdnssec\-keyfromlabel\fR
+will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
+\fB\-C\fR
+option suppresses them\&.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
+.RE
+.PP
+\-f \fIflag\fR
+.RS 4
+Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
+.RE
+.PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBdnssec\-keyfromlabel\fR\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to be written\&.
+.RE
+.PP
+\-k
+.RS 4
+Generate KEY records rather than DNSKEY records\&.
+.RE
+.PP
+\-L \fIttl\fR
+.RS 4
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. Setting the default TTL to
+0
+or
+none
+removes it\&.
+.RE
+.PP
+\-p \fIprotocol\fR
+.RS 4
+Sets the protocol value for the key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
+.RE
+.PP
+\-S \fIkey\fR
+.RS 4
+Generate a key as an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the predecessor\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Indicates the use of the key\&.
+\fBtype\fR
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level\&.
+.RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
+.PP
+\-y
+.RS 4
+Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked\&. (This is only safe to use if you are sure you won\*(Aqt be using RFC 5011 trust anchor maintenance with either of the keys involved\&.)
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
+.RE
+.PP
+\-P sync \fIdate/offset\fR
+.RS 4
+Sets the date on which the CDS and CDNSKEY records which match this key are to be published to the zone\&.
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
+.RE
+.PP
+\-D sync \fIdate/offset\fR
+.RS 4
+Sets the date on which the CDS and CDNSKEY records which match this key are to be deleted\&.
+.RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
+.sp
+If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
+.sp
+As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
+.RE
+.SH "GENERATED KEY FILES"
+.PP
+When
+\fBdnssec\-keyfromlabel\fR
+completes successfully, it prints a string of the form
+Knnnn\&.+aaa+iiiii
+to the standard output\&. This is an identification string for the key files it has generated\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+nnnn
+is the key name\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+aaa
+is the numeric representation of the algorithm\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+iiiii
+is the key identifier (or footprint)\&.
+.RE
+.PP
+\fBdnssec\-keyfromlabel\fR
+creates two files, with names based on the printed string\&.
+Knnnn\&.+aaa+iiiii\&.key
+contains the public key, and
+Knnnn\&.+aaa+iiiii\&.private
+contains the private key\&.
+.PP
+The
+\&.key
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
+.PP
+The
+\&.private
+file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 4034,
+The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dnssec/dnssec-keyfromlabel.c

@@ -64,8 +64,7 @@ usage(void) {
 			"        DH | RSASHA1 |\n"
 			"        NSEC3RSASHA1 |\n"
 			"        RSASHA256 | RSASHA512 |\n"
-			"        ECDSAP256SHA256 | ECDSAP384SHA384 |\n"
-			"        ED25519 | ED448\n");
+			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
 	fprintf(stderr, "    -E <engine>:\n");
@@ -362,7 +361,6 @@ main(int argc, char **argv) {
 	setup_logging(mctx, &log);
 
 	if (predecessor == NULL) {
-		/* cppcheck-suppress nullPointerRedundantCheck */
 		if (label == NULL) {
 			fatal("the key label was not specified");
 		}
@@ -384,7 +382,6 @@ main(int argc, char **argv) {
 			      isc_result_totext(ret));
 		}
 
-		/* cppcheck-suppress nullPointerRedundantCheck */
 		if (strchr(label, ':') == NULL) {
 			char *l;
 			int len;
@@ -396,13 +393,11 @@ main(int argc, char **argv) {
 			label = l;
 		}
 
-		/* cppcheck-suppress nullPointerRedundantCheck */
 		if (algname == NULL) {
 			fatal("no algorithm specified");
 		}
 
 		r.base = algname;
-		/* cppcheck-suppress nullPointerRedundantCheck */
 		r.length = strlen(algname);
 		ret = dns_secalg_fromtext(&alg, &r);
 		if (ret != ISC_R_SUCCESS) {

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -0,0 +1,556 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
+  <info>
+    <date>2014-02-27</date>
+  </info>
+  <refentryinfo>
+    <date>August 27, 2015</date>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-keyfromlabel</application></refname>
+    <refpurpose>DNSSEC key generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-keyfromlabel</command>
+      <arg choice="req" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
+      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-G</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-y</option></arg>
+      <arg choice="req" rep="norepeat">name</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>dnssec-keyfromlabel</command>
+      generates a key pair of files that referencing a key object stored
+      in a cryptographic hardware service module (HSM).  The private key
+      file can be used for DNSSEC signing of zone data as if it were a
+      conventional signing key created by <command>dnssec-keygen</command>,
+      but the key material is stored within the HSM, and the actual signing
+      takes place there.
+    </para>
+    <para>
+      The <option>name</option> of the key is specified on the command
+      line.  This must match the name of the zone for which the key is
+      being generated.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
+	<listitem>
+	  <para>
+	    Selects the cryptographic algorithm.  The value of
+	    <option>algorithm</option> must be one of RSASHA1,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
+	  </para>
+	  <para>
+	    If no algorithm is specified, then RSASHA1 will be used by
+	    default, unless the <option>-3</option> option is specified,
+	    in which case NSEC3RSASHA1 will be used instead.  (If
+	    <option>-3</option> is used and an algorithm is specified,
+	    that algorithm will be checked for compatibility with NSEC3.)
+	  </para>
+	  <para>
+	    These values are case insensitive. In some cases, abbreviations
+	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    along with the <option>-3</option> option, then NSEC3RSASHA1
+	    will be used instead.
+	  </para>
+	  <para>
+	    As of BIND 9.12.0, this option is mandatory except when using
+	    the <option>-S</option> option (which copies the algorithm from
+	    the predecessory key). Previously, the default for newly
+	    generated keys was RSASHA1.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-3</term>
+	<listitem>
+	  <para>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-E <replaceable class="parameter">engine</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the cryptographic hardware to use.
+	  </para>
+	  <para>
+	    When BIND is built with OpenSSL PKCS#11 support, this defaults
+	    to the string "pkcs11", which identifies an OpenSSL engine
+	    that can drive a cryptographic accelerator or hardware service
+	    module.  When BIND is built with native PKCS#11 cryptography
+	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+	    provider library specified via "--with-pkcs11".
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-l <replaceable class="parameter">label</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the label for a key pair in the crypto hardware.
+	  </para>
+	  <para>
+	    When <acronym>BIND</acronym> 9 is built with OpenSSL-based
+	    PKCS#11 support, the label is an arbitrary string that
+	    identifies a particular key.
+	  </para>
+	  <para>
+	    When <acronym>BIND</acronym> 9 is built with native PKCS#11
+	    support, the label is a PKCS#11 URI string in the format
+	    "pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
+	    Keywords include "token", which identifies the HSM; "object", which
+	    identifies the key; and "pin-source", which identifies a file from
+	    which the HSM's PIN code can be obtained.  The label will be
+	    stored in the on-disk "private" file.
+	  </para>
+	  <para>
+	    If the label contains a
+	    <option>pin-source</option> field, tools using the generated
+	    key files will be able to use the HSM for signing and other
+	    operations without any need for an operator to manually enter
+	    a PIN.  Note: Making the HSM's PIN accessible in this manner
+	    may reduce the security advantage of using an HSM; be sure
+	    this is what you want to do before making use of this feature.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-n <replaceable class="parameter">nametype</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the owner type of the key.  The value of
+	    <option>nametype</option> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+	    a host (KEY)),
+	    USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+	    These values are case insensitive.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-C</term>
+	<listitem>
+	  <para>
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <command>dnssec-keyfromlabel</command>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
+	    <option>-C</option> option suppresses them.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
+	<listitem>
+	  <para>
+	    Indicates that the DNS record containing the key should have
+	    the specified class.  If not specified, class IN is used.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-f <replaceable class="parameter">flag</replaceable></term>
+	<listitem>
+	  <para>
+	    Set the specified flag in the flag field of the KEY/DNSKEY record.
+	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-G</term>
+	<listitem>
+	  <para>
+	    Generate a key, but do not publish it or sign with it.  This
+	    option is incompatible with -P and -A.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints a short summary of the options and arguments to
+	    <command>dnssec-keyfromlabel</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the directory in which the key files are to be written.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-k</term>
+	<listitem>
+	  <para>
+	    Generate KEY records rather than DNSKEY records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-L <replaceable class="parameter">ttl</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the default TTL to use for this key when it is converted
+	    into a DNSKEY RR.  If the key is imported into a zone,
+	    this is the TTL that will be used for it, unless there was
+	    already a DNSKEY RRset in place, in which case the existing TTL
+	    would take precedence.  Setting the default TTL to
+	    <literal>0</literal> or <literal>none</literal> removes it.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-p <replaceable class="parameter">protocol</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the protocol value for the key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-S <replaceable class="parameter">key</replaceable></term>
+	<listitem>
+	  <para>
+	    Generate a key as an explicit successor to an existing key.
+	    The name, algorithm, size, and type of the key will be set
+	    to match the predecessor. The activation date of the new
+	    key will be set to the inactivation date of the existing
+	    one. The publication date will be set to the activation
+	    date minus the prepublication interval, which defaults to
+	    30 days.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t <replaceable class="parameter">type</replaceable></term>
+	<listitem>
+	  <para>
+	    Indicates the use of the key.  <option>type</option> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v <replaceable class="parameter">level</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the debugging level.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-y</term>
+	<listitem>
+	  <para>
+	    Allows DNSSEC key files to be generated even if the key ID
+	    would collide with that of an existing key, in the event of
+	    either key being revoked.  (This is only safe to use if you
+	    are sure you won't be using RFC 5011 trust anchor maintenance
+	    with either of the keys involved.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>TIMING OPTIONS</title></info>
+
+
+    <para>
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To explicitly prevent a date from being
+      set, use 'none' or 'never'.
+    </para>
+
+    <variablelist>
+      <varlistentry>
+	<term>-P <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which a key is to be published to the zone.
+	    After that date, the key will be included in the zone but will
+	    not be used to sign it.  If not set, and if the -G option has
+	    not been used, the default is "now".
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the CDS and CDNSKEY records which match
+	    this key are to be published to the zone.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-A <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be activated.  After that
+	    date, the key will be included in the zone and used to sign
+	    it.  If not set, and if the -G option has not been used, the
+	    default is "now".
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-R <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be revoked.  After that
+	    date, the key will be flagged as revoked.  It will be included
+	    in the zone and will be used to sign it.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-I <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be retired.  After that
+	    date, the key will still be included in the zone, but it
+	    will not be used to sign it.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-D <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be deleted.  After that
+	    date, the key will no longer be included in the zone.  (It
+	    may remain in the key repository, however.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the CDS and CDNSKEY records which match
+	    this key are to be deleted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-i <replaceable class="parameter">interval</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the prepublication interval for a key.  If set, then
+	    the publication and activation dates must be separated by at least
+	    this much time.  If the activation date is specified but the
+	    publication date isn't, then the publication date will default
+	    to this much time before the activation date; conversely, if
+	    the publication date is specified but activation date isn't,
+	    then activation will be set to this much time after publication.
+	  </para>
+	  <para>
+	    If the key is being created as an explicit successor to another
+	    key, then the default prepublication interval is 30 days;
+	    otherwise it is zero.
+	  </para>
+	  <para>
+	    As with date offsets, if the argument is followed by one of
+	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+	    interval is measured in years, months, weeks, days, hours,
+	    or minutes, respectively.  Without a suffix, the interval is
+	    measured in seconds.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>GENERATED KEY FILES</title></info>
+
+    <para>
+      When <command>dnssec-keyfromlabel</command> completes
+      successfully,
+      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+      to the standard output.  This is an identification string for
+      the key files it has generated.
+    </para>
+    <itemizedlist>
+      <listitem>
+	<para><filename>nnnn</filename> is the key name.
+	</para>
+      </listitem>
+      <listitem>
+	<para><filename>aaa</filename> is the numeric representation
+	  of the algorithm.
+	</para>
+      </listitem>
+      <listitem>
+	<para><filename>iiiii</filename> is the key identifier (or
+	  footprint).
+	</para>
+      </listitem>
+    </itemizedlist>
+    <para><command>dnssec-keyfromlabel</command>
+      creates two files, with names based
+      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
+      contains the public key, and
+      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
+      private key.
+    </para>
+    <para>
+      The <filename>.key</filename> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
+    </para>
+    <para>
+      The <filename>.private</filename> file contains
+      algorithm-specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 4034</citetitle>,
+      <citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/dnssec/dnssec-keyfromlabel.html

@@ -0,0 +1,462 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keyfromlabel</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">dnssec-keyfromlabel</span>
+     &#8212; DNSSEC key generation tool
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-keyfromlabel</code> 
+       {-l <em class="replaceable"><code>label</code></em>}
+       [<code class="option">-3</code>]
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
+       [<code class="option">-G</code>]
+       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
+       [<code class="option">-k</code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
+       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-y</code>]
+       {name}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+      generates a key pair of files that referencing a key object stored
+      in a cryptographic hardware service module (HSM).  The private key
+      file can be used for DNSSEC signing of zone data as if it were a
+      conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
+      but the key material is stored within the HSM, and the actual signing
+      takes place there.
+    </p>
+    <p>
+      The <code class="option">name</code> of the key is specified on the command
+      line.  This must match the name of the zone for which the key is
+      being generated.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+	  <p>
+	    Selects the cryptographic algorithm.  The value of
+	    <code class="option">algorithm</code> must be one of RSASHA1,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
+	  </p>
+	  <p>
+	    If no algorithm is specified, then RSASHA1 will be used by
+	    default, unless the <code class="option">-3</code> option is specified,
+	    in which case NSEC3RSASHA1 will be used instead.  (If
+	    <code class="option">-3</code> is used and an algorithm is specified,
+	    that algorithm will be checked for compatibility with NSEC3.)
+	  </p>
+	  <p>
+	    These values are case insensitive. In some cases, abbreviations
+	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
+	    will be used instead.
+	  </p>
+	  <p>
+	    As of BIND 9.12.0, this option is mandatory except when using
+	    the <code class="option">-S</code> option (which copies the algorithm from
+	    the predecessory key). Previously, the default for newly
+	    generated keys was RSASHA1.
+	  </p>
+	</dd>
+<dt><span class="term">-3</span></dt>
+<dd>
+	  <p>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </p>
+	</dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the cryptographic hardware to use.
+	  </p>
+	  <p>
+	    When BIND is built with OpenSSL PKCS#11 support, this defaults
+	    to the string "pkcs11", which identifies an OpenSSL engine
+	    that can drive a cryptographic accelerator or hardware service
+	    module.  When BIND is built with native PKCS#11 cryptography
+	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+	    provider library specified via "--with-pkcs11".
+	  </p>
+	</dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the label for a key pair in the crypto hardware.
+	  </p>
+	  <p>
+	    When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
+	    PKCS#11 support, the label is an arbitrary string that
+	    identifies a particular key.
+	  </p>
+	  <p>
+	    When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
+	    support, the label is a PKCS#11 URI string in the format
+	    "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
+	    Keywords include "token", which identifies the HSM; "object", which
+	    identifies the key; and "pin-source", which identifies a file from
+	    which the HSM's PIN code can be obtained.  The label will be
+	    stored in the on-disk "private" file.
+	  </p>
+	  <p>
+	    If the label contains a
+	    <code class="option">pin-source</code> field, tools using the generated
+	    key files will be able to use the HSM for signing and other
+	    operations without any need for an operator to manually enter
+	    a PIN.  Note: Making the HSM's PIN accessible in this manner
+	    may reduce the security advantage of using an HSM; be sure
+	    this is what you want to do before making use of this feature.
+	  </p>
+	</dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the owner type of the key.  The value of
+	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+	    a host (KEY)),
+	    USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+	    These values are case insensitive.
+	  </p>
+	</dd>
+<dt><span class="term">-C</span></dt>
+<dd>
+	  <p>
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
+	    <code class="option">-C</code> option suppresses them.
+	  </p>
+	</dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+	  <p>
+	    Indicates that the DNS record containing the key should have
+	    the specified class.  If not specified, class IN is used.
+	  </p>
+	</dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd>
+	  <p>
+	    Set the specified flag in the flag field of the KEY/DNSKEY record.
+	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
+	  </p>
+	</dd>
+<dt><span class="term">-G</span></dt>
+<dd>
+	  <p>
+	    Generate a key, but do not publish it or sign with it.  This
+	    option is incompatible with -P and -A.
+	  </p>
+	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints a short summary of the options and arguments to
+	    <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the directory in which the key files are to be written.
+	  </p>
+	</dd>
+<dt><span class="term">-k</span></dt>
+<dd>
+	  <p>
+	    Generate KEY records rather than DNSKEY records.
+	  </p>
+	</dd>
+<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the default TTL to use for this key when it is converted
+	    into a DNSKEY RR.  If the key is imported into a zone,
+	    this is the TTL that will be used for it, unless there was
+	    already a DNSKEY RRset in place, in which case the existing TTL
+	    would take precedence.  Setting the default TTL to
+	    <code class="literal">0</code> or <code class="literal">none</code> removes it.
+	  </p>
+	</dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the protocol value for the key.  The protocol
+	    is a number between 0 and 255.  The default is 3 (DNSSEC).
+	    Other possible values for this argument are listed in
+	    RFC 2535 and its successors.
+	  </p>
+	</dd>
+<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
+<dd>
+	  <p>
+	    Generate a key as an explicit successor to an existing key.
+	    The name, algorithm, size, and type of the key will be set
+	    to match the predecessor. The activation date of the new
+	    key will be set to the inactivation date of the existing
+	    one. The publication date will be set to the activation
+	    date minus the prepublication interval, which defaults to
+	    30 days.
+	  </p>
+	</dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd>
+	  <p>
+	    Indicates the use of the key.  <code class="option">type</code> must be
+	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+	    is AUTHCONF.  AUTH refers to the ability to authenticate
+	    data, and CONF the ability to encrypt data.
+	  </p>
+	</dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the debugging level.
+	  </p>
+	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+	</dd>
+<dt><span class="term">-y</span></dt>
+<dd>
+	  <p>
+	    Allows DNSSEC key files to be generated even if the key ID
+	    would collide with that of an existing key, in the event of
+	    either key being revoked.  (This is only safe to use if you
+	    are sure you won't be using RFC 5011 trust anchor maintenance
+	    with either of the keys involved.)
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
+
+
+    <p>
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To explicitly prevent a date from being
+      set, use 'none' or 'never'.
+    </p>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which a key is to be published to the zone.
+	    After that date, the key will be included in the zone but will
+	    not be used to sign it.  If not set, and if the -G option has
+	    not been used, the default is "now".
+	  </p>
+	</dd>
+<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the CDS and CDNSKEY records which match
+	    this key are to be published to the zone.
+	  </p>
+	</dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be activated.  After that
+	    date, the key will be included in the zone and used to sign
+	    it.  If not set, and if the -G option has not been used, the
+	    default is "now".
+	  </p>
+	</dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be revoked.  After that
+	    date, the key will be flagged as revoked.  It will be included
+	    in the zone and will be used to sign it.
+	  </p>
+	</dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be retired.  After that
+	    date, the key will still be included in the zone, but it
+	    will not be used to sign it.
+	  </p>
+	</dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be deleted.  After that
+	    date, the key will no longer be included in the zone.  (It
+	    may remain in the key repository, however.)
+	  </p>
+	</dd>
+<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the CDS and CDNSKEY records which match
+	    this key are to be deleted.
+	  </p>
+	</dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the prepublication interval for a key.  If set, then
+	    the publication and activation dates must be separated by at least
+	    this much time.  If the activation date is specified but the
+	    publication date isn't, then the publication date will default
+	    to this much time before the activation date; conversely, if
+	    the publication date is specified but activation date isn't,
+	    then activation will be set to this much time after publication.
+	  </p>
+	  <p>
+	    If the key is being created as an explicit successor to another
+	    key, then the default prepublication interval is 30 days;
+	    otherwise it is zero.
+	  </p>
+	  <p>
+	    As with date offsets, if the argument is followed by one of
+	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+	    interval is measured in years, months, weeks, days, hours,
+	    or minutes, respectively.  Without a suffix, the interval is
+	    measured in seconds.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
+
+    <p>
+      When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
+      successfully,
+      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+      to the standard output.  This is an identification string for
+      the key files it has generated.
+    </p>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+	<p><code class="filename">nnnn</code> is the key name.
+	</p>
+      </li>
+<li class="listitem">
+	<p><code class="filename">aaa</code> is the numeric representation
+	  of the algorithm.
+	</p>
+      </li>
+<li class="listitem">
+	<p><code class="filename">iiiii</code> is the key identifier (or
+	  footprint).
+	</p>
+      </li>
+</ul></div>
+    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+      creates two files, with names based
+      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+      contains the public key, and
+      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+      private key.
+    </p>
+    <p>
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
+    </p>
+    <p>
+      The <code class="filename">.private</code> file contains
+      algorithm-specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <span class="citerefentry">
+	<span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 4034</em>,
+      <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/dnssec/dnssec-keyfromlabel.rst

@@ -1,276 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-keyfromlabel:
-
-dnssec-keyfromlabel - DNSSEC key generation tool
-------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
-
-Description
-~~~~~~~~~~~
-
-``dnssec-keyfromlabel`` generates a pair of key files that reference a
-key object stored in a cryptographic hardware service module (HSM). The
-private key file can be used for DNSSEC signing of zone data as if it
-were a conventional signing key created by ``dnssec-keygen``, but the
-key material is stored within the HSM and the actual signing takes
-place there.
-
-The ``name`` of the key is specified on the command line. This must
-match the name of the zone for which the key is being generated.
-
-Options
-~~~~~~~
-
-``-a algorithm``
-   This option selects the cryptographic algorithm. The value of ``algorithm`` must
-   be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
-   ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
-
-   If no algorithm is specified, RSASHA1 is used by default
-   unless the ``-3`` option is specified, in which case NSEC3RSASHA1
-   is used instead. (If ``-3`` is used and an algorithm is
-   specified, that algorithm is checked for compatibility with
-   NSEC3.)
-
-   These values are case-insensitive. In some cases, abbreviations are
-   supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
-   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
-   option, then NSEC3RSASHA1 is used instead.
-
-   Since BIND 9.12.0, this option is mandatory except when using the
-   ``-S`` option, which copies the algorithm from the predecessory key.
-   Previously, the default for newly generated keys was RSASHA1.
-
-``-3``
-   This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
-   option is used with an algorithm that has both NSEC and NSEC3
-   versions, then the NSEC3 version is used; for example,
-   ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
-
-``-E engine``
-   This option specifies the cryptographic hardware to use.
-
-   When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
-   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
-   defaults to the path of the PKCS#11 provider library specified via
-   ``--with-pkcs11``.
-
-``-l label``
-   This option specifies the label for a key pair in the crypto hardware.
-
-   When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
-   an arbitrary string that identifies a particular key. It may be
-   preceded by an optional OpenSSL engine name, followed by a colon, as
-   in ``pkcs11:keylabel``.
-
-   When BIND 9 is built with native PKCS#11 support, the label is a
-   PKCS#11 URI string in the format
-   ``pkcs11:keyword\ =value[;\ keyword\ =value;...]``. Keywords
-   include ``token``, which identifies the HSM; ``object``, which identifies
-   the key; and ``pin-source``, which identifies a file from which the
-   HSM's PIN code can be obtained. The label is stored in the
-   on-disk ``private`` file.
-
-   If the label contains a ``pin-source`` field, tools using the
-   generated key files are able to use the HSM for signing and other
-   operations without any need for an operator to manually enter a PIN.
-   Note: Making the HSM's PIN accessible in this manner may reduce the
-   security advantage of using an HSM; use caution
-   with this feature.
-
-``-n nametype``
-   This option specifies the owner type of the key. The value of ``nametype`` must
-   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
-   (for a key associated with a host (KEY)), USER (for a key associated
-   with a user (KEY)), or OTHER (DNSKEY). These values are
-   case-insensitive.
-
-``-C``
-   This option enables compatibility mode, which generates an old-style key, without any metadata.
-   By default, ``dnssec-keyfromlabel`` includes the key's creation
-   date in the metadata stored with the private key; other dates may
-   be set there as well, including publication date, activation date, etc. Keys
-   that include this data may be incompatible with older versions of
-   BIND; the ``-C`` option suppresses them.
-
-``-c class``
-   This option indicates that the DNS record containing the key should have the
-   specified class. If not specified, class IN is used.
-
-``-f flag``
-   This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record.
-   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
-
-``-G``
-   This option generates a key, but does not publish it or sign with it. This option is
-   incompatible with ``-P`` and ``-A``.
-
-``-h``
-   This option prints a short summary of the options and arguments to
-   ``dnssec-keyfromlabel``.
-
-``-K directory``
-   This option sets the directory in which the key files are to be written.
-
-``-k``
-   This option generates KEY records rather than DNSKEY records.
-
-``-L`` ttl
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL would take precedence. Setting
-   the default TTL to ``0`` or ``none`` removes it.
-
-``-p protocol``
-   This option sets the protocol value for the key. The protocol is a number between
-   0 and 255. The default is 3 (DNSSEC). Other possible values for this
-   argument are listed in :rfc:`2535` and its successors.
-
-``-S key``
-   This option generates a key as an explicit successor to an existing key. The name,
-   algorithm, size, and type of the key are set to match the
-   predecessor. The activation date of the new key is set to the
-   inactivation date of the existing one. The publication date is
-   set to the activation date minus the prepublication interval, which
-   defaults to 30 days.
-
-``-t type``
-   This option indicates the type of the key. ``type`` must be one of AUTHCONF,
-   NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
-   to the ability to authenticate data, and CONF to the ability to encrypt
-   data.
-
-``-v level``
-   This option sets the debugging level.
-
-``-V``
-   This option prints version information.
-
-``-y``
-   This option allows DNSSEC key files to be generated even if the key ID would
-   collide with that of an existing key, in the event of either key
-   being revoked. (This is only safe to enable if
-   :rfc:`5011` trust anchor maintenance is not used with either of the keys
-   involved.)
-
-Timing Options
-~~~~~~~~~~~~~~
-
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
-the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
-computed in years (defined as 365 24-hour days, ignoring leap years),
-months (defined as 30 24-hour days), weeks, days, hours, or minutes,
-respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
-
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
-   to sign it. If not set, and if the ``-G`` option has not been used, the
-   default is the current date.
-
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
-   are to be published to the zone.
-
-``-A date/offset``
-   This option sets the date on which the key is to be activated. After that date,
-   the key is included in the zone and used to sign it. If not set,
-   and if the ``-G`` option has not been used, the default is the current date.
-
-``-R date/offset``
-   This option sets the date on which the key is to be revoked. After that date, the
-   key is flagged as revoked. It is included in the zone and
-   is used to sign it.
-
-``-I date/offset``
-   This option sets the date on which the key is to be retired. After that date, the
-   key is still included in the zone, but it is not used to
-   sign it.
-
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
-
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
-   key are to be deleted.
-
-``-i interval``
-   This option sets the prepublication interval for a key. If set, then the
-   publication and activation dates must be separated by at least this
-   much time. If the activation date is specified but the publication
-   date is not, the publication date defaults to this much time
-   before the activation date; conversely, if the publication date is
-   specified but not the activation date, activation is set to
-   this much time after publication.
-
-   If the key is being created as an explicit successor to another key,
-   then the default prepublication interval is 30 days; otherwise it is
-   zero.
-
-   As with date offsets, if the argument is followed by one of the
-   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
-   measured in years, months, weeks, days, hours, or minutes,
-   respectively. Without a suffix, the interval is measured in seconds.
-
-Generated Key Files
-~~~~~~~~~~~~~~~~~~~
-
-When ``dnssec-keyfromlabel`` completes successfully, it prints a string
-of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
-identification string for the key files it has generated.
-
--  ``nnnn`` is the key name.
-
--  ``aaa`` is the numeric representation of the algorithm.
-
--  ``iiiii`` is the key identifier (or footprint).
-
-``dnssec-keyfromlabel`` creates two files, with names based on the
-printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
-``Knnnn.+aaa+iiiii.private`` contains the private key.
-
-The ``.key`` file contains a DNS KEY record that can be inserted into a
-zone file (directly or with an $INCLUDE statement).
-
-The ``.private`` file contains algorithm-specific fields. For obvious
-security reasons, this file does not have general read permission.
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
-:rfc:`4034`, :rfc:`7512`.

bin/dnssec/dnssec-keygen.8

@@ -0,0 +1,378 @@
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: dnssec-keygen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: August 21, 2015
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dnssec-keygen \- DNSSEC key generation tool
+.SH "SYNOPSIS"
+.HP \w'\fBdnssec\-keygen\fR\ 'u
+\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-keygen\fR
+generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034\&. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930\&.
+.PP
+The
+\fBname\fR
+of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
+.PP
+The
+\fBdnssec\-keymgr\fR
+command acts as a wrapper around
+\fBdnssec\-keygen\fR, generating and updating keys as needed to enforce defined security policies such as key rollover scheduling\&. Using
+\fBdnssec\-keymgr\fR
+may be preferable to direct use of
+\fBdnssec\-keygen\fR\&.
+.SH "OPTIONS"
+.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
+\fBalgorithm\fR
+must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
+\fB\-T KEY\fR
+option as well\&.
+.sp
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
+\fB\-3\fR
+option, then NSEC3RSASHA1 will be used instead\&.
+.sp
+This parameter
+\fImust\fR
+be specified except when using the
+\fB\-S\fR
+option, which copies the algorithm from the predecessor key\&.
+.sp
+In prior releases, HMAC algorithms could be generated for use as TSIG keys, but that feature has been removed as of BIND 9\&.13\&.0\&. Use
+\fBtsig\-keygen\fR
+to generate TSIG keys\&.
+.RE
+.PP
+\-b \fIkeysize\fR
+.RS 4
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
+.sp
+If the key size is not specified, some algorithms have pre\-defined defaults\&. For instance, RSA keys have a default size of 2048 bits\&.
+.RE
+.PP
+\-C
+.RS 4
+Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
+\fBdnssec\-keygen\fR
+will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
+\fB\-C\fR
+option suppresses them\&.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
+.RE
+.PP
+\-d \fIbits\fR
+.RS 4
+Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Specifies the cryptographic hardware to use, when applicable\&.
+.sp
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
+.RE
+.PP
+\-f \fIflag\fR
+.RS 4
+Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
+.RE
+.PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
+.RE
+.PP
+\-g \fIgenerator\fR
+.RS 4
+If generating a Diffie Hellman key, use this generator\&. Allowed values are 2 and 5\&. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2\&.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBdnssec\-keygen\fR\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to be written\&.
+.RE
+.PP
+\-k \fIpolicy\fR
+.RS 4
+Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys,
+\fBdnssec\-keygen\fR
+will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&.
+.sp
+This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that
+\fBdnssec\-keygen\fR
+provides\&.
+.RE
+.PP
+\-L \fIttl\fR
+.RS 4
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
+0
+or
+none
+is the same as leaving it unset\&.
+.RE
+.PP
+\-l \fIfile\fR
+.RS 4
+Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with
+\fB\-k\fR)\&.
+.RE
+.PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
+.RE
+.PP
+\-p \fIprotocol\fR
+.RS 4
+Sets the protocol value for the generated key, for use with
+\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode: Suppresses unnecessary output, including progress indication\&. Without this option, when
+\fBdnssec\-keygen\fR
+is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
+stderr
+indicating the progress of the key generation\&. A \*(Aq\&.\*(Aq indicates that a random number has been found which passed an initial sieve test; \*(Aq+\*(Aq means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key\&.
+.RE
+.PP
+\-S \fIkey\fR
+.RS 4
+Create a new key which is an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the existing key\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
+.RE
+.PP
+\-s \fIstrength\fR
+.RS 4
+Specifies the strength value of the key\&. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC\&.
+.RE
+.PP
+\-T \fIrrtype\fR
+.RS 4
+Specifies the resource record type to use for the key\&.
+\fBrrtype\fR
+must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Indicates the use of the key, for use with
+\fB\-T KEY\fR\&.
+\fBtype\fR
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
+.RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level\&.
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
+.RE
+.PP
+\-P sync \fIdate/offset\fR
+.RS 4
+Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, if and \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&.
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
+.RE
+.PP
+\-D sync \fIdate/offset\fR
+.RS 4
+Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
+.RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
+.sp
+If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
+.sp
+As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
+.RE
+.SH "GENERATED KEYS"
+.PP
+When
+\fBdnssec\-keygen\fR
+completes successfully, it prints a string of the form
+Knnnn\&.+aaa+iiiii
+to the standard output\&. This is an identification string for the key it has generated\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+nnnn
+is the key name\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+aaa
+is the numeric representation of the algorithm\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+iiiii
+is the key identifier (or footprint)\&.
+.RE
+.PP
+\fBdnssec\-keygen\fR
+creates two files, with names based on the printed string\&.
+Knnnn\&.+aaa+iiiii\&.key
+contains the public key, and
+Knnnn\&.+aaa+iiiii\&.private
+contains the private key\&.
+.PP
+The
+\&.key
+file contains a DNSKEY or KEY record\&. When a zone is being signed by
+\fBnamed\fR
+or
+\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
+\&.key
+file can be inserted into a zone file manually or with a
+\fB$INCLUDE\fR
+statement\&.
+.PP
+The
+\&.private
+file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
+.SH "EXAMPLE"
+.PP
+To generate an ECDSAP256SHA256 zone\-signing key for the zone
+\fBexample\&.com\fR, issue the command:
+.PP
+\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
+.PP
+The command would print a string of the form:
+.PP
+\fBKexample\&.com\&.+013+26160\fR
+.PP
+In this example,
+\fBdnssec\-keygen\fR
+creates the files
+Kexample\&.com\&.+013+26160\&.key
+and
+Kexample\&.com\&.+013+26160\&.private\&.
+.PP
+To generate a matching key\-signing key, issue the command:
+.PP
+\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
+.SH "SEE ALSO"
+.PP
+\fBdnssec-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 2539,
+RFC 2845,
+RFC 4034\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dnssec/dnssec-keygen.c

@@ -816,7 +816,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 
 			dst_key_free(&key);
 		}
-	} while (conflict);
+	} while (conflict == true);
 
 	if (conflict) {
 		fatal("cannot generate a null key due to possible key ID "
@@ -1180,12 +1180,10 @@ main(int argc, char **argv) {
 	}
 
 	if (ctx.predecessor == NULL && ctx.policy == NULL) {
-		/* cppcheck-suppress nullPointerRedundantCheck */
 		if (algname == NULL) {
 			fatal("no algorithm specified");
 		}
 		r.base = algname;
-		/* cppcheck-suppress nullPointerRedundantCheck */
 		r.length = strlen(algname);
 		ret = dns_secalg_fromtext(&ctx.alg, &r);
 		if (ret != ISC_R_SUCCESS) {
@@ -1225,7 +1223,18 @@ main(int argc, char **argv) {
 			fatal("-k and -3 cannot be used together");
 		}
 
+		if (ctx.setpub || ctx.setact || ctx.setrev || ctx.setinact ||
+		    ctx.setdel || ctx.unsetpub || ctx.unsetact ||
+		    ctx.unsetrev || ctx.unsetinact || ctx.unsetdel ||
+		    ctx.setsyncadd || ctx.setsyncdel)
+		{
+			fatal("cannot use -k together with "
+			      "-P, -A, -R, -I, or -D options "
+			      "(use dnssec-settime on keys afterwards)");
+		}
+
 		ctx.options |= DST_TYPE_STATE;
+		ctx.genonly = true;
 
 		if (strcmp(ctx.policy, "default") == 0) {
 			ctx.use_nsec3 = false;

bin/dnssec/dnssec-keygen.docbook

@@ -0,0 +1,664 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
+  <info>
+    <date>2014-02-06</date>
+  </info>
+  <refentryinfo>
+    <date>August 21, 2015</date>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-keygen</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-keygen</application></refname>
+    <refpurpose>DNSSEC key generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2003</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-keygen</command>
+      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-C</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">bits</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-G</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">policy</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">file</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">rrtype</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="req" rep="norepeat">name</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>dnssec-keygen</command>
+      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC 4034.  It can also generate keys for use with
+      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
+      (Transaction Key) as defined in RFC 2930.
+    </para>
+    <para>
+      The <option>name</option> of the key is specified on the command
+      line.  For DNSSEC keys, this must match the name of the zone for
+      which the key is being generated.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+
+      <varlistentry>
+	<term>-3</term>
+	<listitem>
+	  <para>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <command>dnssec-keygen -3a RSASHA1</command>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
+	<listitem>
+	  <para>
+	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
+	    of <option>algorithm</option> must be one of RSASHA1,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
+	    TKEY, the value must be DH (Diffie Hellman); specifying
+	    his value will automatically set the <option>-T KEY</option>
+	    option as well.
+	  </para>
+	  <para>
+	    These values are case insensitive. In some cases, abbreviations
+	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    along with the <option>-3</option> option, then NSEC3RSASHA1
+	    will be used instead.
+	  </para>
+	  <para>
+	    This parameter <emphasis>must</emphasis> be specified except
+	    when using the <option>-S</option> option, which copies the
+	    algorithm from the predecessor key.
+	  </para>
+	  <para>
+	    In prior releases, HMAC algorithms could be generated for
+	    use as TSIG keys, but that feature has been removed as of
+	    BIND 9.13.0. Use <command>tsig-keygen</command> to generate
+	    TSIG keys.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-b <replaceable class="parameter">keysize</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the number of bits in the key.  The choice of key
+	    size depends on the algorithm used.  RSA keys must be
+	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  Elliptic curve algorithms don't need this
+	    parameter.
+	  </para>
+	  <para>
+	    If the key size is not specified, some algorithms have
+	    pre-defined defaults.  For instance, RSA keys have a default
+	    size of 2048 bits.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-C</term>
+	<listitem>
+	  <para>
+	    Compatibility mode: generates an old-style key, without any
+	    timing metadata. By default, <command>dnssec-keygen</command>
+	    will include the key's creation date in the metadata stored with
+	    the private key, and other dates may be set there as well
+	    (publication date, activation date, etc). Keys that include this
+	    data may be incompatible with older versions of BIND; the
+	    <option>-C</option> option suppresses them.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-c <replaceable class="parameter">class</replaceable></term>
+	<listitem>
+	  <para>
+	    Indicates that the DNS record containing the key should have
+	    the specified class.  If not specified, class IN is used.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-d <replaceable class="parameter">bits</replaceable></term>
+	<listitem>
+	  <para>
+	    Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
+	    RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
+	    DH size is between 128 and 4096. This option is ignored for
+	    algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-E <replaceable class="parameter">engine</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the cryptographic hardware to use, when applicable.
+	  </para>
+	  <para>
+	    When BIND is built with OpenSSL PKCS#11 support, this defaults
+	    to the string "pkcs11", which identifies an OpenSSL engine
+	    that can drive a cryptographic accelerator or hardware service
+	    module.  When BIND is built with native PKCS#11 cryptography
+	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+	    provider library specified via "--with-pkcs11".
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-f <replaceable class="parameter">flag</replaceable></term>
+	<listitem>
+	  <para>
+	    Set the specified flag in the flag field of the KEY/DNSKEY record.
+	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-G</term>
+	<listitem>
+	  <para>
+	    Generate a key, but do not publish it or sign with it.  This
+	    option is incompatible with -P and -A.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-g <replaceable class="parameter">generator</replaceable></term>
+	<listitem>
+	  <para>
+	    If generating a Diffie Hellman key, use this generator.
+	    Allowed values are 2 and 5.  If no generator
+	    is specified, a known prime from RFC 2539 will be used
+	    if possible; otherwise the default is 2.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints a short summary of the options and arguments to
+	    <command>dnssec-keygen</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-K <replaceable class="parameter">directory</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the directory in which the key files are to be written.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-k <replaceable class="parameter">policy</replaceable></term>
+	<listitem>
+	  <para>
+	    Create keys for a specific dnssec-policy.  If a policy uses
+	    multiple keys, <command>dnssec-keygen</command> will generate
+	    multiple keys.  This will also create a ".state" file to keep
+	    track of the key state.
+	  </para>
+	  <para>
+	    This option creates keys according to the dnssec-policy
+	    configuration, hence it cannot be used together with many of
+	    the other options that <command>dnssec-keygen</command>
+	    provides.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-L <replaceable class="parameter">ttl</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the default TTL to use for this key when it is converted
+	    into a DNSKEY RR.  If the key is imported into a zone,
+	    this is the TTL that will be used for it, unless there was
+	    already a DNSKEY RRset in place, in which case the existing TTL
+	    would take precedence.  If this value is not set and there
+	    is no existing DNSKEY RRset, the TTL will default to the
+	    SOA TTL. Setting the default TTL to <literal>0</literal>
+	    or <literal>none</literal> is the same as leaving it unset.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-l <replaceable class="parameter">file</replaceable></term>
+	<listitem>
+	  <para>
+	    Provide a configuration file that contains a dnssec-policy
+	    statement (matching the policy set with <command>-k</command>).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-n <replaceable class="parameter">nametype</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the owner type of the key.  The value of
+	    <option>nametype</option> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-p <replaceable class="parameter">protocol</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the protocol value for the generated key, for use
+	    with <option>-T KEY</option>. The protocol is a number between 0
+	    and 255. The default is 3 (DNSSEC). Other possible values for
+	    this argument are listed in RFC 2535 and its successors.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-q</term>
+	<listitem>
+	  <para>
+	    Quiet mode: Suppresses unnecessary output, including
+	    progress indication.  Without this option, when
+	    <command>dnssec-keygen</command> is run interactively
+	    to generate an RSA or DSA key pair, it will print a string
+	    of symbols to <filename>stderr</filename> indicating the
+	    progress of the key generation.  A '.' indicates that a
+	    random number has been found which passed an initial
+	    sieve test; '+' means a number has passed a single
+	    round of the Miller-Rabin primality test; a space
+	    means that the number has passed all the tests and is
+	    a satisfactory key.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-S <replaceable class="parameter">key</replaceable></term>
+	<listitem>
+	  <para>
+	    Create a new key which is an explicit successor to an
+	    existing key.  The name, algorithm, size, and type of the
+	    key will be set to match the existing key.  The activation
+	    date of the new key will be set to the inactivation date of
+	    the existing one.  The publication date will be set to the
+	    activation date minus the prepublication interval, which
+	    defaults to 30 days.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s <replaceable class="parameter">strength</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the strength value of the key.  The strength is
+	    a number between 0 and 15, and currently has no defined
+	    purpose in DNSSEC.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T <replaceable class="parameter">rrtype</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the resource record type to use for the key.
+	    <option>rrtype</option> must be either DNSKEY or KEY.  The
+	    default is DNSKEY when using a DNSSEC algorithm, but it can be
+	    overridden to KEY for use with SIG(0).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t <replaceable class="parameter">type</replaceable></term>
+	<listitem>
+	  <para>
+	    Indicates the use of the key, for use with <option>-T
+	    KEY</option>. <option>type</option> must be one of AUTHCONF,
+	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+	    refers to the ability to authenticate data, and CONF the ability
+	    to encrypt data.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+	<listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v <replaceable class="parameter">level</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the debugging level.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>TIMING OPTIONS</title></info>
+
+
+    <para>
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To explicitly prevent a date from being
+      set, use 'none' or 'never'.
+    </para>
+
+    <variablelist>
+      <varlistentry>
+	<term>-P <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which a key is to be published to the zone.
+	    After that date, the key will be included in the zone but will
+	    not be used to sign it.  If not set, and if the -G option has
+	    not been used, the default is "now".
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which CDS and CDNSKEY records that match this
+	    key are to be published to the zone.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-A <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be activated.  After that
+	    date, the key will be included in the zone and used to sign
+	    it.  If not set, and if the -G option has not been used, the
+	    default is "now".  If set, if and -P is not set, then
+	    the publication date will be set to the activation date
+	    minus the prepublication interval.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-R <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be revoked.  After that
+	    date, the key will be flagged as revoked.  It will be included
+	    in the zone and will be used to sign it.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-I <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be retired.  After that
+	    date, the key will still be included in the zone, but it
+	    will not be used to sign it.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-D <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the key is to be deleted.  After that
+	    date, the key will no longer be included in the zone.  (It
+	    may remain in the key repository, however.)
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the date on which the CDS and CDNSKEY records that match this
+	    key are to be deleted.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-i <replaceable class="parameter">interval</replaceable></term>
+	<listitem>
+	  <para>
+	    Sets the prepublication interval for a key.  If set, then
+	    the publication and activation dates must be separated by at least
+	    this much time.  If the activation date is specified but the
+	    publication date isn't, then the publication date will default
+	    to this much time before the activation date; conversely, if
+	    the publication date is specified but activation date isn't,
+	    then activation will be set to this much time after publication.
+	  </para>
+	  <para>
+	    If the key is being created as an explicit successor to another
+	    key, then the default prepublication interval is 30 days;
+	    otherwise it is zero.
+	  </para>
+	  <para>
+	    As with date offsets, if the argument is followed by one of
+	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+	    interval is measured in years, months, weeks, days, hours,
+	    or minutes, respectively.  Without a suffix, the interval is
+	    measured in seconds.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+
+  <refsection><info><title>GENERATED KEYS</title></info>
+
+    <para>
+      When <command>dnssec-keygen</command> completes
+      successfully,
+      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+      to the standard output.  This is an identification string for
+      the key it has generated.
+    </para>
+    <itemizedlist>
+      <listitem>
+	<para><filename>nnnn</filename> is the key name.
+	</para>
+      </listitem>
+      <listitem>
+	<para><filename>aaa</filename> is the numeric representation
+	  of the
+	  algorithm.
+	</para>
+      </listitem>
+      <listitem>
+	<para><filename>iiiii</filename> is the key identifier (or
+	  footprint).
+	</para>
+      </listitem>
+    </itemizedlist>
+    <para><command>dnssec-keygen</command>
+      creates two files, with names based
+      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
+      contains the public key, and
+      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
+      private
+      key.
+    </para>
+    <para>
+      The <filename>.key</filename> file contains a DNSKEY or KEY record.
+      When a zone is being signed by <command>named</command>
+      or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
+      records are included automatically. In other cases,
+      the <filename>.key</filename> file can be inserted into a zone file
+      manually or with a <userinput>$INCLUDE</userinput> statement.
+    </para>
+    <para>
+      The <filename>.private</filename> file contains
+      algorithm-specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </para>
+  </refsection>
+
+  <refsection><info><title>EXAMPLE</title></info>
+
+    <para>
+      To generate an ECDSAP256SHA256 zone-signing key for the zone
+      <userinput>example.com</userinput>, issue the command:
+    </para>
+    <para>
+      <userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
+    </para>
+    <para>
+      The command would print a string of the form:
+    </para>
+    <para><userinput>Kexample.com.+013+26160</userinput>
+    </para>
+    <para>
+      In this example, <command>dnssec-keygen</command> creates
+      the files <filename>Kexample.com.+013+26160.key</filename>
+      and
+      <filename>Kexample.com.+013+26160.private</filename>.
+    </para>
+    <para>
+      To generate a matching key-signing key, issue the command:
+    </para>
+    <para>
+      <userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+	<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 2539</citetitle>,
+      <citetitle>RFC 2845</citetitle>,
+      <citetitle>RFC 4034</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/dnssec/dnssec-keygen.html

@@ -0,0 +1,555 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keygen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">dnssec-keygen</span>
+     &#8212; DNSSEC key generation tool
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-keygen</code> 
+       [<code class="option">-3</code>]
+       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
+       [<code class="option">-C</code>]
+       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
+       [<code class="option">-G</code>]
+       [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
+       [<code class="option">-h</code>]
+       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
+       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
+       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
+       [<code class="option">-q</code>]
+       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
+       [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
+       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       {name}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>dnssec-keygen</strong></span>
+      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC 4034.  It can also generate keys for use with
+      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
+      (Transaction Key) as defined in RFC 2930.
+    </p>
+    <p>
+      The <code class="option">name</code> of the key is specified on the command
+      line.  For DNSSEC keys, this must match the name of the zone for
+      which the key is being generated.
+    </p>
+    <p>
+      The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
+      around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
+      as needed to enforce defined security policies such as key rollover
+      scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
+      to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-3</span></dt>
+<dd>
+	  <p>
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+	    If this option is used with an algorithm that has both
+	    NSEC and NSEC3 versions, then the NSEC3 version will be
+	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+	    specifies the NSEC3RSASHA1 algorithm.
+	  </p>
+	</dd>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+	  <p>
+	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
+	    of <code class="option">algorithm</code> must be one of RSASHA1,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
+	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
+	    TKEY, the value must be DH (Diffie Hellman); specifying
+	    his value will automatically set the <code class="option">-T KEY</code>
+	    option as well.
+	  </p>
+	  <p>
+	    These values are case insensitive. In some cases, abbreviations
+	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
+	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
+	    will be used instead.
+	  </p>
+	  <p>
+	    This parameter <span class="emphasis"><em>must</em></span> be specified except
+	    when using the <code class="option">-S</code> option, which copies the
+	    algorithm from the predecessor key.
+	  </p>
+	  <p>
+	    In prior releases, HMAC algorithms could be generated for
+	    use as TSIG keys, but that feature has been removed as of
+	    BIND 9.13.0. Use <span class="command"><strong>tsig-keygen</strong></span> to generate
+	    TSIG keys.
+	  </p>
+	</dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the number of bits in the key.  The choice of key
+	    size depends on the algorithm used.  RSA keys must be
+	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
+	    128 and 4096 bits.  Elliptic curve algorithms don't need this
+	    parameter.
+	  </p>
+	  <p>
+	    If the key size is not specified, some algorithms have
+	    pre-defined defaults.  For instance, RSA keys have a default
+	    size of 2048 bits.
+	  </p>
+	</dd>
+<dt><span class="term">-C</span></dt>
+<dd>
+	  <p>
+	    Compatibility mode: generates an old-style key, without any
+	    timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
+	    will include the key's creation date in the metadata stored with
+	    the private key, and other dates may be set there as well
+	    (publication date, activation date, etc). Keys that include this
+	    data may be incompatible with older versions of BIND; the
+	    <code class="option">-C</code> option suppresses them.
+	  </p>
+	</dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd>
+	  <p>
+	    Indicates that the DNS record containing the key should have
+	    the specified class.  If not specified, class IN is used.
+	  </p>
+	</dd>
+<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
+<dd>
+	  <p>
+	    Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
+	    RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
+	    DH size is between 128 and 4096. This option is ignored for
+	    algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
+	  </p>
+	</dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the cryptographic hardware to use, when applicable.
+	  </p>
+	  <p>
+	    When BIND is built with OpenSSL PKCS#11 support, this defaults
+	    to the string "pkcs11", which identifies an OpenSSL engine
+	    that can drive a cryptographic accelerator or hardware service
+	    module.  When BIND is built with native PKCS#11 cryptography
+	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+	    provider library specified via "--with-pkcs11".
+	  </p>
+	</dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd>
+	  <p>
+	    Set the specified flag in the flag field of the KEY/DNSKEY record.
+	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
+	  </p>
+	</dd>
+<dt><span class="term">-G</span></dt>
+<dd>
+	  <p>
+	    Generate a key, but do not publish it or sign with it.  This
+	    option is incompatible with -P and -A.
+	  </p>
+	</dd>
+<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
+<dd>
+	  <p>
+	    If generating a Diffie Hellman key, use this generator.
+	    Allowed values are 2 and 5.  If no generator
+	    is specified, a known prime from RFC 2539 will be used
+	    if possible; otherwise the default is 2.
+	  </p>
+	</dd>
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Prints a short summary of the options and arguments to
+	    <span class="command"><strong>dnssec-keygen</strong></span>.
+	  </p>
+	</dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the directory in which the key files are to be written.
+	  </p>
+	</dd>
+<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
+<dd>
+	  <p>
+	    Create keys for a specific dnssec-policy.  If a policy uses
+	    multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
+	    multiple keys.  This will also create a ".state" file to keep
+	    track of the key state.
+	  </p>
+	  <p>
+	    This option creates keys according to the dnssec-policy
+	    configuration, hence it cannot be used together with many of
+	    the other options that <span class="command"><strong>dnssec-keygen</strong></span>
+	    provides.
+	  </p>
+	</dd>
+<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the default TTL to use for this key when it is converted
+	    into a DNSKEY RR.  If the key is imported into a zone,
+	    this is the TTL that will be used for it, unless there was
+	    already a DNSKEY RRset in place, in which case the existing TTL
+	    would take precedence.  If this value is not set and there
+	    is no existing DNSKEY RRset, the TTL will default to the
+	    SOA TTL. Setting the default TTL to <code class="literal">0</code>
+	    or <code class="literal">none</code> is the same as leaving it unset.
+	  </p>
+	</dd>
+<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
+<dd>
+	  <p>
+	    Provide a configuration file that contains a dnssec-policy
+	    statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
+	  </p>
+	</dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the owner type of the key.  The value of
+	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+	    with a host (KEY)), USER (for a key associated with a
+	    user(KEY)) or OTHER (DNSKEY).  These values are case
+	    insensitive.  Defaults to ZONE for DNSKEY generation.
+	  </p>
+	</dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the protocol value for the generated key, for use
+	    with <code class="option">-T KEY</code>. The protocol is a number between 0
+	    and 255. The default is 3 (DNSSEC). Other possible values for
+	    this argument are listed in RFC 2535 and its successors.
+	  </p>
+	</dd>
+<dt><span class="term">-q</span></dt>
+<dd>
+	  <p>
+	    Quiet mode: Suppresses unnecessary output, including
+	    progress indication.  Without this option, when
+	    <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
+	    to generate an RSA or DSA key pair, it will print a string
+	    of symbols to <code class="filename">stderr</code> indicating the
+	    progress of the key generation.  A '.' indicates that a
+	    random number has been found which passed an initial
+	    sieve test; '+' means a number has passed a single
+	    round of the Miller-Rabin primality test; a space
+	    means that the number has passed all the tests and is
+	    a satisfactory key.
+	  </p>
+	</dd>
+<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
+<dd>
+	  <p>
+	    Create a new key which is an explicit successor to an
+	    existing key.  The name, algorithm, size, and type of the
+	    key will be set to match the existing key.  The activation
+	    date of the new key will be set to the inactivation date of
+	    the existing one.  The publication date will be set to the
+	    activation date minus the prepublication interval, which
+	    defaults to 30 days.
+	  </p>
+	</dd>
+<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the strength value of the key.  The strength is
+	    a number between 0 and 15, and currently has no defined
+	    purpose in DNSSEC.
+	  </p>
+	</dd>
+<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
+<dd>
+	  <p>
+	    Specifies the resource record type to use for the key.
+	    <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
+	    default is DNSKEY when using a DNSSEC algorithm, but it can be
+	    overridden to KEY for use with SIG(0).
+	  </p>
+	</dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd>
+	  <p>
+	    Indicates the use of the key, for use with <code class="option">-T
+	    KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
+	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+	    refers to the ability to authenticate data, and CONF the ability
+	    to encrypt data.
+	  </p>
+	</dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+	</dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the debugging level.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
+
+
+    <p>
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To explicitly prevent a date from being
+      set, use 'none' or 'never'.
+    </p>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which a key is to be published to the zone.
+	    After that date, the key will be included in the zone but will
+	    not be used to sign it.  If not set, and if the -G option has
+	    not been used, the default is "now".
+	  </p>
+	</dd>
+<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which CDS and CDNSKEY records that match this
+	    key are to be published to the zone.
+	  </p>
+	</dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be activated.  After that
+	    date, the key will be included in the zone and used to sign
+	    it.  If not set, and if the -G option has not been used, the
+	    default is "now".  If set, if and -P is not set, then
+	    the publication date will be set to the activation date
+	    minus the prepublication interval.
+	  </p>
+	</dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be revoked.  After that
+	    date, the key will be flagged as revoked.  It will be included
+	    in the zone and will be used to sign it.
+	  </p>
+	</dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be retired.  After that
+	    date, the key will still be included in the zone, but it
+	    will not be used to sign it.
+	  </p>
+	</dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the key is to be deleted.  After that
+	    date, the key will no longer be included in the zone.  (It
+	    may remain in the key repository, however.)
+	  </p>
+	</dd>
+<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the date on which the CDS and CDNSKEY records that match this
+	    key are to be deleted.
+	  </p>
+	</dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+	  <p>
+	    Sets the prepublication interval for a key.  If set, then
+	    the publication and activation dates must be separated by at least
+	    this much time.  If the activation date is specified but the
+	    publication date isn't, then the publication date will default
+	    to this much time before the activation date; conversely, if
+	    the publication date is specified but activation date isn't,
+	    then activation will be set to this much time after publication.
+	  </p>
+	  <p>
+	    If the key is being created as an explicit successor to another
+	    key, then the default prepublication interval is 30 days;
+	    otherwise it is zero.
+	  </p>
+	  <p>
+	    As with date offsets, if the argument is followed by one of
+	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+	    interval is measured in years, months, weeks, days, hours,
+	    or minutes, respectively.  Without a suffix, the interval is
+	    measured in seconds.
+	  </p>
+	</dd>
+</dl></div>
+  </div>
+
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>GENERATED KEYS</h2>
+
+    <p>
+      When <span class="command"><strong>dnssec-keygen</strong></span> completes
+      successfully,
+      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+      to the standard output.  This is an identification string for
+      the key it has generated.
+    </p>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+	<p><code class="filename">nnnn</code> is the key name.
+	</p>
+      </li>
+<li class="listitem">
+	<p><code class="filename">aaa</code> is the numeric representation
+	  of the
+	  algorithm.
+	</p>
+      </li>
+<li class="listitem">
+	<p><code class="filename">iiiii</code> is the key identifier (or
+	  footprint).
+	</p>
+      </li>
+</ul></div>
+    <p><span class="command"><strong>dnssec-keygen</strong></span>
+      creates two files, with names based
+      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+      contains the public key, and
+      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+      private
+      key.
+    </p>
+    <p>
+      The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
+      When a zone is being signed by <span class="command"><strong>named</strong></span>
+      or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
+      records are included automatically. In other cases,
+      the <code class="filename">.key</code> file can be inserted into a zone file
+      manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
+    </p>
+    <p>
+      The <code class="filename">.private</code> file contains
+      algorithm-specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>EXAMPLE</h2>
+
+    <p>
+      To generate an ECDSAP256SHA256 zone-signing key for the zone
+      <strong class="userinput"><code>example.com</code></strong>, issue the command:
+    </p>
+    <p>
+      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
+    </p>
+    <p>
+      The command would print a string of the form:
+    </p>
+    <p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
+    </p>
+    <p>
+      In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
+      the files <code class="filename">Kexample.com.+013+26160.key</code>
+      and
+      <code class="filename">Kexample.com.+013+26160.private</code>.
+    </p>
+    <p>
+      To generate a matching key-signing key, issue the command:
+    </p>
+    <p>
+      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+	<span class="refentrytitle">dnssec-signzone</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 2539</em>,
+      <em class="citetitle">RFC 2845</em>,
+      <em class="citetitle">RFC 4034</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>

bin/dnssec/dnssec-keygen.rst

@@ -1,322 +0,0 @@
-.. 
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-   
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-   
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-..
-   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-   This Source Code Form is subject to the terms of the Mozilla Public
-   License, v. 2.0. If a copy of the MPL was not distributed with this
-   file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-   See the COPYRIGHT file distributed with this work for additional
-   information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_dnssec-keygen:
-
-dnssec-keygen: DNSSEC key generation tool
------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-g** generator] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
-
-Description
-~~~~~~~~~~~
-
-``dnssec-keygen`` generates keys for DNSSEC (Secure DNS), as defined in
-:rfc:`2535` and :rfc:`4034`. It can also generate keys for use with TSIG
-(Transaction Signatures) as defined in :rfc:`2845`, or TKEY (Transaction
-Key) as defined in :rfc:`2930`.
-
-The ``name`` of the key is specified on the command line. For DNSSEC
-keys, this must match the name of the zone for which the key is being
-generated.
-
-Options
-~~~~~~~
-
-``-3``
-   This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
-   option is used with an algorithm that has both NSEC and NSEC3
-   versions, then the NSEC3 version is selected; for example,
-   ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
-
-``-a algorithm``
-   This option selects the cryptographic algorithm. For DNSSEC keys, the value of
-   ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
-   RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
-   TKEY, the value must be DH (Diffie-Hellman); specifying this value
-   automatically sets the ``-T KEY`` option as well.
-
-   These values are case-insensitive. In some cases, abbreviations are
-   supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
-   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
-   option, NSEC3RSASHA1 is used instead.
-
-   This parameter *must* be specified except when using the ``-S``
-   option, which copies the algorithm from the predecessor key.
-
-   In prior releases, HMAC algorithms could be generated for use as TSIG
-   keys, but that feature was removed in BIND 9.13.0. Use
-   ``tsig-keygen`` to generate TSIG keys.
-
-``-b keysize``
-   This option specifies the number of bits in the key. The choice of key size
-   depends on the algorithm used: RSA keys must be between 1024 and 4096
-   bits; Diffie-Hellman keys must be between 128 and 4096 bits. Elliptic
-   curve algorithms do not need this parameter.
-
-   If the key size is not specified, some algorithms have pre-defined
-   defaults. For example, RSA keys for use as DNSSEC zone-signing keys
-   have a default size of 1024 bits; RSA keys for use as key-signing
-   keys (KSKs, generated with ``-f KSK``) default to 2048 bits.
-
-``-C``
-   This option enables compatibility mode, which generates an old-style key, without any timing
-   metadata. By default, ``dnssec-keygen`` includes the key's
-   creation date in the metadata stored with the private key; other
-   dates may be set there as well, including publication date, activation date,
-   etc. Keys that include this data may be incompatible with older
-   versions of BIND; the ``-C`` option suppresses them.
-
-``-c class``
-   This option indicates that the DNS record containing the key should have the
-   specified class. If not specified, class IN is used.
-
-``-d bits``
-   This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
-   RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
-   and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
-   ECDSAP384SHA384, ED25519, and ED448.
-
-``-E engine``
-   This option specifies the cryptographic hardware to use, when applicable.
-
-   When BIND is built with OpenSSL PKCS#11 support, this defaults to the
-   string ``pkcs11``, which identifies an OpenSSL engine that can drive a
-   cryptographic accelerator or hardware service module. When BIND is
-   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
-   defaults to the path of the PKCS#11 provider library specified via
-   ``--with-pkcs11``.
-
-``-f flag``
-   This option sets the specified flag in the flag field of the KEY/DNSKEY record.
-   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
-
-``-G``
-   This option generates a key, but does not publish it or sign with it. This option is
-   incompatible with ``-P`` and ``-A``.
-
-``-g generator``
-   This option indicates the generator to use if generating a Diffie-Hellman key. Allowed
-   values are 2 and 5. If no generator is specified, a known prime from
-   :rfc:`2539` is used if possible; otherwise the default is 2.
-
-``-h``
-   This option prints a short summary of the options and arguments to
-   ``dnssec-keygen``.
-
-``-K directory``
-   This option sets the directory in which the key files are to be written.
-
-``-k policy``
-   This option creates keys for a specific ``dnssec-policy``. If a policy uses multiple keys,
-   ``dnssec-keygen`` generates multiple keys. This also
-   creates a ".state" file to keep track of the key state.
-
-   This option creates keys according to the ``dnssec-policy`` configuration, hence
-   it cannot be used at the same time as many of the other options that
-   ``dnssec-keygen`` provides.
-
-``-L ttl``
-   This option sets the default TTL to use for this key when it is converted into a
-   DNSKEY RR. This is the TTL used when the key is imported into a zone,
-   unless there was already a DNSKEY RRset in
-   place, in which case the existing TTL takes precedence. If this
-   value is not set and there is no existing DNSKEY RRset, the TTL
-   defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
-   is the same as leaving it unset.
-
-``-l file``
-   This option provides a configuration file that contains a ``dnssec-policy`` statement
-   (matching the policy set with ``-k``).
-
-``-n nametype``
-   This option specifies the owner type of the key. The value of ``nametype`` must
-   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
-   (for a key associated with a host (KEY)), USER (for a key associated
-   with a user (KEY)), or OTHER (DNSKEY). These values are
-   case-insensitive. The default is ZONE for DNSKEY generation.
-
-``-p protocol``
-   This option sets the protocol value for the generated key, for use with
-   ``-T KEY``. The protocol is a number between 0 and 255. The default
-   is 3 (DNSSEC). Other possible values for this argument are listed in
-   :rfc:`2535` and its successors.
-
-``-q``
-   This option sets quiet mode, which suppresses unnecessary output, including progress
-   indication. Without this option, when ``dnssec-keygen`` is run
-   interactively to generate an RSA or DSA key pair, it prints a
-   string of symbols to ``stderr`` indicating the progress of the key
-   generation. A ``.`` indicates that a random number has been found which
-   passed an initial sieve test; ``+`` means a number has passed a single
-   round of the Miller-Rabin primality test; and a space ( ) means that the
-   number has passed all the tests and is a satisfactory key.
-
-``-S key``
-   This option creates a new key which is an explicit successor to an existing key.
-   The name, algorithm, size, and type of the key are set to match
-   the existing key. The activation date of the new key is set to
-   the inactivation date of the existing one. The publication date is
-   set to the activation date minus the prepublication interval,
-   which defaults to 30 days.
-
-``-s strength``
-   This option specifies the strength value of the key. The strength is a number
-   between 0 and 15, and currently has no defined purpose in DNSSEC.
-
-``-T rrtype``
-   This option specifies the resource record type to use for the key. ``rrtype``
-   must be either DNSKEY or KEY. The default is DNSKEY when using a
-   DNSSEC algorithm, but it can be overridden to KEY for use with
-   SIG(0).
-
-``-t type``
-   This option indicates the type of the key for use with ``-T KEY``. ``type``
-   must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
-   is AUTHCONF. AUTH refers to the ability to authenticate data, and
-   CONF to the ability to encrypt data.
-
-``-V``
-   This option prints version information.
-
-``-v level``
-   This option sets the debugging level.
-
-Timing Options
-~~~~~~~~~~~~~~
-
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
-argument begins with a ``+`` or ``-``, it is interpreted as an offset from
-the present time. For convenience, if such an offset is followed by one
-of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
-computed in years (defined as 365 24-hour days, ignoring leap years),
-months (defined as 30 24-hour days), weeks, days, hours, or minutes,
-respectively. Without a suffix, the offset is computed in seconds. To
-explicitly prevent a date from being set, use ``none`` or ``never``.
-
-``-P date/offset``
-   This option sets the date on which a key is to be published to the zone. After
-   that date, the key is included in the zone but is not used
-   to sign it. If not set, and if the ``-G`` option has not been used, the
-   default is the current date.
-
-``-P sync date/offset``
-   This option sets the date on which CDS and CDNSKEY records that match this key
-   are to be published to the zone.
-
-``-A date/offset``
-   This option sets the date on which the key is to be activated. After that date,
-   the key is included in the zone and used to sign it. If not set,
-   and if the ``-G`` option has not been used, the default is the current date. If set,
-   and ``-P`` is not set, the publication date is set to the
-   activation date minus the prepublication interval.
-
-``-R date/offset``
-   This option sets the date on which the key is to be revoked. After that date, the
-   key is flagged as revoked. It is included in the zone and
-   is used to sign it.
-
-``-I date/offset``
-   This option sets the date on which the key is to be retired. After that date, the
-   key is still included in the zone, but it is not used to
-   sign it.
-
-``-D date/offset``
-   This option sets the date on which the key is to be deleted. After that date, the
-   key is no longer included in the zone. (However, it may remain in the key
-   repository.)
-
-``-D sync date/offset``
-   This option sets the date on which the CDS and CDNSKEY records that match this
-   key are to be deleted.
-
-``-i interval``
-   This option sets the prepublication interval for a key. If set, then the
-   publication and activation dates must be separated by at least this
-   much time. If the activation date is specified but the publication
-   date is not, the publication date defaults to this much time
-   before the activation date; conversely, if the publication date is
-   specified but not the activation date, activation is set to
-   this much time after publication.
-
-   If the key is being created as an explicit successor to another key,
-   then the default prepublication interval is 30 days; otherwise it is
-   zero.
-
-   As with date offsets, if the argument is followed by one of the
-   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
-   measured in years, months, weeks, days, hours, or minutes,
-   respectively. Without a suffix, the interval is measured in seconds.
-
-Generated Keys
-~~~~~~~~~~~~~~
-
-When ``dnssec-keygen`` completes successfully, it prints a string of the
-form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
-identification string for the key it has generated.
-
--  ``nnnn`` is the key name.
-
--  ``aaa`` is the numeric representation of the algorithm.
-
--  ``iiiii`` is the key identifier (or footprint).
-
-``dnssec-keygen`` creates two files, with names based on the printed
-string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
-``Knnnn.+aaa+iiiii.private`` contains the private key.
-
-The ``.key`` file contains a DNSKEY or KEY record. When a zone is being
-signed by ``named`` or ``dnssec-signzone -S``, DNSKEY records are
-included automatically. In other cases, the ``.key`` file can be
-inserted into a zone file manually or with an ``$INCLUDE`` statement.
-
-The ``.private`` file contains algorithm-specific fields. For obvious
-security reasons, this file does not have general read permission.
-
-Example
-~~~~~~~
-
-To generate an ECDSAP256SHA256 zone-signing key for the zone
-``example.com``, issue the command:
-
-``dnssec-keygen -a ECDSAP256SHA256 example.com``
-
-The command prints a string of the form:
-
-``Kexample.com.+013+26160``
-
-In this example, ``dnssec-keygen`` creates the files
-``Kexample.com.+013+26160.key`` and ``Kexample.com.+013+26160.private``.
-
-To generate a matching key-signing key, issue the command:
-
-``dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com``
-
-See Also
-~~~~~~~~
-
-:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`2539`,
-:rfc:`2845`, :rfc:`4034`.

bin/dnssec/dnssec-revoke.8

@@ -0,0 +1,103 @@
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: dnssec-revoke
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2014-01-15
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "DNSSEC\-REVOKE" "8" "2014\-01\-15" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dnssec-revoke \- set the REVOKED bit on a DNSSEC key
+.SH "SYNOPSIS"
+.HP \w'\fBdnssec\-revoke\fR\ 'u
+\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-revoke\fR
+reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key\&.
+.SH "OPTIONS"
+.PP
+\-h
+.RS 4
+Emit usage message and exit\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside\&.
+.RE
+.PP
+\-r
+.RS 4
+After writing the new keyset files remove the original keyset files\&.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level\&.
+.RE
+.PP
+\-V
+.RS 4
+Prints version information\&.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Specifies the cryptographic hardware to use, when applicable\&.
+.sp
+When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
+.RE
+.PP
+\-f
+.RS 4
+Force overwrite: Causes
+\fBdnssec\-revoke\fR
+to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key\&.
+.RE
+.PP
+\-R
+.RS 4
+Print the key tag of the key with the REVOKE bit set but do not revoke the key\&.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.br

bin/dnssec/dnssec-revoke.docbook

@@ -0,0 +1,170 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
+  <info>
+    <date>2014-01-15</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-revoke</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-revoke</application></refname>
+    <refpurpose>set the REVOKED bit on a DNSSEC key</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <year>2011</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <year>2020</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>dnssec-revoke</command>
+      <arg choice="opt" rep="norepeat"><option>-hr</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-f</option></arg>
+      <arg choice="opt" rep="norepeat"><option>-R</option></arg>
+      <arg choice="req" rep="norepeat">keyfile</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><command>dnssec-revoke</command>
+      reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+      in RFC 5011, and creates a new pair of key files containing the
+      now-revoked key.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OPTIONS</title></info>
+
+
+    <variablelist>
+      <varlistentry>
+	<term>-h</term>
+        <listitem>
+	  <para>
+	    Emit usage message and exit.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-K <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Sets the directory in which the key files are to reside.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-r</term>
+        <listitem>
+	  <para>
+	    After writing the new keyset files remove the original keyset
+	    files.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v <replaceable class="parameter">level</replaceable></term>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-V</term>
+        <listitem>
+	  <para>
+	    Prints version information.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the cryptographic hardware to use, when applicable.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-f</term>
+        <listitem>
+          <para>
+            Force overwrite: Causes <command>dnssec-revoke</command> to
+            write the new key pair even if a file already exists matching
+            the algorithm and key ID of the revoked key.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-R</term>
+        <listitem>
+          <para>
+	    Print the key tag of the key with the REVOKE bit set but do
+	    not revoke the key.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 5011</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>

bin/dnssec/dnssec-revoke.html

@@ -0,0 +1,137 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-revoke</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <span class="application">dnssec-revoke</span>
+     &#8212; set the REVOKED bit on a DNSSEC key
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">dnssec-revoke</code> 
+       [<code class="option">-hr</code>]
+       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+       [<code class="option">-V</code>]
+       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-f</code>]
+       [<code class="option">-R</code>]
+       {keyfile}
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><span class="command"><strong>dnssec-revoke</strong></span>
+      reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+      in RFC 5011, and creates a new pair of key files containing the
+      now-revoked key.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-h</span></dt>
+<dd>
+	  <p>
+	    Emit usage message and exit.
+	  </p>
+        </dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+          <p>
+            Sets the directory in which the key files are to reside.
+          </p>
+        </dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+	  <p>
+	    After writing the new keyset files remove the original keyset
+	    files.
+	  </p>
+        </dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd>
+          <p>
+            Sets the debugging level.
+          </p>
+        </dd>
+<dt><span class="term">-V</span></dt>
+<dd>
+	  <p>
+	    Prints version information.
+	  </p>
+        </dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd>
+          <p>
+            Specifies the cryptographic hardware to use, when applicable.
+          </p>
+          <p>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
+          </p>
+        </dd>
+<dt><span class="term">-f</span></dt>
+<dd>
+          <p>
+            Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
+            write the new key pair even if a file already exists matching
+            the algorithm and key ID of the revoked key.
+          </p>
+        </dd>
+<dt><span class="term">-R</span></dt>
+<dd>
+          <p>
+	    Print the key tag of the key with the REVOKE bit set but do
+	    not revoke the key.
+          </p>
+        </dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">dnssec-keygen</span>(8)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 5011</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>