Compare commits
4 Commits
|
|
deb57872b6 | ||
|
|
27df67ca1e | ||
|
|
01ae9ce62f | ||
|
|
b6c3f27c98 |
2
CHANGES
2
CHANGES
@@ -1,3 +1,5 @@
|
||||
--- 9.17.1 released ---
|
||||
|
||||
5383. [func] Add a quota attach function with a callback and clean up
|
||||
the isc_quota API. [GL !3280]
|
||||
|
||||
|
||||
@@ -39,7 +39,7 @@
|
||||
host \- DNS lookup utility
|
||||
.SH "SYNOPSIS"
|
||||
.HP \w'\fBhost\fR\ 'u
|
||||
\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
|
||||
\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBhost\fR
|
||||
@@ -138,6 +138,11 @@ directive in
|
||||
/etc/resolv\&.conf\&.
|
||||
.RE
|
||||
.PP
|
||||
\-p \fIport\fR
|
||||
.RS 4
|
||||
Specify the port on the server to query\&. The default is 53\&.
|
||||
.RE
|
||||
.PP
|
||||
\-r
|
||||
.RS 4
|
||||
Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
|
||||
|
||||
@@ -36,6 +36,7 @@
|
||||
[<code class="option">-aACdlnrsTUwv</code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
|
||||
[<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
|
||||
[<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
|
||||
@@ -165,6 +166,12 @@
|
||||
in <code class="filename">/etc/resolv.conf</code>.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the port on the server to query. The default is 53.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-r</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
|
||||
@@ -719,7 +719,10 @@ ret=0
|
||||
$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type master; file "e.db"; };' > /dev/null 2>&1 || ret=1
|
||||
$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type master; file "e.db"; };' > /dev/null 2>&1 || ret=1
|
||||
$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
|
||||
$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
|
||||
# FIXME: This check triggers a known issue in non-LMDB BIND builds
|
||||
if [ -n "${NZD}" ]; then
|
||||
$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
|
||||
fi
|
||||
$PERL $SYSTEMTESTTOP/stop.pl addzone ns3
|
||||
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} addzone ns3 || ret=1
|
||||
retry_quiet 10 _check_version_bind || ret=1
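Review bot: The new `if [ -n "${NZD}" ]; then` guard around the `'"test\".baz"'` addzone call makes the test silently run nothing in non-LMDB builds, so the build variant the FIXME says is affected is exactly the one that gets neither coverage nor a visible skip in the log. An escaped quote inside a zone name is a quoting/serialization check — the stop/start that follows in this hunk re-reads whatever `named` wrote out for the added zone — and that is the kind of input-handling regression worth keeping visible rather than hidden; presumably the non-LMDB path is the text new-zone file, but that is inferred, not shown here. I would at least add an `else` branch that records the skip, e.g. `else` / `echo_i "skipping escaped-quote addzone check: known non-LMDB issue"` before `fi` (using the harness's usual logging helper if `echo_i` is available), and replace the bare "known issue" wording in the FIXME with the tracker reference so the skip can be removed once it is fixed. The enclosing test block (the `ret=0` in the hunk header) starts before and continues after this hunk.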
|
||||
|
||||
@@ -614,6 +614,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>Chapter 2. BIND Resource Requirements</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
|
||||
@@ -43,16 +43,17 @@
|
||||
<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
|
||||
</dl>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="hw_req"></a>Hardware requirements</h2></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
<acronym class="acronym">DNS</acronym> hardware requirements have
|
||||
traditionally been quite modest.
|
||||
For many installations, servers that have been pensioned off from
|
||||
active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
|
||||
may prove to be quite
|
||||
CPU intensive however, so organizations that make heavy use of these
|
||||
@@ -61,22 +62,22 @@
|
||||
full utilization of
|
||||
multiprocessor systems for installations that need it.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="cpu_req"></a>CPU Requirements</h2></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
|
||||
i386-class machines
|
||||
for serving of static zones without caching, to enterprise-class
|
||||
machines if you intend to process many dynamic updates and DNSSEC
|
||||
signed zones, serving many thousands of queries per second.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="mem_req"></a>Memory Requirements</h2></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
The memory of the server has to be large enough to fit the
|
||||
cache and zones loaded off disk. The <span class="command"><strong>max-cache-size</strong></span>
|
||||
option can be used to limit the amount of memory used by the cache,
|
||||
@@ -90,11 +91,14 @@
|
||||
a relatively stable size where entries are expiring from the cache as
|
||||
fast as they are being inserted.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="intensive_env"></a>Name Server Intensive Environment Issues</h2></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
For name server intensive environments, there are two alternative
|
||||
configurations that may be used. The first is where clients and
|
||||
any second-level internal name servers query a main name server, which
|
||||
@@ -107,11 +111,13 @@
|
||||
this has the disadvantage of making many more external queries,
|
||||
as none of the name servers share their cached data.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="supported_os"></a>Supported Operating Systems</h2></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
|
||||
number
|
||||
of Unix-like operating systems and on
|
||||
@@ -121,8 +127,8 @@
|
||||
directory
|
||||
of the BIND 9 source distribution.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
<table width="100%" summary="Navigation footer">
|
||||
@@ -140,6 +146,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>Chapter 3. Name Server Configuration</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
|
||||
@@ -54,18 +54,22 @@
|
||||
</dl></dd>
|
||||
</dl>
|
||||
</div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
In this chapter we provide some suggested configurations along
|
||||
with guidelines for their use. We suggest reasonable values for
|
||||
certain option settings.
|
||||
</p>
|
||||
<div class="section">
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
|
||||
<div class="section">
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The following sample configuration is appropriate for a caching-only
|
||||
name server for use by clients internal to a corporation. All
|
||||
queries
|
||||
@@ -74,6 +78,7 @@
|
||||
suitable
|
||||
firewall rules.
|
||||
</p>
|
||||
|
||||
<pre class="programlisting">
|
||||
// Two corporate subnets we wish to allow queries from.
|
||||
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
|
||||
@@ -91,15 +96,19 @@ zone "0.0.127.in-addr.arpa" {
|
||||
notify no;
|
||||
};
|
||||
</pre>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
This sample configuration is for an authoritative-only server
|
||||
that is the master server for "<code class="filename">example.com</code>"
|
||||
and a slave for the subdomain "<code class="filename">eng.example.com</code>".
|
||||
</p>
|
||||
|
||||
<pre class="programlisting">
|
||||
options {
|
||||
// Working directory
|
||||
@@ -138,23 +147,31 @@ zone "eng.example.com" {
|
||||
masters { 192.168.4.12; };
|
||||
};
|
||||
</pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="load_balancing"></a>Load Balancing</h2></div></div></div>
|
||||
<p>
|
||||
|
||||
|
||||
|
||||
<p>
|
||||
A primitive form of load balancing can be achieved in
|
||||
the <acronym class="acronym">DNS</acronym> by using multiple records
|
||||
(such as multiple A records) for one name.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
For example, if you have three HTTP servers with network addresses
|
||||
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
|
||||
following means that clients will connect to each machine one third
|
||||
of the time:
|
||||
</p>
|
||||
<div class="informaltable"><table class="informaltable" border="1">
|
||||
|
||||
<div class="informaltable">
|
||||
<table border="1">
|
||||
<colgroup>
|
||||
<col width="0.875in" class="1">
|
||||
<col width="0.500in" class="2">
|
||||
@@ -268,47 +285,52 @@ zone "eng.example.com" {
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table></div>
|
||||
<p>
|
||||
</table>
|
||||
</div>
|
||||
<p>
|
||||
When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
|
||||
them and respond to the query with the records in a different
|
||||
order. In the example above, clients will randomly receive
|
||||
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
|
||||
will use the first record returned and discard the rest.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
For more detail on ordering responses, check the
|
||||
<span class="command"><strong>rrset-order</strong></span> sub-statement in the
|
||||
<span class="command"><strong>options</strong></span> statement, see
|
||||
<a class="xref" href="Bv9ARM.ch05.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="ns_operations"></a>Name Server Operations</h2></div></div></div>
|
||||
<div class="section">
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
This section describes several indispensable diagnostic,
|
||||
administrative and monitoring tools available to the system
|
||||
administrator for controlling and debugging the name server
|
||||
daemon.
|
||||
</p>
|
||||
<div class="section">
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
|
||||
<span class="command"><strong>nslookup</strong></span> programs are all command
|
||||
line tools
|
||||
for manually querying name servers. They differ in style and
|
||||
output format.
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
<span class="command"><strong>dig</strong></span>
|
||||
is the most versatile and complete of these lookup tools.
|
||||
It has two modes: simple interactive
|
||||
@@ -318,22 +340,31 @@ zone "eng.example.com" {
|
||||
accessible
|
||||
from the command line.
|
||||
</p>
|
||||
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
|
||||
<p>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dig</code>
|
||||
[@<em class="replaceable"><code>server</code></em>]
|
||||
<em class="replaceable"><code>domain</code></em>
|
||||
[<em class="replaceable"><code>query-type</code></em>]
|
||||
[<em class="replaceable"><code>query-class</code></em>]
|
||||
[+<em class="replaceable"><code>query-option</code></em>]
|
||||
[-<em class="replaceable"><code>dig-option</code></em>]
|
||||
[%<em class="replaceable"><code>comment</code></em>]
|
||||
</p></div>
|
||||
<p>
|
||||
The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
|
||||
</p>
|
||||
<p class="simpara">
|
||||
<p class="simpara">
|
||||
<span class="command"><strong>dig @server domain query-type query-class</strong></span>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
For more information and a list of available commands and
|
||||
options, see the <span class="command"><strong>dig</strong></span> man
|
||||
page.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
The <span class="command"><strong>host</strong></span> utility emphasizes
|
||||
simplicity
|
||||
and ease of use. By default, it converts
|
||||
@@ -341,16 +372,29 @@ zone "eng.example.com" {
|
||||
functionality
|
||||
can be extended with the use of options.
|
||||
</p>
|
||||
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
|
||||
<p>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">host</code>
|
||||
[-aCdlnrsTwv]
|
||||
[-c <em class="replaceable"><code>class</code></em>]
|
||||
[-N <em class="replaceable"><code>ndots</code></em>]
|
||||
[-t <em class="replaceable"><code>type</code></em>]
|
||||
[-W <em class="replaceable"><code>timeout</code></em>]
|
||||
[-R <em class="replaceable"><code>retries</code></em>]
|
||||
[-m <em class="replaceable"><code>flag</code></em>]
|
||||
[-4]
|
||||
[-6]
|
||||
<em class="replaceable"><code>hostname</code></em>
|
||||
[<em class="replaceable"><code>server</code></em>]
|
||||
</p></div>
|
||||
<p>
|
||||
For more information and a list of available commands and
|
||||
options, see the <span class="command"><strong>host</strong></span> man
|
||||
page.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt>
|
||||
<dd>
|
||||
<p><span class="command"><strong>nslookup</strong></span>
|
||||
<p><span class="command"><strong>nslookup</strong></span>
|
||||
has two modes: interactive and
|
||||
non-interactive. Interactive mode allows the user to
|
||||
query name servers for information about various
|
||||
@@ -359,8 +403,15 @@ zone "eng.example.com" {
|
||||
the name and requested information for a host or
|
||||
domain.
|
||||
</p>
|
||||
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
|
||||
<p>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">nslookup</code>
|
||||
[-option...]
|
||||
[
|
||||
[<em class="replaceable"><code>host-to-find</code></em>]
|
||||
| [- [server]]
|
||||
]
|
||||
</p></div>
|
||||
<p>
|
||||
Interactive mode is entered when no arguments are given (the
|
||||
default name server will be used) or when the first argument
|
||||
is a
|
||||
@@ -368,7 +419,7 @@ zone "eng.example.com" {
|
||||
Internet address
|
||||
of a name server.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Non-interactive mode is used when the name or Internet
|
||||
address
|
||||
of the host to be looked up is given as the first argument.
|
||||
@@ -376,56 +427,76 @@ zone "eng.example.com" {
|
||||
optional second argument specifies the host name or address
|
||||
of a name server.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Due to its arcane user interface and frequently inconsistent
|
||||
behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>.
|
||||
Use <span class="command"><strong>dig</strong></span> instead.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
Administrative tools play an integral part in the management
|
||||
of a server.
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt>
|
||||
<a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span>
|
||||
</dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
The <span class="command"><strong>named-checkconf</strong></span> program
|
||||
checks the syntax of a <code class="filename">named.conf</code> file.
|
||||
</p>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
|
||||
</dd>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-checkconf</code>
|
||||
[-jvz]
|
||||
[-t <em class="replaceable"><code>directory</code></em>]
|
||||
[<em class="replaceable"><code>filename</code></em>]
|
||||
</p></div>
|
||||
</dd>
|
||||
<dt>
|
||||
<a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span>
|
||||
</dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
The <span class="command"><strong>named-checkzone</strong></span> program
|
||||
checks a master file for
|
||||
syntax and consistency.
|
||||
</p>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
|
||||
</dd>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-checkzone</code>
|
||||
[-djqvD]
|
||||
[-c <em class="replaceable"><code>class</code></em>]
|
||||
[-o <em class="replaceable"><code>output</code></em>]
|
||||
[-t <em class="replaceable"><code>directory</code></em>]
|
||||
[-w <em class="replaceable"><code>directory</code></em>]
|
||||
[-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
|
||||
[-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
|
||||
[-W <em class="replaceable"><code>(ignore|warn)</code></em>]
|
||||
<em class="replaceable"><code>zone</code></em>
|
||||
[<em class="replaceable"><code>filename</code></em>]
|
||||
</p></div>
|
||||
</dd>
|
||||
<dt>
|
||||
<a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span>
|
||||
</dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Similar to <span class="command"><strong>named-checkzone,</strong></span> but
|
||||
it always dumps the zone content to a specified file
|
||||
(typically in a different format).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt>
|
||||
<a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span>
|
||||
</dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
The remote name daemon control
|
||||
(<span class="command"><strong>rndc</strong></span>) program allows the
|
||||
system
|
||||
@@ -433,11 +504,21 @@ zone "eng.example.com" {
|
||||
If you run <span class="command"><strong>rndc</strong></span> without any
|
||||
options, it will display a usage message as follows:
|
||||
</p>
|
||||
<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
|
||||
<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">rndc</code>
|
||||
[-c <em class="replaceable"><code>config</code></em>]
|
||||
[-s <em class="replaceable"><code>server</code></em>]
|
||||
[-p <em class="replaceable"><code>port</code></em>]
|
||||
[-y <em class="replaceable"><code>key</code></em>]
|
||||
<em class="replaceable"><code>command</code></em>
|
||||
[<em class="replaceable"><code>command</code></em>...]
|
||||
</p></div>
|
||||
|
||||
<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
|
||||
the available <span class="command"><strong>rndc</strong></span> commands.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>rndc</strong></span> requires a configuration file,
|
||||
since all
|
||||
communication with the server is authenticated with
|
||||
@@ -461,7 +542,8 @@ zone "eng.example.com" {
|
||||
<a class="xref" href="Bv9ARM.ch05.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and
|
||||
Usage”</a>.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The format of the configuration file is similar to
|
||||
that of <code class="filename">named.conf</code>, but
|
||||
limited to
|
||||
@@ -473,7 +555,8 @@ zone "eng.example.com" {
|
||||
be shared. The order of statements is not
|
||||
significant.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <span class="command"><strong>options</strong></span> statement has
|
||||
three clauses:
|
||||
<span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
|
||||
@@ -491,7 +574,8 @@ zone "eng.example.com" {
|
||||
port is given on the command line or in a
|
||||
<span class="command"><strong>server</strong></span> statement.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <span class="command"><strong>key</strong></span> statement defines a
|
||||
key to be used
|
||||
by <span class="command"><strong>rndc</strong></span> when authenticating
|
||||
@@ -520,7 +604,8 @@ zone "eng.example.com" {
|
||||
have any meaning. The secret is a Base64 encoded string
|
||||
as specified in RFC 3548.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <span class="command"><strong>server</strong></span> statement
|
||||
associates a key
|
||||
defined using the <span class="command"><strong>key</strong></span>
|
||||
@@ -536,9 +621,11 @@ zone "eng.example.com" {
|
||||
connect
|
||||
to on the server.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
A sample minimal configuration file is as follows:
|
||||
</p>
|
||||
|
||||
<pre class="programlisting">
|
||||
key rndc_key {
|
||||
algorithm "hmac-sha256";
|
||||
@@ -550,30 +637,36 @@ options {
|
||||
default-key rndc_key;
|
||||
};
|
||||
</pre>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
This file, if installed as <code class="filename">/etc/rndc.conf</code>,
|
||||
would allow the command:
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
to connect to 127.0.0.1 port 953 and cause the name server
|
||||
to reload, if a name server on the local machine were
|
||||
running with
|
||||
following controls statements:
|
||||
</p>
|
||||
|
||||
<pre class="programlisting">
|
||||
controls {
|
||||
inet 127.0.0.1
|
||||
allow { localhost; } keys { rndc_key; };
|
||||
};
|
||||
</pre>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
and it had an identical key statement for
|
||||
<code class="literal">rndc_key</code>.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Running the <span class="command"><strong>rndc-confgen</strong></span>
|
||||
program will
|
||||
conveniently create a <code class="filename">rndc.conf</code>
|
||||
@@ -588,19 +681,23 @@ controls {
|
||||
modify
|
||||
<code class="filename">named.conf</code> at all.
|
||||
</p>
|
||||
</dd>
|
||||
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="signals"></a>Signals</h3></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
Certain UNIX signals cause the name server to take specific
|
||||
actions, as described in the following table. These signals can
|
||||
be sent using the <span class="command"><strong>kill</strong></span> command.
|
||||
</p>
|
||||
<div class="informaltable"><table class="informaltable" border="1">
|
||||
<div class="informaltable">
|
||||
<table border="1">
|
||||
<colgroup>
|
||||
<col width="1.125in" class="1">
|
||||
<col width="4.000in" class="2">
|
||||
@@ -638,26 +735,29 @@ controls {
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table></div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="module-info"></a>Plugins</h2></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Plugins are a mechanism to extend the functionality of
|
||||
<span class="command"><strong>named</strong></span> using dynamically loadable libraries.
|
||||
By using plugins, core server functionality can be kept simple
|
||||
for the majority of users; more complex code implementing optional
|
||||
features need only be installed by users that need those features.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The plugin interface is a work in progress, and is expected to evolve
|
||||
as more plugins are added. Currently, only "query plugins" are supported;
|
||||
these modify the name server query logic. Other plugin types may be added
|
||||
in the future.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The only plugin currently included in BIND is
|
||||
<code class="filename">filter-aaaa.so</code>, which replaces the
|
||||
<span class="command"><strong>filter-aaaa</strong></span> feature that previously existed natively
|
||||
@@ -668,19 +768,20 @@ controls {
|
||||
<code class="filename">filter-aaaa.so</code> plugin provides identical
|
||||
functionality.
|
||||
</p>
|
||||
<div class="section">
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.4.6.5"></a>Configuring Plugins</h3></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
A plugin is configured with the <span class="command"><strong>plugin</strong></span>
|
||||
statement in <code class="filename">named.conf</code>:
|
||||
</p>
|
||||
<pre class="screen">
|
||||
<pre class="screen">
|
||||
plugin query "library.so" {
|
||||
<em class="replaceable"><code>parameters</code></em>
|
||||
};
|
||||
</pre>
|
||||
<p>
|
||||
<p>
|
||||
In this example, file <code class="filename">library.so</code> is the plugin
|
||||
library. <code class="literal">query</code> indicates that this is a query
|
||||
plugin.
|
||||
@@ -691,16 +792,17 @@ controls {
|
||||
Multiple <span class="command"><strong>plugin</strong></span> statements can be specified, to load
|
||||
different plugins or multiple instances of the same plugin.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<em class="replaceable"><code>parameters</code></em> are passed as an opaque
|
||||
string to the plugin's initialization routine. Configuration
|
||||
syntax will differ depending on the module.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.4.6.6"></a>Developing Plugins</h3></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
Each plugin implements four functions:
|
||||
</p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
@@ -720,7 +822,7 @@ controls {
</ul></div>
<p>
</p>
<p>
<p>
At various locations within the <span class="command"><strong>named</strong></span> source code,
there are "hook points" at which a plugin may register itself.
When a hook point is reached while <span class="command"><strong>named</strong></span> is
@@ -732,9 +834,11 @@ controls {
aborted. More details can be found in the file
<code class="filename">lib/ns/include/ns/hooks.h</code>.
</p>
</div>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@@ -752,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
</body>
</html>
@@ -2928,6 +2928,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
</body>
</html>
@@ -7798,18 +7798,36 @@ deny-answer-aliases { "example.net"; };
<dd>
<p>
NSDNAME triggers match names of authoritative servers
for the query name, a parent of the query name, a CNAME for
query name, or a parent of a CNAME.
They are encoded as subdomains of
<span class="command"><strong>rpz-nsdname</strong></span> relativized
to the RPZ origin name.
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
The <span class="command"><strong>nsdname-enable</strong></span> phrase turns NSDNAME
for the query name, a parent of the query name, a CNAME
for query name, or a parent of a CNAME. They are
encoded as subdomains of <span class="command"><strong>rpz-nsdname</strong></span>
relativized to the RPZ origin name. NSIP triggers match
IP addresses in A and AAAA RRsets for domains that can
be checked against NSDNAME policy records. The
<span class="command"><strong>nsdname-enable</strong></span> phrase turns NSDNAME
triggers off or on for a single policy zone or all
zones.
</p>
<p>
If authoritative nameservers for the query name are not
yet known, <span class="command"><strong>named</strong></span> will recursively
look up the authoritative servers for the query name
before applying an RPZ-NSDNAME rule.
This can cause a processing delay. To speed up
processing at the cost of precision, the
<span class="command"><strong>nsdname-wait-recurse</strong></span> option
can be used: when set to <strong class="userinput"><code>no</code></strong>,
RPZ-NSDNAME rules will only be applied when authoritative
servers for the query name have already been looked up and
cached. If authoritative servers for the query name
are not in the cache, then the RPZ-NSDNAME rule will be
ignored, but the authoritative servers for the query name
will be looked up in the background, and the rule will be
applied to subsequent queries. The default is
<strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSDNAME
rules should always be applied even if authoritative
servers for the query name need to be looked up first.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>RPZ-NSIP</strong></span></span></dt>
<dd>
@@ -9882,79 +9900,72 @@ view "external" {
<table border="1">
<colgroup>
<col class="1">
<col width="4.017in" class="2">
<col class="2">
</colgroup>
<tbody>
<tbody valign="top">
<tr>
<td>
<td valign="top">
<p>
<code class="varname">master</code>
<code class="varname">primary</code>
</p>
</td>
<td>
<td valign="top">
<p>
The server has a master copy of the data
for the zone and will be able to provide authoritative
answers for it. Type <code class="varname">primary</code> is
a synonym for <code class="varname">master</code>.
answers for it. Type <code class="varname">master</code> is
a synonym for <code class="varname">primary</code>.
</p>
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">slave</code>
<code class="varname">secondary</code>
</p>
</td>
<td>
<td valign="top">
<p>
A slave zone is a replica of a master
zone. Type <code class="varname">secondary</code> is a
synonym for <code class="varname">slave</code>.
A secondary zone is a replica of a master
zone. Type <code class="varname">slave</code> is a
synonym for <code class="varname">secondary</code>.
The <span class="command"><strong>masters</strong></span> list
specifies one or more IP addresses
of master servers that the slave contacts to update
its copy of the zone.
Masters list elements can also be names of other
masters lists.
By default, transfers are made from port 53 on the
servers; this can
be changed for all servers by specifying a port number
before the
list of IP addresses, or on a per-server basis after
the IP address.
its copy of the zone. Masters list elements can
also be names of other masters lists. By default,
transfers are made from port 53 on the servers;
this can be changed for all servers by specifying
a port number before the list of IP addresses,
or on a per-server basis after the IP address.
Authentication to the master can also be done with
per-server TSIG keys.
If a file is specified, then the
per-server TSIG keys. If a file is specified, then the
replica will be written to this file whenever the zone
is changed,
and reloaded from this file on a server restart. Use
of a file is
recommended, since it often speeds server startup and
eliminates
a needless waste of bandwidth. Note that for large
numbers (in the
tens or hundreds of thousands) of zones per server, it
is best to
use a two-level naming scheme for zone filenames. For
example,
a slave server for the zone <code class="literal">example.com</code> might place
is changed, and reloaded from this file on a server
restart. Use of a file is recommended, since it
often speeds server startup and eliminates a
needless waste of bandwidth. Note that for large
numbers (in the tens or hundreds of thousands) of
zones per server, it is best to use a two-level
naming scheme for zone filenames. For example,
a slave server for the zone
<code class="literal">example.com</code> might place
the zone contents into a file called
<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
just the first two letters of the zone name. (Most
operating systems
<code class="filename">ex/example.com</code> where
<code class="filename">ex/</code> is just the first two
letters of the zone name. (Most operating systems
behave very slowly if you put 100000 files into
a single directory.)
</p>
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">stub</code>
</p>
</td>
<td>
<td valign="top">
<p>
A stub zone is similar to a slave zone,
except that it replicates only the NS records of a
@@ -10007,93 +10018,30 @@ view "external" {
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">mirror</code>
</p>
</td>
<td>
<td valign="top">
<p>
<span class="bold"><strong>Note:</strong></span> using
this zone type with any zone other than the root
zone should be considered
<span class="emphasis"><em>experimental</em></span> and may cause
performance issues, especially for zones which
are large and/or frequently updated.
</p>
<p>
A mirror zone acts like a zone of type
<strong class="userinput"><code>secondary</code></strong> whose data is
subject to DNSSEC validation before being used
in answers. Validation is performed during the
zone transfer process (for both AXFR and IXFR),
and again when the zone file is loaded from disk
when <span class="command"><strong>named</strong></span> is restarted. If
A mirror zone is similar to a zone of type
<strong class="userinput"><code>secondary</code></strong>, except its data
is subject to DNSSEC validation before being used
in answers. Validation is applied to the entire
zone during the zone transfer process, and again
when the zone file is loaded from disk when
<span class="command"><strong>named</strong></span> is restarted. If
validation of a new version of a mirror zone
fails, a retransfer is scheduled and the most
recent correctly validated version of that zone
is used until it expires; if a newer version of
that zone is later correctly validated, it
replaces the previously used version. If no
usable zone data is available for a mirror zone
(either because it was never loaded from disk
and has not yet been transferred from a primary
server or because its most recent correctly
validated version expired), traditional DNS
recursion will be used to look up the answers
instead.
</p>
<p>
While any zone may be configured with this type,
it is intended to be used to set up a fast local
copy of the root zone, similar to the one
described in RFC 7706. Note, however, that
mirror zones are not supposed to augment the
example configuration provided by RFC 7706 but
rather to replace it altogether.
</p>
<p>
A default list of primary servers for the IANA
root zone is built into <span class="command"><strong>named</strong></span>
and thus its mirroring can be enabled using the
following configuration:
</p>
<pre class="programlisting">zone "." {
type mirror;
};</pre>
<p>
In order to set up mirroring of any other zone,
an explicit list of primary servers needs to be
provided using the <span class="command"><strong>masters</strong></span>
option (see <a class="xref" href="Bv9ARM.ch05.html#masters_grammar" title="masters Statement Grammar">the section called “<span class="command"><strong>masters</strong></span> Statement Grammar”</a>
for details).
</p>
<p>
To make mirror zone contents persist between
<span class="command"><strong>named</strong></span> restarts, use the
<a class="xref" href="Bv9ARM.ch05.html#file_option"><span class="command"><strong>file</strong></span></a>
option.
</p>
<p>
Mirror zone validation always happens for the
entire zone contents, i.e. no "incremental
validation" takes place, even for IXFRs. This
is required to ensure that each version of the
zone used by the resolver is fully
self-consistent with respect to DNSSEC. Other,
more efficient zone verification methods may be
added in the future.
</p>
<p>
For validation to succeed, a key-signing key
(KSK) for the zone must be configured as a trust
anchor in <code class="filename">named.conf</code>: that
is, a key for the zone must be specified in
<span class="command"><strong>trust-anchors</strong></span>. In the case
of the root zone, you may also rely on the
built-in root trust anchor, which is enabled
when <a class="xref" href="Bv9ARM.ch05.html#dnssec_validation"><span class="command"><strong>dnssec-validation</strong></span></a> is set to the
default value <strong class="userinput"><code>auto</code></strong>.
is used until it either expires or a newer version
validates correctly. If no usable zone data is
available for a mirror zone at all, either due to
transfer failure or expiration, traditional DNS
recursion is used to look up the answers instead.
Mirror zones cannot be used in a view that does
not have recursion enabled.
</p>
<p>
Answers coming from a mirror zone look almost
@@ -10104,27 +10052,50 @@ view "external" {
bit ("authenticated data") is.
</p>
<p>
Since mirror zones are intended to be used by
recursive resolvers, adding one to a view with
recursion disabled is considered to be a
configuration error.
Mirror zones are intended to be used to set up a
fast local copy of the root zone, similar to the
one described in RFC 7706. A default list of primary
servers for the IANA root zone is built into
<span class="command"><strong>named</strong></span> and thus its mirroring
can be enabled using the following configuration:
</p>
<pre class="programlisting">zone "." {
type mirror;
};</pre>
<p>
Other zones can be configured as mirror zones,
but this should be considered
<span class="emphasis"><em>experimental</em></span> and may cause
performance issues, especially with zones that
are large and/or frequently updated.
Mirroring a zone other than root requires an
explicit list of primary servers to be provided
using the <span class="command"><strong>masters</strong></span> option
(see <a class="xref" href="Bv9ARM.ch05.html#masters_grammar" title="masters Statement Grammar">the section called “<span class="command"><strong>masters</strong></span> Statement Grammar”</a>
for details), and a key-signing key (KSK)
for the specified zone to be explicitly
configured as a trust anchor.
</p>
<p>
To make mirror zone contents persist between
<span class="command"><strong>named</strong></span> restarts, use the
<a class="xref" href="Bv9ARM.ch05.html#file_option"><span class="command"><strong>file</strong></span></a>
option.
</p>
<p>
When configuring NOTIFY for a mirror zone, only
<strong class="userinput"><code>notify no;</code></strong> and
<strong class="userinput"><code>notify explicit;</code></strong> can be
used. Using any other <span class="command"><strong>notify</strong></span>
setting at the zone level is a configuration
error. Using any other
used at the zone level. Using any other
<span class="command"><strong>notify</strong></span> setting at the
<span class="command"><strong>options</strong></span> or
<span class="command"><strong>view</strong></span> level will cause
that setting to be overridden with
<strong class="userinput"><code>notify explicit;</code></strong> for the
mirror zone in question. Since the global
default for the <span class="command"><strong>notify</strong></span> option
is <strong class="userinput"><code>yes</code></strong>, mirror zones are
by default configured with
mirror zone. The global default for the
<span class="command"><strong>notify</strong></span> option is
<strong class="userinput"><code>yes</code></strong>, so mirror
zones are by default configured with
<strong class="userinput"><code>notify explicit;</code></strong>.
</p>
<p>
@@ -10135,12 +10106,12 @@ view "external" {
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">static-stub</code>
</p>
</td>
<td>
<td valign="top">
<p>
A static-stub zone is similar to a stub zone
with the following exceptions:
@@ -10184,12 +10155,12 @@ view "external" {
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">forward</code>
</p>
</td>
<td>
<td valign="top">
<p>
A "forward zone" is a way to configure
forwarding on a per-domain basis. A <span class="command"><strong>zone</strong></span> statement
@@ -10217,12 +10188,12 @@ view "external" {
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">hint</code>
</p>
</td>
<td>
<td valign="top">
<p>
The initial set of root name servers is
specified using a "hint zone". When the server starts
@@ -10238,12 +10209,12 @@ view "external" {
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">redirect</code>
</p>
</td>
<td>
<td valign="top">
<p>
Redirect zones are used to provide answers to
queries when normal resolution would result in
@@ -10303,12 +10274,12 @@ view "external" {
</td>
</tr>
<tr>
<td>
<td valign="top">
<p>
<code class="varname">delegation-only</code>
</p>
</td>
<td>
<td valign="top">
<p>
This is used to enforce the delegation-only
status of infrastructure zones (e.g. COM,
@@ -15374,6 +15345,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
</body>
</html>
@@ -10,7 +10,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 6. BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. BIND 9 Configuration Reference">
@@ -45,10 +45,12 @@
<dt><span class="section"><a href="Bv9ARM.ch06.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
<p>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in
<span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
@@ -56,26 +58,27 @@
<span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
<span class="command"><strong>match-clients</strong></span>, etc.
</p>
<p>
<p>
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
</p>
<p>
<p>
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial of service
(DoS) attacks against your server.
</p>
<p>
<p>
ACLs match clients on the basis of up to three characteristics:
1) The client's IP address; 2) the TSIG or SIG(0) key that was
used to sign the request, if any; and 3) an address prefix
encoded in an EDNS Client Subnet option, if any.
</p>
<p>
<p>
Here is an example of ACLs based on client addresses:
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
@@ -104,32 +107,33 @@ zone "example.com" {
allow-query { any; };
};
</pre>
<p>
<p>
This allows authoritative queries for "example.com" from any
address, but recursive queries only from the networks specified
in "our-nets", and no queries at all from the networks
specified in "bogusnets".
</p>
<p>
<p>
In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs
may include <code class="option">key</code> elements, which specify the
name of a TSIG or SIG(0) key.
</p>
<p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
This is done by specifying an ACL element of the form:
<span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
</p>
<p>
<p>
The <em class="replaceable"><code>field</code></em> indicates which field
to search for a match. Available fields are "country",
"region", "city", "continent", "postal" (postal code),
"metro" (metro code), "area" (area code), "tz" (timezone),
"isp", "asnum", and "domain".
</p>
<p>
<p>
<em class="replaceable"><code>value</code></em> is the value to search
for within the database. A string may be quoted if it
contains spaces or other special characters. An "asnum"
@@ -144,7 +148,7 @@ zone "example.com" {
abbreviation; otherwise it treated as the full name of the
state or province.
</p>
<p>
<p>
The <em class="replaceable"><code>database</code></em> field indicates which
GeoIP database to search for a match. In most cases this is
unnecessary, because most search fields can only be found in
@@ -159,10 +163,10 @@ zone "example.com" {
is installed, in that order. Valid database names are
"country", "city", "asnum", "isp", and "domain".
</p>
<p>
<p>
Some example GeoIP ACLs:
</p>
<pre class="programlisting">geoip country US;
<pre class="programlisting">geoip country US;
geoip country JP;
geoip db country country Canada;
geoip region WA;
@@ -172,7 +176,8 @@ geoip postal 95062;
geoip tz "America/Los_Angeles";
geoip org "Internet Systems Consortium";
</pre>
<p>
<p>
ACLs use a "first-match" logic rather than "best-match":
if an address prefix matches an ACL element, then that ACL
is considered to have matched even if a later element would
@@ -182,7 +187,7 @@ geoip org "Internet Systems Consortium";
indicated that the query should be accepted, and the second
element is ignored.
</p>
<p>
<p>
When using "nested" ACLs (that is, ACLs included or referenced
within other ACLs), a negative match of a nested ACL will
the containing ACL to continue looking for matches. This
@@ -192,10 +197,10 @@ geoip org "Internet Systems Consortium";
it originates from a particular network <span class="emphasis"><em>and</em></span>
only when it is signed with a particular key, use:
</p>
<pre class="programlisting">
<pre class="programlisting">
allow-query { !{ !10/8; any; }; key example; };
</pre>
<p>
<p>
Within the nested ACL, any address that is
<span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
be rejected, and this will terminate processing of the
@@ -207,12 +212,14 @@ allow-query { !{ !10/8; any; }; key example; };
will only matches when <span class="emphasis"><em>both</em></span> conditions
are true.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
</h2></div></div></div>
<p>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
in a <span class="emphasis"><em>chrooted</em></span> environment (using
the <span class="command"><strong>chroot()</strong></span> function) by specifying
@@ -221,23 +228,25 @@ allow-query { !{ !10/8; any; }; key example; };
<acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
the damage done if a server is compromised.
</p>
<p>
<p>
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
</p>
<p>
<p>
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
<span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
user 202:
</p>
<p>
<p>
<strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
</p>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
<p>
<p>
In order for a <span class="command"><strong>chroot</strong></span> environment
to work properly in a particular directory (for example,
<code class="filename">/var/named</code>), you will need to set
@@ -249,7 +258,7 @@ allow-query { !{ !10/8; any; }; key example; };
options like <span class="command"><strong>directory</strong></span> and
<span class="command"><strong>pid-file</strong></span> to account for this.
</p>
<p>
<p>
Unlike with earlier versions of BIND, you typically will
<span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
statically nor install shared libraries under the new root.
@@ -260,11 +269,13 @@ allow-query { !{ !10/8; any; }; key example; };
<code class="filename">/dev/log</code>, and
<code class="filename">/etc/localtime</code>.
</p>
</div>
<div class="section">
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
<p>
<p>
Prior to running the <span class="command"><strong>named</strong></span> daemon,
use
the <span class="command"><strong>touch</strong></span> utility (to change file
@@ -275,7 +286,7 @@ allow-query { !{ !10/8; any; }; key example; };
to which you want <acronym class="acronym">BIND</acronym>
to write.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
If the <span class="command"><strong>named</strong></span> daemon is running as an
@@ -283,12 +294,14 @@ allow-query { !{ !10/8; any; }; key example; };
ports if the server is reloaded.
</p>
</div>
</div>
</div>
<div class="section">
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
<p>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym class="acronym">BIND</acronym>, the only way to do this was
@@ -308,7 +321,8 @@ allow-query { !{ !10/8; any; }; key example; };
forward it to the master with its own source IP address causing the
master to approve it without question.
</p>
<p>
<p>
For these reasons, we strongly recommend that updates be
cryptographically authenticated by means of transaction signatures
(TSIG). That is, the <span class="command"><strong>allow-update</strong></span>
@@ -317,7 +331,8 @@ allow-query { !{ !10/8; any; }; key example; };
prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
option can be used.
</p>
<p>
<p>
Some sites choose to keep all dynamically-updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP
@@ -325,8 +340,9 @@ allow-query { !{ !10/8; any; }; key example; };
of public web and mail servers need not allow dynamic update at
all.
</p>
</div>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
@@ -344,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
</body>
</html>
@@ -10,7 +10,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 7. Troubleshooting</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Security Considerations">
@@ -45,24 +45,28 @@
|
||||
<dt><span class="section"><a href="Bv9ARM.ch07.html#more_help">Where Can I Get Help?</a></span></dt>
|
||||
</dl>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="common_problems"></a>Common Problems</h2></div></div></div>
|
||||
<div class="section">
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.8.2.2"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The best solution to solving installation and
|
||||
configuration issues is to take preventative measures by setting
|
||||
up logging files beforehand. The log files provide a
|
||||
source of hints and information that can be used to figure out
|
||||
what went wrong and how to fix the problem.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.8.2.3"></a>EDNS compliance issues</h3></div></div></div>
|
||||
<p>
|
||||
<p>
|
||||
EDNS (Extended DNS) is a standard that was first specified
|
||||
in 1999. It is required for DNSSEC validation, DNS COOKIE
|
||||
options, and other features. There are broken and outdated
|
||||
@@ -73,7 +77,7 @@
|
||||
situation, retrying queries in different ways and eventually
|
||||
falling back to plain DNS queries without EDNS.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Such workarounds cause unnecessary resolution delays,
|
||||
increase code complexity, and prevent deployment of new DNS
|
||||
features. As of February 2019, all major DNS software vendors
|
||||
@@ -82,7 +86,7 @@
|
||||
for further details. This change was implemented in BIND
|
||||
as of release 9.14.0.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
As a result, some domains may be non-resolvable without manual
|
||||
intervention. In these cases, resolution can be restored by
|
||||
adding <span class="command"><strong>server</strong></span> clauses for the offending
|
||||
@@ -90,32 +94,33 @@
|
||||
<span class="command"><strong>send-cookie no</strong></span>, depending on the specific
|
||||
noncompliance.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To determine which <span class="command"><strong>server</strong></span> clause to use,
|
||||
run the following commands to send queries to the authoritative
|
||||
servers for the broken domain:
|
||||
</p>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
dig soa <zone> @<server> +dnssec<br>
|
||||
dig soa <zone> @<server> +dnssec +nocookie<br>
|
||||
dig soa <zone> @<server> +noedns<br>
|
||||
</p></div>
|
||||
<p>
|
||||
<p>
|
||||
If the first command fails but the second succeeds, the
|
||||
server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
|
||||
If the first two fail but the third succeeds, then the server
|
||||
needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Please contact the administrators of noncompliant domains
|
||||
and encourage them to upgrade their broken DNS servers.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="id-1.8.3"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Zone serial numbers are just numbers — they aren't
|
||||
date related. A lot of people set them to a number that
|
||||
represents a date, usually of the form YYYYMMDDRR.
|
||||
@@ -127,22 +132,26 @@
|
||||
lower than the serial number on the master, the slave
|
||||
server will attempt to update its copy of the zone.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Setting the serial number to a lower number on the master
|
||||
server than the slave server means that the slave will not perform
|
||||
updates to its copy of the zone.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The solution to this is to add 2147483647 (2^31-1) to the
|
||||
number, reload the zone and make sure all slaves have updated to
|
||||
the new zone serial number, then reset the number to what you want
|
||||
it to be, and reload the zone again.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="more_help"></a>Where Can I Get Help?</h2></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The Internet Systems Consortium
|
||||
(<acronym class="acronym">ISC</acronym>) offers a wide range
|
||||
of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
|
||||
@@ -155,15 +164,16 @@
|
||||
fix announcements to remote support. It also includes training in
|
||||
<acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
To discuss arrangements for support, contact
|
||||
<a class="link" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
|
||||
<acronym class="acronym">ISC</acronym> web page at
|
||||
<a class="link" href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
|
||||
to read more.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
<table width="100%" summary="Navigation footer">
|
||||
@@ -181,6 +191,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -36,11 +36,12 @@
|
||||
<div class="toc">
|
||||
<p><b>Table of Contents</b></p>
|
||||
<dl class="toc">
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.0</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.1</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.1">Notes for BIND 9.17.1</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.0">Notes for BIND 9.17.0</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
|
||||
@@ -50,7 +51,7 @@
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.17.0</h2></div></div></div>
|
||||
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.17.1</h2></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
@@ -107,6 +108,100 @@
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.17.1"></a>Notes for BIND 9.17.1</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-security"></a>Security Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
DNS rebinding protection was ineffective when BIND 9 is configured as
|
||||
a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
Klein. [GL #1574]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-known"></a>Known Issues</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
We have received reports that in some circumstances, receipt of an
|
||||
IXFR can cause the processing of queries to slow significantly. Some
|
||||
of these were related to RPZ processing, which has been fixed in this
|
||||
release (see below). Others appear to occur where there are
|
||||
NSEC3-related changes (such as an operator changing the NSEC3 salt
|
||||
used in the hash calculation). These are being investigated.
|
||||
[GL #1685]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-new"></a>New Features</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
A new option, <span class="command"><strong>nsdname-wait-recurse</strong></span>, has been added
|
||||
to the <span class="command"><strong>response-policy</strong></span> clause in the configuration
|
||||
file. When set to <span class="command"><strong>no</strong></span>, RPZ NSDNAME rules are only
|
||||
applied if the authoritative nameservers for the query name have been
|
||||
looked up and are present in the cache. If this information is not
|
||||
present, the RPZ NSDNAME rules are ignored, but the information is
|
||||
looked up in the background and applied to subsequent queries. The
|
||||
default is <span class="command"><strong>yes</strong></span>, meaning that RPZ NSDNAME rules
|
||||
should always be applied, even if the information needs to be looked
|
||||
up first. [GL #1138]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-changes"></a>Feature Changes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
The previous DNSSEC sign statistics used lots of memory. The number of
|
||||
keys to track is reduced to four per zone, which should be enough for
|
||||
99% of all signed zones. [GL #1179]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-bugs"></a>Bug Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
When an RPZ policy zone was updated via zone transfer and a large
|
||||
number of records was deleted, <span class="command"><strong>named</strong></span> could become
|
||||
nonresponsive for a short period while deleted names were removed from
|
||||
the RPZ summary database. This database cleanup is now done
|
||||
incrementally over a longer period of time, reducing such delays.
|
||||
[GL #1447]
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
When trying to migrate an already-signed zone from
|
||||
<span class="command"><strong>auto-dnssec maintain</strong></span> to one based on
|
||||
<span class="command"><strong>dnssec-policy</strong></span>, the existing keys were immediately
|
||||
deleted and replaced with new ones. As the key rollover timing
|
||||
constraints were not being followed, it was possible that some clients
|
||||
would not have been able to validate responses until all old DNSSEC
|
||||
information had timed out from caches. BIND now looks at the time
|
||||
metadata of the existing keys and incorporates it into its DNSSEC
|
||||
policy operation. [GL #1706]
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
@@ -131,7 +226,8 @@
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
When a secondary server receives a large incremental zone
|
||||
transfer (IXFR), it can have a negative impact on query
|
||||
@@ -147,7 +243,21 @@
|
||||
to the size of a full zone transfer. The default is
|
||||
<code class="literal">100%</code>. [GL #1515]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
A new RPZ option <span class="command"><strong>nsdname-wait-recurse</strong></span>
|
||||
controls whether RPZ-NSDNAME rules should always be applied
|
||||
even if the names of authoritative name servers for the query
|
||||
name need to be looked up recurively first. The default is
|
||||
<strong class="userinput"><code>yes</code></strong>. Setting it to
|
||||
<strong class="userinput"><code>no</code></strong> speeds up initial responses by skipping
|
||||
RPZ-NSDNAME rules when name server domain names are not yet
|
||||
in the cache. The names will be looked up in the background and
|
||||
the rule will be applied for subsequent queries. [GL #1138]
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
@@ -264,6 +374,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>Appendix B. A Brief History of the DNS and BIND</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="prev" href="Bv9ARM.ch08.html" title="Appendix A. Release Notes">
|
||||
@@ -35,7 +35,7 @@
|
||||
<div class="titlepage"><div><div><h1 class="title">
|
||||
<a name="Bv9ARM.ch09"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
|
||||
</h1></div></div></div>
|
||||
<p><a name="historical_dns_information"></a>
|
||||
<p><a name="historical_dns_information"></a>
|
||||
Although the "official" beginning of the Domain Name
|
||||
System occurred in 1984 with the publication of RFC 920, the
|
||||
core of the new system was described in 1983 in RFCs 882 and
|
||||
@@ -50,7 +50,8 @@
|
||||
became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
|
||||
built.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The first working domain name server, called "Jeeves", was
|
||||
written in 1983-84 by Paul Mockapetris for operation on DEC
|
||||
Tops-20
|
||||
@@ -68,7 +69,7 @@
|
||||
Administration
|
||||
(DARPA).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Versions of <acronym class="acronym">BIND</acronym> through
|
||||
4.8.3 were maintained by the Computer
|
||||
Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
|
||||
@@ -83,7 +84,7 @@
|
||||
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
|
||||
handled by Mike Karels and Øivind Kure.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
|
||||
released by Digital Equipment
|
||||
Corporation (now Compaq Computer Corporation). Paul Vixie, then
|
||||
@@ -95,41 +96,41 @@
|
||||
Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
|
||||
Wolfhugel, and others.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
|
||||
Vixie Enterprises. Paul
|
||||
Vixie became <acronym class="acronym">BIND</acronym>'s principal
|
||||
architect/programmer.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
|
||||
have been developed and maintained
|
||||
by the Internet Systems Consortium and its predecessor,
|
||||
the Internet Software Consortium, with support being provided
|
||||
by ISC's sponsors.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
As co-architects/programmers, Bob Halley and
|
||||
Paul Vixie released the first production-ready version of
|
||||
<acronym class="acronym">BIND</acronym> version 8 in May 1997.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
BIND version 9 was released in September 2000 and is a
|
||||
major rewrite of nearly all aspects of the underlying
|
||||
BIND architecture.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
BIND versions 4 and 8 are officially deprecated.
|
||||
No additional development is done
|
||||
on BIND version 4 or BIND version 8.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<acronym class="acronym">BIND</acronym> development work is made
|
||||
possible today by the sponsorship
|
||||
of several corporations, and by the tireless work efforts of
|
||||
numerous individuals.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
<table width="100%" summary="Navigation footer">
|
||||
@@ -147,6 +148,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>Appendix D. BIND 9 DNS Library Support</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="prev" href="Bv9ARM.ch10.html" title="Appendix C. General DNS Reference Information">
|
||||
@@ -46,10 +46,11 @@
|
||||
</dl></dd>
|
||||
</dl>
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
This version of BIND 9 "exports" its internal libraries so
|
||||
that they can be used by third-party applications more easily (we
|
||||
call them "export" libraries in this document). Certain library
|
||||
@@ -58,27 +59,32 @@
|
||||
the calling program initializes the libraries by calling
|
||||
<span class="command"><strong>isc_lib_register()</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
In addition to DNS-related APIs that are used within BIND 9, the
|
||||
libraries provide the following features:
|
||||
</p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem"><p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
The "DNS client" module. This is a higher level API that
|
||||
provides an interface to name resolution, single DNS transaction
|
||||
with a particular server, and dynamic update. Regarding name
|
||||
resolution, it supports advanced features such as DNSSEC validation
|
||||
and caching. This module supports both synchronous and asynchronous
|
||||
mode.
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
The "IRS" (Information Retrieval System) library. It provides an
|
||||
interface to parse the traditional <code class="filename">resolv.conf</code>
|
||||
file and more advanced, DNS-specific configuration file for the
|
||||
rest of this package (see the description for the
|
||||
<code class="filename">dns.conf</code> file below).
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
As part of the IRS library, the standard address-name
|
||||
mapping functions, <span class="command"><strong>getaddrinfo()</strong></span> and
|
||||
<span class="command"><strong>getnameinfo()</strong></span>, are provided. They use the
|
||||
@@ -87,33 +93,38 @@
|
||||
<span class="command"><strong>getaddrinfo()</strong></span> function resolves both A
|
||||
and AAAA RRs concurrently when the address family is
|
||||
unspecified.
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
An experimental framework to support other event
|
||||
libraries than BIND 9's internal event task system.
|
||||
</p></li>
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
<div class="section">
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.12.2.5"></a>Installation</h3></div></div></div>
|
||||
<pre class="screen">
|
||||
|
||||
<pre class="screen">
|
||||
$ <strong class="userinput"><code>make install</code></strong>
|
||||
</pre>
|
||||
<p>
|
||||
<p>
|
||||
Normal installation of BIND will also install library object
|
||||
and header files. Root privilege is normally required.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To see how to build your own application after the installation, see
|
||||
<code class="filename">lib/samples/Makefile-postinstall.in</code>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.12.2.6"></a>Known Defects/Restrictions</h3></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
<p>
|
||||
The "fixed" RRset order is not (currently) supported in the export
|
||||
library. If you want to use "fixed" RRset order for, e.g.
|
||||
<span class="command"><strong>named</strong></span> while still building the export library
|
||||
@@ -128,25 +139,30 @@ $ <strong class="userinput"><code>make</code></strong>
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem"><p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
RFC 5011 is not supported in the validating stub resolver of the
|
||||
export library. In fact, it is not clear whether it should: trust
|
||||
anchors would be a system-wide configuration which would be managed
|
||||
by an administrator, while the stub resolver will be used by
|
||||
ordinary applications run by a normal user.
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
Not all common <code class="filename">/etc/resolv.conf</code> options are
|
||||
supported in the IRS library. The only available options in this
|
||||
version are <span class="command"><strong>debug</strong></span> and <span class="command"><strong>ndots</strong></span>.
|
||||
</p></li>
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.12.2.7"></a>The dns.conf File</h3></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The IRS library supports an "advanced" configuration file related to
|
||||
the DNS library for configuration parameters that would be beyond the
|
||||
capability of the <code class="filename">resolv.conf</code> file.
|
||||
@@ -164,38 +180,42 @@ $ <strong class="userinput"><code>make</code></strong>
|
||||
with <span class="command"><strong>initial-key</strong></span> or <span class="command"><strong>iniital-ds</strong></span>.
|
||||
(See <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Grammar">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Grammar”</a> for syntax details.)
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.12.2.8"></a>Sample Applications</h3></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Some sample application programs using this API are provided for
|
||||
reference. The following is a brief description of these
|
||||
applications.
|
||||
</p>
|
||||
<div class="section">
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="id-1.12.2.8.3"></a>sample: a simple stub resolver utility</h4></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Sends a query of a given name (of a given optional RR type) to a
|
||||
specified recursive server and prints the result as a list of RRs.
|
||||
It can also act as a validating stub resolver if a trust anchor is
|
||||
given via a set of command line options.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Usage: sample [options] server_address hostname
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Options and Arguments:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-t RRtype</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
specify the RR type of the query. The default is the A RR.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">[-a algorithm] [-e] -k keyname -K keystring</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
specify a command-line DNS key to validate the answer. For
|
||||
example, to specify the following DNSKEY of example.com:
|
||||
</p>
|
||||
@@ -213,36 +233,43 @@ $ <strong class="userinput"><code>make</code></strong>
|
||||
as "secure entry point").
|
||||
When -a is omitted rsasha1 will be used by default.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-s domain:alt_server_address</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
specify a separate recursive server address for the specific
|
||||
"domain". Example: -s example.com:2001:db8::1234
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">server_address</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
an IP(v4/v6) address of the recursive server to which queries
|
||||
are sent.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">hostname</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
the domain name for the query
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="id-1.12.2.8.4"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Similar to "sample", but accepts a list
|
||||
of (query) domain names as a separate file and resolves the names
|
||||
asynchronously.</p>
|
||||
<p>
|
||||
<p>
|
||||
Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
|
||||
<p>
|
||||
<p>
|
||||
Options and Arguments:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-s server_address</span></dt>
|
||||
<dd>
|
||||
an IPv4 address of the recursive server to which queries are sent.
|
||||
@@ -262,13 +289,14 @@ $ <strong class="userinput"><code>make</code></strong>
|
||||
mx.example.net<br>
|
||||
ns.xxx.example<br>
|
||||
</p></div>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="id-1.12.2.8.5"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Sends a query to a specified server, and prints the response with
|
||||
minimal processing. It doesn't act as a "stub resolver": it stops
|
||||
the processing once it gets any response from the server, whether
|
||||
@@ -276,32 +304,39 @@ $ <strong class="userinput"><code>make</code></strong>
|
||||
further queries to get the ultimate answer. In other words, this
|
||||
utility acts as a very simplified <span class="command"><strong>dig</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Usage: sample-request [-t RRtype] server_address hostname
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Options and Arguments:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-t RRtype</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
specify the RR type of the queries. The default is the A RR.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">server_address</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
an IP(v4/v6) address of the recursive server to which
|
||||
the query is sent.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">hostname</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
the domain name for the query
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="id-1.12.2.8.6"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
This is a test program to check <span class="command"><strong>getaddrinfo()</strong></span> and
|
||||
<span class="command"><strong>getnameinfo()</strong></span> behavior. It takes a host name as an
|
||||
argument, calls <span class="command"><strong>getaddrinfo()</strong></span> with the given host
|
||||
@@ -313,130 +348,153 @@ $ <strong class="userinput"><code>make</code></strong>
|
||||
will fail with an EAI_INSECUREDATA error when DNSSEC validation
|
||||
fails.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Usage: sample-gai hostname
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="id-1.12.2.8.7"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Accepts a single update command as a command-line argument, sends
|
||||
an update request message to the authoritative server, and shows
|
||||
the response from the server. In other words, this is a simplified
|
||||
<span class="command"><strong>nsupdate</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Usage: sample-update [options] (add|delete) "update data"
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Options and Arguments:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a auth_server</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
An IP address of the authoritative server that has authority
|
||||
for the zone containing the update name. This should
|
||||
normally be the primary authoritative server that accepts
|
||||
dynamic updates. It can also be a secondary server that is
|
||||
configured to forward update requests to the primary server.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-k keyfile</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
A TSIG key file to secure the update transaction. The
|
||||
keyfile format is the same as that for the nsupdate utility.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p prerequisite</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
A prerequisite for the update (only one prerequisite can be
|
||||
specified). The prerequisite format is the same as that is
|
||||
accepted by the nsupdate utility.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-r recursive_server</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
An IP address of a recursive server that this utility will
|
||||
use. A recursive server may be necessary to identify the
|
||||
authoritative server address to which the update request is
|
||||
sent.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-z zonename</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The domain name of the zone that contains
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">(add|delete)</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the type of update operation. Either "add" or
|
||||
"delete" must be specified.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">"update data"</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the data to be updated. A typical example of the
|
||||
data would look like "name TTL RRtype RDATA".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<h3 class="title">Note</h3>
|
||||
<p>
|
||||
<p>
|
||||
In practice, either -a or -r must be specified. Others can be
|
||||
optional; the underlying library routine tries to identify the
|
||||
appropriate server and the zone name for the update.
|
||||
</p>
|
||||
</div>
|
||||
<p>
|
||||
</div>
|
||||
<p>
|
||||
Examples: assuming the primary authoritative server of the
|
||||
dynamic.example.com zone has an IPv6 address 2001:db8::1234,
|
||||
</p>
|
||||
<pre class="screen">
|
||||
<pre class="screen">
|
||||
$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
|
||||
<p>
|
||||
<p>
|
||||
adds an A RR for foo.dynamic.example.com using the given key.
|
||||
</p>
|
||||
<pre class="screen">
|
||||
<pre class="screen">
|
||||
$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
|
||||
<p>
|
||||
<p>
|
||||
removes all A RRs for foo.dynamic.example.com using the given key.
|
||||
</p>
|
||||
<pre class="screen">
|
||||
<pre class="screen">
|
||||
$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
|
||||
<p>
|
||||
<p>
|
||||
removes all RRs for foo.dynamic.example.com using the given key.
|
||||
</p>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="id-1.12.2.8.8"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Checks a set of domains to see the name servers of the domains
|
||||
behave correctly in terms of RFC 4074. This is included in the set
|
||||
of sample programs to show how the export library can be used in a
|
||||
DNS-related application.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Options
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-d</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Run in "debug" mode. With this option nsprobe will dump
|
||||
every RRs it receives.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Increase verbosity of other normal log messages. This can be
|
||||
specified multiple times.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c cache_address</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify an IP address of a recursive (caching) name server.
|
||||
nsprobe uses this server to get the NS RRset of each domain
|
||||
and the A and/or AAAA RRsets for the name servers. The
|
||||
default value is 127.0.0.1.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">input_file</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
A file name containing a list of domain (zone) names to be
|
||||
probed. when omitted the standard input will be used. Each
|
||||
line of the input file specifies a single domain name such as
|
||||
@@ -446,21 +504,23 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
|
||||
for the given domain name, and sends A and AAAA queries to
|
||||
these servers for some "widely used" names under the zone;
|
||||
specifically, adding "www" and "ftp" to the zone name.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="section">
|
||||
</div>
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="id-1.12.2.9"></a>Library References</h3></div></div></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
As of this writing, there is no formal "manual" for the libraries,
|
||||
except this document, header files (some of which provide pretty
|
||||
detailed explanations), and sample application programs.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
<table width="100%" summary="Navigation footer">
|
||||
@@ -478,6 +538,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>Manual pages</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="prev" href="Bv9ARM.ch11.html" title="Appendix D. BIND 9 DNS Library Support">
|
||||
@@ -154,7 +154,44 @@
|
||||
</dt>
|
||||
</dl>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
<table width="100%" summary="Navigation footer">
|
||||
@@ -173,6 +210,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>BIND 9 Administrator Reference Manual</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
|
||||
</head>
|
||||
@@ -32,7 +32,7 @@
|
||||
<div>
|
||||
<div><h1 class="title">
|
||||
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
|
||||
<div><p class="releaseinfo">BIND Version 9.17.0</p></div>
|
||||
<div><p class="releaseinfo">BIND Version 9.17.1</p></div>
|
||||
<div><p class="copyright">Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
|
||||
</div>
|
||||
<hr>
|
||||
@@ -247,11 +247,12 @@
|
||||
</dl></dd>
|
||||
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.0</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.17.1</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.1">Notes for BIND 9.17.1</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.17.0">Notes for BIND 9.17.0</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
|
||||
@@ -398,7 +399,32 @@
|
||||
</dl></dd>
|
||||
</dl>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
<table width="100%" summary="Navigation footer">
|
||||
@@ -415,6 +441,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Binary file not shown.
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>arpaname</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
@@ -32,27 +32,45 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.arpaname"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">arpaname</span> — translate IP addresses to the corresponding ARPA names</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.2.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">arpaname</span>
|
||||
— translate IP addresses to the corresponding ARPA names
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">arpaname</code>
|
||||
{<em class="replaceable"><code>ipaddress </code></em>...}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.2.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>arpaname</strong></span> translates IP addresses (IPv4 and
|
||||
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.2.8"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -72,6 +90,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>ddns-confgen</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.arpaname.html" title="arpaname">
|
||||
@@ -32,31 +32,62 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">ddns-confgen</span> — ddns key generation tool</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">tsig-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [name]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.3.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">ddns-confgen</span>
|
||||
— ddns key generation tool
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">tsig-keygen</code>
|
||||
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[name]
|
||||
</p></div>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">ddns-confgen</code>
|
||||
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
|
||||
[<code class="option">-q</code>]
|
||||
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
|
||||
[
|
||||
-s <em class="replaceable"><code>name</code></em>
|
||||
| -z <em class="replaceable"><code>zone</code></em>
|
||||
]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.3.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
|
||||
are invocation methods for a utility that generates keys for use
|
||||
in TSIG signing. The resulting keys can be used, for example,
|
||||
to secure dynamic DNS updates to a zone or for the
|
||||
<span class="command"><strong>rndc</strong></span> command channel.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
|
||||
can be specified on the command line which will be used as
|
||||
the name of the generated key. If no name is specified,
|
||||
the default is <code class="constant">tsig-key</code>.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
|
||||
key is accompanied by configuration text and instructions
|
||||
that can be used with <span class="command"><strong>nsupdate</strong></span> and
|
||||
@@ -66,7 +97,8 @@
|
||||
<span class="command"><strong>rndc-confgen</strong></span> command for setting
|
||||
up command channel security.)
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Note that <span class="command"><strong>named</strong></span> itself can configure a
|
||||
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
|
||||
it does this when a zone is configured with
|
||||
@@ -76,24 +108,32 @@
|
||||
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
|
||||
system.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.3.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the algorithm to use for the TSIG key. Available
|
||||
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
|
||||
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
|
||||
Options are case-insensitive, and the "hmac-" prefix
|
||||
may be omitted.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints a short summary of options and arguments.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the key name of the DDNS authentication key.
|
||||
The default is <code class="constant">ddns-key</code> when neither
|
||||
the <code class="option">-s</code> nor <code class="option">-z</code> option is
|
||||
@@ -103,15 +143,19 @@
|
||||
<code class="constant">ddns-key.example.com.</code>
|
||||
The key name must have the format of a valid domain name,
|
||||
consisting of letters, digits, hyphens and periods.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
(<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode: Print
|
||||
only the key, with no explanatory text or usage examples;
|
||||
This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
(<span class="command"><strong>ddns-confgen</strong></span> only.)
|
||||
Generate configuration example to allow dynamic updates
|
||||
of a single hostname. The example <span class="command"><strong>named.conf</strong></span>
|
||||
@@ -122,9 +166,11 @@
|
||||
Note that the "self" nametype cannot be used, since
|
||||
the name to be updated may differ from the key name.
|
||||
This option cannot be used with the <code class="option">-z</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
(<span class="command"><strong>ddns-confgen</strong></span> only.)
|
||||
Generate configuration example to allow dynamic updates
|
||||
of a zone: The example <span class="command"><strong>named.conf</strong></span> text
|
||||
@@ -134,17 +180,27 @@
|
||||
all subdomain names within that
|
||||
<em class="replaceable"><code>zone</code></em>.
|
||||
This option cannot be used with the <code class="option">-s</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.3.9"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">nsupdate</span>(1)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named.conf</span>(5)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -164,6 +220,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>delv</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
|
||||
@@ -32,25 +32,72 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.delv"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p>delv — DNS lookup and validation utility</p>
|
||||
<p>
|
||||
delv
|
||||
— DNS lookup and validation utility
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">delv</code> [@server] [[<code class="option">-4</code>] | [<code class="option">-6</code>]] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-h</code>]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-v</code>]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">delv</code>
|
||||
[@server]
|
||||
[
|
||||
[<code class="option">-4</code>]
|
||||
| [<code class="option">-6</code>]
|
||||
]
|
||||
[<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
|
||||
[<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-i</code>]
|
||||
[<code class="option">-m</code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
|
||||
[<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
|
||||
[<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
|
||||
[name]
|
||||
[type]
|
||||
[class]
|
||||
[queryopt...]
|
||||
</p></div>
|
||||
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">delv</code>
|
||||
[<code class="option">-h</code>]
|
||||
</p></div>
|
||||
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">delv</code>
|
||||
[<code class="option">-v</code>]
|
||||
</p></div>
|
||||
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">delv</code>
|
||||
[queryopt...]
|
||||
[query...]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.4.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>delv</strong></span>
|
||||
|
||||
<p><span class="command"><strong>delv</strong></span>
|
||||
is a tool for sending
|
||||
DNS queries and validating the results, using the same internal
|
||||
resolver and validator logic as <span class="command"><strong>named</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<span class="command"><strong>delv</strong></span> will send to a specified name server all
|
||||
queries needed to fetch and validate the requested data; this
|
||||
includes the original requested query, subsequent queries to follow
|
||||
@@ -60,7 +107,7 @@
|
||||
behavior of a name server configured for DNSSEC validating and
|
||||
forwarding.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
By default, responses are validated using built-in DNSSEC trust
|
||||
anchor for the root zone ("."). Records returned by
|
||||
<span class="command"><strong>delv</strong></span> are either fully validated or
|
||||
@@ -71,7 +118,7 @@
|
||||
be used to check the validity of DNS responses in environments
|
||||
where local name servers may not be trustworthy.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Unless it is told to query a specific name server,
|
||||
<span class="command"><strong>delv</strong></span> will try each of the servers listed in
|
||||
<code class="filename">/etc/resolv.conf</code>. If no usable server
|
||||
@@ -79,15 +126,18 @@
|
||||
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
|
||||
for IPv6).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When no command line arguments or options are given,
|
||||
<span class="command"><strong>delv</strong></span> will perform an NS query for "."
|
||||
(the root zone).
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.4.8"></a><h2>SIMPLE USAGE</h2>
|
||||
<p>
|
||||
|
||||
|
||||
<p>
|
||||
A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
|
||||
</p>
|
||||
<pre class="programlisting"> delv @server name type </pre>
|
||||
@@ -98,7 +148,7 @@
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="constant">server</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
is the name or IP address of the name server to query. This
|
||||
can be an IPv4 address in dotted-decimal notation or an IPv6
|
||||
address in colon-delimited notation. When the supplied
|
||||
@@ -108,7 +158,7 @@
|
||||
initial lookup is <span class="emphasis"><em>not</em></span> validated
|
||||
by DNSSEC).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If no <em class="parameter"><code>server</code></em> argument is
|
||||
provided, <span class="command"><strong>delv</strong></span> consults
|
||||
<code class="filename">/etc/resolv.conf</code>; if an
|
||||
@@ -121,13 +171,16 @@
|
||||
the localhost addresses (127.0.0.1 for IPv4,
|
||||
::1 for IPv6).
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">name</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
is the domain name to be looked up.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">type</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
indicates what type of query is required —
|
||||
ANY, A, MX, etc.
|
||||
<em class="parameter"><code>type</code></em> can be any valid query
|
||||
@@ -135,28 +188,32 @@
|
||||
<em class="parameter"><code>type</code></em> argument is supplied,
|
||||
<span class="command"><strong>delv</strong></span> will perform a lookup for an
|
||||
A record.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.4.9"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specifies a file from which to read DNSSEC trust anchors.
|
||||
The default is <code class="filename">/etc/bind.keys</code>, which
|
||||
is included with <acronym class="acronym">BIND</acronym> 9 and contains
|
||||
one or more trust anchors for the root zone (".").
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Keys that do not match the root zone name are ignored.
|
||||
An alternate key name can be specified using the
|
||||
<code class="option">+root=NAME</code> options.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Note: When reading the trust anchor file,
|
||||
<span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
|
||||
<code class="option">initial-key</code> and <code class="option">static-key</code>
|
||||
@@ -173,23 +230,28 @@
|
||||
<code class="filename">/etc/bind.keys</code> to use DNSSEC
|
||||
validation in <span class="command"><strong>delv</strong></span>.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the source IP address of the query to
|
||||
<em class="parameter"><code>address</code></em>. This must be a valid address
|
||||
on one of the host's network interfaces or "0.0.0.0" or "::".
|
||||
An optional source port may be specified by appending
|
||||
"#<port>"
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the query class for the requested data. Currently,
|
||||
only class "IN" is supported in <span class="command"><strong>delv</strong></span>
|
||||
and any other value is ignored.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the systemwide debug level to <code class="option">level</code>.
|
||||
The allowed range is from 0 to 99.
|
||||
The default is 0 (no debugging).
|
||||
@@ -198,13 +260,17 @@
|
||||
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
|
||||
and <code class="option">+vtrace</code> options below for additional
|
||||
debugging details.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Insecure mode. This disables internal DNSSEC validation.
|
||||
(Note, however, this does not set the CD bit on upstream
|
||||
queries. If the server being queried is performing DNSSEC
|
||||
@@ -212,30 +278,37 @@
|
||||
can cause <span class="command"><strong>delv</strong></span> to time out. When it
|
||||
is necessary to examine invalid data to debug a DNSSEC
|
||||
problem, use <span class="command"><strong>dig +cd</strong></span>.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-m</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Enables memory usage debugging.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a destination port to use for queries instead of
|
||||
the standard DNS port number 53. This option would be used
|
||||
with a name server that has been configured to listen
|
||||
for queries on a non-standard port number.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the query name to <em class="parameter"><code>name</code></em>.
|
||||
While the query name can be specified without using the
|
||||
<code class="option">-q</code>, it is sometimes necessary to disambiguate
|
||||
names from types or classes (for example, when looking up the
|
||||
name "ns", which could be misinterpreted as the type NS,
|
||||
or "ch", which could be misinterpreted as class CH).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Sets the query type to <em class="parameter"><code>type</code></em>, which
|
||||
can be any valid query type supported in BIND 9 except
|
||||
for zone transfer types AXFR and IXFR. As with
|
||||
@@ -243,18 +316,21 @@
|
||||
query name type or class when they are ambiguous.
|
||||
it is sometimes necessary to disambiguate names from types.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The default query type is "A", unless the <code class="option">-x</code>
|
||||
option is supplied to indicate a reverse lookup, in which case
|
||||
it is "PTR".
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the <span class="command"><strong>delv</strong></span> version and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Performs a reverse lookup, mapping an addresses to
|
||||
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
|
||||
dotted-decimal notation, or a colon-delimited IPv6 address.
|
||||
@@ -264,24 +340,33 @@
|
||||
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
|
||||
and sets the query type to PTR. IPv6 addresses are looked up
|
||||
using nibble format under the IP6.ARPA domain.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-4</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-6</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.4.10"></a><h2>QUERY OPTIONS</h2>
|
||||
<p><span class="command"><strong>delv</strong></span>
|
||||
|
||||
|
||||
<p><span class="command"><strong>delv</strong></span>
|
||||
provides a number of query options which affect the way results are
|
||||
displayed, and in some cases the way lookups are performed.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Each query option is identified by a keyword preceded by a plus sign
|
||||
(<code class="literal">+</code>). Some keywords set or reset an
|
||||
option. These may be preceded by the string
|
||||
@@ -293,7 +378,8 @@
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Controls whether to set the CD (checking disabled) bit in
|
||||
queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
|
||||
when troubleshooting DNSSEC problems from behind a validating
|
||||
@@ -302,20 +388,25 @@
|
||||
the CD flag on queries will cause the resolver to return
|
||||
invalid responses, which <span class="command"><strong>delv</strong></span> can then
|
||||
validate internally and report the errors in detail.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Controls whether to display the CLASS when printing
|
||||
a record. The default is to display the CLASS.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Controls whether to display the TTL when printing
|
||||
a record. The default is to display the TTL.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Toggle resolver fetch logging. This reports the
|
||||
name and type of each query sent by <span class="command"><strong>delv</strong></span>
|
||||
in the process of carrying out the resolution and validation
|
||||
@@ -323,62 +414,69 @@
|
||||
all subsequent queries to follow CNAMEs and to establish a
|
||||
chain of trust for DNSSEC validation.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This is equivalent to setting the debug level to 1 in
|
||||
the "resolver" logging category. Setting the systemwide
|
||||
debug level to 1 using the <code class="option">-d</code> option will
|
||||
product the same output (but will affect other logging
|
||||
categories as well).
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Toggle message logging. This produces a detailed dump of
|
||||
the responses received by <span class="command"><strong>delv</strong></span> in the
|
||||
process of carrying out the resolution and validation process.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This is equivalent to setting the debug level to 10
|
||||
for the "packets" module of the "resolver" logging
|
||||
category. Setting the systemwide debug level to 10 using
|
||||
the <code class="option">-d</code> option will produce the same output
|
||||
(but will affect other logging categories as well).
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Toggle validation logging. This shows the internal
|
||||
process of the validator as it determines whether an
|
||||
answer is validly signed, unsigned, or invalid.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This is equivalent to setting the debug level to 3
|
||||
for the "validator" module of the "dnssec" logging
|
||||
category. Setting the systemwide debug level to 3 using
|
||||
the <code class="option">-d</code> option will produce the same output
|
||||
(but will affect other logging categories as well).
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Provide a terse answer. The default is to print the answer in a
|
||||
verbose form.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Toggle the display of comment lines in the output. The default
|
||||
is to print comments.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Toggle the display of per-record comments in the output (for
|
||||
example, human-readable key information about DNSKEY records).
|
||||
The default is to print per-record comments.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Toggle the display of cryptographic fields in DNSSEC records.
|
||||
The contents of these field are unnecessary to debug most DNSSEC
|
||||
validation failures and removing them makes it easier to see
|
||||
@@ -386,14 +484,18 @@
|
||||
When omitted they are replaced by the string "[omitted]" or
|
||||
in the DNSKEY case the key id is displayed as the replacement,
|
||||
e.g. "[ key id = value ]".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Controls whether to display the trust level when printing
|
||||
a record. The default is to display the trust level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Split long hex- or base64-formatted fields in resource
|
||||
records into chunks of <em class="parameter"><code>W</code></em> characters
|
||||
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
|
||||
@@ -402,24 +504,30 @@
|
||||
<em class="parameter"><code>+split=0</code></em> causes fields not to be
|
||||
split at all. The default is 56 characters, or 44 characters
|
||||
when multiline mode is active.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set or clear the display options
|
||||
<code class="option">+[no]comments</code>,
|
||||
<code class="option">+[no]rrcomments</code>, and
|
||||
<code class="option">+[no]trust</code> as a group.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print long records (such as RRSIG, DNSKEY, and SOA records)
|
||||
in a verbose multi-line format with human-readable comments.
|
||||
The default is to print each record on a single line, to
|
||||
facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
|
||||
output.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Indicates whether to display RRSIG records in the
|
||||
<span class="command"><strong>delv</strong></span> output. The default is to
|
||||
do so. Note that (unlike in <span class="command"><strong>dig</strong></span>)
|
||||
@@ -428,9 +536,11 @@
|
||||
DNSSEC records are always requested, and validation
|
||||
will always occur unless suppressed by the use of
|
||||
<code class="option">-i</code> or <code class="option">+noroot</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Indicates whether to perform conventional
|
||||
DNSSEC validation, and if so, specifies the
|
||||
name of a trust anchor. The default is to validate using
|
||||
@@ -438,44 +548,60 @@
|
||||
a built-in key. If specifying a different trust anchor,
|
||||
then <code class="option">-a</code> must be used to specify a file
|
||||
containing the key.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Controls whether to use TCP when sending queries.
|
||||
The default is to use UDP unless a truncated
|
||||
response has been received.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print all RDATA in unknown RR type presentation format
|
||||
(RFC 3597). The default is to print RDATA for known types
|
||||
in the type's presentation format.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print response data in YAML format.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.4.11"></a><h2>FILES</h2>
|
||||
<p><code class="filename">/etc/bind.keys</code></p>
|
||||
<p><code class="filename">/etc/resolv.conf</code></p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
<p><code class="filename">/etc/bind.keys</code></p>
|
||||
<p><code class="filename">/etc/resolv.conf</code></p>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.4.12"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dig</span>(1)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">RFC4034</em>,
|
||||
<em class="citetitle">RFC4035</em>,
|
||||
<em class="citetitle">RFC4431</em>,
|
||||
<em class="citetitle">RFC5074</em>,
|
||||
<em class="citetitle">RFC5155</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -495,6 +621,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-cds</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dig.html" title="dig">
|
||||
@@ -32,17 +32,44 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-cds"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-cds</span> — change DS records for a child zone based on CDS/CDNSKEY</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-cds</code> [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D</code>] {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>} {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>} [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {domain}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.6.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">dnssec-cds</span>
|
||||
— change DS records for a child zone based on CDS/CDNSKEY
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-cds</code>
|
||||
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-D</code>]
|
||||
{<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>}
|
||||
{<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>}
|
||||
[<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]]
|
||||
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
|
||||
[<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-u</code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-V</code>]
|
||||
{domain}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.6.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
|
||||
a delegation point based on CDS or CDNSKEY records published in
|
||||
the child zone. If both CDS and CDNSKEY records are present in
|
||||
@@ -52,7 +79,7 @@
|
||||
parent can keep the DS records up to date and enable automatic
|
||||
rolling of KSKs.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Two input files are required. The
|
||||
<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
|
||||
option specifies a file containing the child's CDS and/or CDNSKEY
|
||||
@@ -65,27 +92,27 @@
|
||||
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
|
||||
run of <span class="command"><strong>dnssec-cds</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
|
||||
validation logic specified by RFC 7344. It requires that the CDS
|
||||
and/or CDNSKEY records are validly signed by a key represented in the
|
||||
existing DS records. This will typically be the pre-existing
|
||||
key-signing key (KSK).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
For protection against replay attacks, the signatures on the
|
||||
child records must not be older than they were on a previous run
|
||||
of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
|
||||
modification time of the <code class="filename">dsset-</code> file, or
|
||||
from the <code class="option">-s</code> option.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To protect against breaking the delegation,
|
||||
<span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
|
||||
verified by every key algorithm in the new DS RRset, and that the
|
||||
same set of keys are covered by every DS digest type.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
By default, replacement DS records are written to the standard
|
||||
output; with the <code class="option">-i</code> option the input file is
|
||||
overwritten in place. The replacement DS records will be the
|
||||
@@ -93,49 +120,56 @@
|
||||
output can be empty if the CDS / CDNSKEY records specify that
|
||||
the child zone wants to go insecure.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Warning: Be careful not to delete the DS records
|
||||
when <span class="command"><strong>dnssec-cds</strong></span> fails!
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
|
||||
an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
|
||||
You can use the <code class="option">-u</code> and <code class="option">-i</code>
|
||||
options together to maintain a <code class="filename">dsset-</code> file
|
||||
as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.6.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specify a digest algorithm to use when converting CDNSKEY
|
||||
records to DS records. This option can be repeated, so
|
||||
that multiple DS records are created for each CDNSKEY
|
||||
record. This option has no effect when using CDS records.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <em class="replaceable"><code>algorithm</code></em> must be one of
|
||||
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
|
||||
and the hyphen may be omitted. If no algorithm is specified,
|
||||
the default is SHA-256.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the DNS class of the zones.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Generate DS records from CDNSKEY records if both CDS and
|
||||
CDNSKEY records are present in the child zone. By default
|
||||
CDS records are preferred.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Location of the parent DS records.
|
||||
The <em class="replaceable"><code>path</code></em> can be the name of a file
|
||||
containing the DS records, or if it is a
|
||||
@@ -143,31 +177,31 @@
|
||||
a <code class="filename">dsset-</code> file for
|
||||
the <em class="replaceable"><code>domain</code></em> inside the directory.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To protect against replay attacks, child records are
|
||||
rejected if they were signed earlier than the modification
|
||||
time of the <code class="filename">dsset-</code> file. This can be
|
||||
adjusted with the <code class="option">-s</code> option.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
File containing the child's CDS and/or CDNSKEY records,
|
||||
plus its DNSKEY records and the covering RRSIG records so
|
||||
that they can be authenticated.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The EXAMPLES below describe how to generate this file.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Update the <code class="filename">dsset-</code> file in place,
|
||||
instead of writing DS records to the standard output.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
There must be no space between the <code class="option">-i</code> and
|
||||
the <em class="replaceable"><code>extension</code></em>. If you provide
|
||||
no <em class="replaceable"><code>extension</code></em> then the
|
||||
@@ -177,17 +211,17 @@
|
||||
with the <em class="replaceable"><code>extension</code></em> appended to
|
||||
its filename.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To protect against replay attacks, the modification time
|
||||
of the <code class="filename">dsset-</code> file is set to match
|
||||
the signature inception time of the child records,
|
||||
provided that is later than the file's current
|
||||
modification time.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specify the date and time after which RRSIG records become
|
||||
acceptable. This can be either an absolute or relative
|
||||
time. An absolute start time is indicated by a number in
|
||||
@@ -197,69 +231,82 @@
|
||||
which is N seconds before the file modification time. A
|
||||
time relative to the current time is indicated with now+N.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If no <em class="replaceable"><code>start-time</code></em> is specified, the
|
||||
modification time of the <code class="filename">dsset-</code> file
|
||||
is used.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a TTL to be used for new DS records. If not
|
||||
specified, the default is the TTL of the old DS records.
|
||||
If they had no explicit TTL then the new DS records also
|
||||
have no explicit TTL.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-u</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Write an <span class="command"><strong>nsupdate</strong></span> script to the
|
||||
standard output, instead of printing the new DS reords.
|
||||
The output will be empty if no change is needed.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Note: The TTL of new records needs to be specified, either
|
||||
in the original <code class="filename">dsset-</code> file, or with
|
||||
the <code class="option">-T</code> option, or using
|
||||
the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
|
||||
command.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print version information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level. Level 1 is intended to be
|
||||
usefully verbose for general users; higher levels are
|
||||
intended for developers.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The name of the delegation point / child zone apex.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.6.9"></a><h2>EXIT STATUS</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
|
||||
non-zero if an error occurred.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
In the success case, the DS records might or might not need
|
||||
to be changed.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.6.10"></a><h2>EXAMPLES</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
|
||||
that the delegations are up-to-date by running
|
||||
<span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
|
||||
you can invoke <span class="command"><strong>dig</strong></span> as in the script below. It's
|
||||
okay if the <span class="command"><strong>dig</strong></span> fails since
|
||||
@@ -272,7 +319,8 @@ do
|
||||
dnssec-cds -i -f /dev/stdin -d $f $d
|
||||
done
|
||||
</pre>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
When the parent zone is automatically signed by
|
||||
<span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
|
||||
with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
|
||||
@@ -285,18 +333,30 @@ dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
|
||||
dnssec-cds -u -i -f /dev/stdin -d $f $d |
|
||||
nsupdate -l
|
||||
</pre>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.6.11"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dig</span>(1)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-settime</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">nsupdate</span>(1)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 7344</em>.
|
||||
</p>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -316,6 +376,6 @@ nsupdate -l
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-checkds</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-cds.html" title="dnssec-cds">
|
||||
@@ -32,70 +32,110 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-checkds"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-checkds</span> — DNSSEC delegation consistency checking tool</p>
|
||||
<p>
|
||||
<span class="application">dnssec-checkds</span>
|
||||
— DNSSEC delegation consistency checking tool
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code> [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s <em class="replaceable"><code>file</code></em></code>] {zone}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-checkds</code>
|
||||
[<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
|
||||
[<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
|
||||
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
|
||||
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>file</code></em></code>]
|
||||
{zone}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.7.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-checkds</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-checkds</strong></span>
|
||||
verifies the correctness of Delegation Signer (DS)
|
||||
resource records for keys in a specified zone.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.7.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specify a digest algorithm to use when converting the
|
||||
zone's DNSKEY records to expected DS records. This
|
||||
option can be repeated, so that multiple records are
|
||||
checked for each DNSKEY record.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <em class="replaceable"><code>algorithm</code></em> must be one of
|
||||
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
|
||||
and the hyphen may be omitted. If no algorithm is specified,
|
||||
the default is SHA-256.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If a <code class="option">file</code> is specified, then the zone is
|
||||
read from that file to find the DNSKEY records. If not,
|
||||
then the DNSKEY records for the zone are looked up in the DNS.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>file</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a prepared dsset file, such as would be generated
|
||||
by <span class="command"><strong>dnssec-signzone</strong></span>, to use as a source for
|
||||
the DS RRset instead of querying the parent.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a path to a <span class="command"><strong>dig</strong></span> binary. Used
|
||||
for testing.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a path to a <span class="command"><strong>dnssec-dsfromkey</strong></span> binary.
|
||||
Used for testing.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.7.9"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-dsfromkey</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>,
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -116,6 +156,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-coverage</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
|
||||
@@ -32,22 +32,47 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-coverage</span> — checks future DNSKEY coverage for a zone</p>
|
||||
<p>
|
||||
<span class="application">dnssec-coverage</span>
|
||||
— checks future DNSKEY coverage for a zone
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone...]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-coverage</code>
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
|
||||
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
|
||||
[<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
|
||||
[<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
|
||||
[<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
|
||||
[<code class="option">-k</code>]
|
||||
[<code class="option">-z</code>]
|
||||
[zone...]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.8.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-coverage</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-coverage</strong></span>
|
||||
verifies that the DNSSEC keys for a given zone or a set of zones
|
||||
have timing metadata set properly to ensure no future lapses in DNSSEC
|
||||
coverage.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If <code class="option">zone</code> is specified, then keys found in
|
||||
the key repository matching that zone are scanned, and an ordered
|
||||
list is generated of the events scheduled for that key (i.e.,
|
||||
@@ -60,47 +85,54 @@
|
||||
key is rolled, and cached data signed by the prior key has not had
|
||||
time to expire from resolver caches.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If <code class="option">zone</code> is not specified, then all keys in the
|
||||
key repository will be scanned, and all zones for which there are
|
||||
keys will be analyzed. (Note: This method of reporting is only
|
||||
accurate if all the zones that have keys in a given repository
|
||||
share the same TTL parameters.)
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.8.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the directory in which keys can be found. Defaults to the
|
||||
current working directory.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If a <code class="option">file</code> is specified, then the zone is
|
||||
read from that file; the largest TTL and the DNSKEY TTL are
|
||||
determined directly from the zone data, and the
|
||||
<code class="option">-m</code> and <code class="option">-d</code> options do
|
||||
not need to be specified on the command line.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
The length of time to check for DNSSEC coverage. Key events
|
||||
scheduled further into the future than <code class="option">duration</code>
|
||||
will be ignored, and assumed to be correct.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The value of <code class="option">duration</code> can be set in seconds,
|
||||
or in larger units of time by adding a suffix: 'mi' for minutes,
|
||||
'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
|
||||
'y' for years.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Sets the value to be used as the maximum TTL for the zone or
|
||||
zones being analyzed when determining whether there is a
|
||||
possibility of validation failure. When a zone-signing key is
|
||||
@@ -109,26 +141,26 @@
|
||||
before that key can be purged from the DNSKEY RRset. If that
|
||||
condition does not apply, a warning will be generated.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The length of the TTL can be set in seconds, or in larger units
|
||||
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
|
||||
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This option is not necessary if the <code class="option">-f</code> has
|
||||
been used to specify a zone file. If <code class="option">-f</code> has
|
||||
been specified, this option may still be used; it will override
|
||||
the value found in the file.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If this option is not used and the maximum TTL cannot be retrieved
|
||||
from a zone file, a warning is generated and a default value of
|
||||
1 week is used.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Sets the value to be used as the DNSKEY TTL for the zone or
|
||||
zones being analyzed when determining whether there is a
|
||||
possibility of validation failure. When a key is rolled (that
|
||||
@@ -137,12 +169,12 @@
|
||||
the new key is activated and begins generating signatures. If
|
||||
that condition does not apply, a warning will be generated.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The length of the TTL can be set in seconds, or in larger units
|
||||
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
|
||||
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This option is not necessary if <code class="option">-f</code> has
|
||||
been used to specify a zone file from which the TTL
|
||||
of the DNSKEY RRset can be read, or if a default key TTL was
|
||||
@@ -151,15 +183,15 @@
|
||||
this option may still be used; it will override the values
|
||||
found in the zone file or the key file.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If this option is not used and the key TTL cannot be retrieved
|
||||
from the zone file or the key file, then a warning is generated
|
||||
and a default value of 1 day is used.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Sets the value to be used as the resign interval for the zone
|
||||
or zones being analyzed when determining whether there is a
|
||||
possibility of validation failure. This value defaults to
|
||||
@@ -169,38 +201,55 @@
|
||||
<code class="filename">named.conf</code>, then it should also be
|
||||
changed here.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The length of the interval can be set in seconds, or in larger
|
||||
units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
|
||||
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-k</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Only check KSK coverage; ignore ZSK events. Cannot be
|
||||
used with <code class="option">-z</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-z</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Only check ZSK coverage; ignore KSK events. Cannot be
|
||||
used with <code class="option">-k</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
|
||||
Used for testing.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.8.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-checkds</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-dsfromkey</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -221,6 +270,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-dsfromkey</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
|
||||
@@ -32,66 +32,145 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [ <code class="option">-1</code> | <code class="option">-2</code> | <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code> | <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] {keyfile}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [ <code class="option">-1</code> | <code class="option">-2</code> | <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code> | <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-A</code>] {<code class="option">-f <em class="replaceable"><code>file</code></em></code>} [dnsname]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [ <code class="option">-1</code> | <code class="option">-2</code> | <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code> | <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] {-s} {dnsname}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [ <code class="option">-h</code> | <code class="option">-V</code> ]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.9.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">dnssec-dsfromkey</span>
|
||||
— DNSSEC DS RR generation tool
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-dsfromkey</code>
|
||||
[
|
||||
<code class="option">-1</code>
|
||||
| <code class="option">-2</code>
|
||||
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
|
||||
]
|
||||
[
|
||||
<code class="option">-C</code>
|
||||
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
|
||||
]
|
||||
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
{keyfile}
|
||||
</p></div>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-dsfromkey</code>
|
||||
[
|
||||
<code class="option">-1</code>
|
||||
| <code class="option">-2</code>
|
||||
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
|
||||
]
|
||||
[
|
||||
<code class="option">-C</code>
|
||||
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
|
||||
]
|
||||
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-A</code>]
|
||||
{<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
|
||||
[dnsname]
|
||||
</p></div>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-dsfromkey</code>
|
||||
[
|
||||
<code class="option">-1</code>
|
||||
| <code class="option">-2</code>
|
||||
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
|
||||
]
|
||||
[
|
||||
<code class="option">-C</code>
|
||||
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
|
||||
]
|
||||
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
{-s}
|
||||
{dnsname}
|
||||
</p></div>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-dsfromkey</code>
|
||||
[
|
||||
<code class="option">-h</code>
|
||||
| <code class="option">-V</code>
|
||||
]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.9.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
|
||||
Signer) resource records (RRs), or CDS (Child DS) RRs with the
|
||||
<code class="option">-C</code> option.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The input keys can be specified in a number of ways:
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
|
||||
named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
|
||||
by <span class="command"><strong>dnssec-keygen</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
|
||||
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
|
||||
or partial zone file (which can contain just the DNSKEY records).
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
With the <code class="option">-s</code>
|
||||
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
|
||||
a <code class="filename">keyset-</code> file, as generated
|
||||
by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.9.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-1</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
An abbreviation for <code class="option">-a SHA-1</code>.
|
||||
(Note: The SHA-1 algorithm is no longer recommended for use
|
||||
when generating new DS and CDS records.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-2</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
An abbreviation for <code class="option">-a SHA-256</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specify a digest algorithm to use when converting DNSKEY
|
||||
records to DS records. This option can be repeated, so
|
||||
that multiple DS records are created for each DNSKEY
|
||||
record.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <em class="replaceable"><code>algorithm</code></em> must be one of
|
||||
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
|
||||
and the hyphen may be omitted. If no algorithm is specified,
|
||||
@@ -99,117 +178,149 @@
|
||||
(Note: The SHA-1 algorithm is no longer recommended for use
|
||||
when generating new DS and CDS records.)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-A</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Include ZSKs when generating DS records. Without this option, only
|
||||
keys which have the KSK flag set will be converted to DS records
|
||||
and printed. Useful only in <code class="option">-f</code> zone file mode.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the DNS class (default is IN). Useful only
|
||||
in <code class="option">-s</code> keyset or <code class="option">-f</code>
|
||||
zone file mode.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-C</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Generate CDS records rather than DS records.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
|
||||
final <em class="replaceable"><code>dnsname</code></em> argument is
|
||||
the DNS domain name of a zone whose master file can be read
|
||||
from <code class="option">file</code>. If the zone name is the same as
|
||||
<code class="option">file</code>, then it may be omitted.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
|
||||
the zone data is read from the standard input. This makes it
|
||||
possible to use the output of the <span class="command"><strong>dig</strong></span>
|
||||
command as input, as in:
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints usage information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Look for key files or <code class="filename">keyset-</code> files in
|
||||
<code class="option">directory</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
|
||||
final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
|
||||
domain name used to locate a <code class="filename">keyset-</code> file.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the TTL of the DS records. By default the TTL is omitted.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints version information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.9.9"></a><h2>EXAMPLE</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
To build the SHA-256 DS RR from the
|
||||
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
|
||||
keyfile name, you can issue the following command:
|
||||
</p>
|
||||
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
|
||||
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The command would print something like:
|
||||
</p>
|
||||
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
|
||||
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.9.10"></a><h2>FILES</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The keyfile can be designated by the key identification
|
||||
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
|
||||
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The keyset file name is built from the <code class="option">directory</code>,
|
||||
the string <code class="filename">keyset-</code> and the
|
||||
<code class="option">dnsname</code>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.9.11"></a><h2>CAVEAT</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
A keyfile error can give a "file not found" even if the file exists.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.9.12"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 3658</em> (DS RRs),
|
||||
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
|
||||
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
|
||||
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -230,6 +341,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-importkey</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
|
||||
@@ -32,18 +32,56 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-importkey</span> — import DNSKEY records from external systems so they can be managed</p>
|
||||
<p>
|
||||
<span class="application">dnssec-importkey</span>
|
||||
— import DNSKEY records from external systems so they can be managed
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-importkey</code>
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-V</code>]
|
||||
{<code class="option">keyfile</code>}
|
||||
</p></div>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-importkey</code>
|
||||
{<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-V</code>]
|
||||
[<code class="option">dnsname</code>]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.10.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-importkey</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-importkey</strong></span>
|
||||
reads a public DNSKEY record and generates a pair of
|
||||
.key/.private files. The DNSKEY record may be read from an
|
||||
existing .key file, in which case a corresponding .private file
|
||||
@@ -51,7 +89,7 @@
|
||||
from the standard input, in which case both .key and .private
|
||||
files will be generated.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The newly-created .private file does <span class="emphasis"><em>not</em></span>
|
||||
contain private key data, and cannot be used for signing.
|
||||
However, having a .private file makes it possible to set
|
||||
@@ -60,53 +98,68 @@
|
||||
public key can be added to and removed from the DNSKEY RRset
|
||||
on schedule even if the true private key is stored offline.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.10.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Zone file mode: instead of a public keyfile name, the argument
|
||||
is the DNS domain name of a zone master file, which can be read
|
||||
from <code class="option">file</code>. If the domain name is the same as
|
||||
<code class="option">file</code>, then it may be omitted.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
|
||||
the zone data is read from the standard input.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the directory in which the key files are to reside.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the default TTL to use for this key when it is converted
|
||||
into a DNSKEY RR. If the key is imported into a zone,
|
||||
this is the TTL that will be used for it, unless there was
|
||||
already a DNSKEY RRset in place, in which case the existing TTL
|
||||
would take precedence. Setting the default TTL to
|
||||
<code class="literal">0</code> or <code class="literal">none</code> removes it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Emit usage message and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints version information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.10.9"></a><h2>TIMING OPTIONS</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
@@ -117,48 +170,66 @@
|
||||
is computed in seconds. To explicitly prevent a date from being
|
||||
set, use 'none' or 'never'.
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which CDS and CDNSKEY records that match this
|
||||
key are to be published to the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the CDS and CDNSKEY records that match
|
||||
this key are to be deleted.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.10.10"></a><h2>FILES</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
A keyfile can be designed by the key identification
|
||||
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
|
||||
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8).
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.10.11"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 5011</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -179,6 +250,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-keyfromlabel</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
|
||||
@@ -32,17 +32,58 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
|
||||
<p>
|
||||
<span class="application">dnssec-keyfromlabel</span>
|
||||
— DNSSEC key generation tool
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-keyfromlabel</code>
|
||||
{-l <em class="replaceable"><code>label</code></em>}
|
||||
[<code class="option">-3</code>]
|
||||
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
|
||||
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
|
||||
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
|
||||
[<code class="option">-G</code>]
|
||||
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
|
||||
[<code class="option">-k</code>]
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
|
||||
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
|
||||
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-V</code>]
|
||||
[<code class="option">-y</code>]
|
||||
{name}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.11.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
|
||||
generates a key pair of files that referencing a key object stored
|
||||
in a cryptographic hardware service module (HSM). The private key
|
||||
file can be used for DNSSEC signing of zone data as if it were a
|
||||
@@ -50,58 +91,63 @@
|
||||
but the key material is stored within the HSM, and the actual signing
|
||||
takes place there.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">name</code> of the key is specified on the command
|
||||
line. This must match the name of the zone for which the key is
|
||||
being generated.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.11.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Selects the cryptographic algorithm. The value of
|
||||
<code class="option">algorithm</code> must be one of RSASHA1,
|
||||
NSEC3RSASHA1, RSASHA256, RSASHA512,
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If no algorithm is specified, then RSASHA1 will be used by
|
||||
default, unless the <code class="option">-3</code> option is specified,
|
||||
in which case NSEC3RSASHA1 will be used instead. (If
|
||||
<code class="option">-3</code> is used and an algorithm is specified,
|
||||
that algorithm will be checked for compatibility with NSEC3.)
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
These values are case insensitive. In some cases, abbreviations
|
||||
are supported, such as ECDSA256 for ECDSAP256SHA256 and
|
||||
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
|
||||
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
|
||||
will be used instead.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
As of BIND 9.12.0, this option is mandatory except when using
|
||||
the <code class="option">-S</code> option (which copies the algorithm from
|
||||
the predecessory key). Previously, the default for newly
|
||||
generated keys was RSASHA1.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-3</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used with an algorithm that has both
|
||||
NSEC and NSEC3 versions, then the NSEC3 version will be
|
||||
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
|
||||
specifies the NSEC3RSASHA1 algorithm.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specifies the cryptographic hardware to use.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When BIND is built with OpenSSL PKCS#11 support, this defaults
|
||||
to the string "pkcs11", which identifies an OpenSSL engine
|
||||
that can drive a cryptographic accelerator or hardware service
|
||||
@@ -109,18 +155,18 @@
|
||||
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
|
||||
provider library specified via "--with-pkcs11".
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specifies the label for a key pair in the crypto hardware.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
|
||||
PKCS#11 support, the label is an arbitrary string that
|
||||
identifies a particular key.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
|
||||
support, the label is a PKCS#11 URI string in the format
|
||||
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
|
||||
@@ -129,7 +175,7 @@
|
||||
which the HSM's PIN code can be obtained. The label will be
|
||||
stored in the on-disk "private" file.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If the label contains a
|
||||
<code class="option">pin-source</code> field, tools using the generated
|
||||
key files will be able to use the HSM for signing and other
|
||||
@@ -138,18 +184,21 @@
|
||||
may reduce the security advantage of using an HSM; be sure
|
||||
this is what you want to do before making use of this feature.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the owner type of the key. The value of
|
||||
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
|
||||
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
|
||||
a host (KEY)),
|
||||
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
|
||||
These values are case insensitive.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-C</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Compatibility mode: generates an old-style key, without
|
||||
any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
|
||||
will include the key's creation date in the metadata stored
|
||||
@@ -157,53 +206,71 @@
|
||||
(publication date, activation date, etc). Keys that include
|
||||
this data may be incompatible with older versions of BIND; the
|
||||
<code class="option">-C</code> option suppresses them.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Indicates that the DNS record containing the key should have
|
||||
the specified class. If not specified, class IN is used.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record.
|
||||
The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-G</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Generate a key, but do not publish it or sign with it. This
|
||||
option is incompatible with -P and -A.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints a short summary of the options and arguments to
|
||||
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the directory in which the key files are to be written.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-k</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Generate KEY records rather than DNSKEY records.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the default TTL to use for this key when it is converted
|
||||
into a DNSKEY RR. If the key is imported into a zone,
|
||||
this is the TTL that will be used for it, unless there was
|
||||
already a DNSKEY RRset in place, in which case the existing TTL
|
||||
would take precedence. Setting the default TTL to
|
||||
<code class="literal">0</code> or <code class="literal">none</code> removes it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the protocol value for the key. The protocol
|
||||
is a number between 0 and 255. The default is 3 (DNSSEC).
|
||||
Other possible values for this argument are listed in
|
||||
RFC 2535 and its successors.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Generate a key as an explicit successor to an existing key.
|
||||
The name, algorithm, size, and type of the key will be set
|
||||
to match the predecessor. The activation date of the new
|
||||
@@ -211,35 +278,47 @@
|
||||
one. The publication date will be set to the activation
|
||||
date minus the prepublication interval, which defaults to
|
||||
30 days.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Indicates the use of the key. <code class="option">type</code> must be
|
||||
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
|
||||
is AUTHCONF. AUTH refers to the ability to authenticate
|
||||
data, and CONF the ability to encrypt data.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints version information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-y</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Allows DNSSEC key files to be generated even if the key ID
|
||||
would collide with that of an existing key, in the event of
|
||||
either key being revoked. (This is only safe to use if you
|
||||
are sure you won't be using RFC 5011 trust anchor maintenance
|
||||
with either of the keys involved.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.11.9"></a><h2>TIMING OPTIONS</h2>
|
||||
<p>
|
||||
|
||||
|
||||
<p>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
@@ -250,52 +329,67 @@
|
||||
is computed in seconds. To explicitly prevent a date from being
|
||||
set, use 'none' or 'never'.
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it. If not set, and if the -G option has
|
||||
not been used, the default is "now".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the CDS and CDNSKEY records which match
|
||||
this key are to be published to the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it. If not set, and if the -G option has not been used, the
|
||||
default is "now".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the CDS and CDNSKEY records which match
|
||||
this key are to be deleted.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Sets the prepublication interval for a key. If set, then
|
||||
the publication and activation dates must be separated by at least
|
||||
this much time. If the activation date is specified but the
|
||||
@@ -304,69 +398,84 @@
|
||||
the publication date is specified but activation date isn't,
|
||||
then activation will be set to this much time after publication.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If the key is being created as an explicit successor to another
|
||||
key, then the default prepublication interval is 30 days;
|
||||
otherwise it is zero.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
As with date offsets, if the argument is followed by one of
|
||||
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
|
||||
interval is measured in years, months, weeks, days, hours,
|
||||
or minutes, respectively. Without a suffix, the interval is
|
||||
measured in seconds.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.11.10"></a><h2>GENERATED KEY FILES</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
|
||||
successfully,
|
||||
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
|
||||
to the standard output. This is an identification string for
|
||||
the key files it has generated.
|
||||
</p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
|
||||
</p></li>
|
||||
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p><code class="filename">nnnn</code> is the key name.
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p><code class="filename">aaa</code> is the numeric representation
|
||||
of the algorithm.
|
||||
</p></li>
|
||||
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p><code class="filename">iiiii</code> is the key identifier (or
|
||||
footprint).
|
||||
</p></li>
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
|
||||
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
|
||||
creates two files, with names based
|
||||
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
|
||||
contains the public key, and
|
||||
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
|
||||
private key.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="filename">.key</code> file contains a DNS KEY record
|
||||
that
|
||||
can be inserted into a zone file (directly or with a $INCLUDE
|
||||
statement).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="filename">.private</code> file contains
|
||||
algorithm-specific
|
||||
fields. For obvious security reasons, this file does not have
|
||||
general read permission.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.11.11"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 4034</em>,
|
||||
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -387,6 +496,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-keygen</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
|
||||
@@ -32,49 +32,102 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
|
||||
<p>
|
||||
<span class="application">dnssec-keygen</span>
|
||||
— DNSSEC key generation tool
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-d <em class="replaceable"><code>bits</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>policy</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-l <em class="replaceable"><code>file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em 
class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-keygen</code>
|
||||
[<code class="option">-3</code>]
|
||||
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
|
||||
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
|
||||
[<code class="option">-C</code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
|
||||
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
|
||||
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
|
||||
[<code class="option">-G</code>]
|
||||
[<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
|
||||
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
|
||||
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
|
||||
[<code class="option">-q</code>]
|
||||
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
|
||||
[<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
|
||||
[<code class="option">-V</code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
{name}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.12.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-keygen</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-keygen</strong></span>
|
||||
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
|
||||
and RFC 4034. It can also generate keys for use with
|
||||
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
|
||||
(Transaction Key) as defined in RFC 2930.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">name</code> of the key is specified on the command
|
||||
line. For DNSSEC keys, this must match the name of the zone for
|
||||
which the key is being generated.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
|
||||
around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
|
||||
as needed to enforce defined security policies such as key rollover
|
||||
scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
|
||||
to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.12.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-3</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used with an algorithm that has both
|
||||
NSEC and NSEC3 versions, then the NSEC3 version will be
|
||||
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
|
||||
specifies the NSEC3RSASHA1 algorithm.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Selects the cryptographic algorithm. For DNSSEC keys, the value
|
||||
of <code class="option">algorithm</code> must be one of RSASHA1,
|
||||
NSEC3RSASHA1, RSASHA256, RSASHA512,
|
||||
@@ -83,42 +136,43 @@
|
||||
his value will automatically set the <code class="option">-T KEY</code>
|
||||
option as well.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
These values are case insensitive. In some cases, abbreviations
|
||||
are supported, such as ECDSA256 for ECDSAP256SHA256 and
|
||||
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
|
||||
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
|
||||
will be used instead.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This parameter <span class="emphasis"><em>must</em></span> be specified except
|
||||
when using the <code class="option">-S</code> option, which copies the
|
||||
algorithm from the predecessor key.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
In prior releases, HMAC algorithms could be generated for
|
||||
use as TSIG keys, but that feature has been removed as of
|
||||
BIND 9.13.0. Use <span class="command"><strong>tsig-keygen</strong></span> to generate
|
||||
TSIG keys.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specifies the number of bits in the key. The choice of key
|
||||
size depends on the algorithm used. RSA keys must be
|
||||
between 1024 and 4096 bits. Diffie Hellman keys must be between
|
||||
128 and 4096 bits. Elliptic curve algorithms don't need this
|
||||
parameter.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If the key size is not specified, some algorithms have
|
||||
pre-defined defaults. For instance, RSA keys have a default
|
||||
size of 2048 bits.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-C</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Compatibility mode: generates an old-style key, without any
|
||||
timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
|
||||
will include the key's creation date in the metadata stored with
|
||||
@@ -126,25 +180,30 @@
|
||||
(publication date, activation date, etc). Keys that include this
|
||||
data may be incompatible with older versions of BIND; the
|
||||
<code class="option">-C</code> option suppresses them.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Indicates that the DNS record containing the key should have
|
||||
the specified class. If not specified, class IN is used.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
|
||||
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
|
||||
DH size is between 128 and 4096. This option is ignored for
|
||||
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specifies the cryptographic hardware to use, when applicable.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When BIND is built with OpenSSL PKCS#11 support, this defaults
|
||||
to the string "pkcs11", which identifies an OpenSSL engine
|
||||
that can drive a cryptographic accelerator or hardware service
|
||||
@@ -152,50 +211,61 @@
|
||||
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
|
||||
provider library specified via "--with-pkcs11".
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record.
|
||||
The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-G</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Generate a key, but do not publish it or sign with it. This
|
||||
option is incompatible with -P and -A.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If generating a Diffie Hellman key, use this generator.
|
||||
Allowed values are 2 and 5. If no generator
|
||||
is specified, a known prime from RFC 2539 will be used
|
||||
if possible; otherwise the default is 2.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints a short summary of the options and arguments to
|
||||
<span class="command"><strong>dnssec-keygen</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the directory in which the key files are to be written.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Create keys for a specific dnssec-policy. If a policy uses
|
||||
multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
|
||||
multiple keys. This will also create a ".state" file to keep
|
||||
track of the key state.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This option creates keys according to the dnssec-policy
|
||||
configuration, hence it cannot be used together with many of
|
||||
the other options that <span class="command"><strong>dnssec-keygen</strong></span>
|
||||
provides.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the default TTL to use for this key when it is converted
|
||||
into a DNSKEY RR. If the key is imported into a zone,
|
||||
this is the TTL that will be used for it, unless there was
|
||||
@@ -204,30 +274,38 @@
|
||||
is no existing DNSKEY RRset, the TTL will default to the
|
||||
SOA TTL. Setting the default TTL to <code class="literal">0</code>
|
||||
or <code class="literal">none</code> is the same as leaving it unset.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Provide a configuration file that contains a dnssec-policy
|
||||
statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the owner type of the key. The value of
|
||||
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
|
||||
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
|
||||
with a host (KEY)), USER (for a key associated with a
|
||||
user(KEY)) or OTHER (DNSKEY). These values are case
|
||||
insensitive. Defaults to ZONE for DNSKEY generation.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the protocol value for the generated key, for use
|
||||
with <code class="option">-T KEY</code>. The protocol is a number between 0
|
||||
and 255. The default is 3 (DNSSEC). Other possible values for
|
||||
this argument are listed in RFC 2535 and its successors.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Quiet mode: Suppresses unnecessary output, including
|
||||
progress indication. Without this option, when
|
||||
<span class="command"><strong>dnssec-keygen</strong></span> is run interactively
|
||||
@@ -239,9 +317,11 @@
|
||||
round of the Miller-Rabin primality test; a space
|
||||
means that the number has passed all the tests and is
|
||||
a satisfactory key.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Create a new key which is an explicit successor to an
|
||||
existing key. The name, algorithm, size, and type of the
|
||||
key will be set to match the existing key. The activation
|
||||
@@ -249,41 +329,55 @@
|
||||
the existing one. The publication date will be set to the
|
||||
activation date minus the prepublication interval, which
|
||||
defaults to 30 days.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the strength value of the key. The strength is
|
||||
a number between 0 and 15, and currently has no defined
|
||||
purpose in DNSSEC.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the resource record type to use for the key.
|
||||
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
|
||||
default is DNSKEY when using a DNSSEC algorithm, but it can be
|
||||
overridden to KEY for use with SIG(0).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Indicates the use of the key, for use with <code class="option">-T
|
||||
KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
|
||||
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
|
||||
refers to the ability to authenticate data, and CONF the ability
|
||||
to encrypt data.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints version information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.12.9"></a><h2>TIMING OPTIONS</h2>
|
||||
<p>
|
||||
|
||||
|
||||
<p>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
@@ -294,54 +388,69 @@
|
||||
is computed in seconds. To explicitly prevent a date from being
|
||||
set, use 'none' or 'never'.
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it. If not set, and if the -G option has
|
||||
not been used, the default is "now".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which CDS and CDNSKEY records that match this
|
||||
key are to be published to the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it. If not set, and if the -G option has not been used, the
|
||||
default is "now". If set, if and -P is not set, then
|
||||
the publication date will be set to the activation date
|
||||
minus the prepublication interval.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the date on which the CDS and CDNSKEY records that match this
|
||||
key are to be deleted.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Sets the prepublication interval for a key. If set, then
|
||||
the publication and activation dates must be separated by at least
|
||||
this much time. If the activation date is specified but the
|
||||
@@ -350,42 +459,51 @@
|
||||
the publication date is specified but activation date isn't,
|
||||
then activation will be set to this much time after publication.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If the key is being created as an explicit successor to another
|
||||
key, then the default prepublication interval is 30 days;
|
||||
otherwise it is zero.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
As with date offsets, if the argument is followed by one of
|
||||
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
|
||||
interval is measured in years, months, weeks, days, hours,
|
||||
or minutes, respectively. Without a suffix, the interval is
|
||||
measured in seconds.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.12.10"></a><h2>GENERATED KEYS</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
When <span class="command"><strong>dnssec-keygen</strong></span> completes
|
||||
successfully,
|
||||
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
|
||||
to the standard output. This is an identification string for
|
||||
the key it has generated.
|
||||
</p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
|
||||
</p></li>
|
||||
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p><code class="filename">nnnn</code> is the key name.
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p><code class="filename">aaa</code> is the numeric representation
|
||||
of the
|
||||
algorithm.
|
||||
</p></li>
|
||||
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p><code class="filename">iiiii</code> is the key identifier (or
|
||||
footprint).
|
||||
</p></li>
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
<p><span class="command"><strong>dnssec-keygen</strong></span>
|
||||
<p><span class="command"><strong>dnssec-keygen</strong></span>
|
||||
creates two files, with names based
|
||||
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
|
||||
contains the public key, and
|
||||
@@ -393,7 +511,7 @@
|
||||
private
|
||||
key.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
|
||||
When a zone is being signed by <span class="command"><strong>named</strong></span>
|
||||
or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
|
||||
@@ -401,49 +519,56 @@
|
||||
the <code class="filename">.key</code> file can be inserted into a zone file
|
||||
manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="filename">.private</code> file contains
|
||||
algorithm-specific
|
||||
fields. For obvious security reasons, this file does not have
|
||||
general read permission.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.12.11"></a><h2>EXAMPLE</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
To generate an ECDSAP256SHA256 zone-signing key for the zone
|
||||
<strong class="userinput"><code>example.com</code></strong>, issue the command:
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The command would print a string of the form:
|
||||
</p>
|
||||
<p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
|
||||
<p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
|
||||
the files <code class="filename">Kexample.com.+013+26160.key</code>
|
||||
and
|
||||
<code class="filename">Kexample.com.+013+26160.private</code>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To generate a matching key-signing key, issue the command:
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.12.12"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 2539</em>,
|
||||
<em class="citetitle">RFC 2845</em>,
|
||||
<em class="citetitle">RFC 4034</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -464,6 +589,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-keymgr</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
|
||||
@@ -32,24 +32,48 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-keymgr</span> — Ensures correct DNSKEY coverage for a zone based on a defined policy</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-keymgr</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-c <em class="replaceable"><code>file</code></em></code>] [<code class="option">-f</code>] [<code class="option">-k</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-z</code>] [<code class="option">-g <em class="replaceable"><code>path</code></em></code>] [<code class="option">-s <em class="replaceable"><code>path</code></em></code>] [zone...]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.13.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">dnssec-keymgr</span>
|
||||
— Ensures correct DNSKEY coverage for a zone based on a defined policy
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-keymgr</code>
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
|
||||
[<code class="option">-f</code>]
|
||||
[<code class="option">-k</code>]
|
||||
[<code class="option">-q</code>]
|
||||
[<code class="option">-v</code>]
|
||||
[<code class="option">-z</code>]
|
||||
[<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
|
||||
[zone...]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.13.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
|
||||
to facilitate the key rollover process for zones handled by
|
||||
BIND. It uses the BIND commands for manipulating DNSSEC key
|
||||
metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
|
||||
<span class="command"><strong>dnssec-settime</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
DNSSEC policy can be read from a configuration file (default
|
||||
<code class="filename">/etc/dnssec-policy.conf</code>), from which the
|
||||
key parameters, publication and rollover schedule, and desired
|
||||
@@ -58,14 +82,14 @@
|
||||
per-zone basis, or to set a "<code class="literal">default</code>" policy
|
||||
used for all zones.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
|
||||
keys for one or more zones, comparing their timing metadata against
|
||||
the policies for those zones. If key settings do not conform to the
|
||||
DNSSEC policy (for example, because the policy has been changed),
|
||||
they are automatically corrected.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
A zone policy can specify a duration for which we want to
|
||||
ensure the key correctness (<code class="option">coverage</code>). It can
|
||||
also specify a rollover period (<code class="option">roll-period</code>).
|
||||
@@ -73,43 +97,47 @@
|
||||
coverage period ends, then a successor key will automatically be
|
||||
created and added to the end of the key series.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If zones are specified on the command line,
|
||||
<span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
|
||||
If a specified zone does not already have keys in place, then
|
||||
keys will be generated for it according to policy.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If zones are <span class="emphasis"><em>not</em></span> specified on the command
|
||||
line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
|
||||
key directory (either the current working directory or the directory
|
||||
set by the <code class="option">-K</code> option), and check the keys for
|
||||
all the zones represented in the directory.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Key times that are in the past will not be updated unless
|
||||
the <code class="option">-f</code> is used (see below). Key inactivation
|
||||
and deletion times that are less than five minutes in the future
|
||||
will be delayed by five minutes.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
It is expected that this tool will be run automatically and
|
||||
unattended (for example, by <span class="command"><strong>cron</strong></span>).
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.13.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If <code class="option">-c</code> is specified, then the DNSSEC
|
||||
policy is read from <code class="option">file</code>. (If not
|
||||
specified, then the policy is read from
|
||||
<code class="filename">/etc/dnssec-policy.conf</code>; if that file
|
||||
doesn't exist, a built-in global default policy is used.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-f</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Force: allow updating of key events even if they are
|
||||
already in the past. This is not recommended for use with
|
||||
zones in which keys have already been published. However,
|
||||
@@ -118,58 +146,77 @@
|
||||
keys have not been published in a zone as yet, then this
|
||||
option can be used to clean them up and turn them into a
|
||||
proper series of keys with appropriate rollover intervals.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
|
||||
Used for testing.
|
||||
See also the <code class="option">-s</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
|
||||
and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the directory in which keys can be found. Defaults to the
|
||||
current working directory.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-k</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Only apply policies to KSK keys.
|
||||
See also the <code class="option">-z</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
|
||||
and <span class="command"><strong>dnssec-settime</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
|
||||
Used for testing.
|
||||
See also the <code class="option">-g</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-z</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Only apply policies to ZSK keys.
|
||||
See also the <code class="option">-k</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.13.9"></a><h2>POLICY CONFIGURATION</h2>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="filename">dnssec-policy.conf</code> file can specify three kinds
|
||||
of policies:
|
||||
</p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem"><p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
<span class="emphasis"><em>Policy classes</em></span>
|
||||
(<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
|
||||
can be inherited by zone policies or other policy classes; these
|
||||
@@ -178,16 +225,20 @@
|
||||
1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
|
||||
specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
|
||||
used for zones that had unusually high security needs.
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
<span class="emphasis"><em>Algorithm policies:</em></span>
|
||||
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
|
||||
override default per-algorithm settings. For example, by default,
|
||||
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
|
||||
can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
|
||||
new key sizes would then be used for any key of type RSASHA256.
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
<span class="emphasis"><em>Zone policies:</em></span>
|
||||
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
|
||||
set policy for a single zone by name. A zone policy can inherit
|
||||
@@ -195,21 +246,25 @@
|
||||
Zone names beginning with digits (i.e., 0-9) must be quoted.
|
||||
If a zone does not have its own policy then the
|
||||
"<code class="literal">default</code>" policy applies.
|
||||
</p></li>
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
<p>
|
||||
<p>
|
||||
Options that can be specified in policies:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
|
||||
<em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The key algorithm. If no policy is defined, the default is
|
||||
RSASHA256.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>coverage</strong></span>
|
||||
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The length of time to ensure that keys will be correct; no action
|
||||
will be taken to create new keys to be activated after this time.
|
||||
This can be represented as a number of seconds, or as a duration
|
||||
@@ -217,89 +272,119 @@
|
||||
A default value for this option can be set in algorithm policies
|
||||
as well as in policy classes or zone policies.
|
||||
If no policy is configured, the default is six months.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>directory</strong></span>
|
||||
<em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the directory in which keys should be stored.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
|
||||
<em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the number of bits to use in creating keys.
|
||||
The keytype is either "zsk" or "ksk".
|
||||
A default value for this option can be set in algorithm policies
|
||||
as well as in policy classes or zone policies. If no policy is
|
||||
configured, the default is 2048 bits for RSA keys.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
|
||||
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The key TTL. If no policy is defined, the default is one hour.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
|
||||
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
How long after inactivation a key should be deleted from the zone.
|
||||
Note: If <code class="option">roll-period</code> is not set, this value is
|
||||
ignored. The keytype is either "zsk" or "ksk".
|
||||
A default duration for this option can be set in algorithm
|
||||
policies as well as in policy classes or zone policies. The default
|
||||
is one month.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
|
||||
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
How long before activation a key should be published. Note: If
|
||||
<code class="option">roll-period</code> is not set, this value is ignored.
|
||||
The keytype is either "zsk" or "ksk".
|
||||
A default duration for this option can be set in algorithm policies
|
||||
as well as in policy classes or zone policies. The default is
|
||||
one month.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
|
||||
<em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
How frequently keys should be rolled over.
|
||||
The keytype is either "zsk" or "ksk".
|
||||
A default duration for this option can be set in algorithm policies
|
||||
as well as in policy classes or zone policies. If no policy is
|
||||
configured, the default is one year for ZSKs. KSKs do not
|
||||
roll over by default.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
|
||||
<em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Not yet implemented.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.13.10"></a><h2>REMAINING WORK</h2>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem"><p>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
|
||||
and <code class="option">-D sync</code> options to
|
||||
<span class="command"><strong>dnssec-keygen</strong></span> and
|
||||
<span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
|
||||
(as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
|
||||
safe for the key to roll.
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
Allow configuration of standby keys and use of the REVOKE bit,
|
||||
for keys that use RFC 5011 semantics.
|
||||
</p></li>
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.13.11"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-coverage</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-coverage</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-settime</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-checkds</span>(8)
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -320,6 +405,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-revoke</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
|
||||
@@ -32,52 +32,88 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-revoke</span> — set the REVOKED bit on a DNSSEC key</p>
|
||||
<p>
|
||||
<span class="application">dnssec-revoke</span>
|
||||
— set the REVOKED bit on a DNSSEC key
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-revoke</code>
|
||||
[<code class="option">-hr</code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-V</code>]
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
|
||||
[<code class="option">-f</code>]
|
||||
[<code class="option">-R</code>]
|
||||
{keyfile}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.14.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-revoke</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-revoke</strong></span>
|
||||
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
|
||||
in RFC 5011, and creates a new pair of key files containing the
|
||||
now-revoked key.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.14.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Emit usage message and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the directory in which the key files are to reside.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-r</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
After writing the new keyset files remove the original keyset
|
||||
files.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints version information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specifies the cryptographic hardware to use, when applicable.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When BIND is built with OpenSSL PKCS#11 support, this defaults
|
||||
to the string "pkcs11", which identifies an OpenSSL engine
|
||||
that can drive a cryptographic accelerator or hardware service
|
||||
@@ -85,27 +121,36 @@
|
||||
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
|
||||
provider library specified via "--with-pkcs11".
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-f</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
|
||||
write the new key pair even if a file already exists matching
|
||||
the algorithm and key ID of the revoked key.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-R</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the key tag of the key with the REVOKE bit set but do
|
||||
not revoke the key.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.14.9"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 5011</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -126,6 +171,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-settime</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
|
||||
@@ -32,17 +32,55 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-settime</span> — set the key timing metadata for a DNSSEC key</p>
|
||||
<p>
|
||||
<span class="application">dnssec-settime</span>
|
||||
— set the key timing metadata for a DNSSEC key
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-s</code>] [<code class="option">-g <em class="replaceable"><code>state</code></em></code>] [<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>] {keyfile}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-settime</code>
|
||||
[<code class="option">-f</code>]
|
||||
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
|
||||
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-V</code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
|
||||
[<code class="option">-s</code>]
|
||||
[<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
|
||||
[<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
[<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
|
||||
{keyfile}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.15.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-settime</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-settime</strong></span>
|
||||
reads a DNSSEC private key file and sets the key timing metadata
|
||||
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
|
||||
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
|
||||
@@ -51,23 +89,23 @@
|
||||
determine when a key is to be published, whether it should be
|
||||
used for signing a zone, etc.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If none of these options is set on the command line,
|
||||
then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
|
||||
metadata already stored in the key.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When key metadata fields are changed, both files of a key
|
||||
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
|
||||
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Metadata fields are stored in the private file. A human-readable
|
||||
description of the metadata is also placed in comments in the key
|
||||
file. The private file's permissions are always set to be
|
||||
inaccessible to anyone other than the owner (mode 0600).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When working with state files, it is possible to update the timing
|
||||
metadata in those files as well with <code class="option">-s</code>. If this
|
||||
option is used you can also update key states with <code class="option">-d</code>
|
||||
@@ -75,21 +113,25 @@
or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</p>
<p>
<p>
You can also set the goal state of the key with <code class="option">-g</code>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</p>
<p>
<p>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.13.15.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd><p>
<dd>
<p>
Force an update of an old-format key with no metadata fields.
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
@@ -98,13 +140,17 @@
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p></dd>
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
@@ -113,25 +159,32 @@
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> removes it from the key.
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Emit usage message and exit.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@@ -139,12 +192,14 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.13.15.9"></a><h2>TIMING OPTIONS</h2>
<p>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
@@ -154,49 +209,65 @@
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</p></dd>
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</p></dd>
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
<dd>
<p>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
@@ -204,10 +275,11 @@
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
@@ -216,69 +288,90 @@
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.13.15.10"></a><h2>KEY STATE OPTIONS</h2>
<p>
<p>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</p>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-s</span></dt>
<dd><p>
<dd>
<p>
When setting key timing data, also update the state file.
</p></dd>
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
<dd>
<p>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</p></dd>
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd><p>
<dd>
<p>
Set the DS state for this key, and when it was last changed.
</p></dd>
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd><p>
<dd>
<p>
Set the DNSKEY state for this key, and when it was last changed.
</p></dd>
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd><p>
<dd>
<p>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</p></dd>
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd><p>
<dd>
<p>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.13.15.11"></a><h2>PRINTING OPTIONS</h2>
<p>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</p>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd><p>
<dd>
<p>
Print times in UNIX epoch format.
</p></dd>
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
<dd><p>
<dd>
<p>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters or strings to indicate which value
@@ -292,17 +385,25 @@
<code class="option">D</code> for the deletion date, and
<code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.13.15.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
@@ -323,6 +424,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
</body>
</html>
@@ -10,7 +10,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
@@ -32,17 +32,71 @@
</div>
<div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<p>
<span class="application">dnssec-signzone</span>
— DNSSEC zone signing tool
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-Q</code>] [<code class="option">-q</code>] [<code class="option">-R</code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">dnssec-signzone</code>
[<code class="option">-a</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
[<code class="option">-g</code>]
[<code class="option">-h</code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
[<code class="option">-P</code>]
[<code class="option">-Q</code>]
[<code class="option">-q</code>]
[<code class="option">-R</code>]
[<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-t</code>]
[<code class="option">-u</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
[<code class="option">-x</code>]
[<code class="option">-z</code>]
[<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
[<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
[<code class="option">-A</code>]
{zonefile}
[key...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.13.16.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-signzone</strong></span>
<p><span class="command"><strong>dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
@@ -50,34 +104,46 @@
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.13.16.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd><p>
<dd>
<p>
Verify all generated signatures.
</p></dd>
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the DNS class of the zone.
</p></dd>
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd><p>
<dd>
<p>
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Look for <code class="filename">dsset-</code> or
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd><p>
<dd>
<p>
Output only those record types automatically managed by
<span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
@@ -86,15 +152,16 @@
zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
</p></dd>
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
<p>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
</p>
<p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
@@ -102,25 +169,32 @@
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
<dd>
<p>
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
file. Existing DS records will be removed.
</p></dd>
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
<dd>
<p>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</p></dd>
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
<dd>
<p>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
</p></dd>
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the maximum TTL for the signed zone.
Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
@@ -133,9 +207,11 @@
<code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
(Note: This option is incompatible with <code class="option">-D</code>,
because it modifies non-DNSSEC data in the output zone.)
</p></dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
@@ -144,9 +220,11 @@
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</p></dd>
</p>
</dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
<dd>
<p>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
@@ -156,10 +234,11 @@
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<code class="option">start-time</code>.
</p></dd>
</p>
</dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
<p>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
@@ -167,7 +246,7 @@
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</p>
<p>
<p>
As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
@@ -178,28 +257,34 @@
30 days from the start time.) <code class="option">extended end-time</code>
must be later than <code class="option">start-time</code>.
</p>
</dd>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
<dd>
<p>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename. If <code class="option">output-file</code> is
set to <code class="literal">"-"</code>, then the signed zone is
written to the standard output, with a default output
format of "full".
</p></dd>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd><p>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Prints version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
<p>
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
@@ -207,7 +292,7 @@
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</p>
<p>
<p>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> or <code class="option">start-time</code>
@@ -218,9 +303,10 @@
are due to expire in less than 7.5 days, they would be
replaced.
</p>
</dd>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
<dd>
<p>
The format of the input zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
@@ -229,10 +315,11 @@
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</p></dd>
</p>
</dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
<p>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
@@ -243,55 +330,72 @@
expire time, thus spreading incremental signature
regeneration over time.
</p>
<p>
<p>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</p>
</dd>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
<dd>
<p>
When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p></dd>
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</p></dd>
</p>
</dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
<p>
The SOA serial number format of the signed zone.
Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
<span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
and <span class="command"><strong>"date"</strong></span>.
</p>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dd>
<p>Do not modify the SOA serial number.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
arithmetic.</p></dd>
<dd>
<p>Increment the SOA serial number using RFC 1982
arithmetic.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
since epoch.</p></dd>
<dd>
<p>Set the SOA serial number to the number of seconds
since epoch.</p>
</dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd><p>Set the SOA serial number to today's date in
YYYYMMDDNN format.</p></dd>
<dd>
<p>Set the SOA serial number to today's date in
YYYYMMDDNN format.</p>
</dd>
</dl></div>
</dd>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
<dd>
<p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
</p>
</dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
<dd>
<p>
The format of the output file containing the signed zone.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone;
@@ -304,26 +408,27 @@
|
||||
the raw zone file: if N is 0, the raw file can be read by
|
||||
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
|
||||
can be read by release 9.9.0 or higher; the default is 1.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-P</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Disable post sign verification tests.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The post sign verification test ensures that for each algorithm
|
||||
in use there is at least one non revoked self signed KSK key,
|
||||
that all revoked KSK keys are self signed, and that all records
|
||||
in the zone are signed by the algorithm.
|
||||
This option skips these tests.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-Q</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Remove signatures from keys that are no longer active.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Normally, when a previously-signed zone is passed as input
|
||||
to the signer, and a DNSKEY record has been removed and
|
||||
replaced with a new one, signatures from the old key
|
||||
@@ -335,9 +440,10 @@
|
||||
enables ZSK rollover using the procedure described in
|
||||
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Quiet mode: Suppresses unnecessary output. Without this
|
||||
option, when <span class="command"><strong>dnssec-signzone</strong></span> is run it
|
||||
will print to standard output the number of keys in use,
|
||||
@@ -345,78 +451,94 @@
|
||||
and other status information, and finally the filename
|
||||
containing the signed zone. With it, that output is
|
||||
suppressed, leaving only the filename.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-R</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Remove signatures from keys that are no longer published.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This option is similar to <code class="option">-Q</code>, except it
|
||||
forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
|
||||
keys that are no longer published. This enables ZSK rollover
|
||||
using the procedure described in RFC 4641, section 4.2.1.2
|
||||
("Double Signature Zone Signing Key Rollover").
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-S</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
|
||||
search the key repository for keys that match the zone being
|
||||
signed, and to include them in the zone if appropriate.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When a key is found, its timing metadata is examined to
|
||||
determine how it should be used, according to the following
|
||||
rules. Each successive rule takes priority over the prior
|
||||
ones:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If no timing metadata has been set for the key, the key is
|
||||
published in the zone and used to sign the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If the key's publication date is set and is in the past, the
|
||||
key is published in the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If the key's activation date is set and in the past, the
|
||||
key is published (regardless of publication date) and
|
||||
used to sign the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If the key's revocation date is set and in the past, and the
|
||||
key is published, then the key is revoked, and the revoked key
|
||||
is used to sign the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If either of the key's unpublication or deletion dates are set
|
||||
and in the past, the key is NOT published or used to sign the
|
||||
zone, regardless of any other metadata.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If key's sync publication date is set and in the past,
|
||||
synchronization records (type CDS and/or CDNSKEY) are
|
||||
created.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
If key's sync deletion date is set and in the past,
|
||||
synchronization records (type CDS and/or CDNSKEY) are
|
||||
removed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a TTL to be used for new DNSKEY records imported
|
||||
into the zone from the key repository. If not
|
||||
specified, the default is the TTL value from the zone's SOA
|
||||
@@ -428,82 +550,103 @@
|
||||
them, or if any of the imported DNSKEY records had a default
|
||||
TTL value. In the event of a a conflict between TTL values in
|
||||
imported keys, the shortest one is used.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print statistics at completion.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-u</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Update NSEC/NSEC3 chain when re-signing a previously signed
|
||||
zone. With this option, a zone signed with NSEC can be
|
||||
switched to NSEC3, or a zone signed with NSEC3 can
|
||||
be switch to NSEC or to NSEC3 with different parameters.
|
||||
Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
|
||||
retain the existing chain when re-signing.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-x</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with
|
||||
key-signing keys, and omit signatures from zone-signing
|
||||
keys. (This is similar to the
|
||||
<span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
|
||||
<span class="command"><strong>named</strong></span>.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-z</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Ignore KSK flag on key when determining what to sign. This
|
||||
causes KSK-flagged keys to sign all records, not just the
|
||||
DNSKEY RRset. (This is similar to the
|
||||
<span class="command"><strong>update-check-ksk no;</strong></span> zone option in
|
||||
<span class="command"><strong>named</strong></span>.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Generate an NSEC3 chain with the given hex encoded salt.
|
||||
A dash (<em class="replaceable"><code>salt</code></em>) can
|
||||
be used to indicate that no salt is to be used when generating the NSEC3 chain.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
When generating an NSEC3 chain, use this many iterations. The
|
||||
default is 10.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-A</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
When generating an NSEC3 chain set the OPTOUT flag on all
|
||||
NSEC3 records and do not generate NSEC3 records for insecure
|
||||
delegations.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Using this option twice (i.e., <code class="option">-AA</code>)
|
||||
turns the OPTOUT flag off for all records. This is useful
|
||||
when using the <code class="option">-u</code> option to modify an NSEC3
|
||||
chain which previously had OPTOUT set.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">zonefile</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The file containing the zone to be signed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">key</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify which keys should be used to sign the zone. If
|
||||
no keys are specified, then the zone will be examined
|
||||
for DNSKEY records at the zone apex. If these are found and
|
||||
there are matching private keys, in the current directory,
|
||||
then these will be used for signing.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.16.9"></a><h2>EXAMPLE</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The following command signs the <strong class="userinput"><code>example.com</code></strong>
|
||||
zone with the ECDSAP256SHA256 key generated by key generated by
|
||||
<span class="command"><strong>dnssec-keygen</strong></span> (Kexample.com.+013+17247).
|
||||
@@ -517,13 +660,13 @@
|
||||
Kexample.com.+013+17247
|
||||
db.example.com.signed
|
||||
%</pre>
|
||||
<p>
|
||||
<p>
|
||||
In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
|
||||
the file <code class="filename">db.example.com.signed</code>. This
|
||||
file should be referenced in a zone statement in a
|
||||
<code class="filename">named.conf</code> file.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This example re-signs a previously signed zone with default parameters.
|
||||
The private keys are assumed to be in the current directory.
|
||||
</p>
|
||||
@@ -531,14 +674,19 @@ db.example.com.signed
|
||||
% dnssec-signzone -o example.com db.example.com
|
||||
db.example.com.signed
|
||||
%</pre>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.16.10"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -559,6 +707,6 @@ db.example.com.signed
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-verify</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
|
||||
@@ -32,35 +32,65 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
|
||||
<p>
|
||||
<span class="application">dnssec-verify</span>
|
||||
— DNSSEC zone verification tool
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-q</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnssec-verify</code>
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
|
||||
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
|
||||
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
|
||||
[<code class="option">-q</code>]
|
||||
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
|
||||
[<code class="option">-V</code>]
|
||||
[<code class="option">-x</code>]
|
||||
[<code class="option">-z</code>]
|
||||
{zonefile}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.17.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>dnssec-verify</strong></span>
|
||||
|
||||
<p><span class="command"><strong>dnssec-verify</strong></span>
|
||||
verifies that a zone is fully signed for each algorithm found
|
||||
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
|
||||
chains are complete.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.17.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the DNS class of the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specifies the cryptographic hardware to use, when applicable.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When BIND is built with OpenSSL PKCS#11 support, this defaults
|
||||
to the string "pkcs11", which identifies an OpenSSL engine
|
||||
that can drive a cryptographic accelerator or hardware service
|
||||
@@ -68,9 +98,10 @@
|
||||
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
|
||||
provider library specified via "--with-pkcs11".
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The format of the input zone file.
|
||||
Possible formats are <span class="command"><strong>"text"</strong></span> (default)
|
||||
and <span class="command"><strong>"raw"</strong></span>.
|
||||
@@ -79,41 +110,52 @@
|
||||
format containing updates can be verified independently.
|
||||
The use of this option does not make much sense for
|
||||
non-dynamic zones.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The zone origin. If not specified, the name of the zone file
|
||||
is assumed to be the origin.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints version information.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Quiet mode: Suppresses output. Without this option, when
|
||||
<span class="command"><strong>dnssec-verify</strong></span> is run it will print to
|
||||
standard output the number of keys in use, the algorithms
|
||||
used to verify the zone was signed correctly and other
|
||||
status information. With it, all non-error output is
|
||||
suppressed, and only the exit code will indicate success.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-x</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Only verify that the DNSKEY RRset is signed with key-signing
|
||||
keys. Without this flag, it is assumed that the DNSKEY RRset
|
||||
will be signed by all active keys. When this flag is set,
|
||||
it will not be an error if the DNSKEY RRset is not signed
|
||||
by zone-signing keys. This corresponds to the <code class="option">-x</code>
|
||||
option in <span class="command"><strong>dnssec-signzone</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-z</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Ignore the KSK flag on the keys when determining whether
|
||||
the zone if correctly signed. Without this flag it is
|
||||
assumed that there will be a non-revoked, self-signed
|
||||
@@ -121,7 +163,7 @@
|
||||
that RRsets other than DNSKEY RRset will be signed with
|
||||
a different DNSKEY without the KSK flag set.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
With this flag set, we only require that for each algorithm,
|
||||
there will be at least one non-revoked, self-signed DNSKEY,
|
||||
regardless of the KSK flag state, and that other RRsets
|
||||
@@ -130,21 +172,28 @@
|
||||
for both purposes. This corresponds to the <code class="option">-z</code>
|
||||
option in <span class="command"><strong>dnssec-signzone</strong></span>.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">zonefile</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The file containing the zone to be signed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.17.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-signzone</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 4033</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -165,6 +214,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnstap-read</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
|
||||
@@ -32,17 +32,37 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.dnstap-read"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnstap-read</span> — print dnstap data in human-readable form</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnstap-read</code> [<code class="option">-m</code>] [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-y</code>] {<em class="replaceable"><code>file</code></em>}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.18.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">dnstap-read</span>
|
||||
— print dnstap data in human-readable form
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">dnstap-read</code>
|
||||
[<code class="option">-m</code>]
|
||||
[<code class="option">-p</code>]
|
||||
[<code class="option">-x</code>]
|
||||
[<code class="option">-y</code>]
|
||||
{<em class="replaceable"><code>file</code></em>}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.18.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>dnstap-read</strong></span>
|
||||
reads <span class="command"><strong>dnstap</strong></span> data from a specified file
|
||||
and prints it in a human-readable format. By default,
|
||||
@@ -50,41 +70,59 @@
|
||||
format, but if the <code class="option">-y</code> option is specified,
|
||||
then a longer and more detailed YAML format is used instead.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.18.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-m</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Trace memory allocations; used for debugging memory leaks.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
After printing the <span class="command"><strong>dnstap</strong></span> data, print
|
||||
the text form of the DNS message that was encapsulated in the
|
||||
<span class="command"><strong>dnstap</strong></span> frame.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-x</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
After printing the <span class="command"><strong>dnstap</strong></span> data, print
|
||||
a hex dump of the wire form of the DNS message that was
|
||||
encapsulated in the <span class="command"><strong>dnstap</strong></span> frame.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-y</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print <span class="command"><strong>dnstap</strong></span> data in a detailed YAML
|
||||
format.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.18.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">rndc</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -105,6 +143,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>filter-aaaa.so</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.dnstap-read.html" title="dnstap-read">
|
||||
@@ -32,23 +32,36 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.filter-aaaa"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">filter-aaaa.so</span> — filter AAAA in DNS responses when A is present</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">plugin query "filter-aaaa.so"</code> [<em class="replaceable"><code>{ parameters }</code></em>];
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.19.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">filter-aaaa.so</span>
|
||||
— filter AAAA in DNS responses when A is present
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">plugin query "filter-aaaa.so"</code>
|
||||
[<em class="replaceable"><code>{ parameters }</code></em>];
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.19.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="command"><strong>filter-aaaa.so</strong></span> is a query plugin module for
|
||||
<span class="command"><strong>named</strong></span>, enabling <span class="command"><strong>named</strong></span>
|
||||
to omit some IPv6 addresses when responding to clients.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Until BIND 9.12, this feature was implemented natively in
|
||||
<span class="command"><strong>named</strong></span> and enabled with the
|
||||
<span class="command"><strong>filter-aaaa</strong></span> ACL and the
|
||||
@@ -58,40 +71,43 @@
|
||||
passed as parameters to the <span class="command"><strong>filter-aaaa.so</strong></span>
|
||||
plugin, for example:
|
||||
</p>
|
||||
<pre class="programlisting">
|
||||
<pre class="programlisting">
|
||||
plugin query "/usr/local/lib/filter-aaaa.so" {
|
||||
filter-aaaa-on-v4 yes;
|
||||
filter-aaaa-on-v6 yes;
|
||||
filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
|
||||
};
|
||||
</pre>
|
||||
<p>
|
||||
<p>
|
||||
This module is intended to aid transition from IPv4 to IPv6 by
|
||||
withholding IPv6 addresses from DNS clients which are not connected
|
||||
to the IPv6 Internet, when the name being looked up has an IPv4
|
||||
address available. Use of this module is not recommended unless
|
||||
absolutely necessary.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Note: This mechanism can erroneously cause other servers not to
|
||||
give AAAA records to their clients. If a recursing server with
|
||||
both IPv6 and IPv4 network connections queries an authoritative
|
||||
server using this mechanism via IPv4, it will be denied AAAA
|
||||
records even if its client is using IPv6.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.19.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a list of client addresses for which AAAA
|
||||
filtering is to be applied. The default is
|
||||
<strong class="userinput"><code>any</code></strong>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
If set to <strong class="userinput"><code>yes</code></strong>, the DNS client is
|
||||
at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
|
||||
and if the response does not include DNSSEC signatures,
|
||||
@@ -99,36 +115,40 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
|
||||
This filtering applies to all responses and not only
|
||||
authoritative responses.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If set to <strong class="userinput"><code>break-dnssec</code></strong>,
|
||||
then AAAA records are deleted even when DNSSEC is
|
||||
enabled. As suggested by the name, this causes the
|
||||
response to fail to verify, because the DNSSEC protocol is
|
||||
designed to detect deletions.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
This mechanism can erroneously cause other servers not to
|
||||
give AAAA records to their clients. A recursing server with
|
||||
both IPv6 and IPv4 network connections that queries an
|
||||
authoritative server using this mechanism via IPv4 will be
|
||||
denied AAAA records even if its client is using IPv6.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
|
||||
except it filters AAAA responses to queries from IPv6
|
||||
clients instead of IPv4 clients. To filter all
|
||||
responses, set both options to <strong class="userinput"><code>yes</code></strong>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.19.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<p>
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -148,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>host</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.filter-aaaa.html" title="filter-aaaa.so">
|
||||
@@ -32,24 +32,57 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.host"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p>host — DNS lookup utility</p>
|
||||
<p>
|
||||
host
|
||||
— DNS lookup utility
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aACdlnrsTUwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [[<code class="option">-4</code>] | [<code class="option">-6</code>]] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">host</code>
|
||||
[<code class="option">-aACdlnrsTUwv</code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
|
||||
[<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
|
||||
[<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
|
||||
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
|
||||
[
|
||||
[<code class="option">-4</code>]
|
||||
| [<code class="option">-6</code>]
|
||||
]
|
||||
[<code class="option">-v</code>]
|
||||
[<code class="option">-V</code>]
|
||||
{name}
|
||||
[server]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.20.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>host</strong></span>
|
||||
|
||||
|
||||
<p><span class="command"><strong>host</strong></span>
|
||||
is a simple utility for performing DNS lookups.
|
||||
It is normally used to convert names to IP addresses and vice versa.
|
||||
When no arguments or options are given,
|
||||
<span class="command"><strong>host</strong></span>
|
||||
prints a short summary of its command line arguments and options.
|
||||
</p>
|
||||
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
|
||||
|
||||
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
|
||||
looked
|
||||
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
|
||||
IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
|
||||
@@ -61,67 +94,85 @@
|
||||
should query instead of the server or servers listed in
|
||||
<code class="filename">/etc/resolv.conf</code>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.20.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-4</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use IPv4 only for query transport.
|
||||
See also the <code class="option">-6</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-6</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use IPv6 only for query transport.
|
||||
See also the <code class="option">-4</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-a</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
"All". The <code class="option">-a</code> option is normally equivalent
|
||||
to <code class="option">-v -t <code class="literal">ANY</code></code>.
|
||||
It also affects the behaviour of the <code class="option">-l</code>
|
||||
list zone option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-A</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
"Almost all". The <code class="option">-A</code> option is equivalent
|
||||
to <code class="option">-a</code> except RRSIG, NSEC, and NSEC3
|
||||
records are omitted from the output.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Query class: This can be used to lookup HS (Hesiod) or CH
|
||||
(Chaosnet) class resource records. The default class is IN
|
||||
(Internet).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-C</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Check consistency: <span class="command"><strong>host</strong></span> will query the
|
||||
SOA records for zone <em class="parameter"><code>name</code></em> from all
|
||||
the listed authoritative name servers for that zone. The
|
||||
list of name servers is defined by the NS records that are
|
||||
found for the zone.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-d</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print debugging traces.
|
||||
Equivalent to the <code class="option">-v</code> verbose option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
List zone:
|
||||
The <span class="command"><strong>host</strong></span> command performs a zone transfer of
|
||||
zone <em class="parameter"><code>name</code></em> and prints out the NS,
|
||||
PTR and address records (A/AAAA).
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Together, the <code class="option">-l -a</code>
|
||||
options print all records in the zone.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The number of dots that have to be
|
||||
in <em class="parameter"><code>name</code></em> for it to be considered
|
||||
absolute. The default value is that defined using the
|
||||
@@ -131,9 +182,17 @@
|
||||
searched for in the domains listed in
|
||||
the <span class="type">search</span> or <span class="type">domain</span> directive
|
||||
in <code class="filename">/etc/resolv.conf</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the port on the server to query. The default is 53.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-r</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Non-recursive query:
|
||||
Setting this option clears the RD (recursion desired) bit
|
||||
in the query. This should mean that the name server
|
||||
@@ -144,30 +203,35 @@
|
||||
name server by making non-recursive queries and expecting
|
||||
to receive answers to those queries that can be
|
||||
referrals to other name servers.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Number of retries for UDP queries:
|
||||
If <em class="parameter"><code>number</code></em> is negative or zero, the
|
||||
number of retries will default to 1. The default value is
|
||||
1, or the value of the <em class="parameter"><code>attempts</code></em>
|
||||
option in <code class="filename">/etc/resolv.conf</code>, if set.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Do <span class="emphasis"><em>not</em></span> send the query to the next
|
||||
nameserver if any server responds with a SERVFAIL
|
||||
response, which is the reverse of normal stub resolver
|
||||
behavior.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Query type:
|
||||
The <em class="parameter"><code>type</code></em> argument can be any
|
||||
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When no query type is specified, <span class="command"><strong>host</strong></span>
|
||||
automatically selects an appropriate query type. By default, it
|
||||
looks for A, AAAA, and MX records.
|
||||
@@ -178,17 +242,18 @@
|
||||
address, <span class="command"><strong>host</strong></span> will query for PTR
|
||||
records.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If a query type of IXFR is chosen the starting serial
|
||||
number can be specified by appending an equal followed by
|
||||
the starting serial number
|
||||
(like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt>
|
||||
<span class="term">-T, </span><span class="term">-U</span>
|
||||
</dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
TCP/UDP:
|
||||
By default, <span class="command"><strong>host</strong></span> uses UDP when making
|
||||
queries. The <code class="option">-T</code> option makes it use a TCP
|
||||
@@ -196,55 +261,67 @@
|
||||
automatically selected for queries that require it, such
|
||||
as zone transfer (AXFR) requests. Type ANY queries default
|
||||
to TCP but can be forced to UDP initially using <code class="option">-U</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Memory usage debugging: the flag can
|
||||
be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
|
||||
or <em class="parameter"><code>trace</code></em>. You can specify
|
||||
the <code class="option">-m</code> option more than once to set
|
||||
multiple flags.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Verbose output.
|
||||
Equivalent to the <code class="option">-d</code> debug option.
|
||||
Verbose output can also be enabled by setting
|
||||
the <em class="parameter"><code>debug</code></em> option
|
||||
in <code class="filename">/etc/resolv.conf</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the version number and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-w</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Wait forever: The query timeout is set to the maximum possible.
|
||||
See also the <code class="option">-W</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
|
||||
seconds for a reply. If <em class="parameter"><code>wait</code></em> is
|
||||
less than one, the wait interval is set to one second.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
By default, <span class="command"><strong>host</strong></span> will wait for 5
|
||||
seconds for UDP responses and 10 seconds for TCP
|
||||
connections. These defaults can be overridden by
|
||||
the <em class="parameter"><code>timeout</code></em> option
|
||||
in <code class="filename">/etc/resolv.conf</code>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
See also the <code class="option">-w</code> option.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.20.9"></a><h2>IDN SUPPORT</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
|
||||
domain name) support, it can accept and display non-ASCII domain names.
|
||||
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
|
||||
@@ -255,18 +332,27 @@
|
||||
The IDN support is disabled if the variable is set when
|
||||
<span class="command"><strong>host</strong></span> runs.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.20.10"></a><h2>FILES</h2>
|
||||
<p><code class="filename">/etc/resolv.conf</code>
|
||||
|
||||
<p><code class="filename">/etc/resolv.conf</code>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.20.11"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dig</span>(1)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -287,6 +373,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>mdig</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.host.html" title="host">
|
||||
@@ -32,29 +32,69 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.mdig"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">mdig</span> — DNS pipelined lookup utility</p>
|
||||
<p>
|
||||
<span class="application">mdig</span>
|
||||
— DNS pipelined lookup utility
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">mdig</code> {@server} [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v</code>] [[<code class="option">-4</code>] | [<code class="option">-6</code>]] [<code class="option">-m</code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-i</code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [plusopt...]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">mdig</code> {-h}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">mdig</code> [@server] {global-opt...} {
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">mdig</code>
|
||||
{@server}
|
||||
[<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-v</code>]
|
||||
[
|
||||
[<code class="option">-4</code>]
|
||||
| [<code class="option">-6</code>]
|
||||
]
|
||||
[<code class="option">-m</code>]
|
||||
[<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
|
||||
[<code class="option">-i</code>]
|
||||
[<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
|
||||
[plusopt...]
|
||||
</p></div>
|
||||
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">mdig</code>
|
||||
{-h}
|
||||
</p></div>
|
||||
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">mdig</code>
|
||||
[@server]
|
||||
{global-opt...}
|
||||
{
|
||||
{local-opt...}
|
||||
{query}
|
||||
...}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
...}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.21.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>mdig</strong></span>
|
||||
|
||||
<p><span class="command"><strong>mdig</strong></span>
|
||||
is a multiple/pipelined query version of <span class="command"><strong>dig</strong></span>:
|
||||
instead of waiting for a response after sending each query,
|
||||
it begins by sending all queries. Responses are displayed in
|
||||
the order in which they are received, not in the order the
|
||||
corresponding queries were sent.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>mdig</strong></span> options are a subset of the
|
||||
<span class="command"><strong>dig</strong></span> options, and are divided into "anywhere
|
||||
options" which can occur anywhere, "global options" which must
|
||||
@@ -62,7 +102,8 @@
|
||||
and "local options" which apply to the next query on the command
|
||||
line.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The {@server} option is a mandatory global
|
||||
option. It is the name or IP address of the name server to query.
|
||||
(Unlike <span class="command"><strong>dig</strong></span>, this value is not retrieved from
|
||||
@@ -73,14 +114,16 @@
|
||||
<span class="command"><strong>mdig</strong></span> resolves that name before querying
|
||||
the name server.
|
||||
</p>
|
||||
<p><span class="command"><strong>mdig</strong></span>
|
||||
|
||||
<p><span class="command"><strong>mdig</strong></span>
|
||||
provides a number of query options which affect
|
||||
the way in which lookups are made and the results displayed. Some of
|
||||
these set or reset flag bits in the query header, some determine which
|
||||
sections of the answer get printed, and others determine the timeout
|
||||
and retry strategies.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Each query option is identified by a keyword preceded by a plus
|
||||
sign (<code class="literal">+</code>). Some keywords set or reset an
|
||||
option. These may be preceded by the string <code class="literal">no</code>
|
||||
@@ -88,10 +131,13 @@
|
||||
values to options like the timeout interval. They have the
|
||||
form <code class="option">+keyword=value</code>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.21.8"></a><h2>ANYWHERE OPTIONS</h2>
|
||||
<p>
|
||||
|
||||
|
||||
<p>
|
||||
The <code class="option">-f</code> option makes <span class="command"><strong>mdig</strong></span>
|
||||
operate in batch mode by reading a list of lookup requests to
|
||||
process from the file <em class="parameter"><code>filename</code></em>. The file
|
||||
@@ -99,36 +145,45 @@
|
||||
file should be organized in the same way they would be presented
|
||||
as queries to <span class="command"><strong>mdig</strong></span> using the command-line interface.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <code class="option">-h</code> causes <span class="command"><strong>mdig</strong></span> to
|
||||
print the detailed help with the full list of options and exit.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <code class="option">-v</code> causes <span class="command"><strong>mdig</strong></span> to
|
||||
print the version number and exit.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.21.9"></a><h2>GLOBAL OPTIONS</h2>
|
||||
<p>
|
||||
|
||||
|
||||
<p>
|
||||
The <code class="option">-4</code> option forces <span class="command"><strong>mdig</strong></span> to
|
||||
only use IPv4 query transport.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <code class="option">-6</code> option forces <span class="command"><strong>mdig</strong></span> to
|
||||
only use IPv6 query transport.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <code class="option">-b</code> option sets the source IP address of the
|
||||
query to <em class="parameter"><code>address</code></em>. This must be a valid
|
||||
address on one of the host's network interfaces or "0.0.0.0" or
|
||||
"::". An optional port may be specified by appending
|
||||
"#<port>"
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <code class="option">-m</code> option enables memory usage debugging.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <code class="option">-p</code> option is used when a non-standard port
|
||||
number is to be queried.
|
||||
<em class="parameter"><code>port#</code></em> is the port number
|
||||
@@ -137,51 +192,69 @@
|
||||
test a name server that has been configured to listen for
|
||||
queries on a non-standard port number.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The global query options are:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Display [do not display] the additional section of a
|
||||
reply. The default is to display it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set or clear all display flags.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Display [do not display] the answer section of a
|
||||
reply. The default is to display it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Display [do not display] the authority section of a
|
||||
reply. The default is to display it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Attempt to display the contents of messages which are
|
||||
malformed. The default is to not display malformed
|
||||
answers.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Display [do not display] the CLASS when printing the
|
||||
record.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Toggle the display of comment lines in the output.
|
||||
The default is to print comments.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]continue</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Continue on errors (e.g. timeouts).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Toggle the display of cryptographic fields in DNSSEC
|
||||
records. The contents of these field are unnecessary
|
||||
to debug most DNSSEC validation failures and removing
|
||||
@@ -190,41 +263,53 @@
|
||||
are replaced by the string "[omitted]" or in the
|
||||
DNSKEY case the key id is displayed as the replacement,
|
||||
e.g. "[ key id = value ]".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+dscp[=value]</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the DSCP code point to be used when sending the
|
||||
query. Valid DSCP code points are in the range
|
||||
[0..63]. By default no code point is explicitly set.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print records like the SOA records in a verbose
|
||||
multi-line format with human-readable comments. The
|
||||
default is to print each record on a single line, to
|
||||
facilitate machine parsing of the <span class="command"><strong>mdig</strong></span>
|
||||
output.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]question</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print [do not print] the question section of a query
|
||||
when an answer is returned. The default is to print
|
||||
the question section as a comment.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Toggle the display of per-record comments in the
|
||||
output (for example, human-readable key information
|
||||
about DNSKEY records). The default is not to print
|
||||
record comments unless multiline mode is active.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Provide a terse answer. The default is to print the
|
||||
answer in a verbose form.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+split=W</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Split long hex- or base64-formatted fields in resource
|
||||
records into chunks of <em class="parameter"><code>W</code></em>
|
||||
characters (where <em class="parameter"><code>W</code></em> is rounded
|
||||
@@ -233,54 +318,70 @@
|
||||
<em class="parameter"><code>+split=0</code></em> causes fields not to
|
||||
be split at all. The default is 56 characters, or
|
||||
44 characters when multiline mode is active.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use [do not use] TCP when querying name servers. The
|
||||
default behavior is to use UDP.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Display [do not display] the TTL when printing the
|
||||
record.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]ttlunits</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Display [do not display] the TTL in friendly human-readable
|
||||
time units of "s", "m", "h", "d", and "w", representing
|
||||
seconds, minutes, hours, days and weeks. Implies +ttlid.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use [do not use] TCP when querying name servers. This
|
||||
alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
|
||||
is provided for backwards compatibility. The "vc"
|
||||
stands for "virtual circuit".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the responses in a detailed YAML format.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.21.10"></a><h2>LOCAL OPTIONS</h2>
|
||||
<p>
|
||||
|
||||
|
||||
<p>
|
||||
The <code class="option">-c</code> option sets the query class to
|
||||
<em class="parameter"><code>class</code></em>. It can be any valid query class
|
||||
which is supported in BIND 9. The default query class is "IN".
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <code class="option">-t</code> option sets the query type to
|
||||
<em class="parameter"><code>type</code></em>. It can be any valid query type
|
||||
which is supported in BIND 9. The default query type is "A",
|
||||
unless the <code class="option">-x</code> option is supplied to indicate
|
||||
a reverse lookup with the "PTR" query type.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Reverse lookups — mapping addresses to names — are
|
||||
simplified by the <code class="option">-x</code> option.
|
||||
<em class="parameter"><code>addr</code></em> is an IPv4
|
||||
@@ -291,20 +392,26 @@
|
||||
By default, IPv6 addresses are looked up using nibble format
|
||||
under the IP6.ARPA domain.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The local query options are:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the "aa" flag in the query.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set [do not set] the AD (authentic data) bit in the
|
||||
query. This requests the server to return whether
|
||||
all of the answer and authority sections have all
|
||||
@@ -314,87 +421,110 @@
|
||||
from a OPT-OUT range. AD=0 indicate that some part
|
||||
of the answer was insecure or not validated. This
|
||||
bit is set by default.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the UDP message buffer size advertised using EDNS0
|
||||
to <em class="parameter"><code>B</code></em> bytes. The maximum and
|
||||
minimum sizes of this buffer are 65535 and 0 respectively.
|
||||
Values outside this range are rounded up or down
|
||||
appropriately. Values other than zero will cause a
|
||||
EDNS query to be sent.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set [do not set] the CD (checking disabled) bit in
|
||||
the query. This requests the server to not perform
|
||||
DNSSEC validation of responses.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Send a COOKIE EDNS option, with optional value.
|
||||
Replaying a COOKIE from a previous response will allow
|
||||
the server to identify a previous client. The default
|
||||
is <code class="option">+nocookie</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Requests DNSSEC records be sent by setting the DNSSEC
|
||||
OK bit (DO) in the OPT record in the additional section
|
||||
of the query.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the EDNS version to query with. Valid values
|
||||
are 0 to 255. Setting the EDNS version will cause
|
||||
a EDNS query to be sent. <code class="option">+noedns</code>
|
||||
clears the remembered EDNS version. EDNS is set to
|
||||
0 by default.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the must-be-zero EDNS flags bits (Z bits) to the
|
||||
specified value. Decimal, hex and octal encodings are
|
||||
accepted. Setting a named flag (e.g. DO) will silently be
|
||||
ignored. By default, no Z bits are set.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify EDNS option with code point <code class="option">code</code>
|
||||
and optionally payload of <code class="option">value</code> as a
|
||||
hexadecimal string. <code class="option">+noednsopt</code>
|
||||
clears the EDNS options to be sent.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]expire</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Send an EDNS Expire option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Include an EDNS name server ID request when sending
|
||||
a query.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Toggle the setting of the RD (recursion desired) bit
|
||||
in the query. This bit is set by default, which means
|
||||
<span class="command"><strong>mdig</strong></span> normally sends recursive
|
||||
queries.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the number of times to retry UDP queries to
|
||||
server to <em class="parameter"><code>T</code></em> instead of the
|
||||
default, 2. Unlike <em class="parameter"><code>+tries</code></em>,
|
||||
this does not include the initial query.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Send (don't send) an EDNS Client Subnet option with the
|
||||
specified IP address or network prefix.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<span class="command"><strong>mdig +subnet=0.0.0.0/0</strong></span>, or simply
|
||||
<span class="command"><strong>mdig +subnet=0</strong></span> for short, sends an EDNS
|
||||
client-subnet option with an empty address and a source
|
||||
@@ -403,50 +533,64 @@
|
||||
<span class="emphasis"><em>not</em></span> be used when resolving
|
||||
this query.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+timeout=T</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the timeout for a query to
|
||||
<em class="parameter"><code>T</code></em> seconds. The default
|
||||
timeout is 5 seconds for UDP transport and 10 for TCP.
|
||||
An attempt to set <em class="parameter"><code>T</code></em> to less
|
||||
than 1 will result
|
||||
in a query timeout of 1 second being applied.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+tries=T</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the number of times to try UDP queries to server
|
||||
to <em class="parameter"><code>T</code></em> instead of the default,
|
||||
3. If <em class="parameter"><code>T</code></em> is less than or equal
|
||||
to zero, the number of tries is silently rounded up
|
||||
to 1.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+udptimeout=T</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the timeout between UDP query retries.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print all RDATA in unknown RR type presentation format
|
||||
(RFC 3597). The default is to print RDATA for known types
|
||||
in the type's presentation format.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set [do not set] the last unassigned DNS header flag in a
|
||||
DNS query. This flag is off by default.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.21.11"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dig</span>(1)
|
||||
</span>,
|
||||
<em class="citetitle">RFC1035</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -466,6 +610,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>named-checkconf</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.mdig.html" title="mdig">
|
||||
@@ -32,26 +32,45 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.named-checkconf"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">named-checkconf</span> — named configuration file syntax checking tool</p>
|
||||
<p>
|
||||
<span class="application">named-checkconf</span>
|
||||
— named configuration file syntax checking tool
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-chjlvz</code>] [<code class="option">-p</code>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-checkconf</code>
|
||||
[<code class="option">-chjlvz</code>]
|
||||
[<code class="option">-p</code>
|
||||
[<code class="option">-x</code>
|
||||
]] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown)</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
]]
|
||||
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
|
||||
(unknown)
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.22.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>named-checkconf</strong></span>
|
||||
|
||||
<p><span class="command"><strong>named-checkconf</strong></span>
|
||||
checks the syntax, but not the semantics, of a
|
||||
<span class="command"><strong>named</strong></span> configuration file. The file is parsed
|
||||
and checked for syntax errors, along with all files included by it.
|
||||
If no file is specified, <code class="filename">/etc/named.conf</code> is read
|
||||
by default.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Note: files that <span class="command"><strong>named</strong></span> reads in separate
|
||||
parser contexts, such as <code class="filename">rndc.key</code> and
|
||||
<code class="filename">bind.keys</code>, are not automatically read
|
||||
@@ -61,53 +80,72 @@
|
||||
successful. <span class="command"><strong>named-checkconf</strong></span> can be run
|
||||
on these files explicitly, however.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.22.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the usage summary and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-j</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
When loading a zonefile read the journal if it exists.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
List all the configured zones. Each line of output
|
||||
contains the zone name, class (e.g. IN), view, and type
|
||||
(e.g. master or slave).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Check "core" configuration only. This suppresses the loading
|
||||
of plugin modules, and causes all parameters to
|
||||
<span class="command"><strong>plugin</strong></span> statements to be ignored.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Ignore warnings on deprecated options.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print out the <code class="filename">named.conf</code> and included files
|
||||
in canonical form if no errors were detected.
|
||||
See also the <code class="option">-x</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Chroot to <code class="filename">directory</code> so that include
|
||||
directives in the configuration file are processed as if
|
||||
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the version of the <span class="command"><strong>named-checkconf</strong></span>
|
||||
program and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-x</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
When printing the configuration files in canonical
|
||||
form, obscure shared secrets by replacing them with
|
||||
strings of question marks ('?'). This allows the
|
||||
@@ -115,33 +153,47 @@
|
||||
files to be shared — for example, when submitting
|
||||
bug reports — without compromising private data.
|
||||
This option cannot be used without <code class="option">-p</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-z</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Perform a test load of all master zones found in
|
||||
<code class="filename">named.conf</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">filename</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The name of the configuration file to be checked. If not
|
||||
specified, it defaults to <code class="filename">/etc/named.conf</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.22.9"></a><h2>RETURN VALUES</h2>
|
||||
<p><span class="command"><strong>named-checkconf</strong></span>
|
||||
|
||||
<p><span class="command"><strong>named-checkconf</strong></span>
|
||||
returns an exit status of 1 if
|
||||
errors were detected and 0 otherwise.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.22.10"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named-checkzone</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -162,6 +214,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>named-checkzone</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
|
||||
@@ -32,24 +32,94 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.named-checkzone"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> — zone file validity checking or converting tool</p>
|
||||
<p>
|
||||
<span class="application">named-checkzone</span>,
|
||||
<span class="application">named-compilezone</span>
|
||||
— zone file validity checking or converting tool
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} (unknown)</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-checkzone</code>
|
||||
[<code class="option">-d</code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-j</code>]
|
||||
[<code class="option">-q</code>]
|
||||
[<code class="option">-v</code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
|
||||
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
|
||||
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
|
||||
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
|
||||
[<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
|
||||
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
|
||||
[<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-D</code>]
|
||||
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
|
||||
{zonename}
|
||||
(unknown)
|
||||
</p></div>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-compilezone</code>
|
||||
[<code class="option">-d</code>]
|
||||
[<code class="option">-j</code>]
|
||||
[<code class="option">-q</code>]
|
||||
[<code class="option">-v</code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
|
||||
[<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
|
||||
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
|
||||
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
|
||||
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
|
||||
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
|
||||
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-D</code>]
|
||||
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
|
||||
{<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
|
||||
{zonename}
|
||||
(unknown)
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.23.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>named-checkzone</strong></span>
|
||||
|
||||
<p><span class="command"><strong>named-checkzone</strong></span>
|
||||
checks the syntax and integrity of a zone file. It performs the
|
||||
same checks as <span class="command"><strong>named</strong></span> does when loading a
|
||||
zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for
|
||||
checking zone files before configuring them into a name server.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<span class="command"><strong>named-compilezone</strong></span> is similar to
|
||||
<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
|
||||
zone contents to a specified file in a specified format.
|
||||
@@ -60,45 +130,62 @@
|
||||
least be as strict as those specified in the
|
||||
<span class="command"><strong>named</strong></span> configuration file.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.23.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-d</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Enable debugging.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the usage summary and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Quiet mode - exit code only.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the version of the <span class="command"><strong>named-checkzone</strong></span>
|
||||
program and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-j</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
When loading a zone file, read the journal if it exists.
|
||||
The journal file name is assumed to be the zone file name
|
||||
appended with the string <code class="filename">.jnl</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
When loading the zone file read the journal from the given
|
||||
file, if it exists. (Implies -j.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the class of the zone. If not specified, "IN" is assumed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Perform post-load zone integrity checks. Possible modes are
|
||||
<span class="command"><strong>"full"</strong></span> (default),
|
||||
<span class="command"><strong>"full-sibling"</strong></span>,
|
||||
@@ -106,19 +193,19 @@
|
||||
<span class="command"><strong>"local-sibling"</strong></span> and
|
||||
<span class="command"><strong>"none"</strong></span>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Mode <span class="command"><strong>"full"</strong></span> checks that MX records
|
||||
refer to A or AAAA record (both in-zone and out-of-zone
|
||||
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
|
||||
checks MX records which refer to in-zone hostnames.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
|
||||
refer to A or AAAA record (both in-zone and out-of-zone
|
||||
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
|
||||
checks SRV records which refer to in-zone hostnames.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
|
||||
records refer to A or AAAA record (both in-zone and out-of-zone
|
||||
hostnames). It also checks that glue address records
|
||||
@@ -127,31 +214,33 @@
|
||||
refer to in-zone hostnames or that some required glue exists,
|
||||
that is when the nameserver is in a child zone.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Mode <span class="command"><strong>"full-sibling"</strong></span> and
|
||||
<span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
|
||||
checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
|
||||
and <span class="command"><strong>"local"</strong></span> respectively.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Mode <span class="command"><strong>"none"</strong></span> disables the checks.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the format of the zone file.
|
||||
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
|
||||
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Specify the format of the output file specified.
|
||||
For <span class="command"><strong>named-checkzone</strong></span>,
|
||||
this does not cause any effects unless it dumps the zone
|
||||
contents.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
|
||||
which is the standard textual representation of the zone,
|
||||
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
|
||||
@@ -162,9 +251,10 @@
|
||||
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
|
||||
can be read by release 9.9.0 or higher; the default is 1.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Perform <span class="command"><strong>"check-names"</strong></span> checks with the
|
||||
specified failure mode.
|
||||
Possible modes are <span class="command"><strong>"fail"</strong></span>
|
||||
@@ -172,38 +262,48 @@
|
||||
<span class="command"><strong>"warn"</strong></span>
|
||||
(default for <span class="command"><strong>named-checkzone</strong></span>) and
|
||||
<span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets a maximum permissible TTL for the input file.
|
||||
Any record with a TTL higher than this value will cause
|
||||
the zone to be rejected. This is similar to using the
|
||||
<span class="command"><strong>max-zone-ttl</strong></span> option in
|
||||
<code class="filename">named.conf</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
When compiling a zone to "raw" or "map" format, set the
|
||||
"source serial" value in the header to the specified serial
|
||||
number. (This is expected to be used primarily for testing
|
||||
purposes.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify whether MX records should be checked to see if they
|
||||
are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>,
|
||||
<span class="command"><strong>"warn"</strong></span> (default) and
|
||||
<span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Check if a MX record refers to a CNAME.
|
||||
Possible modes are <span class="command"><strong>"fail"</strong></span>,
|
||||
<span class="command"><strong>"warn"</strong></span> (default) and
|
||||
<span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify whether NS records should be checked to see if they
|
||||
are addresses.
|
||||
Possible modes are <span class="command"><strong>"fail"</strong></span>
|
||||
@@ -211,24 +311,30 @@
|
||||
<span class="command"><strong>"warn"</strong></span>
|
||||
(default for <span class="command"><strong>named-checkzone</strong></span>) and
|
||||
<span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Write zone output to <code class="filename">filename</code>.
|
||||
If <code class="filename">filename</code> is <code class="filename">-</code> then
|
||||
write to standard out.
|
||||
This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Check for records that are treated as different by DNSSEC but
|
||||
are semantically equal in plain DNS.
|
||||
Possible modes are <span class="command"><strong>"fail"</strong></span>,
|
||||
<span class="command"><strong>"warn"</strong></span> (default) and
|
||||
<span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the style of the dumped zone file.
|
||||
Possible styles are <span class="command"><strong>"full"</strong></span> (default)
|
||||
and <span class="command"><strong>"relative"</strong></span>.
|
||||
@@ -241,75 +347,102 @@
|
||||
contents.
|
||||
It also does not have any meaning if the output format
|
||||
is not text.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Check if a SRV record refers to a CNAME.
|
||||
Possible modes are <span class="command"><strong>"fail"</strong></span>,
|
||||
<span class="command"><strong>"warn"</strong></span> (default) and
|
||||
<span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Chroot to <code class="filename">directory</code> so that
|
||||
include
|
||||
directives in the configuration file are processed as if
|
||||
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Check if Sender Policy Framework (SPF) records exist
|
||||
and issues a warning if an SPF-formatted TXT record is
|
||||
not also present. Possible modes are <span class="command"><strong>"warn"</strong></span>
|
||||
(default), <span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
chdir to <code class="filename">directory</code> so that
|
||||
relative
|
||||
filenames in master file $INCLUDE directives work. This
|
||||
is similar to the directory clause in
|
||||
<code class="filename">named.conf</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Dump zone file in canonical format.
|
||||
This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify whether to check for non-terminal wildcards.
|
||||
Non-terminal wildcards are almost always the result of a
|
||||
failure to understand the wildcard matching algorithm (RFC 1034).
|
||||
Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
|
||||
and
|
||||
<span class="command"><strong>"ignore"</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">zonename</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The domain name of the zone being checked.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">filename</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The name of the zone file.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.23.9"></a><h2>RETURN VALUES</h2>
|
||||
<p><span class="command"><strong>named-checkzone</strong></span>
|
||||
|
||||
<p><span class="command"><strong>named-checkzone</strong></span>
|
||||
returns an exit status of 1 if
|
||||
errors were detected and 0 otherwise.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.23.10"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named-checkconf</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">RFC 1035</em>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -330,6 +463,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>named-journalprint</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
|
||||
@@ -32,22 +32,38 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.named-journalprint"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">named-journalprint</span> — print zone journal in human-readable form</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.24.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">named-journalprint</span>
|
||||
— print zone journal in human-readable form
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-journalprint</code>
|
||||
{<em class="replaceable"><code>journal</code></em>}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.24.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>named-journalprint</strong></span>
|
||||
prints the contents of a zone journal file in a human-readable
|
||||
form.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Journal files are automatically created by <span class="command"><strong>named</strong></span>
|
||||
when changes are made to dynamic zones (e.g., by
|
||||
<span class="command"><strong>nsupdate</strong></span>). They record each addition
|
||||
@@ -58,22 +74,29 @@
|
||||
<code class="filename">.jnl</code> to the name of the corresponding
|
||||
zone file.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<span class="command"><strong>named-journalprint</strong></span> converts the contents of a given
|
||||
journal file into a human-readable text format. Each line begins
|
||||
with "add" or "del", to indicate whether the record was added or
|
||||
deleted, and continues with the resource record in master-file
|
||||
format.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.24.8"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">nsupdate</span>(1)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -94,6 +117,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>named-nzd2nzf</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
|
||||
@@ -32,19 +32,34 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.named-nzd2nzf"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">named-nzd2nzf</span> —
|
||||
Convert an NZD database to NZF text format
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-nzd2nzf</code> (unknown)</p></div>
|
||||
</div>
|
||||
<div class="refsect1">
|
||||
<a name="id-1.13.25.6"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">named-nzd2nzf</span>
|
||||
—
|
||||
Convert an NZD database to NZF text format
|
||||
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-nzd2nzf</code>
|
||||
(unknown)
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsect1">
|
||||
<a name="id-1.13.25.6"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>named-nzd2nzf</strong></span> converts an NZD database to NZF
|
||||
format and prints it to standard output. This can be used to
|
||||
review the configuration of zones that were added to
|
||||
@@ -53,28 +68,37 @@
|
||||
when rolling back from a newer version
|
||||
of BIND to an older version.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1">
|
||||
</div>
|
||||
|
||||
<div class="refsect1">
|
||||
<a name="id-1.13.25.7"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">filename</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The name of the <code class="filename">.nzd</code> file whose contents
|
||||
should be printed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1">
|
||||
</div>
|
||||
|
||||
<div class="refsect1">
|
||||
<a name="id-1.13.25.8"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1">
|
||||
</div>
|
||||
|
||||
<div class="refsect1">
|
||||
<a name="id-1.13.25.9"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -95,6 +119,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>named-rrchecker</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.named-nzd2nzf.html" title="named-nzd2nzf">
|
||||
@@ -32,50 +32,75 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.named-rrchecker"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">named-rrchecker</span> — syntax checker for individual DNS resource records</p>
|
||||
<p>
|
||||
<span class="application">named-rrchecker</span>
|
||||
— syntax checker for individual DNS resource records
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-rrchecker</code> [<code class="option">-h</code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-u</code>] [<code class="option">-C</code>] [<code class="option">-T</code>] [<code class="option">-P</code>]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named-rrchecker</code>
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
|
||||
[<code class="option">-p</code>]
|
||||
[<code class="option">-u</code>]
|
||||
[<code class="option">-C</code>]
|
||||
[<code class="option">-T</code>]
|
||||
[<code class="option">-P</code>]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.26.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>named-rrchecker</strong></span>
|
||||
|
||||
<p><span class="command"><strong>named-rrchecker</strong></span>
|
||||
read a individual DNS resource record from standard input and checks if it
|
||||
is syntactically correct.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">-h</code> prints out the help menu.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">-o <em class="replaceable"><code>origin</code></em></code>
|
||||
option specifies a origin to be used when interpreting the record.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">-p</code> prints out the resulting record in canonical
|
||||
form. If there is no canonical form defined then the record will be
|
||||
printed in unknown record format.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">-u</code> prints out the resulting record in unknown record
|
||||
form.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">-C</code>, <code class="option">-T</code> and <code class="option">-P</code>
|
||||
print out the known class, standard type and private type mnemonics
|
||||
respectively.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.26.8"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<em class="citetitle">RFC 1034</em>,
|
||||
<em class="citetitle">RFC 1035</em>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -96,6 +121,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>named.conf</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.named-rrchecker.html" title="named-rrchecker">
|
||||
@@ -32,42 +32,59 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.named.conf"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><code class="filename">named.conf</code> — configuration file for <span class="command"><strong>named</strong></span></p>
|
||||
<p>
|
||||
<code class="filename">named.conf</code>
|
||||
— configuration file for <span class="command"><strong>named</strong></span>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named.conf</code>
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><code class="filename">named.conf</code> is the configuration file
|
||||
|
||||
<p><code class="filename">named.conf</code> is the configuration file
|
||||
for
|
||||
<span class="command"><strong>named</strong></span>. Statements are enclosed
|
||||
in braces and terminated with a semi-colon. Clauses in
|
||||
the statements are also semi-colon terminated. The usual
|
||||
comment styles are supported:
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
C style: /* */
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
C++ style: // to end of line
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Unix style: # to end of line
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.8"></a><h2>ACL</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.9"></a><h2>CONTROLS</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
controls {<br>
|
||||
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
|
||||
* ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow<br>
|
||||
@@ -80,19 +97,21 @@ controls
|
||||
<em class="replaceable"><code>boolean</code></em> ];<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.10"></a><h2>DLZ</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
dlz <em class="replaceable"><code>string</code></em> {<br>
|
||||
database <em class="replaceable"><code>string</code></em>;<br>
|
||||
search <em class="replaceable"><code>boolean</code></em>;<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.11"></a><h2>DNSSEC-POLICY</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
|
||||
dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
|
||||
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited )<br>
|
||||
@@ -109,26 +128,29 @@ dnssec-policy
|
||||
zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.12"></a><h2>DYNDB</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
|
||||
<em class="replaceable"><code>unspecified-text</code></em> };<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.13"></a><h2>KEY</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
key <em class="replaceable"><code>string</code></em> {<br>
|
||||
algorithm <em class="replaceable"><code>string</code></em>;<br>
|
||||
secret <em class="replaceable"><code>string</code></em>;<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
logging {<br>
|
||||
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
|
||||
channel <em class="replaceable"><code>string</code></em> {<br>
|
||||
@@ -145,29 +167,32 @@ logging
|
||||
};<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
|
||||
<p>Deprecated - see DNSSEC-KEYS.</p>
|
||||
<div class="literallayout"><p><br>
|
||||
<p>Deprecated - see DNSSEC-KEYS.</p>
|
||||
<div class="literallayout"><p><br>
|
||||
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
|
||||
| initial-key | static-ds |<br>
|
||||
initial-ds ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
|
||||
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
|
||||
<em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
|
||||
port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
|
||||
<em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
options {<br>
|
||||
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
|
||||
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
|
||||
@@ -463,17 +488,19 @@ options
|
||||
zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
|
||||
} ];<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.19"></a><h2>SERVER</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
server <em class="replaceable"><code>netprefix</code></em> {<br>
|
||||
bogus <em class="replaceable"><code>boolean</code></em>;<br>
|
||||
edns <em class="replaceable"><code>boolean</code></em>;<br>
|
||||
@@ -507,10 +534,11 @@ server
|
||||
transfers <em class="replaceable"><code>integer</code></em>;<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
statistics-channels {<br>
|
||||
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
|
||||
* ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
|
||||
@@ -518,28 +546,31 @@ statistics-channels
|
||||
} ];<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.21"></a><h2>TRUST-ANCHORS</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
|
||||
initial-key | static-ds | initial-ds )<br>
|
||||
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
|
||||
<em class="replaceable"><code>quoted_string</code></em>; ... };<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.22"></a><h2>TRUSTED-KEYS</h2>
|
||||
<p>Deprecated - see DNSSEC-KEYS.</p>
|
||||
<div class="literallayout"><p><br>
|
||||
<p>Deprecated - see DNSSEC-KEYS.</p>
|
||||
<div class="literallayout"><p><br>
|
||||
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
|
||||
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
|
||||
<em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.23"></a><h2>VIEW</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
|
||||
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
|
||||
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
|
||||
@@ -915,10 +946,11 @@ view
|
||||
zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.24"></a><h2>ZONE</h2>
|
||||
<div class="literallayout"><p><br>
|
||||
<div class="literallayout"><p><br>
|
||||
zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
|
||||
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
|
||||
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
|
||||
@@ -1014,22 +1046,37 @@ zone
|
||||
zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
|
||||
};<br>
|
||||
</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.25"></a><h2>FILES</h2>
|
||||
<p><code class="filename">/etc/named.conf</code>
|
||||
|
||||
<p><code class="filename">/etc/named.conf</code>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.27.26"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">ddns-confgen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named-checkconf</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">rndc</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">rndc-confgen</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -1050,6 +1097,6 @@ zone
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>named</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.named.conf.html" title="named.conf">
|
||||
@@ -32,46 +32,93 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.named"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">named</span> — Internet domain name server</p>
|
||||
<p>
|
||||
<span class="application">named</span>
|
||||
— Internet domain name server
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named</code> [[<code class="option">-4</code>] | [<code class="option">-6</code>]] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-D <em class="replaceable"><code>string</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>] [<code class="option">-M <em class="replaceable"><code>option</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">named</code>
|
||||
[
|
||||
[<code class="option">-4</code>]
|
||||
| [<code class="option">-6</code>]
|
||||
]
|
||||
[<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
|
||||
[<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
|
||||
[<code class="option">-D <em class="replaceable"><code>string</code></em></code>]
|
||||
[<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>]
|
||||
[<code class="option">-f</code>]
|
||||
[<code class="option">-g</code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>]
|
||||
[<code class="option">-M <em class="replaceable"><code>option</code></em></code>]
|
||||
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
|
||||
[<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
|
||||
[<code class="option">-s</code>]
|
||||
[<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
|
||||
[<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>]
|
||||
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
|
||||
[<code class="option">-v</code>]
|
||||
[<code class="option">-V</code>]
|
||||
[<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>]
|
||||
[<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.28.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>named</strong></span>
|
||||
|
||||
<p><span class="command"><strong>named</strong></span>
|
||||
is a Domain Name System (DNS) server,
|
||||
part of the BIND 9 distribution from ISC. For more
|
||||
information on the DNS, see RFCs 1033, 1034, and 1035.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When invoked without arguments, <span class="command"><strong>named</strong></span>
|
||||
will
|
||||
read the default configuration file
|
||||
<code class="filename">/etc/named.conf</code>, read any initial
|
||||
data, and listen for queries.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.28.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-4</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use IPv4 only even if the host machine is capable of IPv6.
|
||||
<code class="option">-4</code> and <code class="option">-6</code> are mutually
|
||||
exclusive.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-6</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use IPv6 only even if the host machine is capable of IPv4.
|
||||
<code class="option">-4</code> and <code class="option">-6</code> are mutually
|
||||
exclusive.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use <em class="replaceable"><code>config-file</code></em> as the
|
||||
configuration file instead of the default,
|
||||
<code class="filename">/etc/named.conf</code>. To
|
||||
@@ -81,28 +128,33 @@
|
||||
<code class="option">directory</code> option in the configuration
|
||||
file, <em class="replaceable"><code>config-file</code></em> should be
|
||||
an absolute pathname.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
|
||||
Debugging traces from <span class="command"><strong>named</strong></span> become
|
||||
more verbose as the debug level increases.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>string</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies a string that is used to identify a instance of
|
||||
<span class="command"><strong>named</strong></span> in a process listing. The contents
|
||||
of <em class="replaceable"><code>string</code></em> are
|
||||
not examined.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
When applicable, specifies the hardware to use for
|
||||
cryptographic operations, such as a secure key store used
|
||||
for signing.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
When BIND is built with OpenSSL PKCS#11 support, this defaults
|
||||
to the string "pkcs11", which identifies an OpenSSL engine
|
||||
that can drive a cryptographic accelerator or hardware service
|
||||
@@ -110,23 +162,30 @@
|
||||
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
|
||||
provider library specified via "--with-pkcs11".
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-f</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Run the server in the foreground (i.e. do not daemonize).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-g</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Run the server in the foreground and force all logging
|
||||
to <code class="filename">stderr</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-L <em class="replaceable"><code>logfile</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Log to the file <code class="option">logfile</code> by default
|
||||
instead of the system log.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-M <em class="replaceable"><code>option</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the default memory context options. If set to
|
||||
<em class="replaceable"><code>external</code></em>,
|
||||
this causes the internal memory manager to be bypassed
|
||||
@@ -138,9 +197,11 @@
|
||||
disables this behavior, and is the default unless
|
||||
<span class="command"><strong>named</strong></span> has been compiled with developer
|
||||
options.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Turn on memory usage debugging flags. Possible flags are
|
||||
<em class="replaceable"><code>usage</code></em>,
|
||||
<em class="replaceable"><code>trace</code></em>,
|
||||
@@ -149,46 +210,51 @@
|
||||
<em class="replaceable"><code>mctx</code></em>.
|
||||
These correspond to the ISC_MEM_DEBUGXXXX flags described in
|
||||
<code class="filename"><isc/mem.h></code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Create <em class="replaceable"><code>#cpus</code></em> worker threads
|
||||
to take advantage of multiple CPUs. If not specified,
|
||||
<span class="command"><strong>named</strong></span> will try to determine the
|
||||
number of CPUs present and create one thread per CPU.
|
||||
If it is unable to determine the number of CPUs, a
|
||||
single worker thread will be created.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Listen for queries on port <em class="replaceable"><code>port</code></em>. If not
|
||||
specified, the default is port 53.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Write memory usage statistics to <code class="filename">stdout</code> on exit.
|
||||
</p>
|
||||
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<h3 class="title">Note</h3>
|
||||
<p>
|
||||
<p>
|
||||
This option is mainly of interest to BIND 9 developers
|
||||
and may be removed or changed in a future release.
|
||||
</p>
|
||||
</div>
|
||||
</dd>
|
||||
</div>
|
||||
</dd>
|
||||
<dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Allow <span class="command"><strong>named</strong></span> to use up to
|
||||
<em class="replaceable"><code>#max-socks</code></em> sockets.
|
||||
The default value is 21000 on systems built with default
|
||||
configuration options, and 4096 on systems built with
|
||||
"configure --with-tuning=small".
|
||||
</p>
|
||||
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<h3 class="title">Warning</h3>
|
||||
<p>
|
||||
<p>
|
||||
This option should be unnecessary for the vast majority
|
||||
of users.
|
||||
The use of this option could even be harmful because the
|
||||
@@ -203,18 +269,18 @@
|
||||
<span class="command"><strong>named</strong></span> reserves some file descriptors
|
||||
for its internal use.
|
||||
</p>
|
||||
</div>
|
||||
</dd>
|
||||
</div>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd>
|
||||
<p>Chroot
|
||||
<p>Chroot
|
||||
to <em class="replaceable"><code>directory</code></em> after
|
||||
processing the command line arguments, but before
|
||||
reading the configuration file.
|
||||
</p>
|
||||
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<h3 class="title">Warning</h3>
|
||||
<p>
|
||||
<p>
|
||||
This option should be used in conjunction with the
|
||||
<code class="option">-u</code> option, as chrooting a process
|
||||
running as root doesn't enhance security on most
|
||||
@@ -222,10 +288,11 @@
|
||||
defined allows a process with root privileges to
|
||||
escape a chroot jail.
|
||||
</p>
|
||||
</div>
|
||||
</dd>
|
||||
</div>
|
||||
</dd>
|
||||
<dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use <em class="replaceable"><code>#listeners</code></em>
|
||||
worker threads to listen for incoming UDP packets on each
|
||||
address. If not specified, <span class="command"><strong>named</strong></span> will
|
||||
@@ -238,17 +305,18 @@
|
||||
be increased as high as that value, but no higher.
|
||||
On Windows, the number of UDP listeners is hardwired to 1
|
||||
and this option has no effect.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
|
||||
<dd>
|
||||
<p>Setuid
|
||||
<p>Setuid
|
||||
to <em class="replaceable"><code>user</code></em> after completing
|
||||
privileged operations, such as creating sockets that
|
||||
listen on privileged ports.
|
||||
</p>
|
||||
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<h3 class="title">Note</h3>
|
||||
<p>
|
||||
<p>
|
||||
On Linux, <span class="command"><strong>named</strong></span> uses the kernel's
|
||||
capability mechanism to drop all root privileges
|
||||
except the ability to <code class="function">bind(2)</code> to
|
||||
@@ -261,18 +329,23 @@
|
||||
later, since previous kernels did not allow privileges
|
||||
to be retained after <code class="function">setuid(2)</code>.
|
||||
</p>
|
||||
</div>
|
||||
</dd>
|
||||
</div>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Report the version number and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Report the version number and build options, and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-X <em class="replaceable"><code>lock-file</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Acquire a lock on the specified file at runtime; this
|
||||
helps to prevent duplicate <span class="command"><strong>named</strong></span> instances
|
||||
from running simultaneously.
|
||||
@@ -280,54 +353,68 @@
|
||||
option in <code class="filename">named.conf</code>.
|
||||
If set to <code class="literal">none</code>, the lock file check
|
||||
is disabled.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Load data from <em class="replaceable"><code>cache-file</code></em> into the
|
||||
cache of the default view.
|
||||
</p>
|
||||
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||||
<h3 class="title">Warning</h3>
|
||||
<p>
|
||||
<p>
|
||||
This option must not be used. It is only of interest
|
||||
to BIND 9 developers and may be removed or changed in a
|
||||
future release.
|
||||
</p>
|
||||
</div>
|
||||
</dd>
|
||||
</div>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.28.9"></a><h2>SIGNALS</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
In routine operation, signals should not be used to control
|
||||
the nameserver; <span class="command"><strong>rndc</strong></span> should be used
|
||||
instead.
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">SIGHUP</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Force a reload of the server.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">SIGINT, SIGTERM</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Shut down the server.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The result of sending any other signals to the server is undefined.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.28.10"></a><h2>CONFIGURATION</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The <span class="command"><strong>named</strong></span> configuration file is too complex
|
||||
to describe in detail here. A complete description is provided
|
||||
in the
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>named</strong></span> inherits the <code class="function">umask</code>
|
||||
(file creation mode mask) from the parent process. If files
|
||||
created by <span class="command"><strong>named</strong></span>, such as journal files,
|
||||
@@ -335,32 +422,56 @@
|
||||
should be set explicitly in the script used to start the
|
||||
<span class="command"><strong>named</strong></span> process.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.28.11"></a><h2>FILES</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The default configuration file.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The default process-id file.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.28.12"></a><h2>SEE ALSO</h2>
|
||||
<p><em class="citetitle">RFC 1033</em>,
|
||||
|
||||
<p><em class="citetitle">RFC 1033</em>,
|
||||
<em class="citetitle">RFC 1034</em>,
|
||||
<em class="citetitle">RFC 1035</em>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named-checkconf</span>
|
||||
(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named-checkzone</span>
|
||||
(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">rndc</span>
|
||||
(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named.conf</span>
|
||||
(5)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -381,6 +492,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>nsec3hash</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.named.html" title="named">
|
||||
@@ -32,23 +32,50 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.nsec3hash"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">nsec3hash</span> — generate NSEC3 hash</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">nsec3hash -r</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>flags</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.29.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">nsec3hash</span>
|
||||
— generate NSEC3 hash
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">nsec3hash</code>
|
||||
{<em class="replaceable"><code>salt</code></em>}
|
||||
{<em class="replaceable"><code>algorithm</code></em>}
|
||||
{<em class="replaceable"><code>iterations</code></em>}
|
||||
{<em class="replaceable"><code>domain</code></em>}
|
||||
</p></div>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">nsec3hash -r</code>
|
||||
{<em class="replaceable"><code>algorithm</code></em>}
|
||||
{<em class="replaceable"><code>flags</code></em>}
|
||||
{<em class="replaceable"><code>iterations</code></em>}
|
||||
{<em class="replaceable"><code>salt</code></em>}
|
||||
{<em class="replaceable"><code>domain</code></em>}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.29.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>nsec3hash</strong></span> generates an NSEC3 hash based on
|
||||
a set of NSEC3 parameters. This can be used to check the validity
|
||||
of NSEC3 records in a signed zone.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
If this command is invoked as <span class="command"><strong>nsec3hash -r</strong></span>,
|
||||
it takes arguments in an order matching the first four fields
|
||||
of an NSEC3 record, followed by the domain name: algorithm, flags,
|
||||
@@ -56,43 +83,59 @@
|
||||
paste a portion of an NSEC3 or NSEC3PARAM record into a command
|
||||
line to confirm the correctness of an NSEC3 hash.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.29.8"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">salt</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The salt provided to the hash algorithm.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">algorithm</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
A number indicating the hash algorithm. Currently the
|
||||
only supported hash algorithm for NSEC3 is SHA-1, which is
|
||||
indicated by the number 1; consequently "1" is the only
|
||||
useful value for this argument.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">flags</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Provided for compatibility with NSEC3 record presentation
|
||||
format, but ignored since the flags do not affect the hash.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">iterations</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The number of additional times the hash should be performed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">domain</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The domain name to be hashed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.29.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 5155</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -112,6 +155,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>nslookup</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.nsec3hash.html" title="nsec3hash">
|
||||
@@ -32,17 +32,35 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.nslookup"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p>nslookup — query Internet name servers interactively</p>
|
||||
<p>
|
||||
nslookup
|
||||
— query Internet name servers interactively
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">nslookup</code>
|
||||
[<code class="option">-option</code>]
|
||||
[name | -]
|
||||
[server]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.30.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>Nslookup</strong></span>
|
||||
|
||||
<p><span class="command"><strong>Nslookup</strong></span>
|
||||
is a program to query Internet domain name servers. <span class="command"><strong>Nslookup</strong></span>
|
||||
has two modes: interactive and non-interactive. Interactive mode allows
|
||||
the user to query name servers for information about various hosts and
|
||||
@@ -51,29 +69,37 @@
|
||||
used to print just the name and requested information for a host or
|
||||
domain.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.30.8"></a><h2>ARGUMENTS</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Interactive mode is entered in the following cases:
|
||||
</p>
|
||||
<div class="orderedlist"><ol class="orderedlist" type="a">
|
||||
<li class="listitem"><p>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
when no arguments are given (the default name server will be used)
|
||||
</p></li>
|
||||
<li class="listitem"><p>
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
when the first argument is a hyphen (-) and the second argument is
|
||||
the host name or Internet address of a name server.
|
||||
</p></li>
|
||||
</p>
|
||||
</li>
|
||||
</ol></div>
|
||||
<p>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Non-interactive mode is used when the name or Internet address of the
|
||||
host to be looked up is given as the first argument. The optional second
|
||||
argument specifies the host name or address of a name server.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Options can also be specified on the command line if they precede the
|
||||
arguments and are prefixed with a hyphen. For example, to
|
||||
change the default query type to host information, and the initial
|
||||
@@ -86,238 +112,283 @@ nslookup -query=hinfo -timeout=10
|
||||
<p>
|
||||
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">-version</code> option causes
|
||||
<span class="command"><strong>nslookup</strong></span> to print the version
|
||||
number and immediately exits.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.30.9"></a><h2>INTERACTIVE COMMANDS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Look up information for host using the current default server or
|
||||
using server, if specified. If host is an Internet address and
|
||||
the query type is A or PTR, the name of the host is returned.
|
||||
If host is a name and does not have a trailing period, the
|
||||
search list is used to qualify the name.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
To look up a host not in the current domain, append a period to
|
||||
the name.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
|
||||
<dd><p></p></dd>
|
||||
<dd>
|
||||
<p></p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
|
||||
server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
|
||||
the current default server. If an authoritative answer can't be
|
||||
found, the names of servers that might have the answer are
|
||||
returned.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">root</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
not implemented
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">finger</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
not implemented
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">ls</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
not implemented
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">view</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
not implemented
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">help</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
not implemented
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">?</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
not implemented
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">exit</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Exits the program.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">set</code>
|
||||
<em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
This command is used to change state information that affects
|
||||
the lookups. Valid keywords are:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="constant">all</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints the current values of the frequently used
|
||||
options to <span class="command"><strong>set</strong></span>.
|
||||
Information about the current default
|
||||
server and host is also printed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Change the query class to one of:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="constant">IN</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
the Internet class
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">CH</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
the Chaos class
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">HS</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
the Hesiod class
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">ANY</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
wildcard
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
The class specifies the protocol group of the information.
|
||||
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = IN; abbreviation = cl)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Turn on or off the display of the full response packet and
|
||||
any intermediate response packets when searching.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Turn debugging mode on or off. This displays more about
|
||||
what nslookup is doing.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = nod2)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sets the search list to <em class="replaceable"><code>name</code></em>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
If the lookup request contains at least one period but
|
||||
doesn't end with a trailing period, append the domain
|
||||
names in the domain search list to the request until an
|
||||
answer is received.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = search)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = 53; abbreviation = po)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
|
||||
<dd><p></p></dd>
|
||||
<dd>
|
||||
<p></p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Change the type of the information query.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = A and then AAAA; abbreviations = q, ty)
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
<span class="bold"><strong>Note:</strong></span> It is
|
||||
only possible to specify one query type, only
|
||||
the default behavior looks up both when an
|
||||
alternative is not specified.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Tell the name server to query other servers if it does not
|
||||
have the
|
||||
information.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = recurse; abbreviation = [no]rec)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the number of dots (label separators) in a domain
|
||||
that will disable searching. Absolute names always
|
||||
stop searching.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the number of retries to number.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Change the initial timeout interval for waiting for a
|
||||
reply to number seconds.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Always use a virtual circuit when sending requests to the
|
||||
server.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = novc)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Try the next nameserver if a nameserver responds with
|
||||
SERVFAIL or a referral (nofail) or terminate query
|
||||
(fail) on such a response.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
(Default = nofail)
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.30.10"></a><h2>RETURN VALUES</h2>
|
||||
<p>
|
||||
<p>
|
||||
<span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
|
||||
if any query failed, and 0 otherwise.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.30.11"></a><h2>IDN SUPPORT</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
|
||||
domain name) support, it can accept and display non-ASCII domain names.
|
||||
<span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
|
||||
@@ -329,19 +400,29 @@ nslookup -query=hinfo -timeout=10
|
||||
<span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
|
||||
a tty.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.30.12"></a><h2>FILES</h2>
|
||||
<p><code class="filename">/etc/resolv.conf</code>
|
||||
|
||||
<p><code class="filename">/etc/resolv.conf</code>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.30.13"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">dig</span>(1)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">host</span>(1)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -362,6 +443,6 @@ nslookup -query=hinfo -timeout=10
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>nsupdate</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.nslookup.html" title="nslookup">
|
||||
@@ -32,17 +32,54 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.nsupdate"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">nsupdate</span> — Dynamic DNS update utility</p>
|
||||
<p>
|
||||
<span class="application">nsupdate</span>
|
||||
— Dynamic DNS update utility
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [<code class="option">-i</code>] [<code class="option">-L <em class="replaceable"><code>level</code></em></code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [[<code class="option">-4</code>] | [<code class="option">-6</code>]] [filename]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">nsupdate</code>
|
||||
[<code class="option">-d</code>]
|
||||
[<code class="option">-D</code>]
|
||||
[<code class="option">-i</code>]
|
||||
[<code class="option">-L <em class="replaceable"><code>level</code></em></code>]
|
||||
[
|
||||
[<code class="option">-g</code>]
|
||||
| [<code class="option">-o</code>]
|
||||
| [<code class="option">-l</code>]
|
||||
| [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>]
|
||||
| [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]
|
||||
]
|
||||
[<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>]
|
||||
[<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>]
|
||||
[<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>]
|
||||
[<code class="option">-v</code>]
|
||||
[<code class="option">-T</code>]
|
||||
[<code class="option">-P</code>]
|
||||
[<code class="option">-V</code>]
|
||||
[
|
||||
[<code class="option">-4</code>]
|
||||
| [<code class="option">-6</code>]
|
||||
]
|
||||
[filename]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.31.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>nsupdate</strong></span>
|
||||
|
||||
<p><span class="command"><strong>nsupdate</strong></span>
|
||||
is used to submit Dynamic DNS Update requests as defined in RFC 2136
|
||||
to a name server.
|
||||
This allows resource records to be added or removed from a zone
|
||||
@@ -51,27 +88,27 @@
|
||||
one
|
||||
resource record.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Zones that are under dynamic control via
|
||||
<span class="command"><strong>nsupdate</strong></span>
|
||||
or a DHCP server should not be edited by hand.
|
||||
Manual edits could
|
||||
conflict with dynamic updates and cause data to be lost.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The resource records that are dynamically added or removed with
|
||||
<span class="command"><strong>nsupdate</strong></span>
|
||||
have to be in the same zone.
|
||||
Requests are sent to the zone's master server.
|
||||
This is identified by the MNAME field of the zone's SOA record.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Transaction signatures can be used to authenticate the Dynamic
|
||||
DNS updates. These use the TSIG resource record type described
|
||||
in RFC 2845 or the SIG(0) record described in RFC 2535 and
|
||||
RFC 2931 or GSS-TSIG as described in RFC 3645.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
TSIG relies on
|
||||
a shared secret that should only be known to
|
||||
<span class="command"><strong>nsupdate</strong></span> and the name server.
|
||||
@@ -86,45 +123,59 @@
|
||||
uses the <code class="option">-y</code> or <code class="option">-k</code> options
|
||||
to provide the TSIG shared secret. These options are mutually exclusive.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
SIG(0) uses public key cryptography.
|
||||
To use a SIG(0) key, the public key must be stored in a KEY
|
||||
record in a zone served by the name server.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
|
||||
is switched on with the <code class="option">-g</code> flag. A
|
||||
non-standards-compliant variant of GSS-TSIG used by Windows
|
||||
2000 can be switched on with the <code class="option">-o</code> flag.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.31.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-4</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use IPv4 only.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-6</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use IPv6 only.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-d</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Debug mode. This provides tracing information about the
|
||||
update requests that are made and the replies received
|
||||
from the name server.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-D</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Extra debug mode.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Force interactive mode, even when standard input is not a terminal.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The file containing the TSIG authentication key.
|
||||
Keyfiles may be in two formats: a single file containing
|
||||
a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
|
||||
@@ -136,9 +187,11 @@
|
||||
The <code class="option">-k</code> may also be used to specify a SIG(0) key used
|
||||
to authenticate Dynamic DNS update requests. In this case, the key
|
||||
specified is not an HMAC-MD5 key.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Local-host only mode. This sets the server address to
|
||||
localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
|
||||
address cannot be overridden). Connections to the local server will
|
||||
@@ -147,72 +200,89 @@
|
||||
local master zone has set <span class="command"><strong>update-policy</strong></span> to
|
||||
<span class="command"><strong>local</strong></span>. The location of this key file can be
|
||||
overridden with the <code class="option">-k</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the logging debug level. If zero, logging is disabled.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the port to use for connections to a name server. The
|
||||
default is 53.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-P</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the list of private BIND-specific resource record
|
||||
types whose format is understood
|
||||
by <span class="command"><strong>nsupdate</strong></span>. See also
|
||||
the <code class="option">-T</code> option.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The number of UDP retries. The default is 3. If zero, only
|
||||
one update request will be made.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The maximum time an update request can take before it is
|
||||
aborted. The default is 300 seconds. Zero can be used to
|
||||
disable the timeout.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-T</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Print the list of IANA standard resource record types
|
||||
whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
|
||||
<span class="command"><strong>nsupdate</strong></span> will exit after the lists are
|
||||
printed. The <code class="option">-T</code> option can be combined
|
||||
with the <code class="option">-P</code> option.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
|
||||
decimal value of the type with no leading zeros. The rdata,
|
||||
if present, will be parsed using the UNKNOWN rdata format,
|
||||
(<backslash> <hash> <space> <length>
|
||||
<space> <hexstring>).
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The UDP retry interval. The default is 3 seconds. If zero,
|
||||
the interval will be computed from the timeout interval and
|
||||
number of UDP retries.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use TCP even for small update requests.
|
||||
By default, <span class="command"><strong>nsupdate</strong></span>
|
||||
uses UDP to send update requests to the name server unless they are too
|
||||
large to fit in a UDP request in which case TCP will be used.
|
||||
TCP may be preferable when a batch of update requests is made.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-V</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print the version number and exit.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Literal TSIG authentication key.
|
||||
<em class="parameter"><code>keyname</code></em> is the name of the key, and
|
||||
<em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
|
||||
@@ -224,19 +294,23 @@
|
||||
is not specified, the default is <code class="literal">hmac-md5</code>
|
||||
or if MD5 was disabled <code class="literal">hmac-sha256</code>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
NOTE: Use of the <code class="option">-y</code> option is discouraged because the
|
||||
shared secret is supplied as a command line argument in clear text.
|
||||
This may be visible in the output from
|
||||
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">ps</span>(1)
|
||||
</span>
|
||||
or in a history file maintained by the user's shell.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.31.9"></a><h2>INPUT FORMAT</h2>
|
||||
<p><span class="command"><strong>nsupdate</strong></span>
|
||||
|
||||
<p><span class="command"><strong>nsupdate</strong></span>
|
||||
reads input from
|
||||
<em class="parameter"><code>filename</code></em>
|
||||
or standard input.
|
||||
@@ -250,7 +324,7 @@
|
||||
Updates will be rejected if the tests for the prerequisite conditions
|
||||
fail.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Every update request consists of zero or more prerequisites
|
||||
and zero or more updates.
|
||||
This allows a suitably authenticated update request to proceed if some
|
||||
@@ -260,7 +334,7 @@
|
||||
accumulated commands to be sent as one Dynamic DNS update request to the
|
||||
name server.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The command formats and their meaning are as follows:
|
||||
</p>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
@@ -269,7 +343,8 @@
|
||||
{servername}
|
||||
[port]
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sends all dynamic update requests to the name server
|
||||
<em class="parameter"><code>servername</code></em>.
|
||||
When no server statement is provided,
|
||||
@@ -285,13 +360,15 @@
|
||||
If no port number is specified, the default DNS port number of
|
||||
53 is
|
||||
used.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>local</strong></span>
|
||||
{address}
|
||||
[port]
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sends all dynamic update requests using the local
|
||||
<em class="parameter"><code>address</code></em>.
|
||||
|
||||
@@ -303,12 +380,14 @@
|
||||
can additionally be used to make requests come from a specific
|
||||
port.
|
||||
If no port number is specified, the system will assign one.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>zone</strong></span>
|
||||
{zonename}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies that all updates are to be made to the zone
|
||||
<em class="parameter"><code>zonename</code></em>.
|
||||
If no
|
||||
@@ -317,32 +396,38 @@
|
||||
<span class="command"><strong>nsupdate</strong></span>
|
||||
will attempt determine the correct zone to update based on the
|
||||
rest of the input.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>class</strong></span>
|
||||
{classname}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the default class.
|
||||
If no <em class="parameter"><code>class</code></em> is specified, the
|
||||
default class is
|
||||
<em class="parameter"><code>IN</code></em>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>ttl</strong></span>
|
||||
{seconds}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the default time to live for records to be added.
|
||||
The value <em class="parameter"><code>none</code></em> will clear the default
|
||||
ttl.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>key</strong></span>
|
||||
[hmac:] {keyname}
|
||||
{secret}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies that all updates are to be TSIG-signed using the
|
||||
<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
|
||||
If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
|
||||
@@ -351,66 +436,80 @@
|
||||
<code class="literal">hmac-sha256</code>. The <span class="command"><strong>key</strong></span>
|
||||
command overrides any key specified on the command line via
|
||||
<code class="option">-y</code> or <code class="option">-k</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>gsstsig</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use GSS-TSIG to sign the updated. This is equivalent to
|
||||
specifying <code class="option">-g</code> on the command line.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>oldgsstsig</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Use the Windows 2000 version of GSS-TSIG to sign the updated.
|
||||
This is equivalent to specifying <code class="option">-o</code> on the
|
||||
command line.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>realm</strong></span>
|
||||
{[<span class="optional">realm_name</span>]}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
|
||||
than the default realm in <code class="filename">krb5.conf</code>. If no
|
||||
realm is specified the saved realm is cleared.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>check-names</strong></span>
|
||||
{[<span class="optional">yes_or_no</span>]}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Turn on or off check-names processing on records to
|
||||
be added. Check-names has no effect on prerequisites
|
||||
or records to be deleted. By default check-names
|
||||
processing is on. If check-names processing fails
|
||||
the record will not be added to the UPDATE message.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span>
|
||||
{domain-name}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Requires that no resource record of any type exists with name
|
||||
<em class="parameter"><code>domain-name</code></em>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span>
|
||||
{domain-name}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Requires that
|
||||
<em class="parameter"><code>domain-name</code></em>
|
||||
exists (has as at least one resource record, of any type).
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span>
|
||||
{domain-name}
|
||||
[class]
|
||||
{type}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Requires that no resource record exists of the specified
|
||||
<em class="parameter"><code>type</code></em>,
|
||||
<em class="parameter"><code>class</code></em>
|
||||
@@ -419,14 +518,16 @@
|
||||
If
|
||||
<em class="parameter"><code>class</code></em>
|
||||
is omitted, IN (internet) is assumed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
|
||||
{domain-name}
|
||||
[class]
|
||||
{type}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
This requires that a resource record of the specified
|
||||
<em class="parameter"><code>type</code></em>,
|
||||
<em class="parameter"><code>class</code></em>
|
||||
@@ -436,7 +537,8 @@
|
||||
If
|
||||
<em class="parameter"><code>class</code></em>
|
||||
is omitted, IN (internet) is assumed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
|
||||
{domain-name}
|
||||
@@ -444,7 +546,8 @@
|
||||
{type}
|
||||
{data...}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
The
|
||||
<em class="parameter"><code>data</code></em>
|
||||
from each set of prerequisites of this form
|
||||
@@ -465,7 +568,8 @@
|
||||
are written in the standard text representation of the resource
|
||||
record's
|
||||
RDATA.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
|
||||
{domain-name}
|
||||
@@ -473,7 +577,8 @@
|
||||
[class]
|
||||
[type [data...]]
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Deletes any resource records named
|
||||
<em class="parameter"><code>domain-name</code></em>.
|
||||
If
|
||||
@@ -486,7 +591,8 @@
|
||||
is not supplied. The
|
||||
<em class="parameter"><code>ttl</code></em>
|
||||
is ignored, and is only allowed for compatibility.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>[<span class="optional">update</span>] add</strong></span>
|
||||
{domain-name}
|
||||
@@ -495,62 +601,80 @@
|
||||
{type}
|
||||
{data...}
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Adds a new resource record with the specified
|
||||
<em class="parameter"><code>ttl</code></em>,
|
||||
<em class="parameter"><code>class</code></em>
|
||||
and
|
||||
<em class="parameter"><code>data</code></em>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>show</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Displays the current message, containing all of the
|
||||
prerequisites and
|
||||
updates specified since the last send.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>send</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Sends the current message. This is equivalent to entering a
|
||||
blank line.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>answer</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Displays the answer.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>debug</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Turn on debugging.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>version</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print version number.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">
|
||||
<span class="command"><strong>help</strong></span>
|
||||
</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Print a list of commands.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
<p>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
Lines beginning with a semicolon are comments and are ignored.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.31.10"></a><h2>EXAMPLES</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The examples below show how
|
||||
<span class="command"><strong>nsupdate</strong></span>
|
||||
could be used to insert and delete resource records from the
|
||||
@@ -571,7 +695,7 @@
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Any A records for
|
||||
<span class="type">oldhost.example.com</span>
|
||||
are deleted.
|
||||
@@ -588,7 +712,7 @@
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The prerequisite condition gets the name server to check that there
|
||||
are no resource records of any type for
|
||||
<span class="type">nickname.example.com</span>.
|
||||
@@ -601,33 +725,50 @@
|
||||
(The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
|
||||
RRSIG, DNSKEY and NSEC records.)
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.31.11"></a><h2>FILES</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
used to identify default name server
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
sets the default TSIG key for use in local-only mode
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
base-64 encoding of HMAC-MD5 key created by
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
|
||||
</p></dd>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
base-64 encoding of HMAC-MD5 key created by
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
|
||||
</p></dd>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>.
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.31.12"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
<em class="citetitle">RFC 2136</em>,
|
||||
<em class="citetitle">RFC 3007</em>,
|
||||
<em class="citetitle">RFC 2104</em>,
|
||||
@@ -635,20 +776,29 @@
|
||||
<em class="citetitle">RFC 1034</em>,
|
||||
<em class="citetitle">RFC 2535</em>,
|
||||
<em class="citetitle">RFC 2931</em>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">ddns-confgen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keygen</span>(8)
|
||||
</span>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.31.13"></a><h2>BUGS</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The TSIG key is redundantly stored in two separate files.
|
||||
This is a consequence of nsupdate using the DST library
|
||||
for its cryptographic operations, and may change in future
|
||||
releases.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -668,6 +818,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>pkcs11-destroy</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.nsupdate.html" title="nsupdate">
|
||||
@@ -32,70 +32,116 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.pkcs11-destroy"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">pkcs11-destroy</span> — destroy PKCS#11 objects</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em> | -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.32.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">pkcs11-destroy</span>
|
||||
— destroy PKCS#11 objects
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">pkcs11-destroy</code>
|
||||
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
|
||||
{
|
||||
-i <em class="replaceable"><code>ID</code></em>
|
||||
| -l <em class="replaceable"><code>label</code></em>
|
||||
}
|
||||
[<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
|
||||
[<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.32.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>pkcs11-destroy</strong></span> destroys keys stored in a
|
||||
PKCS#11 device, identified by their <code class="option">ID</code> or
|
||||
<code class="option">label</code>.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Matching keys are displayed before being destroyed. By default,
|
||||
there is a five second delay to allow the user to interrupt the
|
||||
process before the destruction takes place.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.32.8"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the PKCS#11 provider module. This must be the full
|
||||
path to a shared library object implementing the PKCS#11 API
|
||||
for the device.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Open the session with the given PKCS#11 slot. The default is
|
||||
slot 0.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Destroy keys with the given object ID.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Destroy keys with the given label.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the PIN for the device. If no PIN is provided on the
|
||||
command line, <span class="command"><strong>pkcs11-destroy</strong></span> will prompt for it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify how long to pause before carrying out key destruction.
|
||||
The default is five seconds. If set to <code class="literal">0</code>,
|
||||
destruction will be immediate.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.32.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-list</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-tokens</span>(8)
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -116,6 +162,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>pkcs11-keygen</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
|
||||
@@ -32,95 +32,154 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">pkcs11-keygen</span> — generate keys on a PKCS#11 device</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-e</code>] [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-q</code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] {label}</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.33.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">pkcs11-keygen</span>
|
||||
— generate keys on a PKCS#11 device
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">pkcs11-keygen</code>
|
||||
{-a <em class="replaceable"><code>algorithm</code></em>}
|
||||
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
|
||||
[<code class="option">-e</code>]
|
||||
[<code class="option">-i <em class="replaceable"><code>id</code></em></code>]
|
||||
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
|
||||
[<code class="option">-P</code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
|
||||
[<code class="option">-q</code>]
|
||||
[<code class="option">-S</code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
|
||||
{label}
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.33.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
|
||||
a new key pair with the given <code class="option">label</code> (which must be
|
||||
unique) and with <code class="option">keysize</code> bits of prime.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.33.8"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the key algorithm class: Supported classes are RSA,
|
||||
DSA, DH, ECC and ECX. In addition to these strings, the
|
||||
<code class="option">algorithm</code> can be specified as a DNSSEC
|
||||
signing algorithm that will be used with this key; for
|
||||
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
|
||||
to ECC, and ED25519 to ECX. The default class is "RSA".
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Create the key pair with <code class="option">keysize</code> bits of
|
||||
prime. For ECC keys, the only valid values are 256 and 384,
|
||||
and the default is 256. For ECX kyes, the only valid values
|
||||
are 256 and 456, and the default is 256.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-e</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
For RSA keys only, use a large exponent.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Create key objects with id. The id is either
|
||||
an unsigned short 2 byte or an unsigned long 4 byte number.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the PKCS#11 provider module. This must be the full
|
||||
path to a shared library object implementing the PKCS#11 API
|
||||
for the device.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-P</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Set the new private key to be non-sensitive and extractable.
|
||||
The allows the private key data to be read from the PKCS#11
|
||||
device. The default is for private keys to be sensitive and
|
||||
non-extractable.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the PIN for the device. If no PIN is provided on
|
||||
the command line, <span class="command"><strong>pkcs11-keygen</strong></span> will
|
||||
prompt for it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Quiet mode: suppress unnecessary output.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-S</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
For Diffie-Hellman (DH) keys only, use a special prime of
|
||||
768, 1024 or 1536 bit size and base (aka generator) 2.
|
||||
If not specified, bit size will default to 1024.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Open the session with the given PKCS#11 slot. The default is
|
||||
slot 0.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.33.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-keyfromlabel</span>(8)</span>
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-destroy</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-list</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-tokens</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">dnssec-keyfromlabel</span>(8)
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -141,6 +200,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>pkcs11-list</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
|
||||
@@ -32,17 +32,38 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.pkcs11-list"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">pkcs11-list</span> — list PKCS#11 objects</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">pkcs11-list</code> [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [-i <em class="replaceable"><code>ID</code></em>] [-l <em class="replaceable"><code>label</code></em>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.34.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">pkcs11-list</span>
|
||||
— list PKCS#11 objects
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">pkcs11-list</code>
|
||||
[<code class="option">-P</code>]
|
||||
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
|
||||
[-i <em class="replaceable"><code>ID</code></em>]
|
||||
[-l <em class="replaceable"><code>label</code></em>]
|
||||
[<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.34.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>pkcs11-list</strong></span>
|
||||
lists the PKCS#11 objects with <code class="option">ID</code> or
|
||||
<code class="option">label</code> or by default all objects.
|
||||
@@ -51,49 +72,72 @@
|
||||
attribute is also displayed, as either <code class="literal">true</code>,
|
||||
<code class="literal">false</code>, or <code class="literal">never</code>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.34.8"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-P</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
List only the public objects. (Note that on some PKCS#11
|
||||
devices, all objects are private.)
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the PKCS#11 provider module. This must be the full
|
||||
path to a shared library object implementing the PKCS#11 API
|
||||
for the device.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Open the session with the given PKCS#11 slot. The default is
|
||||
slot 0.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
List only key objects with the given object ID.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
List only key objects with the given label.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the PIN for the device. If no PIN is provided on the
|
||||
command line, <span class="command"><strong>pkcs11-list</strong></span> will prompt for it.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.34.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-destroy</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-tokens</span>(8)
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -114,6 +158,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>pkcs11-tokens</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.pkcs11-list.html" title="pkcs11-list">
|
||||
@@ -32,45 +32,77 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.pkcs11-tokens"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">pkcs11-tokens</span> — list PKCS#11 available tokens</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-v</code>]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.35.7"></a><h2>DESCRIPTION</h2>
|
||||
<p>
|
||||
<span class="application">pkcs11-tokens</span>
|
||||
— list PKCS#11 available tokens
|
||||
</p>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">pkcs11-tokens</code>
|
||||
[<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
|
||||
[<code class="option">-v</code>]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.35.7"></a><h2>DESCRIPTION</h2>
|
||||
|
||||
<p>
|
||||
<span class="command"><strong>pkcs11-tokens</strong></span>
|
||||
lists the PKCS#11 available tokens with defaults from the slot/token
|
||||
scan performed at application initialization.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.35.8"></a><h2>ARGUMENTS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specify the PKCS#11 provider module. This must be the full
|
||||
path to a shared library object implementing the PKCS#11 API
|
||||
for the device.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-v</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Make the PKCS#11 libisc initialization verbose.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.35.9"></a><h2>SEE ALSO</h2>
|
||||
<p>
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>
|
||||
|
||||
<p>
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-destroy</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-keygen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">pkcs11-list</span>(8)
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -91,6 +123,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>rndc-confgen</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
|
||||
@@ -32,17 +32,42 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">rndc-confgen</span> — rndc key generation tool</p>
|
||||
<p>
|
||||
<span class="application">rndc-confgen</span>
|
||||
— rndc key generation tool
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">rndc-confgen</code>
|
||||
[<code class="option">-a</code>]
|
||||
[<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
|
||||
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
|
||||
[<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
|
||||
[<code class="option">-h</code>]
|
||||
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
|
||||
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
|
||||
[<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
|
||||
[<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
|
||||
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.36.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><span class="command"><strong>rndc-confgen</strong></span>
|
||||
|
||||
<p><span class="command"><strong>rndc-confgen</strong></span>
|
||||
generates configuration files
|
||||
for <span class="command"><strong>rndc</strong></span>. It can be used as a
|
||||
convenient alternative to writing the
|
||||
@@ -55,13 +80,17 @@
|
||||
avoid the need for a <code class="filename">rndc.conf</code> file
|
||||
and a <span class="command"><strong>controls</strong></span> statement altogether.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.36.8"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
|
||||
|
||||
<div class="variablelist"><dl class="variablelist">
|
||||
<dt><span class="term">-a</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<p>
|
||||
Do automatic <span class="command"><strong>rndc</strong></span> configuration.
|
||||
This creates a file <code class="filename">rndc.key</code>
|
||||
in <code class="filename">/etc</code> (or whatever
|
||||
@@ -76,7 +105,7 @@
|
||||
<span class="command"><strong>named</strong></span> on the local host
|
||||
with no further configuration.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
|
||||
BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
|
||||
drop-in
|
||||
@@ -84,7 +113,7 @@
|
||||
with no changes to the existing BIND 8
|
||||
<code class="filename">named.conf</code> file.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If a more elaborate configuration than that
|
||||
generated by <span class="command"><strong>rndc-confgen -a</strong></span>
|
||||
is required, for example if rndc is to be used remotely,
|
||||
@@ -95,58 +124,75 @@
|
||||
<code class="filename">named.conf</code>
|
||||
as directed.
|
||||
</p>
|
||||
</dd>
|
||||
</dd>
|
||||
<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the algorithm to use for the TSIG key. Available
|
||||
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
|
||||
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the size of the authentication key in bits.
|
||||
Must be between 1 and 512 bits; the default is the
|
||||
hash size.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Used with the <span class="command"><strong>-a</strong></span> option to specify
|
||||
an alternate location for <code class="filename">rndc.key</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Prints a short summary of the options and arguments to
|
||||
<span class="command"><strong>rndc-confgen</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the key name of the rndc authentication key.
|
||||
This must be a valid domain name.
|
||||
The default is <code class="constant">rndc-key</code>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the command channel port where <span class="command"><strong>named</strong></span>
|
||||
listens for connections from <span class="command"><strong>rndc</strong></span>.
|
||||
The default is 953.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the IP address where <span class="command"><strong>named</strong></span>
|
||||
listens for command channel connections from
|
||||
<span class="command"><strong>rndc</strong></span>. The default is the loopback
|
||||
address 127.0.0.1.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Used with the <span class="command"><strong>-a</strong></span> option to specify
|
||||
a directory where <span class="command"><strong>named</strong></span> will run
|
||||
chrooted. An additional copy of the <code class="filename">rndc.key</code>
|
||||
will be written relative to this directory so that
|
||||
it will be found by the chrooted <span class="command"><strong>named</strong></span>.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
|
||||
<dd><p>
|
||||
<dd>
|
||||
<p>
|
||||
Used with the <span class="command"><strong>-a</strong></span> option to set the
|
||||
owner
|
||||
of the <code class="filename">rndc.key</code> file generated.
|
||||
@@ -154,34 +200,46 @@
|
||||
<span class="command"><strong>-t</strong></span> is also specified only the file
|
||||
in
|
||||
the chroot area has its owner changed.
|
||||
</p></dd>
|
||||
</p>
|
||||
</dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.36.9"></a><h2>EXAMPLES</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
To allow <span class="command"><strong>rndc</strong></span> to be used with
|
||||
no manual configuration, run
|
||||
</p>
|
||||
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
|
||||
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To print a sample <code class="filename">rndc.conf</code> file and
|
||||
corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
|
||||
statements to be manually inserted into <code class="filename">named.conf</code>,
|
||||
run
|
||||
</p>
|
||||
<p><strong class="userinput"><code>rndc-confgen</code></strong>
|
||||
<p><strong class="userinput"><code>rndc-confgen</code></strong>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.36.10"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">rndc</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">rndc.conf</span>(5)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">named</span>(8)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -202,6 +260,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>rndc.conf</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
||||
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||||
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
|
||||
<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
|
||||
@@ -32,17 +32,32 @@
|
||||
</div>
|
||||
<div class="refentry">
|
||||
<a name="man.rndc.conf"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><code class="filename">rndc.conf</code> — rndc configuration file</p>
|
||||
<p>
|
||||
<code class="filename">rndc.conf</code>
|
||||
— rndc configuration file
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
|
||||
|
||||
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
<div class="cmdsynopsis"><p>
|
||||
<code class="command">rndc.conf</code>
|
||||
</p></div>
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.37.7"></a><h2>DESCRIPTION</h2>
|
||||
<p><code class="filename">rndc.conf</code> is the configuration file
|
||||
|
||||
<p><code class="filename">rndc.conf</code> is the configuration file
|
||||
for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
|
||||
utility. This file has a similar structure and syntax to
|
||||
<code class="filename">named.conf</code>. Statements are enclosed
|
||||
@@ -50,21 +65,21 @@
|
||||
the statements are also semi-colon terminated. The usual
|
||||
comment styles are supported:
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
C style: /* */
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
C++ style: // to end of line
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
Unix style: # to end of line
|
||||
</p>
|
||||
<p><code class="filename">rndc.conf</code> is much simpler than
|
||||
<p><code class="filename">rndc.conf</code> is much simpler than
|
||||
<code class="filename">named.conf</code>. The file uses three
|
||||
statements: an options statement, a server statement
|
||||
and a key statement.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">options</code> statement contains five clauses.
|
||||
The <code class="option">default-server</code> clause is followed by the
|
||||
name or address of a name server. This host will be used when
|
||||
@@ -87,7 +102,7 @@
|
||||
can be used to set the IPv4 and IPv6 source addresses
|
||||
respectively.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
After the <code class="option">server</code> keyword, the server
|
||||
statement includes a string which is the hostname or address
|
||||
for a name server. The statement has three possible clauses:
|
||||
@@ -101,7 +116,7 @@
|
||||
of supplied then these will be used to specify the IPv4 and IPv6
|
||||
source addresses respectively.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
The <code class="option">key</code> statement begins with an identifying
|
||||
string, the name of the key. The statement has two clauses.
|
||||
<code class="option">algorithm</code> identifies the authentication algorithm
|
||||
@@ -112,7 +127,7 @@
|
||||
the base-64 encoding of the algorithm's authentication key. The
|
||||
base-64 string is enclosed in double quotes.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
There are two common ways to generate the base-64 string for the
|
||||
secret. The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
|
||||
can
|
||||
@@ -125,10 +140,13 @@
|
||||
ship with BIND 9 but is available on many systems. See the
|
||||
EXAMPLE section for sample command lines for each.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.37.8"></a><h2>EXAMPLE</h2>
|
||||
<pre class="programlisting">
|
||||
|
||||
|
||||
<pre class="programlisting">
|
||||
options {
|
||||
default-server localhost;
|
||||
default-key samplekey;
|
||||
@@ -136,14 +154,14 @@
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
<pre class="programlisting">
|
||||
<pre class="programlisting">
|
||||
server localhost {
|
||||
key samplekey;
|
||||
};
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
<pre class="programlisting">
|
||||
<pre class="programlisting">
|
||||
server testserver {
|
||||
key testkey;
|
||||
addresses { localhost port 5353; };
|
||||
@@ -151,7 +169,7 @@
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
<pre class="programlisting">
|
||||
<pre class="programlisting">
|
||||
key samplekey {
|
||||
algorithm hmac-sha256;
|
||||
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
|
||||
@@ -159,7 +177,7 @@
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
<pre class="programlisting">
|
||||
<pre class="programlisting">
|
||||
key testkey {
|
||||
algorithm hmac-sha256;
|
||||
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
|
||||
@@ -167,7 +185,8 @@
|
||||
</pre>
|
||||
<p>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
In the above example, <span class="command"><strong>rndc</strong></span> will by
|
||||
default use
|
||||
the server at localhost (127.0.0.1) and the key called samplekey.
|
||||
@@ -177,16 +196,16 @@
|
||||
uses the HMAC-SHA256 algorithm and its secret clause contains the
|
||||
base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
|
||||
connect to server on localhost port 5353 using the key testkey.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
|
||||
</p>
|
||||
<p><strong class="userinput"><code>rndc-confgen</code></strong>
|
||||
<p><strong class="userinput"><code>rndc-confgen</code></strong>
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
A complete <code class="filename">rndc.conf</code> file, including
|
||||
the
|
||||
randomly generated key, will be written to the standard
|
||||
@@ -194,30 +213,41 @@
|
||||
<code class="option">controls</code> statements for
|
||||
<code class="filename">named.conf</code> are also printed.
|
||||
</p>
|
||||
<p>
|
||||
<p>
|
||||
To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
|
||||
</p>
|
||||
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
|
||||
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.37.9"></a><h2>NAME SERVER CONFIGURATION</h2>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
The name server must be configured to accept rndc connections and
|
||||
to recognize the key specified in the <code class="filename">rndc.conf</code>
|
||||
file, using the controls statement in <code class="filename">named.conf</code>.
|
||||
See the sections on the <code class="option">controls</code> statement in the
|
||||
BIND 9 Administrator Reference Manual for details.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsection">
|
||||
</div>
|
||||
|
||||
<div class="refsection">
|
||||
<a name="id-1.13.37.10"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
|
||||
|
||||
<p><span class="citerefentry">
|
||||
<span class="refentrytitle">rndc</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">rndc-confgen</span>(8)
|
||||
</span>,
|
||||
<span class="citerefentry">
|
||||
<span class="refentrytitle">mmencode</span>(1)
|
||||
</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="navfooter">
|
||||
<hr>
|
||||
@@ -238,6 +268,6 @@
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.0 (Development Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.17.1 (Development Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="id-1.2"></a>Release Notes for BIND Version 9.17.0</h2></div></div></div>
|
||||
<a name="id-1.2"></a>Release Notes for BIND Version 9.17.1</h2></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
@@ -72,6 +72,100 @@
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.17.1"></a>Notes for BIND 9.17.1</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-security"></a>Security Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
DNS rebinding protection was ineffective when BIND 9 is configured as
|
||||
a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
Klein. [GL #1574]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-known"></a>Known Issues</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
We have received reports that in some circumstances, receipt of an
|
||||
IXFR can cause the processing of queries to slow significantly. Some
|
||||
of these were related to RPZ processing, which has been fixed in this
|
||||
release (see below). Others appear to occur where there are
|
||||
NSEC3-related changes (such as an operator changing the NSEC3 salt
|
||||
used in the hash calculation). These are being investigated.
|
||||
[GL #1685]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-new"></a>New Features</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
A new option, <span class="command"><strong>nsdname-wait-recurse</strong></span>, has been added
|
||||
to the <span class="command"><strong>response-policy</strong></span> clause in the configuration
|
||||
file. When set to <span class="command"><strong>no</strong></span>, RPZ NSDNAME rules are only
|
||||
applied if the authoritative nameservers for the query name have been
|
||||
looked up and are present in the cache. If this information is not
|
||||
present, the RPZ NSDNAME rules are ignored, but the information is
|
||||
looked up in the background and applied to subsequent queries. The
|
||||
default is <span class="command"><strong>yes</strong></span>, meaning that RPZ NSDNAME rules
|
||||
should always be applied, even if the information needs to be looked
|
||||
up first. [GL #1138]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-changes"></a>Feature Changes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
The previous DNSSEC sign statistics used lots of memory. The number of
|
||||
keys to track is reduced to four per zone, which should be enough for
|
||||
99% of all signed zones. [GL #1179]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.1-bugs"></a>Bug Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
When an RPZ policy zone was updated via zone transfer and a large
|
||||
number of records was deleted, <span class="command"><strong>named</strong></span> could become
|
||||
nonresponsive for a short period while deleted names were removed from
|
||||
the RPZ summary database. This database cleanup is now done
|
||||
incrementally over a longer period of time, reducing such delays.
|
||||
[GL #1447]
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
When trying to migrate an already-signed zone from
|
||||
<span class="command"><strong>auto-dnssec maintain</strong></span> to one based on
|
||||
<span class="command"><strong>dnssec-policy</strong></span>, the existing keys were immediately
|
||||
deleted and replaced with new ones. As the key rollover timing
|
||||
constraints were not being followed, it was possible that some clients
|
||||
would not have been able to validate responses until all old DNSSEC
|
||||
information had timed out from caches. BIND now looks at the time
|
||||
metadata of the existing keys and incorporates it into its DNSSEC
|
||||
policy operation. [GL #1706]
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
@@ -96,7 +190,8 @@
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
When a secondary server receives a large incremental zone
|
||||
transfer (IXFR), it can have a negative impact on query
|
||||
@@ -112,7 +207,21 @@
|
||||
to the size of a full zone transfer. The default is
|
||||
<code class="literal">100%</code>. [GL #1515]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
A new RPZ option <span class="command"><strong>nsdname-wait-recurse</strong></span>
|
||||
controls whether RPZ-NSDNAME rules should always be applied
|
||||
even if the names of authoritative name servers for the query
|
||||
name need to be looked up recurively first. The default is
|
||||
<strong class="userinput"><code>yes</code></strong>. Setting it to
|
||||
<strong class="userinput"><code>no</code></strong> speeds up initial responses by skipping
|
||||
RPZ-NSDNAME rules when name server domain names are not yet
|
||||
in the cache. The names will be looked up in the background and
|
||||
the rule will be applied for subsequent queries. [GL #1138]
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
Release Notes for BIND Version 9.17.0
|
||||
Release Notes for BIND Version 9.17.1
|
||||
|
||||
Introduction
|
||||
|
||||
@@ -36,6 +36,59 @@ www.isc.org/download/. There you will find additional information about
|
||||
each release, source code, and pre-compiled versions for Microsoft Windows
|
||||
operating systems.
|
||||
|
||||
Notes for BIND 9.17.1
|
||||
|
||||
Security Fixes
|
||||
|
||||
* DNS rebinding protection was ineffective when BIND 9 is configured as
|
||||
a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
Klein. [GL #1574]
|
||||
|
||||
Known Issues
|
||||
|
||||
* We have received reports that in some circumstances, receipt of an
|
||||
IXFR can cause the processing of queries to slow significantly. Some
|
||||
of these were related to RPZ processing, which has been fixed in this
|
||||
release (see below). Others appear to occur where there are
|
||||
NSEC3-related changes (such as an operator changing the NSEC3 salt
|
||||
used in the hash calculation). These are being investigated. [GL
|
||||
#1685]
|
||||
|
||||
New Features
|
||||
|
||||
* A new option, nsdname-wait-recurse, has been added to the
|
||||
response-policy clause in the configuration file. When set to no, RPZ
|
||||
NSDNAME rules are only applied if the authoritative nameservers for
|
||||
the query name have been looked up and are present in the cache. If
|
||||
this information is not present, the RPZ NSDNAME rules are ignored,
|
||||
but the information is looked up in the background and applied to
|
||||
subsequent queries. The default is yes, meaning that RPZ NSDNAME rules
|
||||
should always be applied, even if the information needs to be looked
|
||||
up first. [GL #1138]
|
||||
|
||||
Feature Changes
|
||||
|
||||
* The previous DNSSEC sign statistics used lots of memory. The number of
|
||||
keys to track is reduced to four per zone, which should be enough for
|
||||
99% of all signed zones. [GL #1179]
|
||||
|
||||
Bug Fixes
|
||||
|
||||
* When an RPZ policy zone was updated via zone transfer and a large
|
||||
number of records was deleted, named could become nonresponsive for a
|
||||
short period while deleted names were removed from the RPZ summary
|
||||
database. This database cleanup is now done incrementally over a
|
||||
longer period of time, reducing such delays. [GL #1447]
|
||||
|
||||
* When trying to migrate an already-signed zone from auto-dnssec
|
||||
maintain to one based on dnssec-policy, the existing keys were
|
||||
immediately deleted and replaced with new ones. As the key rollover
|
||||
timing constraints were not being followed, it was possible that some
|
||||
clients would not have been able to validate responses until all old
|
||||
DNSSEC information had timed out from caches. BIND now looks at the
|
||||
time metadata of the existing keys and incorporates it into its DNSSEC
|
||||
policy operation. [GL #1706]
|
||||
|
||||
Notes for BIND 9.17.0
|
||||
|
||||
Known Issues
|
||||
@@ -62,6 +115,14 @@ New Features
|
||||
percentage value representing the ratio of IXFR size to the size of a
|
||||
full zone transfer. The default is 100%. [GL #1515]
|
||||
|
||||
* A new RPZ option nsdname-wait-recurse controls whether RPZ-NSDNAME
|
||||
rules should always be applied even if the names of authoritative name
|
||||
servers for the query name need to be looked up recurively first. The
|
||||
default is yes. Setting it to no speeds up initial responses by
|
||||
skipping RPZ-NSDNAME rules when name server domain names are not yet
|
||||
in the cache. The names will be looked up in the background and the
|
||||
rule will be applied for subsequent queries. [GL #1138]
|
||||
|
||||
Feature Changes
|
||||
|
||||
* The system-provided POSIX Threads read-write lock implementation is
|
||||
|
||||
@@ -339,10 +339,11 @@ options {
|
||||
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
|
||||
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
|
||||
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
|
||||
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
|
||||
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
|
||||
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
|
||||
dnsrps-options { <unspecified-text> } ];
|
||||
nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean>
|
||||
] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ]
|
||||
[ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
|
||||
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
|
||||
} ];
|
||||
rfc2308-type1 <boolean>; // ancient
|
||||
root-delegation-only [ exclude { <string>; ... } ];
|
||||
root-key-sentinel <boolean>;
|
||||
@@ -689,10 +690,11 @@ view <string> [ <class> ] {
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
dnsrps-options { <unspecified-text> } ];
nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean>
] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ]
[ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
rfc2308-type1 <boolean>; // ancient
root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
@@ -306,10 +306,11 @@ options {
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
dnsrps-options { <unspecified-text> } ];
nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean>
] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ]
[ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
@@ -621,10 +622,11 @@ view <string> [ <class> ] {
nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
min-update-interval <duration> ] [ min-ns-dots <integer> ] [
nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
[ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
dnsrps-options { <unspecified-text> } ];
nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean>
] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ]
[ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
} ];
root-delegation-only [ exclude { <string>; ... } ];
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name
@@ -11,6 +11,6 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
# 9.17/9.18: 1700-1899
LIBINTERFACE = 1700
LIBINTERFACE = 1701
LIBREVISION = 0
LIBAGE = 0
@@ -11,6 +11,6 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
# 9.17/9.18: 1700-1899
LIBINTERFACE = 1700
LIBINTERFACE = 1701
LIBREVISION = 0
LIBAGE = 0
@@ -12,5 +12,5 @@
# 9.15/9.16: 1500-1699
# 9.17/9.18: 1700-1899
LIBINTERFACE = 1700
LIBREVISION = 0
LIBREVISION = 1
LIBAGE = 0
@@ -12,5 +12,5 @@
# 9.15/9.16: 1500-1699
# 9.17/9.18: 1700-1899
LIBINTERFACE = 1700
LIBREVISION = 0
LIBREVISION = 1
LIBAGE = 0
@@ -11,6 +11,6 @@
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
# 9.17/9.18: 1700-1899
LIBINTERFACE = 1700
LIBINTERFACE = 1701
LIBREVISION = 0
LIBAGE = 0