of authoritative servers that drop EDNS and/or CD
requests. Also fallback to EDNS/512 and plain DNS
faster for zones with less than 3 servers. [RT #16187]
have been retrieved when the socket event is freed.
[RT #16122]
2038. [bug] dig/nslookup/host was unlinking from wrong list
when handling errors. [RT #16122]
consistency. Default acache-enable off in BIND 9.4
as it requires memory usage to be configured.
It may be enabled by default in BIND 9.5 once we
have more experience with it.
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]
rndc validation newstate [view]
to the builtin acls "localnets" and "localhost".
This is being done to make caching servers less
attractive as reflective amplifying targets for
spoofed traffic. This still leaves authoritative
servers exposed.
The best fix is for full BCP 38 deployment to
remove spoofed traffic.
32769. [RT #15807]
Note: care should be taken to ensure you upgrade
both named and dnssec-signzone at the same time for
zones with DLV records where named is the master
server for the zone. Also any zones that contain
DLV records should be removed when upgrading a slave
zone. You do not however have to upgrade all
servers for a zone with DLV records simultaneously.
512 byte receive buffer if the initial EDNS queries
fail. [RT #14852]
1953. [func] The maximum EDNS UDP response named will send can
now be set in named.conf (max-udp-size). This is
independent of the advertised receive buffer
(edns-udp-size). [RT #14852]
validation if all the queries have timed out.
[RT #15528]
1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528]
1934. [func] Validate pending NS RRsets, in the authority section,
prior to returning them if it can be done without
requiring DNSKEYs to be fetched. [RT #15430]
friends. Note: RFC 1918 zones are not yet covered by
this but are likely to be in a future release.
New options: empty-server, empty-contact,
empty-zones-enable and disable-empty-zone.
iteration self tuning. This covers nodes cleaned from
the cache per iteration, nodes written to disk when
rewriting a master file and nodes destroyed per
iteration when destroying a zone or a cache.
[RT #14996]
improving loading performance. The masterfile-format
option in named.conf can be used to specify a
non-default format. A separate command
named-compilezone was provided to generate zone files
in the new format. Additionally, the -I and -O options
for dnssec-signzone specify the input and output
formats.
improving loading performance. The masterfile-format
option in named.conf can be used to specify a
non-default format. A new separate command
named-compilezone was provided to generate zone files
in a new format.
provided __asm version of assembly code for atomic operations
for better compatibility.
(this is a temporary resolution so that this one won't block other tests.
we'll revisit this change when we figure out performance implication of
the __asm version.)
architecture dependent atomic operations (when
available), improving response performance on
multi-processor machines significantly.
x86, x86_64, alpha, and sparc64 are currently
supported.
(pulled down from the head)
named-checkzone has extended checking of NS, MX and
SRV record and the hosts they reference.
named has extended post zone load checks.
New zone options: check-mx and integrity-check.
[RT #4940]
for each 16 bit piece of the IPv6 address. The text
representation of an IPv6 address has been tightened
to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
[RT #5662]
DNAME was encountered when fetching glue from a
secure namespace. [RT #13501]
1805. [bug] Pending status was not being cleared when DLV was
active. [RT #13501]
incrementing the reference counter to the entry. Otherwise, the
entry could leak when dns_acache_setentry() fails. This must be
corrected in some way if not by this change. [RT #13339]
an internal cache framework for additional section
content to improve response performance. Several
configuration options were provided to control the
behavior.
(merged into 9_4)
allow-query be used to specify the default zone
access level rather than having to have every
zone override the global value. allow-query-cache
can be set at both the options and view levels.
If allow-query-cache is not set allow-query applies.
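As an added illustration (not part of the CHANGES text or of the BIND distribution), a named.conf fragment showing how allow-query-cache separates cache access from zone access on a server that recurses for its own networks and is authoritative for one zone; the zone name and file name are assumed:

```conf
options {
    // Cache and recursion restricted to the builtin ACLs. This is the
    // BIND 9.4 default when allow-query-cache is not set; it is spelled
    // out here so the intent survives a later edit of allow-query.
    allow-query-cache { localnets; localhost; };
    allow-recursion   { localnets; localhost; };
    // Default access level for zones that do not override it.
    allow-query { localnets; localhost; };
};

zone "example.net" {
    type master;
    file "example.net.db";
    // Authoritative data is meant to be world-readable. This override
    // widens access to this zone only; it does not reopen the cache,
    // because cache access is governed by allow-query-cache above.
    allow-query { any; };
};
```

With allow-query-cache set this way, a query from outside the listed networks for a name in the zone is answered from authoritative data, while a query for a name outside the zone is refused instead of being served from the cache.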
negative response. [RT #12506]
1719. [bug] named was not correctly caching a RFC 2308 Type 1
negative response. [RT #12506]
1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
responses when looking for the zone / master server.
[RT #12506]
1676. [port] Solaris 8 has if_nametoindex().
1675. [bug] match any returned scope when a scope is not specified
on non global scope address in resolv.conf.
1674. [bug] getaddrinfo() failed to set sin6_scope_id correctly
on some platforms.
DNSKEY, NXT vs NSEC and SIG vs RRSIG.
1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
and DH. Tighten which options apply to KEY and
DNSKEY records.
error.
1653. [func] Add key type checking to dst_key_fromfilename(),
DST_TYPE_KEY should be used to read TSIG, TKEY and
SIG(0) keys.
1652. [bug] TKEY still uses KEY.
insensitive.
1599. [bug] Fix memory leak on error path when checking named.conf.
1598. [func] Specify that certain parts of the namespace must
be secure (dnssec-must-be-secure).
When loading the zone file read the journal if it exists.
.TP
.TP3n
\-c \fIclass\fR
Specify the class of the zone. If not specified "IN" is assumed.
.TP
.TP3n
\-i \fImode\fR
Perform post load zone integrity checks. Possible modes are
\fB"full"\fR
@@ -108,20 +111,20 @@ respectively.
Mode
\fB"none"\fR
disables the checks.
.TP
.TP3n
\-f \fIformat\fR
Specify the format of the zone file. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR.
.TP
.TP3n
\-F \fIformat\fR
Specify the format of the output file specified. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR. For
\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
.TP
.TP3n
\-k \fImode\fR
Perform
\fB"check\-name"\fR
@@ -133,21 +136,21 @@ checks with the specified failure mode. Possible modes are
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR.
.TP
.TP3n
\-m \fImode\fR
Specify whether MX records should be checked to see if they are addresses. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.TP
.TP3n
\-M \fImode\fR
Check if a MX record refers to a CNAME. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.TP
.TP3n
\-n \fImode\fR
Specify whether NS records should be checked to see if they are addresses. Possible modes are
\fB"fail"\fR
@@ -157,51 +160,51 @@ Specify whether NS records should be checked to see if they are addresses. Possi
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR.
.TP
.TP3n
\-o \fIfilename\fR
Write zone output to
\fIfilename\fR. This is mandatory for
\fBnamed\-compilezone\fR.
.TP
.TP3n
\-s \fIstyle\fR
Specify the style of the dumped zone file. Possible styles are
\fB"full"\fR
(default) and
\fB"default"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the default format is more human\-readable and is thus suitable for editing by hand. For
\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
\fBnamed\-checkzone\fR
this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
.TP
.TP3n
\-S \fImode\fR
Check if a SRV record refers to a CNAME. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.TP
.TP3n
\-t \fIdirectory\fR
chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
.TP
.TP3n
\-w \fIdirectory\fR
chdir to
\fIdirectory\fR
so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
\fInamed.conf\fR.
.TP
.TP3n
\-D
Dump zone file in canonical format. This is always enabled for
\fBnamed\-compilezone\fR.
.TP
.TP3n
\-W \fImode\fR
Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
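Review bot: in the -s entry both the old and the new wording are present (`\fB"default"\fR. The full format ...` and `\fB"relative"\fR. The full format ...`), so the second style is being renamed from "default" to "relative"; with that rename the earlier `(default) and` now unambiguously marks "full" as the default, which is fine, but the closing sentence `this does not cause any effects unless it dumps the zone contents` would read better as `this has no effect unless it dumps the zone contents`, matching the plainer phrasing used for -o and -D in the same hunk.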
is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
\fIserver\fR
@@ -86,10 +91,10 @@ argument is provided,
consults
\fI/etc/resolv.conf\fR
and queries the name servers listed there. The reply from the name server that responds is displayed.
.TP
.TP3n
\fBname\fR
is the name of the resource record that is to be looked up.
.TP
.TP3n
\fBtype\fR
indicates what type of query is required \(em ANY, A, MX, SIG, etc.
\fItype\fR
@@ -206,18 +211,18 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k
no
to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
\fB+keyword=value\fR. The query options are:
.TP
.TP3n
\fB+[no]tcp\fR
Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
.TP
.TP3n
\fB+[no]vc\fR
Use [do not use] TCP when querying name servers. This alternate syntax to
\fI+[no]tcp\fR
is provided for backwards compatibility. The "vc" stands for "virtual circuit".
.TP
.TP3n
\fB+[no]ignore\fR
Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
.TP
.TP3n
\fB+domain=somename\fR
Set the search list to contain the single domain
\fIsomename\fR, as if specified in a
@@ -226,38 +231,38 @@ directive in
\fI/etc/resolv.conf\fR, and enable search list processing as if the
\fI+search\fR
option were given.
.TP
.TP3n
\fB+[no]search\fR
Use [do not use] the search list defined by the searchlist or domain directive in
\fIresolv.conf\fR
(if any). The search list is not used by default.
.TP
.TP3n
\fB+[no]showsearch\fR
Perform [do not perform] a search showing intermediate results.
.TP
.TP3n
\fB+[no]defname\fR
Deprecated, treated as a synonym for
\fI+[no]search\fR
.TP
.TP3n
\fB+[no]aaonly\fR
Sets the "aa" flag in the query.
.TP
.TP3n
\fB+[no]aaflag\fR
A synonym for
\fI+[no]aaonly\fR.
.TP
.TP3n
\fB+[no]adflag\fR
Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
.TP
.TP3n
\fB+[no]cdflag\fR
Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
.TP
.TP3n
\fB+[no]cl\fR
Display [do not display] the CLASS when printing the record.
.TP
.TP3n
\fB+[no]ttlid\fR
Display [do not display] the TTL when printing the record.
.TP
.TP3n
\fB+[no]recurse\fR
Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
\fBdig\fR
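Review bot: the +[no]defname entry ends without a full stop after `\fI+[no]search\fR`, and the +[no]aaonly and +[no]aaflag entries (`Sets the "aa" flag in the query.`, `A synonym for`) break the `Set [do not set] ...` pattern that the neighbouring +[no]adflag and +[no]cdflag entries follow; suggest `Set [do not set] the "aa" flag in the query.` so the negated form is documented like the others.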
@@ -266,74 +271,74 @@ normally sends recursive queries. Recursion is automatically disabled when the
or
\fI+trace\fR
query options are used.
.TP
.TP3n
\fB+[no]nssearch\fR
When this option is set,
\fBdig\fR
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
.TP
.TP3n
\fB+[no]trace\fR
Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
\fBdig\fR
makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
.TP
.TP3n
\fB+[no]cmd\fR
toggles the printing of the initial comment in the output identifying the version of
\fBdig\fR
and the query options that have been applied. This comment is printed by default.
.TP
.TP3n
\fB+[no]short\fR
Provide a terse answer. The default is to print the answer in a verbose form.
.TP
.TP3n
\fB+[no]identify\fR
Show [or do not show] the IP address and port number that supplied the answer when the
\fI+short\fR
option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
.TP
.TP3n
\fB+[no]comments\fR
Toggle the display of comment lines in the output. The default is to print comments.
.TP
.TP3n
\fB+[no]stats\fR
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
.TP
.TP3n
\fB+[no]qr\fR
Print [do not print] the query as it is sent. By default, the query is not printed.
.TP
.TP3n
\fB+[no]question\fR
Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
.TP
.TP3n
\fB+[no]answer\fR
Display [do not display] the answer section of a reply. The default is to display it.
.TP
.TP3n
\fB+[no]authority\fR
Display [do not display] the authority section of a reply. The default is to display it.
.TP
.TP3n
\fB+[no]additional\fR
Display [do not display] the additional section of a reply. The default is to display it.
.TP
.TP3n
\fB+[no]all\fR
Set or clear all display flags.
.TP
.TP3n
\fB+time=T\fR
Sets the timeout for a query to
\fIT\fR
seconds. The default time out is 5 seconds. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied.
.TP
.TP3n
\fB+tries=T\fR
Sets the number of times to try UDP queries to server to
\fIT\fR
instead of the default, 3. If
\fIT\fR
is less than or equal to zero, the number of tries is silently rounded up to 1.
.TP
.TP3n
\fB+retry=T\fR
Sets the number of times to retry UDP queries to server to
\fIT\fR
instead of the default, 2. Unlike
\fI+tries\fR, this does not include the initial query.
.TP
.TP3n
\fB+ndots=D\fR
Set the number of dots that have to appear in
\fIname\fR
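Review bot: the +[no]fail entry documents only the +fail form (`Do not try the next server if you receive a SERVFAIL.`) and then says the default is also not to try the next server, so a reader cannot tell what +nofail does or which form is the default; suggest stating both explicitly, for example `+nofail tries the next server on SERVFAIL, as a stub resolver would; +fail (the default) does not.` Minor: the +[no]cmd entry starts with lower-case `toggles` while every other entry in the list starts with a capital.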
@@ -346,34 +351,34 @@ or
\fBdomain\fR
directive in
\fI/etc/resolv.conf\fR.
.TP
.TP3n
\fB+bufsize=B\fR
Set the UDP message buffer size advertised using EDNS0 to
\fIB\fR
bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
.TP
.TP3n
\fB+edns=#\fR
Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
\fB+noedns\fR
clears the remembered EDNS version.
.TP
.TP3n
\fB+[no]multiline\fR
Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdig\fR
output.
.TP
.TP3n
\fB+[no]fail\fR
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
.TP
.TP3n
\fB+[no]besteffort\fR
Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
.TP
.TP3n
\fB+[no]dnssec\fR
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
.TP
.TP3n
\fB+[no]sigchase\fR
Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
.TP
.TP3n
\fB+trusted\-key=####\fR
Specifies a file containing trusted keys to be used with
\fB+sigchase\fR. Each DNSKEY record must be on its own line.
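Review bot: `a EDNS query` should be `an EDNS query` in both the +bufsize and +edns entries. The heading `\fB+trusted\-key=####\fR` uses a run of hashes where the other value-taking options use a named placeholder (`+time=T`, `+ndots=D`, `+bufsize=B`); `\fB+trusted\-key=\fR\fIfilename\fR` would match them and tell the reader what the value is.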
@@ -387,7 +392,7 @@ then
in the current directory.
.sp
Requires dig be compiled with \-DDIG_SIGCHASE.
.TP
.TP3n
\fB+[no]topdown\fR
When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
.SH"MULTIPLE QUERIES"
@@ -406,9 +411,11 @@ A global set of query options, which should be applied to all queries, can also
\fB+[no]cmd\fR
option) can be overridden by a query\-specific set of query options. For example:
.sp
.RS3n
.nf
dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
.fi
.RE
.sp
shows how
\fBdig\fR
@@ -449,3 +456,5 @@ RFC1035.
.SH"BUGS"
.PP
There are probably too many query options.
.SH"COPYRIGHT"
Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
@@ -39,26 +42,28 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use
.SH"ARGUMENTS"
.PP
Interactive mode is entered in the following cases:
.TP3
.TP3n
1.
when no arguments are given (the default name server will be used)
.TP
.TP3n
2.
when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
.sp
.RE
.PP
Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
.PP
Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
.sp
To look up a host not in the current domain, append a period to the name.
.TP
.TP3n
\fBserver\fR\fIdomain\fR
.TP
.TP3n
\fBlserver\fR\fIdomain\fR
Change the default server to
\fIdomain\fR;
@@ -67,112 +72,112 @@ uses the initial server to look up information about
\fIdomain\fR, while
\fBserver\fR
uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
.TP
.TP3n
\fBroot\fR
not implemented
.TP
.TP3n
\fBfinger\fR
not implemented
.TP
.TP3n
\fBls\fR
not implemented
.TP
.TP3n
\fBview\fR
not implemented
.TP
.TP3n
\fBhelp\fR
not implemented
.TP
.TP3n
\fB?\fR
not implemented
.TP
.TP3n
\fBexit\fR
Exits the program.
.TP
.TP3n
\fBset\fR\fIkeyword\fR\fI[=value]\fR
This command is used to change state information that affects the lookups. Valid keywords are:
.RS
.TP
.RS3n
.TP3n
\fBall\fR
Prints the current values of the frequently used options to
\fBset\fR. Information about the current default server and host is also printed.
.TP
.TP3n
\fBclass=\fR\fIvalue\fR
Change the query class to one of:
.RS
.TP
.RS3n
.TP3n
\fBIN\fR
the Internet class
.TP
.TP3n
\fBCH\fR
the Chaos class
.TP
.TP3n
\fBHS\fR
the Hesiod class
.TP
.TP3n
\fBANY\fR
wildcard
.RE
.IP
.IP""3n
The class specifies the protocol group of the information.
.sp
(Default = IN; abbreviation = cl)
.TP
.TP3n
\fB\fR\fB\fI[no]\fR\fR\fBdebug\fR
Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
.sp
(Default = nodebug; abbreviation =
[no]deb)
.TP
.TP3n
\fB\fR\fB\fI[no]\fR\fR\fBd2\fR
Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
.sp
(Default = nod2)
.TP
.TP3n
\fBdomain=\fR\fIname\fR
Sets the search list to
\fIname\fR.
.TP
.TP3n
\fB\fR\fB\fI[no]\fR\fR\fBsearch\fR
If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
.sp
(Default = search)
.TP
.TP3n
\fBport=\fR\fIvalue\fR
Change the default TCP/UDP name server port to
\fIvalue\fR.
.sp
(Default = 53; abbreviation = po)
.TP
.TP3n
\fBquerytype=\fR\fIvalue\fR
.TP
.TP3n
\fBtype=\fR\fIvalue\fR
Change the type of the information query.
.sp
(Default = A; abbreviations = q, ty)
.TP
.TP3n
\fB\fR\fB\fI[no]\fR\fR\fBrecurse\fR
Tell the name server to query other servers if it does not have the information.
.sp
(Default = recurse; abbreviation = [no]rec)
.TP
.TP3n
\fBretry=\fR\fInumber\fR
Set the number of retries to number.
.TP
.TP3n
\fBtimeout=\fR\fInumber\fR
Change the initial timeout interval for waiting for a reply to number seconds.
.TP
.TP3n
\fB\fR\fB\fI[no]\fR\fR\fBvc\fR
Always use a virtual circuit when sending requests to the server.
.sp
(Default = novc)
.TP
.TP3n
\fB\fR\fB\fI[no]\fR\fR\fBfail\fR
Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
.sp
(Default = nofail)
.RE
.IP
.IP""3n
.SH"FILES"
.PP
\fI/etc/resolv.conf\fR
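Review bot: the `set d2` entry repeats the `set debug` text word for word (`Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.`), so the two keywords are indistinguishable in the manual; the d2 entry should say how it differs from debug. Also `Set the number of retries to number.` and `... for a reply to number seconds.` leave `number` in plain text where the surrounding entries italicise the value with `\fI...\fR`, and the empty font pairs in headings such as `\fB\fR\fB\fI[no]\fR\fR\fBdebug\fR` render nothing and can be reduced to `\fB[no]debug\fR`.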
@@ -184,3 +189,5 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
.SH"AUTHOR"
.PP
Andrew Cherenson
.SH"COPYRIGHT"
Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
.SH"OPTIONS"
.TP
.TP3n
\-a \fIalgorithm\fR
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
@@ -45,37 +48,37 @@ must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5.
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
.TP
.TP3n
\-b \fIkeysize\fR
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
.TP
.TP3n
\-n \fInametype\fR
Specifies the owner type of the key. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
.TP
.TP3n
\-c \fIclass\fR
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
.TP
.TP3n
\-e
If generating an RSAMD5/RSASHA1 key, use a large exponent.
.TP
.TP3n
\-f \fIflag\fR
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
.TP
.TP3n
\-g \fIgenerator\fR
If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
.TP
.TP3n
\-h
Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
.TP
.TP3n
\-k
Generate KEY records rather than DNSKEY records.
.TP
.TP3n
\-p \fIprotocol\fR
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.TP
.TP3n
\-r \fIrandomdev\fR
Specifies the source of randomness. If the operating system does not provide a
\fI/dev/random\fR
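Review bot: `Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm` should read `Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement algorithm`; `a user(KEY)` in the -n entry is missing a space before the parenthesis; and the -f entry `The only recognized flag is KSK (Key Signing Key) DNSKEY.` has a stray trailing `DNSKEY`, which presumably means the flag applies only to DNSKEY records and should say so in words.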
@@ -84,15 +87,15 @@ or equivalent device, the default source of randomness is keyboard input.
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.TP
.TP3n
\-s \fIstrength\fR
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
.TP
.TP3n
\-t \fItype\fR
Indicates the use of the key.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
.TP
.TP3n
\-v \fIlevel\fR
Sets the debugging level.
.SH"GENERATED KEYS"
@@ -102,18 +105,20 @@ When
completes successfully, it prints a string of the form
\fIKnnnn.+aaa+iiiii\fR
to the standard output. This is an identification string for the key it has generated.
.TP3
.TP3n
\(bu
\fInnnn\fR
is the key name.
.TP
.TP3n
\(bu
\fIaaa\fR
is the numeric representation of the algorithm.
.TP
.TP3n
\(bu
\fIiiiii\fR
is the key identifier (or footprint).
.sp
.RE
.PP
\fBdnssec\-keygen\fR
creates two file, with names based on the printed string.
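Review bot: `creates two file, with names based on the printed string.` should be `creates two files`.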
@@ -162,3 +167,5 @@ RFC 2539.
.SH"AUTHOR"
.PP
Internet Systems Consortium
.SH"COPYRIGHT"
Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
@@ -38,49 +41,49 @@ signs a zone. It generates NSEC and RRSIG records and produces a signed version
\fIkeyset\fR
file for each child zone.
.SH"OPTIONS"
.TP
.TP3n
\-a
Verify all generated signatures.
.TP
.TP3n
\-c \fIclass\fR
Specifies the DNS class of the zone.
.TP
.TP3n
\-k \fIkey\fR
Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
.TP
.TP3n
\-l \fIdomain\fR
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
.TP
.TP3n
\-d \fIdirectory\fR
Look for
\fIkeyset\fR
files in
\fBdirectory\fR
as the directory
.TP
.TP3n
\-g
Generate DS records for child zones from keyset files. Existing DS records will be removed.
.TP
.TP3n
\-s \fIstart\-time\fR
Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
\fBstart\-time\fR
is specified, the current time minus 1 hour (to allow for clock skew) is used.
.TP
.TP3n
\-e \fIend\-time\fR
Specify the date and time when the generated RRSIG records expire. As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
\fBend\-time\fR
is specified, 30 days from the start time is used as a default.
.TP
.TP3n
\-f \fIoutput\-file\fR
The name of the output file containing the signed zone. The default is to append
\fI.signed\fR
to the input file.
.TP
.TP3n
\-h
Prints a short summary of the options and arguments to
\fBdnssec\-signzone\fR.
.TP
.TP3n
\-i \fIinterval\fR
When a previously signed zone is passed as input, records may be resigned. The
\fBinterval\fR
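Review bot: the -d entry is an incomplete sentence: `Look for \fIkeyset\fR files in \fBdirectory\fR as the directory` has no full stop and the trailing `as the directory` dangles; suggest `Look for \fIkeyset\fR files in \fBdirectory\fR.` Also the -k entry `Treat specified key as a key signing key ignoring any key flags.` reads better as `Treat the specified key as a key signing key, ignoring any key flags.`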
@@ -93,23 +96,23 @@ or
are specified,
\fBdnssec\-signzone\fR
generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
.TP
.TP3n
\-I \fIinput\-format\fR
The format of the input zone file. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
.TP
.TP3n
\-j \fIjitter\fR
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously signed zone is passed as input to the signer, all expired signatures has to be regenerated at about the same time. The
\fBjitter\fR
option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
.sp
Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
.TP
.TP3n
\-n \fIncpus\fR
Specifies the number of threads to use. By default, one thread is started for each detected CPU.
.TP
.TP3n
\-N \fIsoa\-serial\-format\fR
The SOA serial number format of the signed zone. Possible formats are
\fB"keep"\fR
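Review bot: subject/verb agreement in the -j entry: `all RRSIG records issued at the time of signing expires simultaneously` should be `expire`, and `all expired signatures has to be regenerated` should be `have to be regenerated`; `i.e.` is also used twice where `that is,` or a comma would read more naturally in a man page.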
@@ -117,30 +120,30 @@ The SOA serial number format of the signed zone. Possible formats are
\fB"increment"\fR
and
\fB"unixtime"\fR.
.RS
.TP
.RS3n
.TP3n
\fB"keep"\fR
Do not modify the SOA serial number.
.TP
.TP3n
\fB"increment"\fR
Increment the SOA serial number using RFC 1982 arithmetics.
.TP
.TP3n
\fB"unixtime"\fR
Set the SOA serial number to the number of seconds since epoch.
.RE
.TP
.TP3n
\-o \fIorigin\fR
The zone origin. If not specified, the name of the zone file is assumed to be the origin.
.TP
.TP3n
\-O \fIoutput\-format\fR
The format of the output file containing the signed zone. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR.
.TP
.TP3n
\-p
Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
.TP
.TP3n
\-r \fIrandomdev\fR
Specifies the source of randomness. If the operating system does not provide a
\fI/dev/random\fR
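Review bot: `RFC 1982 arithmetics` should be `RFC 1982 arithmetic` (serial number arithmetic), and `seconds since epoch` should be `seconds since the epoch`. The -p entry says pseudo-random data is `faster, but less secure` without saying what becomes less secure; a clause naming what the randomness is used for during signing would let an operator judge when the option is acceptable, and the entry could point at the -r option that follows for supplying real random data from a file instead of the keyboard.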
@@ -149,19 +152,19 @@ or equivalent device, the default source of randomness is keyboard input.
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.TP
.TP3n
\-t
Print statistics at completion.
.TP
.TP3n
\-v \fIlevel\fR
Sets the debugging level.
.TP
.TP3n
\-z
Ignore KSK flag on key when determining what to sign.
.TP
.TP3n
zonefile
The file containing the zone to be signed.
.TP
.TP3n
key
The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
.SH"EXAMPLE"
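Review bot: the `key` argument entry is missing its verb: `If no keys are specified, the default all zone keys that have private key files in the current directory.` should read `the default is all zone keys that have private key files in the current directory.` The `zonefile` and `key` headings are also set in plain text while argument names elsewhere in these pages are italicised (`\fIkeyset\fR`, `\fIinterval\fR`); `\fIzonefile\fR` and `\fIkey\fR` would be consistent.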
@@ -193,3 +196,5 @@ RFC 2535.
.SH"AUTHOR"
.PP
Internet Systems Consortium
.SH"COPYRIGHT"
Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
@@ -57,41 +60,41 @@ entries are present, or if forwarding fails,
\fBlwresd\fR
resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
.SH"OPTIONS"
.TP
.TP3n
\-C \fIconfig\-file\fR
Use
\fIconfig\-file\fR
as the configuration file instead of the default,
\fI/etc/resolv.conf\fR.
.TP
.TP3n
\-d \fIdebug\-level\fR
Set the daemon's debug level to
\fIdebug\-level\fR. Debugging traces from
\fBlwresd\fR
become more verbose as the debug level increases.
.TP
.TP3n
\-f
Run the server in the foreground (i.e. do not daemonize).
.TP
.TP3n
\-g
Run the server in the foreground and force all logging to
\fIstderr\fR.
.TP
.TP3n
\-n \fI#cpus\fR
Create
\fI#cpus\fR
worker threads to take advantage of multiple CPUs. If not specified,
\fBlwresd\fR
will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
.TP
.TP3n
\-P \fIport\fR
Listen for lightweight resolver queries on port
\fIport\fR. If not specified, the default is port 921.
.TP
.TP3n
\-p \fIport\fR
Send DNS lookups to port
\fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
.TP
.TP3n
\-s
Write memory usage statistics to
\fIstdout\fR
@@ -100,7 +103,7 @@ on exit.
.B"Note:"
This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
.RE
.TP
.TP3n
\-t \fIdirectory\fR
\fBchroot()\fR
to
@@ -114,20 +117,20 @@ option, as chrooting a process running as root doesn't enhance security on most
\fBchroot()\fR
is defined allows a process with root privileges to escape a chroot jail.
.RE
.TP
.TP3n
\-u \fIuser\fR
\fBsetuid()\fR
to
\fIuser\fR
after completing privileged operations, such as creating sockets that listen on privileged ports.
.TP
.TP3n
\-v
Report the version number and exit.
.SH"FILES"
.TP
.TP3n
\fI/etc/resolv.conf\fR
The default configuration file.
.TP
.TP3n
\fI/var/run/lwresd.pid\fR
The default process\-id file.
.SH"SEE ALSO"
@@ -138,3 +141,5 @@ The default process\-id file.
.SH"AUTHOR"
.PP
Internet Systems Consortium
.SH"COPYRIGHT"
Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
@@ -41,21 +44,21 @@ When invoked without arguments,
will read the default configuration file
\fI/etc/named.conf\fR, read any initial data, and listen for queries.
.SH"OPTIONS"
.TP
.TP3n
\-4
Use IPv4 only even if the host machine is capable of IPv6.
\fB\-4\fR
and
\fB\-6\fR
are mutually exclusive.
.TP
.TP3n
\-6
Use IPv6 only even if the host machine is capable of IPv4.
\fB\-4\fR
and
\fB\-6\fR
are mutually exclusive.
.TP
.TP3n
\-c \fIconfig\-file\fR
Use
\fIconfig\-file\fR
@@ -65,31 +68,31 @@ as the configuration file instead of the default,
option in the configuration file,
\fIconfig\-file\fR
should be an absolute pathname.
.TP
.TP3n
\-d \fIdebug\-level\fR
Set the daemon's debug level to
\fIdebug\-level\fR. Debugging traces from
\fBnamed\fR
become more verbose as the debug level increases.
.TP
.TP3n
\-f
Run the server in the foreground (i.e. do not daemonize).
.TP
.TP3n
\-g
Run the server in the foreground and force all logging to
\fIstderr\fR.
.TP
.TP3n
\-n \fI#cpus\fR
Create
\fI#cpus\fR
worker threads to take advantage of multiple CPUs. If not specified,
\fBnamed\fR
will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
.TP
.TP3n
\-p \fIport\fR
Listen for queries on port
\fIport\fR. If not specified, the default is port 53.
.TP
.TP3n
\-s
Write memory usage statistics to
\fIstdout\fR
@@ -98,7 +101,7 @@ on exit.
.B"Note:"
This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
.RE
.TP
.TP3n
\-t \fIdirectory\fR
\fBchroot()\fR
to
@@ -112,7 +115,7 @@ option, as chrooting a process running as root doesn't enhance security on most
\fBchroot()\fR
is defined allows a process with root privileges to escape a chroot jail.
.RE
.TP
.TP3n
\-u \fIuser\fR
\fBsetuid()\fR
to
@@ -131,10 +134,10 @@ option only works when
is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
\fBsetuid()\fR.
.RE
.TP
.TP3n
\-v
Report the version number and exit.
.TP
.TP3n
\-x \fIcache\-file\fR
Load data from
\fIcache\-file\fR
@@ -148,10 +151,10 @@ This option must not be used. It is only of interest to BIND 9 developers and ma
In routine operation, signals should not be used to control the nameserver;
\fBrndc\fR
should be used instead.
.TP
.TP3n
SIGHUP
Force a reload of the server.
.TP
.TP3n
SIGINT, SIGTERM
Shut down the server.
.PP
@@ -163,10 +166,10 @@ The
configuration file is too complex to describe in detail here. A complete description is provided in the
<!-- $Id: named.docbook,v 1.13 2006/03/10 00:23:21 marka Exp $ -->
<!-- $Id: named.docbook,v 1.7.18.6 2006/01/17 23:49:31 marka Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>June 30, 2000</date>