diff options
| author | Internet Software Consortium, Inc <@isc.org> | 2010-02-17 14:19:33 -0700 |
|---|---|---|
| committer | Internet Software Consortium, Inc <@isc.org> | 2010-02-17 14:19:33 -0700 |
| commit | 532901856c574b8edc5f1b0479353132060e985b (patch) | |
| tree | ef74daaa16db150220f752a0a02130bae50bcb1c | |
| parent | ee98af508e8628e0925fddd1de893f394f256c12 (diff) | |
| download | bind9-532901856c574b8edc5f1b0479353132060e985b.tar.gz | |
9.7.0
52 files changed, 3556 insertions, 1778 deletions
@@ -1,3 +1,21 @@ + --- 9.7.0 released --- + +2849. [bug] Don't treat errors from the xml2 library as fatal. + [RT #20945] + +2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and + README.rfc5011 into the ARM. [RT #20899] + +2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921] + +2846. [bug] EOF on unix domain sockets was not being handled + correctly. [RT #20731] + +2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903] + +2844. [doc] notify-delay default in ARM was wrong. It should have + been five (5) seconds. + --- 9.7.0rc2 released --- 2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from diff --git a/HISTORY b/HISTORY new file mode 100644 index 00000000..e98f9b41 --- /dev/null +++ b/HISTORY @@ -0,0 +1,313 @@ +Summary of functional enhancements from prior major releases of BIND 9: + +BIND 9.6.0 + + Full NSEC3 support + + Automatic zone re-signing + + New update-policy methods tcp-self and 6to4-self + + The BIND 8 resolver library, libbind, has been removed from the + BIND 9 distribution and is now available as a separate download. + + Change the default pid file location from /var/run to + /var/run/{named,lwresd} for improved chroot/setuid support. + +BIND 9.5.0 + + GSS-TSIG support (RFC 3645). + + DHCID support. + + Experimental http server and statistics support for named via xml. + + More detailed statistics counters including those supported in BIND 8. + + Faster ACL processing. + + Use Doxygen to generate internal documentation. + + Efficient LRU cache-cleaning mechanism. + + NSID support. + +BIND 9.4.0 + + Implemented "additional section caching (or acache)", an + internal cache framework for additional section content to + improve response performance. Several configuration options + were provided to control the behavior. + + New notify type 'master-only'. Enable notify for master + zones only. + + Accept 'notify-source' style syntax for query-source. + + rndc now allows addresses to be set in the server clauses. + + New option "allow-query-cache". This lets "allow-query" + be used to specify the default zone access level rather + than having to have every zone override the global value. + "allow-query-cache" can be set at both the options and view + levels. If "allow-query-cache" is not set then "allow-recursion" + is used if set, otherwise "allow-query" is used if set + unless "recursion no;" is set in which case "none;" is used, + otherwise the default (localhost; localnets;) is used. + + rndc: the source address can now be specified. + + ixfr-from-differences now takes master and slave in addition + to yes and no at the options and view levels. + + Allow the journal's name to be changed via named.conf. + + 'rndc notify zone [class [view]]' resend the NOTIFY messages + for the specified zone. + + 'dig +trace' now randomly selects the next servers to try. + Report if there is a bad delegation. + + Improve check-names error messages. + + Make public the function to read a key file, dst_key_read_public(). + + dig now returns the byte count for axfr/ixfr. + + allow-update is now settable at the options / view level. + + named-checkconf now checks the logging configuration. + + host now can turn on memory debugging flags with '-m'. + + Don't send notify messages to self. + + Perform sanity checks on NS records which refer to 'in zone' names. + + New zone option "notify-delay". Specify a minimum delay + between sets of NOTIFY messages. + + Extend adjusting TTL warning messages. + + Named and named-checkzone can now both check for non-terminal + wildcard records. + + "rndc freeze/thaw" now freezes/thaws all zones. + + named-checkconf now check acls to verify that they only + refer to existing acls. + + The server syntax has been extended to support a range of + servers. + + Report differences between hints and real NS rrset and + associated address records. + + Preserve the case of domain names in rdata during zone + transfers. + + Restructured the data locking framework using architecture + dependent atomic operations (when available), improving + response performance on multi-processor machines significantly. + x86, x86_64, alpha, powerpc, and mips are currently supported. + + UNIX domain controls are now supported. + + Add support for additional zone file formats for improving + loading performance. The masterfile-format option in + named.conf can be used to specify a non-default format. A + separate command named-compilezone was provided to generate + zone files in the new format. Additionally, the -I and -O + options for dnssec-signzone specify the input and output + formats. + + dnssec-signzone can now randomize signature end times + (dnssec-signzone -j jitter). + + Add support for CH A record. + + Add additional zone data constancy checks. named-checkzone + has extended checking of NS, MX and SRV record and the hosts + they reference. named has extended post zone load checks. + New zone options: check-mx and integrity-check. + + + edns-udp-size can now be overridden on a per server basis. + + dig can now specify the EDNS version when making a query. + + Added framework for handling multiple EDNS versions. + + Additional memory debugging support to track size and mctx + arguments. + + Detect duplicates of UDP queries we are recursing on and + drop them. New stats category "duplicates". + + "USE INTERNAL MALLOC" is now runtime selectable. + + The lame cache is now done on a <qname,qclass,qtype> basis + as some servers only appear to be lame for certain query + types. + + Limit the number of recursive clients that can be waiting + for a single query (<qname,qtype,qclass>) to resolve. New + options clients-per-query and max-clients-per-query. + + dig: report the number of extra bytes still left in the + packet after processing all the records. + + Support for IPSECKEY rdata type. + + Raise the UDP recieve buffer size to 32k if it is less than 32k. + + x86 and x86_64 now have seperate atomic locking implementations. + + named-checkconf now validates update-policy entries. + + Attempt to make the amount of work performed in a iteration + self tuning. The covers nodes clean from the cache per + iteration, nodes written to disk when rewriting a master + file and nodes destroyed per iteration when destroying a + zone or a cache. + + ISC string copy API. + + Automatic empty zone creation for D.F.IP6.ARPA and friends. + Note: RFC 1918 zones are not yet covered by this but are + likely to be in a future release. + + New options: empty-server, empty-contact, empty-zones-enable + and disable-empty-zone. + + dig now has a '-q queryname' and '+showsearch' options. + + host/nslookup now continue (default)/fail on SERVFAIL. + + dig now warns if 'RA' is not set in the answer when 'RD' + was set in the query. host/nslookup skip servers that fail + to set 'RA' when 'RD' is set unless a server is explicitly + set. + + Integrate contibuted DLZ code into named. + + Integrate contibuted IDN code from JPNIC. + + libbind: corresponds to that from BIND 8.4.7. + +BIND 9.3.0 + + DNSSEC is now DS based (RFC 3658). + See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. + + DNSSEC lookaside validation. + + check-names is now implemented. + rrset-order in more complete. + + IPv4/IPv6 transition support, dual-stack-servers. + + IXFR deltas can now be generated when loading master files, + ixfr-from-differences. + + It is now possible to specify the size of a journal, max-journal-size. + + It is now possible to define a named set of master servers to be + used in masters clause, masters. + + The advertised EDNS UDP size can now be set, edns-udp-size. + + allow-v6-synthesis has been obsoleted. + + NOTE: + * Zones containing MD and MF will now be rejected. + * dig, nslookup name. now report "Not Implemented" as + NOTIMP rather than NOTIMPL. This will have impact on scripts + that are looking for NOTIMPL. + + libbind: corresponds to that from BIND 8.4.5. + +BIND 9.2.0 + + The size of the cache can now be limited using the + "max-cache-size" option. + + The server can now automatically convert RFC1886-style recursive + lookup requests into RFC2874-style lookups, when enabled using the + new option "allow-v6-synthesis". This allows stub resolvers that + support AAAA records but not A6 record chains or binary labels to + perform lookups in domains that make use of these IPv6 DNS + features. + + Performance has been improved. + + The man pages now use the more portable "man" macros rather than + the "mandoc" macros, and are installed by "make install". + + The named.conf parser has been completely rewritten. It now + supports "include" directives in more places such as inside "view" + statements, and it no longer has any reserved words. + + The "rndc status" command is now implemented. + + rndc can now be configured automatically. + + A BIND 8 compatible stub resolver library is now included in + lib/bind. + + OpenSSL has been removed from the distribution. This means that to + use DNSSEC, OpenSSL must be installed and the --with-openssl option + must be supplied to configure. This does not apply to the use of + TSIG, which does not require OpenSSL. + + The source distribution now builds on Windows. See + win32utils/readme1.txt and win32utils/win32-build.txt for details. + + This distribution also includes a new lightweight stub + resolver library and associated resolver daemon that fully + support forward and reverse lookups of both IPv4 and IPv6 + addresses. This library is considered experimental and + is not a complete replacement for the BIND 8 resolver library. + Applications that use the BIND 8 res_* functions to perform + DNS lookups or dynamic updates still need to be linked against + the BIND 8 libraries. For DNS lookups, they can also use the + new "getrrsetbyname()" API. + + BIND 9.2 is capable of acting as an authoritative server + for DNSSEC secured zones. This functionality is believed to + be stable and complete except for lacking support for + verifications involving wildcard records in secure zones. + + When acting as a caching server, BIND 9.2 can be configured + to perform DNSSEC secure resolution on behalf of its clients. + This part of the DNSSEC implementation is still considered + experimental. For detailed information about the state of the + DNSSEC implementation, see the file doc/misc/dnssec. + + There are a few known bugs: + + On some systems, IPv6 and IPv4 sockets interact in + unexpected ways. For details, see doc/misc/ipv6. + To reduce the impact of these problems, the server + no longer listens for requests on IPv6 addresses + by default. If you need to accept DNS queries over + IPv6, you must specify "listen-on-v6 { any; };" + in the named.conf options statement. + + FreeBSD prior to 4.2 (and 4.2 if running as non-root) + and OpenBSD prior to 2.8 log messages like + "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and + OS X 10.2 (Darwin 6.0) reports errors like + "fcntl(3, F_SETFL, 4): Operation not supported by device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + --with-libtool does not work on AIX. + + A bug in some versions of the Microsoft DNS server can cause zone + transfers from a BIND 9 server to a W2K server to fail. For details, + see the "Zone Transfers" section in doc/misc/migration. @@ -42,6 +42,12 @@ BIND 9 Stichting NLnet - NLnet Foundation Nominum, Inc. + For a summary of functional enhancements in previous + releases, see the HISTORY file. + + For a detailed list of user-visible changes from + previous releases, see the CHANGES file. + BIND 9.7.0 BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier @@ -60,383 +66,64 @@ BIND 9.7.0 - DNS rebinding attack prevention. - New default values for dnssec-keygen parameters. - Support for RFC 5011 automated trust anchor maintenance - (see README.rfc5011 for additional details). - Smart signing: simplified tools for zone signing and key maintenance. - The "statistics-channels" option is now available on Windows. - - A new DNSSEC-aware libdns API for use by non-BIND9 applications - (see README.libdns for details). - - On some platforms, named and other binaries can now print out - a stack backtrace on assertion failure, to aid in debugging. - - A "tools only" installation mode on Windows, which only installs - dig, host, nslookup and nsupdate. - - Improved PKCS#11 support, including Keyper support and explicit - OpenSSL engine selection (see README.pkcs11 for additional details). - - COMPATIBILITY NOTES: - - - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE, - ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then - you should ensure that all changes that are in progress have - completed prior to upgrading to BIND 9.7. BIND 9.7 implements - those features in a way which is not backwards compatible. - - - Prior releases had a bug which caused HMAC-SHA* keys with long - secrets to be used incorrectly. Fixing this bug means that older - versions of BIND 9 may fail to interoperate with this version - when using TSIG keys. If this occurs, the new "isc-hmac-fixup" - tool will convert a key with a long secret into a form that works - correctly with all versions of BIND 9. See the "isc-hmac-fixup" - man page for additional details. - - - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID. - It is possible for the new key ID to collide with that of a - different key. Newly generated keys will not have this problem, - as "dnssec-keygen" looks for potential collisions before - generating keys, but exercise caution if using key revokation - with keys that were generated by older versions of BIND 9. - See README.rfc5011 for more details. - - - A bug was fixed in which a key's scheduled inactivity date was - stored incorectly. Users who participated in the 9.7.0 BETA - test and had DNSSEC keys with scheduled inactivity dates will - need to reset those keys' dates using "dnssec-settime -I". - -BIND 9.6.0 - - BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier - releases, including: - - Full NSEC3 support - - Automatic zone re-signing - - New update-policy methods tcp-self and 6to4-self - - The BIND 8 resolver library, libbind, has been removed from the - BIND 9 distribution and is now available as a separate download. - - Change the default pid file location from /var/run to - /var/run/{named,lwresd} for improved chroot/setuid support. - -BIND 9.5.0 - - BIND 9.5.0 has a number of new features over 9.4, - including: - - GSS-TSIG support (RFC 3645). - - DHCID support. - - Experimental http server and statistics support for named via xml. - - More detailed statistics counters including those supported in BIND 8. - - Faster ACL processing. - - Use Doxygen to generate internal documentation. - - Efficient LRU cache-cleaning mechanism. - - NSID support. - -BIND 9.4.0 - - BIND 9.4.0 has a number of new features over 9.3, - including: - - Implemented "additional section caching (or acache)", an - internal cache framework for additional section content to - improve response performance. Several configuration options - were provided to control the behavior. - - New notify type 'master-only'. Enable notify for master - zones only. - - Accept 'notify-source' style syntax for query-source. - - rndc now allows addresses to be set in the server clauses. - - New option "allow-query-cache". This lets "allow-query" - be used to specify the default zone access level rather - than having to have every zone override the global value. - "allow-query-cache" can be set at both the options and view - levels. If "allow-query-cache" is not set then "allow-recursion" - is used if set, otherwise "allow-query" is used if set - unless "recursion no;" is set in which case "none;" is used, - otherwise the default (localhost; localnets;) is used. - - rndc: the source address can now be specified. - - ixfr-from-differences now takes master and slave in addition - to yes and no at the options and view levels. - - Allow the journal's name to be changed via named.conf. - - 'rndc notify zone [class [view]]' resend the NOTIFY messages - for the specified zone. - - 'dig +trace' now randomly selects the next servers to try. - Report if there is a bad delegation. - - Improve check-names error messages. - - Make public the function to read a key file, dst_key_read_public(). - - dig now returns the byte count for axfr/ixfr. - - allow-update is now settable at the options / view level. - - named-checkconf now checks the logging configuration. - - host now can turn on memory debugging flags with '-m'. - - Don't send notify messages to self. - - Perform sanity checks on NS records which refer to 'in zone' names. - - New zone option "notify-delay". Specify a minimum delay - between sets of NOTIFY messages. - - Extend adjusting TTL warning messages. - - Named and named-checkzone can now both check for non-terminal - wildcard records. - - "rndc freeze/thaw" now freezes/thaws all zones. - - named-checkconf now check acls to verify that they only - refer to existing acls. - - The server syntax has been extended to support a range of - servers. - - Report differences between hints and real NS rrset and - associated address records. - - Preserve the case of domain names in rdata during zone - transfers. - - Restructured the data locking framework using architecture - dependent atomic operations (when available), improving - response performance on multi-processor machines significantly. - x86, x86_64, alpha, powerpc, and mips are currently supported. - - UNIX domain controls are now supported. - - Add support for additional zone file formats for improving - loading performance. The masterfile-format option in - named.conf can be used to specify a non-default format. A - separate command named-compilezone was provided to generate - zone files in the new format. Additionally, the -I and -O - options for dnssec-signzone specify the input and output - formats. - - dnssec-signzone can now randomize signature end times - (dnssec-signzone -j jitter). - - Add support for CH A record. - - Add additional zone data constancy checks. named-checkzone - has extended checking of NS, MX and SRV record and the hosts - they reference. named has extended post zone load checks. - New zone options: check-mx and integrity-check. - - - edns-udp-size can now be overridden on a per server basis. - - dig can now specify the EDNS version when making a query. - - Added framework for handling multiple EDNS versions. - - Additional memory debugging support to track size and mctx - arguments. - - Detect duplicates of UDP queries we are recursing on and - drop them. New stats category "duplicates". - - "USE INTERNAL MALLOC" is now runtime selectable. - - The lame cache is now done on a <qname,qclass,qtype> basis - as some servers only appear to be lame for certain query - types. - - Limit the number of recursive clients that can be waiting - for a single query (<qname,qtype,qclass>) to resolve. New - options clients-per-query and max-clients-per-query. - - dig: report the number of extra bytes still left in the - packet after processing all the records. - - Support for IPSECKEY rdata type. - - Raise the UDP recieve buffer size to 32k if it is less than 32k. - - x86 and x86_64 now have seperate atomic locking implementations. - - named-checkconf now validates update-policy entries. - - Attempt to make the amount of work performed in a iteration - self tuning. The covers nodes clean from the cache per - iteration, nodes written to disk when rewriting a master - file and nodes destroyed per iteration when destroying a - zone or a cache. - - ISC string copy API. - - Automatic empty zone creation for D.F.IP6.ARPA and friends. - Note: RFC 1918 zones are not yet covered by this but are - likely to be in a future release. - - New options: empty-server, empty-contact, empty-zones-enable - and disable-empty-zone. - - dig now has a '-q queryname' and '+showsearch' options. - - host/nslookup now continue (default)/fail on SERVFAIL. - - dig now warns if 'RA' is not set in the answer when 'RD' - was set in the query. host/nslookup skip servers that fail - to set 'RA' when 'RD' is set unless a server is explicitly - set. - - Integrate contibuted DLZ code into named. - - Integrate contibuted IDN code from JPNIC. - - libbind: corresponds to that from BIND 8.4.7. - -BIND 9.3.0 - - BIND 9.3.0 has a number of new features over 9.2, - including: - - DNSSEC is now DS based (RFC 3658). - See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. - - DNSSEC lookaside validation. - - check-names is now implemented. - rrset-order in more complete. - - IPv4/IPv6 transition support, dual-stack-servers. - - IXFR deltas can now be generated when loading master files, - ixfr-from-differences. - - It is now possible to specify the size of a journal, max-journal-size. - - It is now possible to define a named set of master servers to be - used in masters clause, masters. - - The advertised EDNS UDP size can now be set, edns-udp-size. - - allow-v6-synthesis has been obsoleted. - - NOTE: - * Zones containing MD and MF will now be rejected. - * dig, nslookup name. now report "Not Implemented" as - NOTIMP rather than NOTIMPL. This will have impact on scripts - that are looking for NOTIMPL. - - libbind: corresponds to that from BIND 8.4.5. - -BIND 9.2.0 - - BIND 9.2.0 has a number of new features over 9.1, - including: - - - The size of the cache can now be limited using the - "max-cache-size" option. - - - The server can now automatically convert RFC1886-style - recursive lookup requests into RFC2874-style lookups, - when enabled using the new option "allow-v6-synthesis". - This allows stub resolvers that support AAAA records - but not A6 record chains or binary labels to perform - lookups in domains that make use of these IPv6 DNS - features. - - - Performance has been improved. - - - The man pages now use the more portable "man" macros - rather than the "mandoc" macros, and are installed - by "make install". - - - The named.conf parser has been completely rewritten. - It now supports "include" directives in more - places such as inside "view" statements, and it no - longer has any reserved words. - - - The "rndc status" command is now implemented. - - - rndc can now be configured automatically. - - - A BIND 8 compatible stub resolver library is now - included in lib/bind. - - - OpenSSL has been removed from the distribution. This - means that to use DNSSEC, OpenSSL must be installed and - the --with-openssl option must be supplied to configure. - This does not apply to the use of TSIG, which does not - require OpenSSL. - - - The source distribution now builds on Windows. - See win32utils/readme1.txt and win32utils/win32-build.txt - for details. - - This distribution also includes a new lightweight stub - resolver library and associated resolver daemon that fully - support forward and reverse lookups of both IPv4 and IPv6 - addresses. This library is considered experimental and - is not a complete replacement for the BIND 8 resolver library. - Applications that use the BIND 8 res_* functions to perform - DNS lookups or dynamic updates still need to be linked against - the BIND 8 libraries. For DNS lookups, they can also use the - new "getrrsetbyname()" API. - - BIND 9.2 is capable of acting as an authoritative server - for DNSSEC secured zones. This functionality is believed to - be stable and complete except for lacking support for - verifications involving wildcard records in secure zones. - - When acting as a caching server, BIND 9.2 can be configured - to perform DNSSEC secure resolution on behalf of its clients. - This part of the DNSSEC implementation is still considered - experimental. For detailed information about the state of the - DNSSEC implementation, see the file doc/misc/dnssec. - - There are a few known bugs: - - On some systems, IPv6 and IPv4 sockets interact in - unexpected ways. For details, see doc/misc/ipv6. - To reduce the impact of these problems, the server - no longer listens for requests on IPv6 addresses - by default. If you need to accept DNS queries over - IPv6, you must specify "listen-on-v6 { any; };" - in the named.conf options statement. - - FreeBSD prior to 4.2 (and 4.2 if running as non-root) - and OpenBSD prior to 2.8 log messages like - "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and - OS X 10.2 (Darwin 6.0) reports errors like - "fcntl(3, F_SETFL, 4): Operation not supported by device". - This is due to a bug in "/dev/random" and impacts the - server's DNSSEC support. - - --with-libtool does not work on AIX. - - A bug in some versions of the Microsoft DNS server can cause zone - transfers from a BIND 9 server to a W2K server to fail. For details, - see the "Zone Transfers" section in doc/misc/migration. - - For a detailed list of user-visible changes from - previous releases, see the CHANGES file. - + - A new DNSSEC-aware libdns API for use by non-BIND9 applications + - On some platforms, named and other binaries can now print out + a stack backtrace on assertion failure, to aid in debugging. + - A "tools only" installation mode on Windows, which only installs + dig, host, nslookup and nsupdate. + - Improved PKCS#11 support, including Keyper support and explicit + OpenSSL engine selection. + + Known issues in this release: + + - A validating resolver that has been incorrectly configured with + an invalid trust anchor will be unable to resolve names covered + by that trust anchor. In all current versions of BIND 9, such a + resolver will also generate significant unnecessary DNS traffic + while trying to validate. The latter problem will be addressed + in future BIND 9 releases. In the meantime, to avoid these + problems, exercise caution when configuring "trusted-keys": + make sure all keys are correct and current when you add them, + and update your configuration in a timely manner when keys + roll over. + + - In rare cases, DNSSEC validation can leak memory. When this + happens, it will cause an assertion failure when named exits, + but is otherwise harmless. A fix exists, but was too late for + this release; it will be included in BIND 9.7.1. + + Compatibility notes: + + - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE, + ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then + you should ensure that all changes that are in progress have + completed prior to upgrading to BIND 9.7. BIND 9.7 implements + those features in a way which is not backwards compatible. + + - Prior releases had a bug which caused HMAC-SHA* keys with long + secrets to be used incorrectly. Fixing this bug means that older + versions of BIND 9 may fail to interoperate with this version + when using TSIG keys. If this occurs, the new "isc-hmac-fixup" + tool will convert a key with a long secret into a form that works + correctly with all versions of BIND 9. See the "isc-hmac-fixup" + man page for additional details. + + - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID. + It is possible for the new key ID to collide with that of a + different key. Newly generated keys will not have this problem, + as "dnssec-keygen" looks for potential collisions before + generating keys, but exercise caution if using key revokation + with keys that were generated by older versions of BIND 9. See + the Administrator's Reference Manual, section 4.10 ("Dynamic + Trust Anchor Management") for more details. + + - A bug was fixed in which a key's scheduled inactivity date was + stored incorectly. Users who participated in the 9.7.0 BETA test + and had DNSSEC keys with scheduled inactivity dates will need to + reset those keys' dates using "dnssec-settime -I". Building @@ -456,9 +143,9 @@ Building Ubuntu 7.04, 7.10 Windows XP/2003/2008 - NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of - Windows, including Windows NT and Windows 2000, are no longer - supported. + NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of + Windows, including Windows NT and Windows 2000, are no longer + supported. We have recent reports from the user community that a supported version of BIND will build and run on the following systems: @@ -558,10 +245,10 @@ Building on the configure command line. The default is operating system dependent. - Support for the "fixed" rrset-order option can be enabled - or disabled by specifying "--enable-fixed-rrset" or - "--disable-fixed-rrset" on the configure command line. - The default is "disabled", to reduce memory footprint. + Support for the "fixed" rrset-order option can be enabled + or disabled by specifying "--enable-fixed-rrset" or + "--disable-fixed-rrset" on the configure command line. + The default is "disabled", to reduce memory footprint. If your operating system has integrated support for IPv6, it will be used automatically. If you have installed KAME IPv6 @@ -627,8 +314,8 @@ Documentation Frequently asked questions and their answers can be found in FAQ. - Additional information on various subjects can be found - in the other README files. + Additional information on various subjects can be found + in the other README files. Bug Reports and Mailing Lists diff --git a/README.dnssec b/README.dnssec deleted file mode 100644 index a3eda796..00000000 --- a/README.dnssec +++ /dev/null @@ -1,186 +0,0 @@ - - DNSSEC and Dynamic Zones - -As of BIND 9.7.0 it is possible to change a dynamic zone from -insecure to secure and back again. A secure zone can use either -NSEC or NSEC3 chains. - - Converting from insecure to secure - -Changing a zone from insecure to secure can be done in two ways: -using a dynamic DNS update, or the "auto-dnssec" zone option. - -For either method, you need to configure named so that it can see -the K* files which contain the public and private parts of the keys -that will be used to sign the zone. These files will have been -generated by dnssec-keygen. You can do this by placing them in -the key-directory, as specified in named.conf: - - zone example.net { - type master; - update-policy local; - file "dynamic/example.net/example.net"; - key-directory "dynamic/example.net"; - }; - -If one KSK and one ZSK DNSKEY key have been generated, this configuration -will cause all records in the zone to be signed with the ZSK, and the -DNSKEY RRset to be signed with the KSK as well. An NSEC chain will be -generated as part of the initial signing process. - - Dynamic DNS update method - -To insert the keys via dynamic update: - - % nsupdate - > ttl 3600 - > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= - > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= - > send - -While the update request will complete almost immediately, the zone -will not be completely signed until named has had time to walk the -zone and generate the NSEC and RRSIG records. The NSEC record at the -apex will be added last, to signal that there is a complete NSEC chain. - -If you wish to sign using NSEC3 instead of NSEC, you should add an -NSEC3PARAM record to the initial update request. If you wish the -NSEC3 chain to have the OPTOUT bit set, set it in the flags field -of the NSEC3PARAM record. - - % nsupdate - > ttl 3600 - > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= - > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= - > update add example.net NSEC3PARAM 1 1 100 1234567890 - > send - -Again, this update request will complete almost immediately; however, -the record won't show up until named has had a chance to build/remove -the relevant chain. A private type record will be created to record -the state of the operation (see below for more details), and will be -removed once the operation completes. - -While the initial signing and NSEC/NSEC3 chain generation is happening, -other updates are possible as well. - - Fully automatic zone signing - -To enable automatic signing, add the "auto-dnssec" option to the zone -statement in named.conf. "auto-dnssec" has two possible arguments: -"allow" or "maintain". - -With "auto-dnssec allow", named can search the key directory for keys -matching the zone, insert them into the zone, and use them to sign the -zone. It will do so only when it receives an "rndc sign <zonename>" -command. - -"auto-dnssec maintain" includes the above functionality, but will also -automatically adjust the zone's DNSKEY records on schedule according to the -keys' timing metadata (see the man pages for dnssec-keygen and -dnssec-settime for more information). If keys are present in the key -directory the first time the zone is loaded, it will be signed -immediately, without waiting for an "rndc sign" command. (This -command can still be used for unscheduled key changes, however.) - -Using the "auto-dnssec" option requires the zone to be configured to -allow dynamic updates, by adding an "allow-update" or "update-policy" -statement to the zone configuration. If this has not been done, the -configuration will fail. - - Private-type records - -The state of the signing process is signaled by private-type records -(with a default type value of 65534). When signing is complete, these -records will have a nonzero value for the final octet (for those records -which have a nonzero initial octet). - -The private type record format: -If the first octet is non-zero then the record indicates that the zone needs -to be signed with the key matching the record, or that all signatures that -match the record should be removed. - - algorithm (octet 1) - key id in network order (octet 2 and 3) - removal flag (octet 4) - complete flag (octet 5) - -Only records flagged as "complete" can be removed via dynamic update. -Attempts to remove other private type records will be silently ignored. - -If the first octet is zero (this is a reserved algorithm number -that should never appear in a DNSKEY record) then the record indicates -changes to the NSEC3 chains are in progress. The rest of the record -contains an NSEC3PARAM record. The flag field tells what operation -to perform based on the flag bits. - - 0x01 OPTOUT - 0x80 CREATE - 0x40 REMOVE - 0x20 NONSEC - - DNSKEY rollovers via UPDATE - -It is possible to perform key rollovers via dynamic update. You need -to add the K* files for the new keys so that named can find them. You -can then add the new DNSKEY RRs via dynamic update. Named will then cause -the zone to be signed with the new keys. When the signing is -complete the private type records will be updated so that the last -octet is non zero. - -If this is for a KSK you need to inform the parent and any trust -anchor repositories of the new KSK. - -You should then wait for the maximum TTL in the zone before removing the -old DNSKEY. If it is a KSK that is being updated, you also need to wait -for the DS RRset in the parent to be updated and its TTL to expire. -This ensures that all clients will be able to verify at least one -signature when you remove the old DNSKEY. - -The old DNSKEY can be removed via UPDATE. Take care to specify -the correct key. Named will clean out any signatures generated by -the old key after the update completes. - - NSEC3PARAM rollovers via UPDATE - -Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain -has been generated, the NSEC3PARAM flag field will be zero. At this -point you can remove the old NSEC3PARAM record. The old chain will -be removed after the update request completes. - - Converting from NSEC to NSEC3 - -To do this, you just need to add an NSEC3PARAM record. When the -conversion is complete, the NSEC chain will have been removed and -the NSEC3PARAM record will have a zero flag field. The NSEC3 chain -will be generated before the NSEC chain is destroyed. - - Converting from NSEC3 to NSEC - -To do this, remove all NSEC3PARAM records with a zero flag field. The -NSEC chain will be generated before the NSEC3 chain is removed. - - Converting from secure to insecure - -To do this, remove all the DNSKEY records. Any NSEC or NSEC3 chains -will be removed as well, along with associated NSEC3PARAM records. -This will take place after the update request completes. This -requires the "dnssec-secure-to-insecure" option to be set to "yes" -in named.conf. - - Periodic re-signing - -In any secure zone which supports dynamic updates, named will -periodically re-sign RRsets which have not been re-signed as -a result of some update action. The signature lifetimes will -be adjusted so as to spread the re-sign load over time rather than -all at once. - - NSEC3 and OPTOUT - -Named only supports creating new NSEC3 chains where all the NSEC3 -records in the zone have the same OPTOUT state. Named supports -UPDATES to zones where the NSEC3 records in the chain have mixed -OPTOUT state. Named does not support changing the OPTOUT state of -an individual NSEC3 record, the entire chain needs to be changed if -the OPTOUT state of an individual NSEC3 needs to be changed. diff --git a/README.libdns b/README.libdns deleted file mode 100644 index e00444f9..00000000 --- a/README.libdns +++ /dev/null @@ -1,275 +0,0 @@ - - BIND-9 DNS Library Support - -This version of BIND9 "exports" its internal libraries so that they -can be used by third-party applications more easily (we call them -"export" libraries in this document). In addition to all major -DNS-related APIs BIND9 is currently using, the export libraries -provide the following features: - -- The newly created "DNS client" module. This is a higher level API - that provides an interface to name resolution, single DNS - transaction with a particular server, and dynamic update. Regarding - name resolution, it supports advanced features such as DNSSEC - validation and caching. This module supports both synchronous and - asynchronous mode. -- The new "IRS" (Information Retrieval System) library. It provides - an interface to parse the traditional resolv.conf file and more - advanced, DNS-specific configuration file for the rest of this - package (see the description for the dns.conf file below). -- As part of the IRS library, newly implemented standard address-name - mapping functions, getaddrinfo() and getnameinfo(), are provided. - They use the DNSSEC-aware validating resolver backend, and could use - other advanced features of the BIND9 libraries such as caching. The - getaddrinfo() function resolves both A and AAAA RRs concurrently - (when the address family is unspecified). -- An experimental framework to support other event libraries than - BIND9's internal event task system. - -* Prerequisite - -GNU make is required to build the export libraries (other part of -BIND9 can still be built with other types of make). In the reminder -of this document, "make" means GNU make. Note that in some platforms -you may need to invoke a different command name than "make" -(e.g. "gmake") to indicate it's GNU make. - -* Compilation - -1. ./configure --enable-exportlib [other flags] -2. make - -This will create (in addition to usual BIND9 programs) and a separate -set of libraries under the lib/export directory. For example, -lib/export/dns/libdns.a is the archive file of the export version of -the BIND9 DNS library. - -Sample application programs using the libraries will also be built -under the lib/export/samples directory (see below). - -* Installation - -1. cd lib/export -2. make install (root privilege is normally required) - (make install at the top directory will do the same) - -This will install library object files under the directory specified -by the --with-export-libdir configure option (default: -EPREFIX/lib/bind9), and header files under the directory specified by -the --with-export-includedir configure option (default: -PREFIX/include/bind9). - -To see how to build your own application after the installation, see -lib/export/samples/Makefile-postinstall.in - -* Known Defects/Restrictions - -- Currently, win32 is not supported for the export library. (Normal - BIND9 application can be built as before). -- The "fixed" RRset order is not (currently) supported in the export - library. If you want to use "fixed" RRset order for, e.g. named - while still building the export library even without the fixed - order support, build them separately: - % ./configure --enable-fixed-rrset [other flags, but not --enable-exportlib] - % make (this doesn't have to be make) - % ./configure --enable-exportlib [other flags, but not --enable-fixed-rrset] - % cd lib/export - % make -- The client module and the IRS library currently do not support - DNSSEC validation using DLV (the underlying modules can handle it, - but there is no tunable interface to enable the feature). -- RFC5011 is not supported in the validating stub resolver of the - export library. In fact, it is not clear whether it should: trust - anchors would be a system-wide configuration which would be managed - by an administrator, while the stub resolver will be used by - ordinary applications run by a normal user. -- Not all common /etc/resolv.conf options are supported in the IRS library. - The only available options in this version are "debug" and "ndots". - -* The dns.conf File - -The IRS library supports an "advanced" configuration file related to -the DNS library for configuration parameters that would be beyond the -capability of the resolv.conf file. Specifically, it is intended to -provide DNSSEC related configuration parameters. - -By default the path to this configuration file is /etc/dns.conf. - -This module is very experimental and the configuration syntax or -library interfaces may change in future versions. Currently, only the -'trusted-keys' statement is supported, whose syntax is the same as the -same name of statement for named.conf. - -* Sample Applications - -Some sample application programs using this API are provided for -reference. The following is a brief description of these -applications. - -- sample: a simple stub resolver utility. - - It sends a query of a given name (of a given optional RR type) - to a specified recursive server, and prints the result as a list of - RRs. It can also act as a validating stub resolver if a trust - anchor is given via a set of command line options. - - Usage: sample [options] server_address hostname - - Options and Arguments: - -t RRtype - specify the RR type of the query. The default is the A RR. - [-a algorithm] [-e] -k keyname -K keystring - specify a command-line DNS key to validate the answer. For - example, to specify the following DNSKEY of example.com: - example.com. 3600 IN DNSKEY 257 3 5 xxx - specify the options as follows: - -e -k example.com -K "xxx" - -e means that this key is a zone's "key signing key" (as known - as "secure Entry point"). - when -a is omitted rsasha1 will be used by default. - -s domain:alt_server_address - specify a separate recursive server address for the specific - "domain". Example: -s example.com:2001:db8::1234 - server_address - an IP(v4/v6) address of the recursive server to which queries - are sent. - hostname - the domain name for the query - -- sample-async: a simple stub resolver, working asynchronously. - - Similar to "sample", but accepts a list of (query) domain names as a - separate file and resolves the names asynchronously. - - Usage: sample-async [-s server_address] [-t RR_type] input_file - Options and Arguments: - -s server_address - an IPv4 address of the recursive server to which queries are - sent. (IPv6 addresses are not supported in this implementation) - -t RR_type - specify the RR type of the queries. The default is the A RR. - input_file - a list of domain names to be resolved. each line consists of a - single domain name. Example: - www.example.com - mx.examle.net - ns.xxx.example - -- sample-request: a simple DNS transaction client. - - It sends a query to a specified server, and prints the response with - minimal processing. It doesn't act as a "stub resolver": it stops - the processing once it gets any response from the server, whether - it's a referral or an alias (CNAME or DNAME) that would require - further queries to get the ultimate answer. In other words, this - utility acts as a very simplified dig. - - Usage: sample-request [-t RRtype] server_address hostname - Options and Arguments: - -t RRtype - specify the RR type of the queries. The default is the A RR. - server_address - an IP(v4/v6) address of the recursive server to which the query is - sent. - hostname - the domain name for the query - -- sample-gai: getaddrinfo() and getnameinfo() test code. - - This is a test program to check getaddrinfo() and getnameinfo() - behavior. It takes a host name as an argument, calls getaddrinfo() - with the given host name, and calls getnameinfo() with the resulting - IP addresses returned by getaddrinfo(). If the dns.conf file exists - and defines a trust anchor, the underlying resolver will act as a - validating resolver, and getaddrinfo()/getnameinfo() will fail with - an EAI_INSECUREDATA error when DNSSEC validation fails. - - Usage: sample-gai hostname - -- sample-update: a simple dynamic update client program - - It accepts a single update command as a command-line argument, sends - an update request message to the authoritative server, and shows the - response from the server. In other words, this is a simplified - nsupdate. - - Usage: sample-update [options] (add|delete) "update data" - Options and Arguments: - -a auth_server - An IP address of the authoritative server that has authority - for the zone containing the update name. This should normally - be the primary authoritative server that accepts dynamic - updates. It can also be a secondary server that is configured - to forward update requests to the primary server. - -k keyfile - A TSIG key file to secure the update transaction. The keyfile - format is the same as that for the nsupdate utility. - -p prerequisite - A prerequisite for the update (only one prerequisite can be - specified). The prerequisite format is the same as that is - accepted by the nsupdate utility. - -r recursive_server - An IP address of a recursive server that this utility will - use. A recursive server may be necessary to identify the - authoritative server address to which the update request is - sent. - -z zonename - The domain name of the zone that contains - (add|delete) - Specify the type of update operation. Either "add" or "delete" - must be specified. - "update data" - Specify the data to be updated. A typical example of the data - would look like "name TTL RRtype RDATA". - - Note: in practice, either -a or -r must be specified. Others can - be optional; the underlying library routine tries to identify the - appropriate server and the zone name for the update. - - Examples: assuming the primary authoritative server of the - dynamic.example.com zone has an IPv6 address 2001:db8::1234, - + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1" - adds an A RR for foo.dynamic.example.com using the given key. - + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A" - removes all A RRs for foo.dynamic.example.com using the given key. - + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com" - removes all RRs for foo.dynamic.example.com using the given key. - -- nsprobe: domain/name server checker in terms of RFC4074. - - It checks a set of domains to see the name servers of the domains - behave correctly in terms of RFC4074. This is included in the set - of sample programs to show how the export library can be used in a - DNS-related application. - - Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file] - Options - -d - run in the "debug" mode. with this option nsprobe will dump - every RRs it receives. - -v - increase verbosity of other normal log messages. This can be - specified multiple times - -c cache_address - specify an IP address of a recursive (caching) name server. - nsprobe uses this server to get the NS RRset of each domain and - the A and/or AAAA RRsets for the name servers. The default - value is 127.0.0.1. - input_file - a file name containing a list of domain (zone) names to be - probed. when omitted the standard input will be used. Each - line of the input file specifies a single domain name such as - "example.com". In general this domain name must be the apex - name of some DNS zone (unlike normal "host names" such as - "www.example.com"). nsprobe first identifies the NS RRsets for - the given domain name, and sends A and AAAA queries to these - servers for some "widely used" names under the zone; - specifically, adding "www" and "ftp" to the zone name. - -* Library References - -As of this writing, there is no formal "manual" of the libraries, -except this document, header files (some of them provide pretty -detailed explanations), and sample application programs. - -; $Id: README.libdns,v 1.3 2009/09/15 19:12:03 jinmei Exp $ diff --git a/README.pkcs11 b/README.pkcs11 deleted file mode 100644 index 72ce281e..00000000 --- a/README.pkcs11 +++ /dev/null @@ -1,309 +0,0 @@ - - BIND 9 PKCS #11 (Cryptoki) support - -INTRODUCTION - -PKCS #11 (Public Key Cryptography Standard #11) defines a platform- -independent API for the control of hardware security modules (HSMs) -and other cryptographic support devices. - -BIND 9 is known to work with two HSMs: The Sun SCA 6000 cryptographic -acceleration board, tested under Solaris x86, and the AEP Keyper -network-attached key storage device, tested with Debian Linux, -Solaris x86 and Windows Server 2003. - -PREREQUISITES - -See the HSM vendor documentation for information about installing, -initializing, testing and troubleshooting the HSM. - -BIND 9 uses OpenSSL for cryptography, but stock OpenSSL does not -yet fully support PKCS #11. However, a PKCS #11 engine for OpenSSL -is available from the OpenSolaris project. It has been modified by -ISC to work with with BIND 9, and to provide new features such as -PIN management and key by reference. - -The patched OpenSSL depends on a "PKCS #11 provider". This is a shared -library object, providing a low-level PKCS #11 interface to the HSM -hardware. It is dynamically loaded by OpenSSL at runtime. The PKCS #11 -provider comes from the HSM vendor, and and is specific to the HSM to be -controlled. - -There are two "flavors" of PKCS #11 support provided by the patched -OpenSSL, one of which must be chosen at configuration time. The correct -choice depends on the HSM hardware: - - - Use 'crypto-accelerator' with HSMs that have hardware cryptographic - acceleration features, such as the SCA 6000 board. This causes OpenSSL - to run all supported cryptographic operations in the HSM. - - - Use 'sign-only' with HSMs that are designed to function primarily as - secure key storage devices, but lack hardware acceleration. These - devices are highly secure, but are not necessarily any faster at - cryptography than the system CPU--often, they are slower. It is - therefore most efficient to use them only for those cryptographic - functions that require access to the secured private key, such as - zone signing, and to use the system CPU for all other computationally- - intensive operations. The AEP Keyper is an example of such a device. - -The modified OpenSSL code is included in the BIND 9.7.0b1 release, in the -form of a context diff against OpenSSL 0.9.8l. Before building BIND 9 -with PKCS #11 support, it will be necessary to build OpenSSL with this -patch in place and inform it of the path to the HSM-specific PKCS #11 -provider library. - -Obtain OpenSSL 0.9.8l: - - wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz - -Extract the tarball: - - tar zxf openssl-0.9.8l.tar.gz - -Apply the patch from the BIND 9 release: - - patch -p1 -d openssl-0.9.8l \ - < bind-9.7.0b1/bin/pkcs11/openssl-0.9.8l-patch - -(Note that the patch file may not be compatible with the "patch" -utility on all operating systems. You may need to install GNU patch.) - -When building OpenSSL, place it in a non-standard location so that it -does not interfere with OpenSSL libraries elsewhere on the system. -In the following examples, we choose to install into "/opt/pkcs11/usr". -We will use this location when we configure BIND 9. - - EXAMPLE 1--BUILDING OPENSSL FOR THE AEP KEYPER ON LINUX: - - The AEP Keyper is a highly secure key storage device, but does - not provide hardware cryptographic acceleration. It can carry out - cryptographic operations, but it is probably slower than your - system's CPU. Therefore, we choose the 'sign-only' flavor when - building OpenSSL. - - The Keyper-specific PKCS #11 provider library is delivered with the - Keyper software. In this example, we place it /opt/pkcs11/usr/lib: - - cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so - - This library is only available for Linux as a 32-bit binary. If we are - compiling on a 64-bit Linux system, it is necessary to force a 32-bit - build, by specifying -m32 in the build options. - - Finally, the Keyper library requires threads, so we must specify -pthread. - - cd openssl-0.9.8l - ./Configure linux-generic32 -m32 -pthread \ - --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ - --pk11-flavor=sign-only \ - --prefix=/opt/pkcs11/usr - - After configuring, run "make" and "make test". If "make test" fails - with "pthread_atfork() not found", you forgot to add the -pthread - above. - - EXAMPLE 2--BUILDING OPENSSL FOR THE SCA 6000 ON SOLARIS: - - The SCA-6000 PKCS #11 provider is installed as a system library, - libpkcs11. It is a true crypto accelerator, up to 4 times faster - than any CPU, so the flavor shall be 'crypto-accelerator'. - - In this example, we are building on Solaris x86 on an AMD64 system. - - cd openssl-0.9.8l - ./Configure solaris64-x86_64-cc \ - --pk11-libname=/usr/lib/64/libpkcs11.so \ - --pk11-flavor=crypto-accelerator \ - --prefix=/opt/pkcs11/usr - - (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.) - - After configuring, run "make" and "make test". - -Once you have built OpenSSL, run "apps/openssl engine pkcs11" to confirm -that PKCS #11 support was compiled in correctly. The output should be -one of the following lines, depending on the flavor selected: - - (pkcs11) PKCS #11 engine support (sign only) - -Or: - - (pkcs11) PKCS #11 engine support (crypto accelerator) - -Next, run "apps/openssl engine pkcs11 -t". This will attempt to initialize -the PKCS #11 engine. If it is able to do so successfully, it will report -"[ available ]". - -If the output is correct, run "make install". - -BUILDING BIND 9 - -When building BIND 9, the location of the custom-built OpenSSL -library must be specified via configure. - - EXAMPLE 3--CONFIGURING BIND 9 FOR LINUX - - To link with the PKCS #11 provider, threads must be enabled in the - BIND 9 build. - - The PKCS #11 library for the AEP Keyper is currently only available as - a 32-bit binary. If we are building on a 64-bit host, we must force a - 32-bit build by adding "-m32" to the CC options on the "configure" - command line. - - cd ../bind-9.7.0b1 - ./configure CC="gcc -m32" --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so - - EXAMPLE 4--CONFIGURING BIND 9 FOR SOLARIS - - To link with the PKCS #11 provider, threads must be enabled in the - BIND 9 build. - - cd ../bind-9.7.0b1 - ./configure CC="cc -xarch=amd64" --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/usr/lib/64/libpkcs11.so - - (For a 32-bit build, omit CC="cc -xarch=amd64".) - -If configure complains about OpenSSL not working, you may have a 32/64-bit -architecture mismatch. Or, you may have incorrectly specified the path to -OpenSSL (it should be the same as the --prefix argument to the OpenSSL -Configure). - -After configuring, run "make", "make test" and "make install". - -PKCS #11 TOOLS - -BIND 9 includes a minimal set of tools to operate the HSM, including -"pkcs11-keygen" to generate a new key pair within the HSM, "pkcs11-list" -to list objects currently available, and "pkcs11-destroy" to remove -objects. - -In UNIX/Linux builds, these tools are built only if BIND 9 is configured -with the --with-pkcs11 option. (NOTE: If --with-pkcs11 is set to "yes", -rather than to the path of the PKCS #11 provider, then the tools will be -built but the provider will be left undefined. Use the -m option or the -PKCS11_PROVIDER environment variable to specify the path to the provider.) - -USING THE HSM - -First, we must set up the runtime environment so the OpenSSL and PKCS #11 -libraries can be loaded: - - export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH} - -When operating an AEP Keyper, it is also necessary to specify the -location of the "machine" file, which stores information about the Keyper -for use by PKCS #11 provider library. If the machine file is in -/opt/Keyper/PKCS11Provider/machine, use: - - export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider - -These environment variables must be set whenever running any tool -that uses the HSM, including pkcs11-keygen, pkcs11-list, pkcs11-destroy, -dnssec-keyfromlabel, dnssec-signzone, dnssec-keygen (which will use -the HSM for random number generation), and named. - -We can now create and use keys in the HSM. In this case, we will -create a 2048 bit key and give it the label "sample-ksk": - - pkcs11-keygen -b 2048 -l sample-ksk - -To confirm that the key exists: - - pkcs11-list - Enter PIN: - object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] - object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] - -Before using this key to sign a zone, we must create a pair of BIND 9 -key files. The "dnssec-keyfromlabel" utility does this. In this case, -we will be using the HSM key "sample-ksk" as the key-signing key for -"example.net": - - dnssec-keyfromlabel -l sample-ksk -f KSK example.net - -The resulting K*.key and K*.private files can now be used to sign the -zone. Unlike normal K* files, which contain both public and private -key data, these files will contain only the public key data, plus an -identifier for the private key which remains stored within the HSM. -The HSM handles signing with the private key. - -If you wish to generate a second key in the HSM for use as a zone-signing -key, follow the same procedure above, using a different keylabel, a -smaller key size, and omitting "-f KSK" from the dnssec-keyfromlabel -arguments: - - pkcs11-keygen -b 1024 -l sample-zsk - dnssec-keyfromlabel -l sample-zsk example.net - -Alternatively, you may prefer to generate a conventional on-disk key, -using dnssec-keygen: - - dnssec-keygen example.net - -This provides less security than an HSM key, but since HSMs can be -slow or cumbersome to use for security reasons, it may be more -efficient to reserve HSM keys for use in the less frequent -key-signing operation. The zone-signing key can be rolled more -frequently, if you wish, to compensate for a reduction in key -security. - -Now you can sign the zone. (Note: If not using the -S option to -dnssec-signzone, it will be necessary to add the contents of both -K*.key files to the zone master file before signing it.) - - dnssec-signzone -S example.net - Enter PIN: - Verifying the zone using the following algorithms: NSEC3RSASHA1. - Zone signing complete: - Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by - example.net.signed - -SPECIFYING THE ENGINE ON THE COMMAND LINE - -The OpenSSL engine can be specified in named and all of the dnssec-* -tools by using the "-E <engine>" command line option. If BIND 9 is built -with the --with-pkcs11 option, this option defaults to "pkcs11". -Specifying the engine will generally not be necessary unless for -some reason you wish to use a different OpenSSL engine. - -If you wish to disable use of the "pkcs11" engine--for troubleshooting -purposes, or because the HSM is unavailable--set the engine to the empty -string. For example: - - dnssec-signzone -E '' -S example.net - -This causes dnssec-signzone to run as if it were compiled without the ---with-pkcs11 option. - -RUNNING NAMED WITH AUTOMATIC ZONE RE-SIGNING - -If you want named to dynamically re-sign zones using HSM keys, and/or to -to sign new records inserted via nsupdate, then named must have access -to the HSM PIN. This can be accomplished by placing the PIN into the -openssl.cnf file (in the above examples, /opt/pkcs11/usr/ssl/openssl.cnf). - -The location of the openssl.cnf file can be overridden by setting the -OPENSSL_CONF environment variable before running named. - -Sample openssl.cnf: - - openssl_conf = openssl_def - [ openssl_def ] - engines = engine_section - [ engine_section ] - pkcs11 = pkcs11_section - [ pkcs11_section ] - PIN = <PLACE PIN HERE> - -This will also allow the dnssec-* tools to access the HSM without -PIN entry. (The pkcs11-* tools access the HSM directly, not via -OpenSSL, so a PIN will still be required to use them.) - -PLEASE NOTE: Placing the HSM's PIN in a text file in this manner -may reduce the security advantage of using an HSM. Be sure this -is what you want to do before configuring BIND 9 in this way. diff --git a/README.rfc5011 b/README.rfc5011 deleted file mode 100644 index 7cf34912..00000000 --- a/README.rfc5011 +++ /dev/null @@ -1,74 +0,0 @@ - - BIND 9 RFC 5011 support - -BIND 9.7.0 introduces support for RFC 5011, dynamic trust anchor -management. Using this feature allows named to keep track of changes to -critical DNSSEC keys without any need for the operator to make changes to -configuration files. - -VALIDATING RESOLVER -------------------- - -To configure a validating resolver to use RFC5011 to maintain a trust -anchor, configure the trust anchor using a "managed-keys" statement. -Information about this can be found in the ARM, in the section titled -"managed-keys Statement Definition". - -AUTHORITATIVE SERVER --------------------- - -To set up an authoritative zone for RFC5011 trust anchor maintenance, -generate two (or more) key signing keys (KSKs) for the zone. Sign the zone -with one of them; this is the "active" KSK. All KSK's which do not sign -the zone are "stand-by" keys. - -Any validating resolver which is configured to use the active KSK as an -RFC5011-managed trust anchor will take note of the stand-by KSKs in the -zone's DNSKEY RRset, and store them for future reference. The resolver -will recheck the zone periodically, and after 30 days, if the new key is -still there, then the key will be accepted by the resolver as a valid -trust anchor for the zone. Any time after this 30-day acceptance timer -has completed, the active KSK can be revoked, and the zone can be "rolled -over" to the newly accepted key. - -The easiest way to place a stand-by key in a zone is to use the "smart -signing" features of dnssec-keygen and dnssec-signzone. If a key with a -publication date in the past, but an activation date which is unset or in -the future, "dnssec-signzone -S" will include the DNSKEY record in the -zone, but will not sign with it: - - $ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net - $ dnssec-signzone -S -K keys example.net - -To revoke a key, the new command "dnssec-revoke" has been added. This adds -the REVOKED bit to the key flags and re-generates the K*.key and K*.private -files. - -After revoking the active key, the zone must be signed with both the -revoked KSK and the new active KSK. (Smart signing takes care of this -automatically.) - -Once a key has been revoked and used to sign the DNSKEY RRset in which it -appears, that key will never again be accepted as a valid trust anchor by -the resolver. However, validation can proceed using the new active key -(which had been accepted by the resolver when it was a stand-by key). - -See RFC 5011 for more details on key rollover scenarios. - -When a key has been revoked, its key ID changes, increasing by -128, and wrapping around at 65535. So, for example, the key -"Kexample.com.+005+10000" becomes "Kexample.com.+005+10128". - -If two keys have ID's exactly 128 apart, and one is revoked, then the -two key ID's will collide, causing several problems. To prevent this, -dnssec-keygen will not generate a new key if another key is present which -may collide. This checking will only occur if the new keys are written -to the same directory which holds all other keys in use for that zone. - -Older versions of BIND 9 did not have this precaution. Exercise caution if -using key revocation on keys that were generated by previous releases, or -if using keys stored in multiple directories or on multiple machines. - -It is expected that a future release of BIND 9 will address this problem -in a different way, by storing revoked keys with their original unrevoked -key ID's. diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8 index b2b33b51..0eaf97cd 100644 --- a/bin/dnssec/dnssec-settime.8 +++ b/bin/dnssec/dnssec-settime.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -12,7 +12,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-settime.8,v 1.9 2009/11/03 21:58:30 tbox Exp $ +.\" $Id: dnssec-settime.8,v 1.9.24.3 2010/02/04 02:08:19 tbox Exp $ .\" .hy 0 .ad l @@ -131,7 +131,7 @@ for the publication date, \fBA\fR for the activation date, \fBR\fR -for the revokation date, +for the revocation date, \fBU\fR for the unpublication date, or \fBD\fR @@ -148,5 +148,5 @@ RFC 5011. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2009, 2010 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 70ad94ad..1c084bb2 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-settime.c,v 1.19.34.5 2010/01/07 19:16:30 each Exp $ */ +/* $Id: dnssec-settime.c,v 1.19.34.6 2010/02/03 01:02:17 each Exp $ */ /*! \file */ @@ -80,7 +80,7 @@ usage(void) { fprintf(stderr, " -D date/[+-]offset/none: set/unset key " "deletion date\n"); fprintf(stderr, "Printing options:\n"); - fprintf(stderr, " -p C/P/A/R/U/D/all: print a particular time " + fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time " "value or values " "[default: all]\n"); fprintf(stderr, " -u: print times in unix epoch " diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook index 8c081379..b4db0528 100644 --- a/bin/dnssec/dnssec-settime.docbook +++ b/bin/dnssec/dnssec-settime.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-settime.docbook,v 1.7 2009/11/03 21:44:46 each Exp $ --> +<!-- $Id: dnssec-settime.docbook,v 1.7.24.2 2010/02/03 23:48:29 tbox Exp $ --> <refentry id="man.dnssec-settime"> <refentryinfo> <date>July 15, 2009</date> @@ -37,6 +37,7 @@ <docinfo> <copyright> <year>2009</year> + <year>2010</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -240,7 +241,7 @@ <option>C</option> for the creation date, <option>P</option> for the publication date, <option>A</option> for the activation date, - <option>R</option> for the revokation date, + <option>R</option> for the revocation date, <option>U</option> for the unpublication date, or <option>D</option> for the deletion date. To print all of the metadata, use <option>-p all</option>. diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html index 935ec031..e3efc583 100644 --- a/bin/dnssec/dnssec-settime.html +++ b/bin/dnssec/dnssec-settime.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-settime.html,v 1.9 2009/11/03 21:58:30 tbox Exp $ --> +<!-- $Id: dnssec-settime.html,v 1.9.24.3 2010/02/04 02:08:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -32,7 +32,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543416"></a><h2>DESCRIPTION</h2> +<a name="id2543419"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-settime</strong></span> reads a DNSSEC private key file and sets the key timing metadata as specified by the <code class="option">-P</code>, <code class="option">-A</code>, @@ -57,7 +57,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543464"></a><h2>OPTIONS</h2> +<a name="id2543467"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-f</span></dt> <dd><p> @@ -88,7 +88,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543556"></a><h2>TIMING OPTIONS</h2> +<a name="id2543559"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -133,7 +133,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543654"></a><h2>PRINTING OPTIONS</h2> +<a name="id2543657"></a><h2>PRINTING OPTIONS</h2> <p> <span><strong class="command">dnssec-settime</strong></span> can also be used to print the timing metadata associated with a key. @@ -151,7 +151,7 @@ <code class="option">C</code> for the creation date, <code class="option">P</code> for the publication date, <code class="option">A</code> for the activation date, - <code class="option">R</code> for the revokation date, + <code class="option">R</code> for the revocation date, <code class="option">U</code> for the unpublication date, or <code class="option">D</code> for the deletion date. To print all of the metadata, use <code class="option">-p all</code>. @@ -159,7 +159,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543732"></a><h2>SEE ALSO</h2> +<a name="id2543735"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -167,7 +167,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543765"></a><h2>AUTHOR</h2> +<a name="id2543768"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index 062fdb5d..c1a287cf 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: statschannel.c,v 1.24 2009/10/20 03:30:07 marka Exp $ */ +/* $Id: statschannel.c,v 1.24.40.2 2010/02/04 23:48:30 tbox Exp $ */ /*! \file */ @@ -71,6 +71,7 @@ stats_dumparg { int ncounters; /* used for general statistics */ int *counterindices; /* used for general statistics */ isc_uint64_t *countervalues; /* used for general statistics */ + isc_result_t result; } stats_dumparg_t; static isc_once_t once = ISC_ONCE_INIT; @@ -96,6 +97,8 @@ static const char *sockstats_xmldesc[isc_sockstatscounter_max]; #define sockstats_xmldesc NULL #endif /* HAVE_LIBXML2 */ +#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0) + /*% * Mapping arrays to represent statistics counters in the order of our * preference, regardless of the order of counter indices. For example, @@ -438,7 +441,7 @@ generalstat_dump(isc_statscounter_t counter, isc_uint64_t val, void *arg) { dumparg->countervalues[counter] = val; } -static void +static isc_result_t dump_counters(isc_stats_t *stats, statsformat_t type, void *arg, const char *category, const char **desc, int ncounters, int *indices, isc_uint64_t *values, int options) @@ -449,6 +452,7 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg, FILE *fp; #ifdef HAVE_LIBXML2 xmlTextWriterPtr writer; + int xmlrc; #endif #ifndef HAVE_LIBXML2 @@ -481,31 +485,41 @@ dump_counters(isc_stats_t *stats, statsformat_t type, void *arg, writer = arg; if (category != NULL) { - xmlTextWriterStartElement(writer, - ISC_XMLCHAR - category); - xmlTextWriterStartElement(writer, - ISC_XMLCHAR "name"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR - desc[index]); - xmlTextWriterEndElement(writer); /* name */ - - xmlTextWriterStartElement(writer, ISC_XMLCHAR - "counter"); + TRY0(xmlTextWriterStartElement(writer, + ISC_XMLCHAR + category)); + TRY0(xmlTextWriterStartElement(writer, + ISC_XMLCHAR + "name")); + TRY0(xmlTextWriterWriteString(writer, + ISC_XMLCHAR + desc[index])); + TRY0(xmlTextWriterEndElement(writer)); /* name */ + + TRY0(xmlTextWriterStartElement(writer, + ISC_XMLCHAR + "counter")); } else { - xmlTextWriterStartElement(writer, ISC_XMLCHAR - desc[index]); + TRY0(xmlTextWriterStartElement(writer, + ISC_XMLCHAR + desc[index])); } - xmlTextWriterWriteFormatString(writer, - "%" ISC_PRINT_QUADFORMAT - "u", value); - xmlTextWriterEndElement(writer); /* counter */ + TRY0(xmlTextWriterWriteFormatString(writer, + "%" + ISC_PRINT_QUADFORMAT + "u", value)); + TRY0(xmlTextWriterEndElement(writer)); /* counter */ if (category != NULL) - xmlTextWriterEndElement(writer); /* category */ + TRY0(xmlTextWriterEndElement(writer)); /* category */ #endif break; } } + return (ISC_R_SUCCESS); +#ifdef HAVE_LIBXML2 + error: + return (ISC_R_FAILURE); +#endif } static void @@ -516,6 +530,7 @@ rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) { FILE *fp; #ifdef HAVE_LIBXML2 xmlTextWriterPtr writer; + int xmlrc; #endif if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) @@ -535,22 +550,28 @@ rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) { #ifdef HAVE_LIBXML2 writer = dumparg->arg; - xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdtype"); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdtype")); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR typestr); - xmlTextWriterEndElement(writer); /* name */ + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name")); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR typestr)); + TRY0(xmlTextWriterEndElement(writer)); /* name */ - xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"); - xmlTextWriterWriteFormatString(writer, + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter")); + TRY0(xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u", - val); - xmlTextWriterEndElement(writer); /* counter */ + val)); + TRY0(xmlTextWriterEndElement(writer)); /* counter */ - xmlTextWriterEndElement(writer); /* rdtype */ + TRY0(xmlTextWriterEndElement(writer)); /* rdtype */ #endif break; } + return; +#ifdef HAVE_LIBXML2 + error: + dumparg->result = ISC_R_FAILURE; + return; +#endif } static void @@ -562,6 +583,7 @@ rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) { isc_boolean_t nxrrset = ISC_FALSE; #ifdef HAVE_LIBXML2 xmlTextWriterPtr writer; + int xmlrc; #endif if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) @@ -590,22 +612,28 @@ rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) { #ifdef HAVE_LIBXML2 writer = dumparg->arg; - xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset"); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"); - xmlTextWriterWriteFormatString(writer, "%s%s", - nxrrset ? "!" : "", typestr); - xmlTextWriterEndElement(writer); /* name */ + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset")); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name")); + TRY0(xmlTextWriterWriteFormatString(writer, "%s%s", + nxrrset ? "!" : "", typestr)); + TRY0(xmlTextWriterEndElement(writer)); /* name */ - xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"); - xmlTextWriterWriteFormatString(writer, + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter")); + TRY0(xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u", - val); - xmlTextWriterEndElement(writer); /* counter */ + val)); + TRY0(xmlTextWriterEndElement(writer)); /* counter */ - xmlTextWriterEndElement(writer); /* rrset */ + TRY0(xmlTextWriterEndElement(writer)); /* rrset */ #endif break; } + return; +#ifdef HAVE_LIBXML2 + error: + dumparg->result = ISC_R_FAILURE; +#endif + } static void @@ -616,6 +644,7 @@ opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) { stats_dumparg_t *dumparg = arg; #ifdef HAVE_LIBXML2 xmlTextWriterPtr writer; + int xmlrc; #endif isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1); @@ -631,30 +660,35 @@ opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) { #ifdef HAVE_LIBXML2 writer = dumparg->arg; - xmlTextWriterStartElement(writer, ISC_XMLCHAR "opcode"); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "opcode")); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR codebuf); - xmlTextWriterEndElement(writer); /* name */ + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name")); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR codebuf)); + TRY0(xmlTextWriterEndElement(writer)); /* name */ - xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"); - xmlTextWriterWriteFormatString(writer, + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter")); + TRY0(xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u", - val); - xmlTextWriterEndElement(writer); /* counter */ + val)); + TRY0(xmlTextWriterEndElement(writer)); /* counter */ - xmlTextWriterEndElement(writer); /* opcode */ + TRY0(xmlTextWriterEndElement(writer)); /* opcode */ #endif break; } + return; + +#ifdef HAVE_LIBXML2 + error: + dumparg->result = ISC_R_FAILURE; + return; +#endif } #ifdef HAVE_LIBXML2 /* XXXMLG below here sucks. */ -#define TRY(a) do { result = (a); INSIST(result == ISC_R_SUCCESS); } while(0); -#define TRY0(a) do { xmlrc = (a); INSIST(xmlrc >= 0); } while(0); static isc_result_t zone_xmlrender(dns_zone_t *zone, void *arg) { @@ -664,49 +698,55 @@ zone_xmlrender(dns_zone_t *zone, void *arg) { xmlTextWriterPtr writer = arg; isc_stats_t *zonestats; isc_uint64_t nsstat_values[dns_nsstatscounter_max]; + int xmlrc; + isc_result_t result; - xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone")); dns_zone_name(zone, buf, sizeof(buf)); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR buf); - xmlTextWriterEndElement(writer); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name")); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf)); + TRY0(xmlTextWriterEndElement(writer)); rdclass = dns_zone_getclass(zone); dns_rdataclass_format(rdclass, buf, sizeof(buf)); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdataclass"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR buf); - xmlTextWriterEndElement(writer); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdataclass")); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf)); + TRY0(xmlTextWriterEndElement(writer)); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial")); if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS) - xmlTextWriterWriteFormatString(writer, "%u", serial); + TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial)); else - xmlTextWriterWriteString(writer, ISC_XMLCHAR "-"); - xmlTextWriterEndElement(writer); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "-")); + TRY0(xmlTextWriterEndElement(writer)); zonestats = dns_zone_getrequeststats(zone); if (zonestats != NULL) { - xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"); - dump_counters(zonestats, statsformat_xml, writer, NULL, - nsstats_xmldesc, dns_nsstatscounter_max, - nsstats_index, nsstat_values, - ISC_STATSDUMP_VERBOSE); - xmlTextWriterEndElement(writer); /* counters */ + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters")); + result = dump_counters(zonestats, statsformat_xml, writer, NULL, + nsstats_xmldesc, dns_nsstatscounter_max, + nsstats_index, nsstat_values, + ISC_STATSDUMP_VERBOSE); + if (result != ISC_R_SUCCESS) + goto error; + TRY0(xmlTextWriterEndElement(writer)); /* counters */ } - xmlTextWriterEndElement(writer); /* zone */ + TRY0(xmlTextWriterEndElement(writer)); /* zone */ return (ISC_R_SUCCESS); + error: + return (ISC_R_FAILURE); } -static void +static isc_result_t generatexml(ns_server_t *server, int *buflen, xmlChar **buf) { char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"]; char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"]; isc_time_t now; - xmlTextWriterPtr writer; - xmlDocPtr doc; + xmlTextWriterPtr writer = NULL; + xmlDocPtr doc = NULL; int xmlrc; dns_view_t *view; stats_dumparg_t dumparg; @@ -715,12 +755,15 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) { isc_uint64_t resstat_values[dns_resstatscounter_max]; isc_uint64_t zonestat_values[dns_zonestatscounter_max]; isc_uint64_t sockstat_values[isc_sockstatscounter_max]; + isc_result_t result; isc_time_now(&now); isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime); isc_time_formatISO8601(&now, nowstr, sizeof nowstr); writer = xmlNewTextWriterDoc(&doc, 0); + if (writer == NULL) + goto error; TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL)); TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet", ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\"")); @@ -744,27 +787,36 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) { view = ISC_LIST_HEAD(server->viewlist); TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views")); while (view != NULL) { - xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view")); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name); - xmlTextWriterEndElement(writer); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name")); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name)); + TRY0(xmlTextWriterEndElement(writer)); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones"); - dns_zt_apply(view->zonetable, ISC_FALSE, zone_xmlrender, - writer); - xmlTextWriterEndElement(writer); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones")); + result = dns_zt_apply(view->zonetable, ISC_TRUE, zone_xmlrender, + writer); + if (result != ISC_R_SUCCESS) + goto error; + TRY0(xmlTextWriterEndElement(writer)); if (view->resquerystats != NULL) { + dumparg.result = ISC_R_SUCCESS; dns_rdatatypestats_dump(view->resquerystats, rdtypestat_dump, &dumparg, 0); + if (dumparg.result != ISC_R_SUCCESS) + goto error; } if (view->resstats != NULL) { - dump_counters(view->resstats, statsformat_xml, writer, - "resstat", resstats_xmldesc, - dns_resstatscounter_max, resstats_index, - resstat_values, ISC_STATSDUMP_VERBOSE); + result = dump_counters(view->resstats, statsformat_xml, + writer, "resstat", + resstats_xmldesc, + dns_resstatscounter_max, + resstats_index, resstat_values, + ISC_STATSDUMP_VERBOSE); + if (result != ISC_R_SUCCESS) + goto error; } cachestats = dns_db_getrrsetstats(view->cachedb); @@ -775,12 +827,15 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) { ISC_XMLCHAR "name", ISC_XMLCHAR dns_cache_getname(view->cache))); + dumparg.result = ISC_R_SUCCESS; dns_rdatasetstats_dump(cachestats, rdatasetstats_dump, &dumparg, 0); + if (dumparg.result != ISC_R_SUCCESS) + goto error; TRY0(xmlTextWriterEndElement(writer)); /* cache */ } - xmlTextWriterEndElement(writer); /* view */ + TRY0(xmlTextWriterEndElement(writer)); /* view */ view = ISC_LIST_NEXT(view, link); } @@ -795,44 +850,63 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) { TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server")); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime); - xmlTextWriterEndElement(writer); - xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"); - xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr); - xmlTextWriterEndElement(writer); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time")); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime)); + TRY0(xmlTextWriterEndElement(writer)); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time")); + TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr)); + TRY0(xmlTextWriterEndElement(writer)); TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "requests")); + dumparg.result = ISC_R_SUCCESS; dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg, 0); - xmlTextWriterEndElement(writer); /* requests */ + if (dumparg.result != ISC_R_SUCCESS) + goto error; + TRY0(xmlTextWriterEndElement(writer)); /* requests */ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "queries-in")); + dumparg.result = ISC_R_SUCCESS; dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump, &dumparg, 0); - xmlTextWriterEndElement(writer); /* queries-in */ - - dump_counters(server->nsstats, statsformat_xml, writer, - "nsstat", nsstats_xmldesc, dns_nsstatscounter_max, - nsstats_index, nsstat_values, ISC_STATSDUMP_VERBOSE); + if (dumparg.result != ISC_R_SUCCESS) + goto error; + TRY0(xmlTextWriterEndElement(writer)); /* queries-in */ + + result = dump_counters(server->nsstats, statsformat_xml, writer, + "nsstat", nsstats_xmldesc, + dns_nsstatscounter_max, + nsstats_index, nsstat_values, + ISC_STATSDUMP_VERBOSE); + if (result != ISC_R_SUCCESS) + goto error; - dump_counters(server->zonestats, statsformat_xml, writer, "zonestat", - zonestats_xmldesc, dns_zonestatscounter_max, - zonestats_index, zonestat_values, ISC_STATSDUMP_VERBOSE); + result = dump_counters(server->zonestats, statsformat_xml, writer, + "zonestat", zonestats_xmldesc, + dns_zonestatscounter_max, zonestats_index, + zonestat_values, ISC_STATSDUMP_VERBOSE); + if (result != ISC_R_SUCCESS) + goto error; /* * Most of the common resolver statistics entries are 0, so we don't * use the verbose dump here. */ - dump_counters(server->resolverstats, statsformat_xml, writer, "resstat", - resstats_xmldesc, dns_resstatscounter_max, resstats_index, - resstat_values, 0); + result = dump_counters(server->resolverstats, statsformat_xml, writer, + "resstat", resstats_xmldesc, + dns_resstatscounter_max, resstats_index, + resstat_values, 0); + if (result != ISC_R_SUCCESS) + goto error; - dump_counters(server->sockstats, statsformat_xml, writer, "sockstat", - sockstats_xmldesc, isc_sockstatscounter_max, - sockstats_index, sockstat_values, ISC_STATSDUMP_VERBOSE); + result = dump_counters(server->sockstats, statsformat_xml, writer, + "sockstat", sockstats_xmldesc, + isc_sockstatscounter_max, sockstats_index, + sockstat_values, ISC_STATSDUMP_VERBOSE); + if (result != ISC_R_SUCCESS) + goto error; - xmlTextWriterEndElement(writer); /* server */ + TRY0(xmlTextWriterEndElement(writer)); /* server */ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory")); isc_mem_renderxml(writer); @@ -848,6 +922,14 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) { xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 1); xmlFreeDoc(doc); + return (ISC_R_SUCCESS); + + error: + if (writer != NULL) + xmlFreeTextWriter(writer); + if (doc != NULL) + xmlFreeDoc(doc); + return (ISC_R_FAILURE); } static void @@ -866,21 +948,24 @@ render_index(const char *url, const char *querystring, void *arg, unsigned char *msg; int msglen; ns_server_t *server = arg; + isc_result_t result; UNUSED(url); UNUSED(querystring); - generatexml(server, &msglen, &msg); + result = generatexml(server, &msglen, &msg); - *retcode = 200; - *retmsg = "OK"; - *mimetype = "text/xml"; - isc_buffer_reinit(b, msg, msglen); - isc_buffer_add(b, msglen); - *freecb = wrap_xmlfree; - *freecb_args = NULL; + if (result == ISC_R_SUCCESS) { + *retcode = 200; + *retmsg = "OK"; + *mimetype = "text/xml"; + isc_buffer_reinit(b, msg, msglen); + isc_buffer_add(b, msglen); + *freecb = wrap_xmlfree; + *freecb_args = NULL; + } - return (ISC_R_SUCCESS); + return (result); } #endif /* HAVE_LIBXML2 */ @@ -1281,20 +1366,20 @@ ns_stats_dump(ns_server_t *server, FILE *fp) { } fprintf(fp, "++ Name Server Statistics ++\n"); - dump_counters(server->nsstats, statsformat_file, fp, NULL, - nsstats_desc, dns_nsstatscounter_max, nsstats_index, - nsstat_values, 0); + (void) dump_counters(server->nsstats, statsformat_file, fp, NULL, + nsstats_desc, dns_nsstatscounter_max, + nsstats_index, nsstat_values, 0); fprintf(fp, "++ Zone Maintenance Statistics ++\n"); - dump_counters(server->zonestats, statsformat_file, fp, NULL, - zonestats_desc, dns_zonestatscounter_max, - zonestats_index, zonestat_values, 0); + (void) dump_counters(server->zonestats, statsformat_file, fp, NULL, + zonestats_desc, dns_zonestatscounter_max, + zonestats_index, zonestat_values, 0); fprintf(fp, "++ Resolver Statistics ++\n"); fprintf(fp, "[Common]\n"); - dump_counters(server->resolverstats, statsformat_file, fp, NULL, - resstats_desc, dns_resstatscounter_max, resstats_index, - resstat_values, 0); + (void) dump_counters(server->resolverstats, statsformat_file, fp, NULL, + resstats_desc, dns_resstatscounter_max, + resstats_index, resstat_values, 0); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { @@ -1304,9 +1389,9 @@ ns_stats_dump(ns_server_t *server, FILE *fp) { fprintf(fp, "[View: default]\n"); else fprintf(fp, "[View: %s]\n", view->name); - dump_counters(view->resstats, statsformat_file, fp, NULL, - resstats_desc, dns_resstatscounter_max, - resstats_index, resstat_values, 0); + (void) dump_counters(view->resstats, statsformat_file, fp, NULL, + resstats_desc, dns_resstatscounter_max, + resstats_index, resstat_values, 0); } fprintf(fp, "++ Cache DB RRsets ++\n"); @@ -1335,9 +1420,9 @@ ns_stats_dump(ns_server_t *server, FILE *fp) { } fprintf(fp, "++ Socket I/O Statistics ++\n"); - dump_counters(server->sockstats, statsformat_file, fp, NULL, - sockstats_desc, isc_sockstatscounter_max, sockstats_index, - sockstat_values, 0); + (void) dump_counters(server->sockstats, statsformat_file, fp, NULL, + sockstats_desc, isc_sockstatscounter_max, + sockstats_index, sockstat_values, 0); fprintf(fp, "++ Per Zone Query Statistics ++\n"); zone = NULL; @@ -1358,9 +1443,10 @@ ns_stats_dump(ns_server_t *server, FILE *fp) { fprintf(fp, " (view: %s)", view->name); fprintf(fp, "]\n"); - dump_counters(zonestats, statsformat_file, fp, NULL, - nsstats_desc, dns_nsstatscounter_max, - nsstats_index, nsstat_values, 0); + (void) dump_counters(zonestats, statsformat_file, fp, + NULL, nsstats_desc, + dns_nsstatscounter_max, + nsstats_index, nsstat_values, 0); } } diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 5661a036..9700f12a 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.3 2010/01/07 23:48:15 tbox Exp $ --> +<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.5 2010/02/03 01:32:43 each Exp $ --> <book xmlns:xi="http://www.w3.org/2001/XInclude"> <title>BIND 9 Administrator Reference Manual</title> @@ -2655,6 +2655,13 @@ options { </sect2> </sect1> + + <xi:include href="dnssec.xml"/> + + <xi:include href="managed-keys.xml"/> + + <xi:include href="pkcs11.xml"/> + <sect1> <title>IPv6 Support in <acronym>BIND</acronym> 9</title> @@ -8437,7 +8444,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <listitem> <para> The delay, in seconds, between sending sets of notify - messages for a zone. The default is zero. + messages for a zone. The default is five (5) seconds. </para> </listitem> </varlistentry> @@ -9187,7 +9194,7 @@ deny-answer-aliases { "example.net"; }; </sect2> - <sect2> + <sect2 id="trusted-keys"> <title><command>trusted-keys</command> Statement Grammar</title> <programlisting><command>trusted-keys</command> { @@ -9248,7 +9255,7 @@ deny-answer-aliases { "example.net"; }; </programlisting> </sect2> - <sect2> + <sect2 id="managed-keys"> <title><command>managed-keys</command> Statement Definition and Usage</title> <para> @@ -15650,8 +15657,12 @@ zone "example.com" { </bibliography> </sect2> </sect1> + + <xi:include href="libdns.xml"/> + </appendix> + <reference id="Bv9ARM.ch10"> <title>Manual pages</title> <xi:include href="../../bin/dig/dig.docbook"/> diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 259fbe00..306cb6ac 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch04.html,v 1.103.22.1 2010/01/08 02:08:24 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch04.html,v 1.103.22.3 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -68,10 +68,38 @@ <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572065">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572331">Address Lookups Using AAAA Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572353">Address to Name Lookups Using Nibble Format</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605770">Converting from insecure to secure</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563550">Dynamic DNS update method</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563587">Fully automatic zone signing</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563662">Private-type records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563768">DNSKEY rollovers via UPDATE</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563801">NSEC3PARAM rollovers via UPDATE</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563811">Converting from NSEC to NSEC3</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563820">Converting from NSEC3 to NSEC</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Converting from secure to insecure</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563939">Periodic re-signing</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563948">NSEC3 and OPTOUT</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605417">Validating Resolver</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605440">Authoritative Server</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607939">Prerequisites</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606230">Building BIND 9 with PKCS#11</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606325">PKCS #11 Tools</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606356">Using the HSM</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608124">Specifying the engine on the command line</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608443">Running named with automatic zone re-signing</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572077">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572344">Address Lookups Using AAAA Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572434">Address to Name Lookups Using Nibble Format</a></span></dt> </dl></dd> </dl> </div> @@ -1019,7 +1047,676 @@ options { </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2572065"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div> +<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div> +<p>As of BIND 9.7.0 it is possible to change a dynamic zone + from insecure to signed and back again. A secure zone can use + either NSEC or NSEC3 chains.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2605770"></a>Converting from insecure to secure</h3></div></div></div></div> +<p>Changing a zone from insecure to secure can be done in two + ways: using a dynamic DNS update, or the + <span><strong class="command">auto-dnssec</strong></span> zone option.</p> +<p>For either method, you need to configure + <span><strong class="command">named</strong></span> so that it can see the + <code class="filename">K*</code> files which contain the public and private + parts of the keys that will be used to sign the zone. These files + will have been generated by + <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them + in the key-directory, as specified in + <code class="filename">named.conf</code>:</p> +<pre class="programlisting"> + zone example.net { + type master; + update-policy local; + file "dynamic/example.net/example.net"; + key-directory "dynamic/example.net"; + }; +</pre> +<p>If one KSK and one ZSK DNSKEY key have been generated, this + configuration will cause all records in the zone to be signed + with the ZSK, and the DNSKEY RRset to be signed with the KSK as + well. An NSEC chain will be generated as part of the initial + signing process.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563550"></a>Dynamic DNS update method</h3></div></div></div></div> +<p>To insert the keys via dynamic update:</p> +<pre class="screen"> + % nsupdate + > ttl 3600 + > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= + > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= + > send +</pre> +<p>While the update request will complete almost immediately, + the zone will not be completely signed until + <span><strong class="command">named</strong></span> has had time to walk the zone and + generate the NSEC and RRSIG records. The NSEC record at the apex + will be added last, to signal that there is a complete NSEC + chain.</p> +<p>If you wish to sign using NSEC3 instead of NSEC, you should + add an NSEC3PARAM record to the initial update request. If you + wish the NSEC3 chain to have the OPTOUT bit set, set it in the + flags field of the NSEC3PARAM record.</p> +<pre class="screen"> + % nsupdate + > ttl 3600 + > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= + > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= + > update add example.net NSEC3PARAM 1 1 100 1234567890 + > send +</pre> +<p>Again, this update request will complete almost + immediately; however, the record won't show up until + <span><strong class="command">named</strong></span> has had a chance to build/remove the + relevant chain. A private type record will be created to record + the state of the operation (see below for more details), and will + be removed once the operation completes.</p> +<p>While the initial signing and NSEC/NSEC3 chain generation + is happening, other updates are possible as well.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563587"></a>Fully automatic zone signing</h3></div></div></div></div> +<p>To enable automatic signing, add the + <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in + <code class="filename">named.conf</code>. + <span><strong class="command">auto-dnssec</strong></span> has two possible arguments: + <code class="constant">allow</code> or + <code class="constant">maintain</code>.</p> +<p>With + <span><strong class="command">auto-dnssec allow</strong></span>, + <span><strong class="command">named</strong></span> can search the key directory for keys + matching the zone, insert them into the zone, and use them to + sign the zone. It will do so only when it receives an + <span><strong class="command">rndc sign <zonename></strong></span> command.</p> +<p> + + <span><strong class="command">auto-dnssec maintain</strong></span> includes the above + functionality, but will also automatically adjust the zone's + DNSKEY records on schedule according to the keys' timing metadata. + (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) + If keys are present in the key directory the first time the zone + is loaded, it will be signed immediately, without waiting for an + <span><strong class="command">rndc sign</strong></span> command. (This command can still be + used for unscheduled key changes, however.)</p> +<p>Using the + <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be + configured to allow dynamic updates, by adding an + <span><strong class="command">allow-update</strong></span> or + <span><strong class="command">update-policy</strong></span> statement to the zone + configuration. If this has not been done, the configuration will + fail.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563662"></a>Private-type records</h3></div></div></div></div> +<p>The state of the signing process is signaled by + private-type records (with a default type value of 65534). When + signing is complete, these records will have a nonzero value for + the final octet (for those records which have a nonzero initial + octet).</p> +<p>The private type record format: If the first octet is + non-zero then the record indicates that the zone needs to be + signed with the key matching the record, or that all signatures + that match the record should be removed.</p> +<p> + </p> +<div class="literallayout"><p><br> +<br> + algorithm (octet 1)<br> + key id in network order (octet 2 and 3)<br> + removal flag (octet 4)<br> + complete flag (octet 5)<br> +</p></div> +<p> + </p> +<p>Only records flagged as "complete" can be removed via + dynamic update. Attempts to remove other private type records + will be silently ignored.</p> +<p>If the first octet is zero (this is a reserved algorithm + number that should never appear in a DNSKEY record) then the + record indicates changes to the NSEC3 chains are in progress. The + rest of the record contains an NSEC3PARAM record. The flag field + tells what operation to perform based on the flag bits.</p> +<p> + </p> +<div class="literallayout"><p><br> +<br> + 0x01 OPTOUT<br> + 0x80 CREATE<br> + 0x40 REMOVE<br> + 0x20 NONSEC<br> +</p></div> +<p> + </p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563768"></a>DNSKEY rollovers via UPDATE</h3></div></div></div></div> +<p>It is possible to perform key rollovers via dynamic update. + You need to add the + <code class="filename">K*</code> files for the new keys so that + <span><strong class="command">named</strong></span> can find them. You can then add the new + DNSKEY RRs via dynamic update. + <span><strong class="command">named</strong></span> will then cause the zone to be signed + with the new keys. When the signing is complete the private type + records will be updated so that the last octet is non + zero.</p> +<p>If this is for a KSK you need to inform the parent and any + trust anchor repositories of the new KSK.</p> +<p>You should then wait for the maximum TTL in the zone before + removing the old DNSKEY. If it is a KSK that is being updated, + you also need to wait for the DS RRset in the parent to be + updated and its TTL to expire. This ensures that all clients will + be able to verify at least one signature when you remove the old + DNSKEY.</p> +<p>The old DNSKEY can be removed via UPDATE. Take care to + specify the correct key. + <span><strong class="command">named</strong></span> will clean out any signatures generated + by the old key after the update completes.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563801"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div> +<p>Add the new NSEC3PARAM record via dynamic update. When the + new NSEC3 chain has been generated, the NSEC3PARAM flag field + will be zero. At this point you can remove the old NSEC3PARAM + record. The old chain will be removed after the update request + completes.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563811"></a>Converting from NSEC to NSEC3</h3></div></div></div></div> +<p>To do this, you just need to add an NSEC3PARAM record. When + the conversion is complete, the NSEC chain will have been removed + and the NSEC3PARAM record will have a zero flag field. The NSEC3 + chain will be generated before the NSEC chain is + destroyed.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563820"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div> +<p>To do this, use <span><strong class="command">nsupdate</strong></span> to + remove all NSEC3PARAM records with a zero flag + field. The NSEC chain will be generated before the NSEC3 chain is + removed.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563901"></a>Converting from secure to insecure</h3></div></div></div></div> +<p>To convert a signed zone to unsigned using dynamic DNS, + delete all the DNSKEY records from the zone apex using + <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains, + and associated NSEC3PARAM records will be removed automatically. + This will take place after the update request completes.</p> +<p> This requires the + <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to + <strong class="userinput"><code>yes</code></strong> in + <code class="filename">named.conf</code>.</p> +<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span> + zone statement is used, it should be removed or changed to + <span><strong class="command">allow</strong></span> instead (or it will re-sign). + </p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563939"></a>Periodic re-signing</h3></div></div></div></div> +<p>In any secure zone which supports dynamic updates, named + will periodically re-sign RRsets which have not been re-signed as + a result of some update action. The signature lifetimes will be + adjusted so as to spread the re-sign load over time rather than + all at once.</p> +<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> +<a name="id2563948"></a>NSEC3 and OPTOUT</h3></div></div></div></div> +<p> + <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains + where all the NSEC3 records in the zone have the same OPTOUT + state. + <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3 + records in the chain have mixed OPTOUT state. + <span><strong class="command">named</strong></span> does not support changing the OPTOUT + state of an individual NSEC3 record, the entire chain needs to be + changed if the OPTOUT state of an individual NSEC3 needs to be + changed.</p> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div> +<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust + anchor management. Using this feature allows + <span><strong class="command">named</strong></span> to keep track of changes to critical + DNSSEC keys without any need for the operator to make changes to + configuration files.</p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2605417"></a>Validating Resolver</h3></div></div></div> +<p>To configure a validating resolver to use RFC 5011 to + maintain a trust anchor, configure the trust anchor using a + <span><strong class="command">managed-keys</strong></span> statement. Information about + this can be found in + <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition + and Usage">the section called “<span><strong class="command">managed-keys</strong></span> Statement Definition + and Usage”</a>.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2605440"></a>Authoritative Server</h3></div></div></div> +<p>To set up an authoritative zone for RFC 5011 trust anchor + maintenance, generate two (or more) key signing keys (KSKs) for + the zone. Sign the zone with one of them; this is the "active" + KSK. All KSK's which do not sign the zone are "stand-by" + keys.</p> +<p>Any validating resolver which is configured to use the + active KSK as an RFC 5011-managed trust anchor will take note + of the stand-by KSKs in the zone's DNSKEY RRset, and store them + for future reference. The resolver will recheck the zone + periodically, and after 30 days, if the new key is still there, + then the key will be accepted by the resolver as a valid trust + anchor for the zone. Any time after this 30-day acceptance + timer has completed, the active KSK can be revoked, and the + zone can be "rolled over" to the newly accepted key.</p> +<p>The easiest way to place a stand-by key in a zone is to + use the "smart signing" features of + <span><strong class="command">dnssec-keygen</strong></span> and + <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication + date in the past, but an activation date which is unset or in + the future, " + <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY + record in the zone, but will not sign with it:</p> +<pre class="screen"> +$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong> +$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong> +</pre> +<p>To revoke a key, the new command + <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the + REVOKED bit to the key flags and re-generates the + <code class="filename">K*.key</code> and + <code class="filename">K*.private</code> files.</p> +<p>After revoking the active key, the zone must be signed + with both the revoked KSK and the new active KSK. (Smart + signing takes care of this automatically.)</p> +<p>Once a key has been revoked and used to sign the DNSKEY + RRset in which it appears, that key will never again be + accepted as a valid trust anchor by the resolver. However, + validation can proceed using the new active key (which had been + accepted by the resolver when it was a stand-by key).</p> +<p>See RFC 5011 for more details on key rollover + scenarios.</p> +<p>When a key has been revoked, its key ID changes, + increasing by 128, and wrapping around at 65535. So, for + example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes + "<code class="filename">Kexample.com.+005+10128</code>".</p> +<p>If two keys have ID's exactly 128 apart, and one is + revoked, then the two key ID's will collide, causing several + problems. To prevent this, + <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if + another key is present which may collide. This checking will + only occur if the new keys are written to the same directory + which holds all other keys in use for that zone.</p> +<p>Older versions of BIND 9 did not have this precaution. + Exercise caution if using key revocation on keys that were + generated by previous releases, or if using keys stored in + multiple directories or on multiple machines.</p> +<p>It is expected that a future release of BIND 9 will + address this problem in a different way, by storing revoked + keys with their original unrevoked key ID's.</p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div> +<p>PKCS #11 (Public Key Cryptography Standard #11) defines a + platform- independent API for the control of hardware security + modules (HSMs) and other cryptographic support devices.</p> +<p>BIND 9 is known to work with two HSMs: The Sun SCA 6000 + cryptographic acceleration board, tested under Solaris x86, and + the AEP Keyper network-attached key storage device, tested with + Debian Linux, Solaris x86 and Windows Server 2003.</p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2607939"></a>Prerequisites</h3></div></div></div> +<p>See the HSM vendor documentation for information about + installing, initializing, testing and troubleshooting the + HSM.</p> +<p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL + does not yet fully support PKCS #11. However, a PKCS #11 engine + for OpenSSL is available from the OpenSolaris project. It has + been modified by ISC to work with with BIND 9, and to provide + new features such as PIN management and key by + reference.</p> +<p>The patched OpenSSL depends on a "PKCS #11 provider". + This is a shared library object, providing a low-level PKCS #11 + interface to the HSM hardware. It is dynamically loaded by + OpenSSL at runtime. The PKCS #11 provider comes from the HSM + vendor, and and is specific to the HSM to be controlled.</p> +<p>There are two "flavors" of PKCS #11 support provided by + the patched OpenSSL, one of which must be chosen at + configuration time. The correct choice depends on the HSM + hardware:</p> +<div class="itemizedlist"><ul type="disc"> +<li><p>Use 'crypto-accelerator' with HSMs that have hardware + cryptographic acceleration features, such as the SCA 6000 + board. This causes OpenSSL to run all supported + cryptographic operations in the HSM.</p></li> +<li><p>Use 'sign-only' with HSMs that are designed to + function primarily as secure key storage devices, but lack + hardware acceleration. These devices are highly secure, but + are not necessarily any faster at cryptography than the + system CPU — often, they are slower. It is therefore + most efficient to use them only for those cryptographic + functions that require access to the secured private key, + such as zone signing, and to use the system CPU for all + other computationally-intensive operations. The AEP Keyper + is an example of such a device.</p></li> +</ul></div> +<p>The modified OpenSSL code is included in the BIND 9.7.0 + release, in the form of a context diff against the latest OpenSSL. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> + The latest OpenSSL version at the time of the BIND release + is 0.9.8l. + ISC will provide an updated patch as new versions of OpenSSL + are released. The version number in the following examples + is expected to change.</div> +<p> + Before building BIND 9 with PKCS #11 support, it will be + necessary to build OpenSSL with this patch in place and inform + it of the path to the HSM-specific PKCS #11 provider + library.</p> +<p>Obtain OpenSSL 0.9.8l:</p> +<pre class="screen"> +$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8l.tar.gz</a></code></strong> +</pre> +<p>Extract the tarball:</p> +<pre class="screen"> +$ <strong class="userinput"><code>tar zxf openssl-0.9.8l.tar.gz</code></strong> +</pre> +<p>Apply the patch from the BIND 9 release:</p> +<pre class="screen"> +$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8l \ + < bind-9.7.0/bin/pkcs11/openssl-0.9.8l-patch</code></strong> +</pre> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3>(Note that the patch file may not be compatible with the + "patch" utility on all operating systems. You may need to + install GNU patch.)</div> +<p>When building OpenSSL, place it in a non-standard + location so that it does not interfere with OpenSSL libraries + elsewhere on the system. In the following examples, we choose + to install into "/opt/pkcs11/usr". We will use this location + when we configure BIND 9.</p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2580318"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div> +<p>The AEP Keyper is a highly secure key storage device, + but does not provide hardware cryptographic acceleration. It + can carry out cryptographic operations, but it is probably + slower than your system's CPU. Therefore, we choose the + 'sign-only' flavor when building OpenSSL.</p> +<p>The Keyper-specific PKCS #11 provider library is + delivered with the Keyper software. In this example, we place + it /opt/pkcs11/usr/lib:</p> +<pre class="screen"> +$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong> +</pre> +<p>This library is only available for Linux as a 32-bit + binary. If we are compiling on a 64-bit Linux system, it is + necessary to force a 32-bit build, by specifying -m32 in the + build options.</p> +<p>Finally, the Keyper library requires threads, so we + must specify -pthread.</p> +<pre class="screen"> +$ <strong class="userinput"><code>cd openssl-0.9.8l</code></strong> +$ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \ + --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ + --pk11-flavor=sign-only \ + --prefix=/opt/pkcs11/usr</code></strong> +</pre> +<p>After configuring, run "<span><strong class="command">make</strong></span>" + and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make + test</strong></span>" fails with "pthread_atfork() not found", you forgot to + add the -pthread above.</p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2606056"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div> +<p>The SCA-6000 PKCS #11 provider is installed as a system + library, libpkcs11. It is a true crypto accelerator, up to 4 + times faster than any CPU, so the flavor shall be + 'crypto-accelerator'.</p> +<p>In this example, we are building on Solaris x86 on an + AMD64 system.</p> +<pre class="screen"> +$ <strong class="userinput"><code>cd openssl-0.9.8l</code></strong> +$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \ + --pk11-libname=/usr/lib/64/libpkcs11.so \ + --pk11-flavor=crypto-accelerator \ + --prefix=/opt/pkcs11/usr</code></strong> +</pre> +<p>(For a 32-bit build, use "solaris-x86-cc" and + /usr/lib/libpkcs11.so.)</p> +<p>After configuring, run + <span><strong class="command">make</strong></span> and + <span><strong class="command">make test</strong></span>.</p> +<p>Once you have built OpenSSL, run + "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm + that PKCS #11 support was compiled in correctly. The output + should be one of the following lines, depending on the flavor + selected:</p> +<pre class="screen"> + (pkcs11) PKCS #11 engine support (sign only) +</pre> +<p>Or:</p> +<pre class="screen"> + (pkcs11) PKCS #11 engine support (crypto accelerator) +</pre> +<p>Next, run + "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will + attempt to initialize the PKCS #11 engine. If it is able to + do so successfully, it will report + “<span class="quote"><code class="literal">[ available ]</code></span>”.</p> +<p>If the output is correct, run + "<span><strong class="command">make install</strong></span>" which will install the + modified OpenSSL suite to + <code class="filename">/opt/pkcs11/usr</code>.</p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2606230"></a>Building BIND 9 with PKCS#11</h3></div></div></div> +<p>When building BIND 9, the location of the custom-built + OpenSSL library must be specified via configure.</p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2606238"></a>Configuring BIND 9 for Linux</h4></div></div></div> +<p>To link with the PKCS #11 provider, threads must be + enabled in the BIND 9 build.</p> +<p>The PKCS #11 library for the AEP Keyper is currently + only available as a 32-bit binary. If we are building on a + 64-bit host, we must force a 32-bit build by adding "-m32" to + the CC options on the "configure" command line.</p> +<pre class="screen"> +$ <strong class="userinput"><code>cd ../bind-9.7.0</code></strong> +$ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \ + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong> +</pre> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2606269"></a>Configuring BIND 9 for Solaris</h4></div></div></div> +<p>To link with the PKCS #11 provider, threads must be + enabled in the BIND 9 build.</p> +<pre class="screen"> +$ <strong class="userinput"><code>cd ../bind-9.7.0</code></strong> +$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \ + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong> +</pre> +<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p> +<p>If configure complains about OpenSSL not working, you + may have a 32/64-bit architecture mismatch. Or, you may have + incorrectly specified the path to OpenSSL (it should be the + same as the --prefix argument to the OpenSSL + Configure).</p> +</div> +<p>After configuring, run + "<span><strong class="command">make</strong></span>", + "<span><strong class="command">make test</strong></span>" and + "<span><strong class="command">make install</strong></span>".</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2606325"></a>PKCS #11 Tools</h3></div></div></div> +<p>BIND 9 includes a minimal set of tools to operate the + HSM, including + <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair + within the HSM, + <span><strong class="command">pkcs11-list</strong></span> to list objects currently + available, and + <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p> +<p>In UNIX/Linux builds, these tools are built only if BIND + 9 is configured with the --with-pkcs11 option. (NOTE: If + --with-pkcs11 is set to "yes", rather than to the path of the + PKCS #11 provider, then the tools will be built but the + provider will be left undefined. Use the -m option or the + PKCS11_PROVIDER environment variable to specify the path to the + provider.)</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2606356"></a>Using the HSM</h3></div></div></div> +<p>First, we must set up the runtime environment so the + OpenSSL and PKCS #11 libraries can be loaded:</p> +<pre class="screen"> +$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong> +</pre> +<p>When operating an AEP Keyper, it is also necessary to + specify the location of the "machine" file, which stores + information about the Keyper for use by PKCS #11 provider + library. If the machine file is in + <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>, + use:</p> +<pre class="screen"> +$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong> +</pre> +<p>These environment variables must be set whenever running + any tool that uses the HSM, including + <span><strong class="command">pkcs11-keygen</strong></span>, + <span><strong class="command">pkcs11-list</strong></span>, + <span><strong class="command">pkcs11-destroy</strong></span>, + <span><strong class="command">dnssec-keyfromlabel</strong></span>, + <span><strong class="command">dnssec-signzone</strong></span>, + <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for + random number generation), and + <span><strong class="command">named</strong></span>.</p> +<p>We can now create and use keys in the HSM. In this case, + we will create a 2048 bit key and give it the label + "sample-ksk":</p> +<pre class="screen"> +$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong> +</pre> +<p>To confirm that the key exists:</p> +<pre class="screen"> +$ <strong class="userinput"><code>pkcs11-list</code></strong> +Enter PIN: +object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] +object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] +</pre> +<p>Before using this key to sign a zone, we must create a + pair of BIND 9 key files. The "dnssec-keyfromlabel" utility + does this. In this case, we will be using the HSM key + "sample-ksk" as the key-signing key for "example.net":</p> +<pre class="screen"> +$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong> +</pre> +<p>The resulting K*.key and K*.private files can now be used + to sign the zone. Unlike normal K* files, which contain both + public and private key data, these files will contain only the + public key data, plus an identifier for the private key which + remains stored within the HSM. The HSM handles signing with the + private key.</p> +<p>If you wish to generate a second key in the HSM for use + as a zone-signing key, follow the same procedure above, using a + different keylabel, a smaller key size, and omitting "-f KSK" + from the dnssec-keyfromlabel arguments:</p> +<pre class="screen"> +$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong> +$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong> +</pre> +<p>Alternatively, you may prefer to generate a conventional + on-disk key, using dnssec-keygen:</p> +<pre class="screen"> +$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong> +</pre> +<p>This provides less security than an HSM key, but since + HSMs can be slow or cumbersome to use for security reasons, it + may be more efficient to reserve HSM keys for use in the less + frequent key-signing operation. The zone-signing key can be + rolled more frequently, if you wish, to compensate for a + reduction in key security.</p> +<p>Now you can sign the zone. (Note: If not using the -S + option to + <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add + the contents of both + <code class="filename">K*.key</code> files to the zone master file before + signing it.)</p> +<pre class="screen"> +$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong> +Enter PIN: +Verifying the zone using the following algorithms: +NSEC3RSASHA1. +Zone signing complete: +Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by +example.net.signed +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2608124"></a>Specifying the engine on the command line</h3></div></div></div> +<p>The OpenSSL engine can be specified in + <span><strong class="command">named</strong></span> and all of the BIND + <span><strong class="command">dnssec-*</strong></span> tools by using the "-E + <engine>" command line option. If BIND 9 is built with + the --with-pkcs11 option, this option defaults to "pkcs11". + Specifying the engine will generally not be necessary unless + for some reason you wish to use a different OpenSSL + engine.</p> +<p>If you wish to disable use of the "pkcs11" engine — + for troubleshooting purposes, or because the HSM is unavailable + — set the engine to the empty string. For example:</p> +<pre class="screen"> +$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong> +</pre> +<p>This causes + <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled + without the --with-pkcs11 option.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2608443"></a>Running named with automatic zone re-signing</h3></div></div></div> +<p>If you want + <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM + keys, and/or to to sign new records inserted via nsupdate, then + named must have access to the HSM PIN. This can be accomplished + by placing the PIN into the openssl.cnf file (in the above + examples, + <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p> +<p>The location of the openssl.cnf file can be overridden by + setting the OPENSSL_CONF environment variable before running + named.</p> +<p>Sample openssl.cnf:</p> +<pre class="programlisting"> + openssl_conf = openssl_def + [ openssl_def ] + engines = engine_section + [ engine_section ] + pkcs11 = pkcs11_section + [ pkcs11_section ] + PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em> +</pre> +<p>This will also allow the dnssec-* tools to access the HSM + without PIN entry. (The pkcs11-* tools access the HSM directly, + not via OpenSSL, so a PIN will still be required to use + them.)</p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p>Placing the HSM's PIN in a text file in + this manner may reduce the security advantage of using an + HSM. Be sure this is what you want to do before configuring + OpenSSL in this way.</p> +</div> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2572077"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 fully supports all currently defined forms of IPv6 name to address and address to name @@ -1057,7 +1754,7 @@ options { </p> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2572331"></a>Address Lookups Using AAAA Records</h3></div></div></div> +<a name="id2572344"></a>Address Lookups Using AAAA Records</h3></div></div></div> <p> The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire @@ -1076,7 +1773,7 @@ host 3600 IN AAAA 2001:db8::1 </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2572353"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div> +<a name="id2572434"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div> <p> When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index bc5d02a1..a1690f75 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch05.html,v 1.84.22.1 2010/01/08 02:08:24 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch05.html,v 1.84.22.2 2010/02/03 02:08:10 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -45,13 +45,13 @@ <div class="toc"> <p><b>Table of Contents</b></p> <dl> -<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572467">The Lightweight Resolver Library</a></span></dt> <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> </dl> </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2572454"></a>The Lightweight Resolver Library</h2></div></div></div> +<a name="id2572467"></a>The Lightweight Resolver Library</h2></div></div></div> <p> Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index a76ee137..7173ab89 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.2 2010/01/08 02:08:24 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.4 2010/02/03 02:08:10 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -48,58 +48,58 @@ <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573932">Comment Syntax</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573945">Comment Syntax</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574518"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574531"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574789"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575136"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575153"><span><strong class="command">include</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575148"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575165"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575200"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575290"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575416"><span><strong class="command">logging</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575189"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575212"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575303"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575429"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577483"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577557"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577689"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577733"><span><strong class="command">masters</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577496"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577570"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577702"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577746"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577748"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577761"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588122"><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588203"><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588277"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588328"><span><strong class="command">trusted-keys</strong></span> Statement Definition +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588411"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588375"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588494"><span><strong class="command">managed-keys</strong></span> Statement Definition +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588458"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588867"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588952"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590440"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590525"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593176">Zone File</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593193">Zone File</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595406">Discussion of MX Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595424">Discussion of MX Records</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595954">Inverse Mapping in IPv4</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596149">Other Zone File Directives</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596422"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596039">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596166">Other Zone File Directives</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596439"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> @@ -477,7 +477,7 @@ <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573630"></a>Syntax</h4></div></div></div> +<a name="id2573643"></a>Syntax</h4></div></div></div> <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; [<span class="optional"> address_match_list_element; ... </span>] <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | @@ -486,7 +486,7 @@ </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573658"></a>Definition and Usage</h4></div></div></div> +<a name="id2573671"></a>Definition and Usage</h4></div></div></div> <p> Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -570,7 +570,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2573932"></a>Comment Syntax</h3></div></div></div> +<a name="id2573945"></a>Comment Syntax</h3></div></div></div> <p> The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear @@ -580,7 +580,7 @@ </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573947"></a>Syntax</h4></div></div></div> +<a name="id2573960"></a>Syntax</h4></div></div></div> <p> </p> <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre> @@ -596,7 +596,7 @@ </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573977"></a>Definition and Usage</h4></div></div></div> +<a name="id2573990"></a>Definition and Usage</h4></div></div></div> <p> Comments may appear anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration file. @@ -848,7 +848,7 @@ </p> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574518"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2574531"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { address_match_list }; @@ -930,7 +930,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574776"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2574789"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">controls</strong></span> { [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> } @@ -1054,12 +1054,12 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575136"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2575148"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575153"></a><span><strong class="command">include</strong></span> Statement Definition and +<a name="id2575165"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">include</strong></span> statement inserts the @@ -1074,7 +1074,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575176"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2575189"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> { algorithm <em class="replaceable"><code>string</code></em>; secret <em class="replaceable"><code>string</code></em>; @@ -1083,7 +1083,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575200"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2575212"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">key</strong></span> statement defines a shared secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) @@ -1130,7 +1130,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575290"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2575303"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">logging</strong></span> { [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em> @@ -1154,7 +1154,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575416"></a><span><strong class="command">logging</strong></span> Statement Definition and +<a name="id2575429"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">logging</strong></span> statement configures a @@ -1188,7 +1188,7 @@ </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2575468"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> +<a name="id2575481"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> <p> All log output goes to one or more <span class="emphasis"><em>channels</em></span>; you can make as many of them as you want. @@ -1753,7 +1753,7 @@ category notify { null; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2576964"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> +<a name="id2576977"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> <p> The <span><strong class="command">query-errors</strong></span> category is specifically intended for debugging purposes: To identify @@ -1981,7 +1981,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577483"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2577496"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> <p> This is the grammar of the <span><strong class="command">lwres</strong></span> statement in the <code class="filename">named.conf</code> file: @@ -1997,7 +1997,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577557"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2577570"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">lwres</strong></span> statement configures the name @@ -2048,7 +2048,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577689"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2577702"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"> <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; @@ -2056,7 +2056,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577733"></a><span><strong class="command">masters</strong></span> Statement Definition and +<a name="id2577746"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage</h3></div></div></div> <p><span><strong class="command">masters</strong></span> lists allow for a common set of masters to be easily used by @@ -2065,7 +2065,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577748"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2577761"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> <p> This is the grammar of the <span><strong class="command">options</strong></span> statement in the <code class="filename">named.conf</code> file: @@ -3517,7 +3517,7 @@ options { </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2582836"></a>Forwarding</h4></div></div></div> +<a name="id2582849"></a>Forwarding</h4></div></div></div> <p> The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3561,7 +3561,7 @@ options { </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583031"></a>Dual-stack Servers</h4></div></div></div> +<a name="id2583044"></a>Dual-stack Servers</h4></div></div></div> <p> Dual-stack servers are used as servers of last resort to work around @@ -3758,7 +3758,7 @@ options { </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583468"></a>Interfaces</h4></div></div></div> +<a name="id2583481"></a>Interfaces</h4></div></div></div> <p> The interfaces and ports that the server will answer queries from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes @@ -4210,7 +4210,7 @@ avoid-v6-udp-ports {}; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2584672"></a>UDP Port Lists</h4></div></div></div> +<a name="id2584684"></a>UDP Port Lists</h4></div></div></div> <p> <span><strong class="command">use-v4-udp-ports</strong></span>, <span><strong class="command">avoid-v4-udp-ports</strong></span>, @@ -4252,7 +4252,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2584731"></a>Operating System Resource Limits</h4></div></div></div> +<a name="id2584744"></a>Operating System Resource Limits</h4></div></div></div> <p> The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4414,7 +4414,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2585222"></a>Periodic Task Intervals</h4></div></div></div> +<a name="id2585235"></a>Periodic Task Intervals</h4></div></div></div> <div class="variablelist"><dl> <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> <dd><p> @@ -4960,7 +4960,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> <dd><p> The delay, in seconds, between sending sets of notify - messages for a zone. The default is zero. + messages for a zone. The default is five (5) seconds. </p></dd> </dl></div> </div> @@ -5210,7 +5210,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2587165"></a>Content Filtering</h4></div></div></div> +<a name="id2587315"></a>Content Filtering</h4></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5540,7 +5540,7 @@ deny-answer-aliases { "example.net"; }; </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2588122"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<a name="id2588203"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">statistics-channels</strong></span> statement @@ -5591,7 +5591,7 @@ deny-answer-aliases { "example.net"; }; </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2588277"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> +<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] @@ -5600,7 +5600,7 @@ deny-answer-aliases { "example.net"; }; </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2588328"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition +<a name="id2588411"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">trusted-keys</strong></span> statement defines @@ -5640,7 +5640,7 @@ deny-answer-aliases { "example.net"; }; </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2588375"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2588458"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] @@ -5649,7 +5649,7 @@ deny-answer-aliases { "example.net"; }; </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2588494"></a><span><strong class="command">managed-keys</strong></span> Statement Definition +<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">managed-keys</strong></span> statement, like @@ -5775,7 +5775,7 @@ deny-answer-aliases { "example.net"; }; </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2588867"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2588952"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">view</strong></span> statement is a powerful feature @@ -6055,10 +6055,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2590440"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2590525"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2590448"></a>Zone Types</h4></div></div></div> +<a name="id2590533"></a>Zone Types</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> @@ -6269,7 +6269,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2590807"></a>Class</h4></div></div></div> +<a name="id2590892"></a>Class</h4></div></div></div> <p> The zone's name may optionally be followed by a class. If a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), @@ -6291,7 +6291,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2590840"></a>Zone Options</h4></div></div></div> +<a name="id2590994"></a>Zone Options</h4></div></div></div> <div class="variablelist"><dl> <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> <dd><p> @@ -6962,7 +6962,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2593176"></a>Zone File</h2></div></div></div> +<a name="id2593193"></a>Zone File</h2></div></div></div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> @@ -6975,7 +6975,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2593262"></a>Resource Records</h4></div></div></div> +<a name="id2593211"></a>Resource Records</h4></div></div></div> <p> A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -7712,7 +7712,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2594886"></a>Textual expression of RRs</h4></div></div></div> +<a name="id2594903"></a>Textual expression of RRs</h4></div></div></div> <p> RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -7915,7 +7915,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2595406"></a>Discussion of MX Records</h3></div></div></div> +<a name="id2595424"></a>Discussion of MX Records</h3></div></div></div> <p> As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -8171,7 +8171,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2595954"></a>Inverse Mapping in IPv4</h3></div></div></div> +<a name="id2596039"></a>Inverse Mapping in IPv4</h3></div></div></div> <p> Reverse name resolution (that is, translation from IP address to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain @@ -8232,7 +8232,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2596149"></a>Other Zone File Directives</h3></div></div></div> +<a name="id2596166"></a>Other Zone File Directives</h3></div></div></div> <p> The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -8247,7 +8247,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2596171"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> +<a name="id2596257"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> <p> When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -8258,7 +8258,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2596256"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> +<a name="id2596273"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> <p> Syntax: <span><strong class="command">$ORIGIN</strong></span> <em class="replaceable"><code>domain-name</code></em> @@ -8287,7 +8287,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2596316"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> +<a name="id2596333"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> <p> Syntax: <span><strong class="command">$INCLUDE</strong></span> <em class="replaceable"><code>filename</code></em> @@ -8323,7 +8323,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2596386"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> +<a name="id2596403"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> <p> Syntax: <span><strong class="command">$TTL</strong></span> <em class="replaceable"><code>default-ttl</code></em> @@ -8342,7 +8342,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2596422"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> +<a name="id2596439"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> <p> Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> @@ -8766,7 +8766,7 @@ HOST-127.EXAMPLE. MX 0 . </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2597444"></a>Name Server Statistics Counters</h4></div></div></div> +<a name="id2597529"></a>Name Server Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> @@ -9323,7 +9323,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2598917"></a>Zone Maintenance Statistics Counters</h4></div></div></div> +<a name="id2599002"></a>Zone Maintenance Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> @@ -9477,7 +9477,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2599436"></a>Resolver Statistics Counters</h4></div></div></div> +<a name="id2599453"></a>Resolver Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> @@ -9860,7 +9860,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600458"></a>Socket I/O Statistics Counters</h4></div></div></div> +<a name="id2600475"></a>Socket I/O Statistics Counters</h4></div></div></div> <p> Socket I/O statistics counters are defined per socket types, which are @@ -10015,7 +10015,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600900"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> +<a name="id2600917"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> <p> Most statistics counters that were available in <span><strong class="command">BIND</strong></span> 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 02d84d46..2742c2fb 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch07.html,v 1.220.4.2 2010/01/08 02:08:25 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch07.html,v 1.220.4.3 2010/02/03 02:08:11 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -46,10 +46,10 @@ <p><b>Table of Contents</b></p> <dl> <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601142"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601159"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601223">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601283">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601308">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601368">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> </dl> @@ -122,7 +122,7 @@ zone "example.com" { </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2601142"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> +<a name="id2601159"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> </h2></div></div></div> <p> On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> @@ -148,7 +148,7 @@ zone "example.com" { </p> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2601223"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div> +<a name="id2601308"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div> <p> In order for a <span><strong class="command">chroot</strong></span> environment to @@ -176,7 +176,7 @@ zone "example.com" { </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2601283"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div> +<a name="id2601368"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div> <p> Prior to running the <span><strong class="command">named</strong></span> daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 578609e7..1aae0d76 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch08.html,v 1.220.4.2 2010/01/08 02:08:25 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch08.html,v 1.220.4.3 2010/02/03 02:08:11 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -45,18 +45,18 @@ <div class="toc"> <p><b>Table of Contents</b></p> <dl> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601363">Common Problems</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601368">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601380">Incrementing and Changing the Serial Number</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601397">Where Can I Get Help?</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601448">Common Problems</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601453">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601465">Incrementing and Changing the Serial Number</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601482">Where Can I Get Help?</a></span></dt> </dl> </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2601363"></a>Common Problems</h2></div></div></div> +<a name="id2601448"></a>Common Problems</h2></div></div></div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2601368"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div> +<a name="id2601453"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div> <p> The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@ </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2601380"></a>Incrementing and Changing the Serial Number</h2></div></div></div> +<a name="id2601465"></a>Incrementing and Changing the Serial Number</h2></div></div></div> <p> Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@ </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2601397"></a>Where Can I Get Help?</h2></div></div></div> +<a name="id2601482"></a>Where Can I Get Help?</h2></div></div></div> <p> The Internet Systems Consortium (<acronym class="acronym">ISC</acronym>) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a8e96f8a..50726b4e 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch09.html,v 1.222.4.2 2010/01/08 02:08:25 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch09.html,v 1.222.4.4 2010/02/04 02:08:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -45,21 +45,31 @@ <div class="toc"> <p><b>Table of Contents</b></p> <dl> -<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601595">Acknowledgments</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601612">Acknowledgments</a></span></dt> <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601835">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601921">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt> <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605047">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605064">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607411">Prerequisite</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607420">Compilation</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605329">Installation</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605360">Known Defects/Restrictions</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606529">The dns.conf File</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606555">Sample Applications</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607528">Library References</a></span></dt> </dl></dd> </dl> </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2601595"></a>Acknowledgments</h2></div></div></div> +<a name="id2601612"></a>Acknowledgments</h2></div></div></div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> <a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> @@ -162,7 +172,7 @@ </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2601835"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div> +<a name="id2601921"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div> @@ -250,17 +260,17 @@ </p> <div class="bibliography"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2602023"></a>Bibliography</h4></div></div></div> +<a name="id2602040"></a>Bibliography</h4></div></div></div> <div class="bibliodiv"> <h3 class="title">Standards</h3> <div class="biblioentry"> -<a name="id2602034"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p> +<a name="id2602051"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p> </div> <div class="biblioentry"> -<a name="id2602057"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p> +<a name="id2602074"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p> </div> <div class="biblioentry"> -<a name="id2602081"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Implementation and +<a name="id2602098"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Implementation and Specification</i>. </span><span class="pubdate">November 1987. </span></p> </div> </div> @@ -268,42 +278,42 @@ <h3 class="title"> <a name="proposed_standards"></a>Proposed Standards</h3> <div class="biblioentry"> -<a name="id2602117"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym> +<a name="id2602134"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym> Specification</i>. </span><span class="pubdate">July 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2602144"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym> +<a name="id2602161"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym> Queries</i>. </span><span class="pubdate">March 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2602169"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p> +<a name="id2602186"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2602194"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p> +<a name="id2602211"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2602217"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p> +<a name="id2602234"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2602273"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p> +<a name="id2602290"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2602299"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p> +<a name="id2602316"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2602326"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p> +<a name="id2602343"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2602388"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id2602405"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2602418"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id2602435"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2602448"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p> +<a name="id2602465"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2602474"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret +<a name="id2602491"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p> </div> @@ -312,19 +322,19 @@ <h3 class="title"> <acronym class="acronym">DNS</acronym> Security Proposed Standards</h3> <div class="biblioentry"> -<a name="id2602556"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p> +<a name="id2602573"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2602583"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p> +<a name="id2602600"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p> </div> <div class="biblioentry"> -<a name="id2602619"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p> +<a name="id2602636"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p> </div> <div class="biblioentry"> -<a name="id2602684"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p> +<a name="id2602701"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p> </div> <div class="biblioentry"> -<a name="id2602749"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS +<a name="id2602766"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p> </div> </div> @@ -332,146 +342,146 @@ <h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym> Implementation</h3> <div class="biblioentry"> -<a name="id2602823"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely +<a name="id2602840"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2602849"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation +<a name="id2602866"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2602917"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p> +<a name="id2602934"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2602952"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym> +<a name="id2602969"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym> Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p> </div> </div> <div class="bibliodiv"> <h3 class="title">Resource Record Types</h3> <div class="biblioentry"> -<a name="id2602998"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p> +<a name="id2603015"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p> </div> <div class="biblioentry"> -<a name="id2603056"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p> +<a name="id2603073"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2603093"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using +<a name="id2603178"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2603128"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the +<a name="id2603213"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the Domain Name System</i>. </span><span class="pubdate">January 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2603251"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the +<a name="id2603268"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the Location of Services.</i>. </span><span class="pubdate">October 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2603289"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to +<a name="id2603306"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to Distribute MIXER Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2603315"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p> +<a name="id2603332"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2603340"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id2603357"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2603367"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id2603384"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2603394"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id2603411"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2603433"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id2603450"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2603463"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id2603480"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2603493"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p> +<a name="id2603510"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2603536"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id2603553"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2603569"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p> +<a name="id2603586"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2603595"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p> +<a name="id2603612"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2603619"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP +<a name="id2603636"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP version 6</i>. </span><span class="pubdate">October 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2603676"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p> +<a name="id2603693"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p> </div> </div> <div class="bibliodiv"> <h3 class="title"> <acronym class="acronym">DNS</acronym> and the Internet</h3> <div class="biblioentry"> -<a name="id2603708"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names +<a name="id2603725"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names and Other Types</i>. </span><span class="pubdate">April 1989. </span></p> </div> <div class="biblioentry"> -<a name="id2603734"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and +<a name="id2603751"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and Support</i>. </span><span class="pubdate">October 1989. </span></p> </div> <div class="biblioentry"> -<a name="id2603756"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p> +<a name="id2603773"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2603780"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p> +<a name="id2603797"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2603826"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p> +<a name="id2603843"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2603849"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p> +<a name="id2603866"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p> </div> </div> <div class="bibliodiv"> <h3 class="title"> <acronym class="acronym">DNS</acronym> Operations</h3> <div class="biblioentry"> -<a name="id2603907"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p> +<a name="id2603924"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p> </div> <div class="biblioentry"> -<a name="id2603930"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File +<a name="id2603947"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2603957"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and +<a name="id2603974"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2603984"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p> +<a name="id2604001"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p> </div> <div class="biblioentry"> -<a name="id2604020"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for +<a name="id2604105"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for Network Services.</i>. </span><span class="pubdate">October 1997. </span></p> </div> </div> <div class="bibliodiv"> <h3 class="title">Internationalized Domain Names</h3> <div class="biblioentry"> -<a name="id2604066"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names, +<a name="id2604151"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2604098"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p> +<a name="id2604183"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2604212"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p> +<a name="id2604229"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2604247"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode +<a name="id2604264"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p> </div> @@ -487,47 +497,47 @@ </p> </div> <div class="biblioentry"> -<a name="id2604292"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String +<a name="id2604309"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String Attributes</i>. </span><span class="pubdate">May 1993. </span></p> </div> <div class="biblioentry"> -<a name="id2604314"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p> +<a name="id2604331"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2604340"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load +<a name="id2604357"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load Balancing</i>. </span><span class="pubdate">April 1995. </span></p> </div> <div class="biblioentry"> -<a name="id2604365"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p> +<a name="id2604382"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2604389"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p> +<a name="id2604406"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2604435"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p> +<a name="id2604452"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p> </div> <div class="biblioentry"> -<a name="id2604458"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p> +<a name="id2604475"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2604485"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via +<a name="id2604502"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p> </div> <div class="biblioentry"> -<a name="id2604510"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p> +<a name="id2604528"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p> </div> </div> <div class="bibliodiv"> <h3 class="title">Obsolete and Unimplemented Experimental RFC</h3> <div class="biblioentry"> -<a name="id2604554"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical +<a name="id2604571"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical Location</i>. </span><span class="pubdate">November 1994. </span></p> </div> <div class="biblioentry"> -<a name="id2604612"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p> +<a name="id2604629"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2604638"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation +<a name="id2604656"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p> </div> </div> @@ -541,39 +551,39 @@ </p> </div> <div class="biblioentry"> -<a name="id2604686"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p> +<a name="id2604704"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2604726"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p> +<a name="id2604743"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p> </div> <div class="biblioentry"> -<a name="id2604753"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p> +<a name="id2604770"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p> </div> <div class="biblioentry"> -<a name="id2604782"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC) +<a name="id2604800"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC) Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p> </div> <div class="biblioentry"> -<a name="id2604808"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p> +<a name="id2604825"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p> </div> <div class="biblioentry"> -<a name="id2604835"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p> +<a name="id2604852"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p> </div> <div class="biblioentry"> -<a name="id2604871"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p> +<a name="id2604888"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2604907"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p> +<a name="id2604924"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p> </div> <div class="biblioentry"> -<a name="id2604934"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p> +<a name="id2604951"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p> </div> <div class="biblioentry"> -<a name="id2604961"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record +<a name="id2604978"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p> </div> <div class="biblioentry"> -<a name="id2605005"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p> +<a name="id2605022"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p> </div> </div> </div> @@ -594,16 +604,481 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2605047"></a>Other Documents About <acronym class="acronym">BIND</acronym> +<a name="id2605064"></a>Other Documents About <acronym class="acronym">BIND</acronym> </h3></div></div></div> <p></p> <div class="bibliography"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2605057"></a>Bibliography</h4></div></div></div> +<a name="id2605074"></a>Bibliography</h4></div></div></div> <div class="biblioentry"> -<a name="id2605059"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p> +<a name="id2605076"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p> +</div> +</div> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div> +<p>This version of BIND 9 "exports" its internal libraries so + that they can be used by third-party applications more easily (we + call them "export" libraries in this document). In addition to + all major DNS-related APIs BIND 9 is currently using, the export + libraries provide the following features:</p> +<div class="itemizedlist"><ul type="disc"> +<li><p>The newly created "DNS client" module. This is a higher + level API that provides an interface to name resolution, + single DNS transaction with a particular server, and dynamic + update. Regarding name resolution, it supports advanced + features such as DNSSEC validation and caching. This module + supports both synchronous and asynchronous mode.</p></li> +<li><p>The new "IRS" (Information Retrieval System) library. + It provides an interface to parse the traditional resolv.conf + file and more advanced, DNS-specific configuration file for + the rest of this package (see the description for the + dns.conf file below).</p></li> +<li><p>As part of the IRS library, newly implemented standard + address-name mapping functions, getaddrinfo() and + getnameinfo(), are provided. They use the DNSSEC-aware + validating resolver backend, and could use other advanced + features of the BIND 9 libraries such as caching. The + getaddrinfo() function resolves both A and AAAA RRs + concurrently (when the address family is unspecified).</p></li> +<li><p>An experimental framework to support other event + libraries than BIND 9's internal event task system.</p></li> +</ul></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2607411"></a>Prerequisite</h3></div></div></div> +<p>GNU make is required to build the export libraries (other + part of BIND 9 can still be built with other types of make). In + the reminder of this document, "make" means GNU make. Note that + in some platforms you may need to invoke a different command name + than "make" (e.g. "gmake") to indicate it's GNU make.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2607420"></a>Compilation</h3></div></div></div> +<pre class="screen"> +$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong> +$ <strong class="userinput"><code>make</code></strong> +</pre> +<p> + This will create (in addition to usual BIND 9 programs) and a + separate set of libraries under the lib/export directory. For + example, <code class="filename">lib/export/dns/libdns.a</code> is the archive file of the + export version of the BIND 9 DNS library. Sample application + programs using the libraries will also be built under the + lib/export/samples directory (see below).</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2605329"></a>Installation</h3></div></div></div> +<pre class="screen"> +$ <strong class="userinput"><code>cd lib/export</code></strong> +$ <strong class="userinput"><code>make install</code></strong> +</pre> +<p> + This will install library object files under the directory + specified by the --with-export-libdir configure option (default: + EPREFIX/lib/bind9), and header files under the directory + specified by the --with-export-includedir configure option + (default: PREFIX/include/bind9). + Root privilege is normally required. + "<span><strong class="command">make install</strong></span>" at the top directory will do the + same. + </p> +<p> + To see how to build your own + application after the installation, see + <code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2605360"></a>Known Defects/Restrictions</h3></div></div></div> +<div class="itemizedlist"><ul type="disc"> +<li><p>Currently, win32 is not supported for the export + library. (Normal BIND 9 application can be built as + before).</p></li> +<li> +<p>The "fixed" RRset order is not (currently) supported in + the export library. If you want to use "fixed" RRset order + for, e.g. <span><strong class="command">named</strong></span> while still building the + export library even without the fixed order support, build + them separately: + </p> +<pre class="screen"> +$ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong> +$ <strong class="userinput"><code>make</code></strong> +$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong> +$ <strong class="userinput"><code>cd lib/export</code></strong> +$ <strong class="userinput"><code>make</code></strong> +</pre> +<p> + </p> +</li> +<li><p>The client module and the IRS library currently do not + support DNSSEC validation using DLV (the underlying modules + can handle it, but there is no tunable interface to enable + the feature).</p></li> +<li><p>RFC 5011 is not supported in the validating stub + resolver of the export library. In fact, it is not clear + whether it should: trust anchors would be a system-wide + configuration which would be managed by an administrator, + while the stub resolver will be used by ordinary applications + run by a normal user.</p></li> +<li><p>Not all common <code class="filename">/etc/resolv.conf</code> + options are supported + in the IRS library. The only available options in this + version are "debug" and "ndots".</p></li> +</ul></div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2606529"></a>The dns.conf File</h3></div></div></div> +<p>The IRS library supports an "advanced" configuration file + related to the DNS library for configuration parameters that + would be beyond the capability of the + <code class="filename">resolv.conf</code> file. + Specifically, it is intended to provide DNSSEC related + configuration parameters. By default the path to this + configuration file is <code class="filename">/etc/dns.conf</code>. + This module is very + experimental and the configuration syntax or library interfaces + may change in future versions. Currently, only the + <span><strong class="command">trusted-keys</strong></span> + statement is supported, whose syntax is the same as the same name + of statement for <code class="filename">named.conf</code>. (See + <a href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called “<span><strong class="command">trusted-keys</strong></span> Statement Grammar”</a> for details.)</p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2606555"></a>Sample Applications</h3></div></div></div> +<p>Some sample application programs using this API are + provided for reference. The following is a brief description of + these applications. + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2606564"></a>sample: a simple stub resolver utility</h4></div></div></div> +<p> + It sends a query of a given name (of a given optional RR type) to a + specified recursive server, and prints the result as a list of + RRs. It can also act as a validating stub resolver if a trust + anchor is given via a set of command line options.</p> +<p> + Usage: sample [options] server_address hostname + </p> +<p> + Options and Arguments: + </p> +<div class="variablelist"><dl> +<dt><span class="term"> + -t RRtype + </span></dt> +<dd><p> + specify the RR type of the query. The default is the A RR. + </p></dd> +<dt><span class="term"> + [-a algorithm] [-e] -k keyname -K keystring + </span></dt> +<dd> +<p> + specify a command-line DNS key to validate the answer. For + example, to specify the following DNSKEY of example.com: +</p> +<div class="literallayout"><p><br> + example.com. 3600 IN DNSKEY 257 3 5 xxx<br> +</p></div> +<p> + specify the options as follows: +</p> +<pre class="screen"> +<strong class="userinput"><code> + -e -k example.com -K "xxx" +</code></strong> +</pre> +<p> + -e means that this key is a zone's "key signing key" (as known + as "secure Entry point"). + When -a is omitted rsasha1 will be used by default. + </p> +</dd> +<dt><span class="term"> + -s domain:alt_server_address + </span></dt> +<dd><p> + specify a separate recursive server address for the specific + "domain". Example: -s example.com:2001:db8::1234 + </p></dd> +<dt><span class="term">server_address</span></dt> +<dd><p> + an IP(v4/v6) address of the recursive server to which queries + are sent. + </p></dd> +<dt><span class="term">hostname</span></dt> +<dd><p> + the domain name for the query + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2606654"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div> +<p> + Similar to "sample", but accepts a list + of (query) domain names as a separate file and resolves the names + asynchronously.</p> +<p> + Usage: sample-async [-s server_address] [-t RR_type] input_file</p> +<p> + Options and Arguments: + </p> +<div class="variablelist"><dl> +<dt><span class="term"> + -s server_address + </span></dt> +<dd> + an IPv4 address of the recursive server to which queries are sent. + (IPv6 addresses are not supported in this implementation) + </dd> +<dt><span class="term"> + -t RR_type + </span></dt> +<dd> + specify the RR type of the queries. The default is the A + RR. + </dd> +<dt><span class="term"> + input_file + </span></dt> +<dd> + a list of domain names to be resolved. each line + consists of a single domain name. Example: + <div class="literallayout"><p><br> + www.example.com<br> + mx.examle.net<br> + ns.xxx.example<br> +</p></div> +</dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2606708"></a>sample-request: a simple DNS transaction client</h4></div></div></div> +<p> + It sends a query to a specified server, and + prints the response with minimal processing. It doesn't act as a + "stub resolver": it stops the processing once it gets any + response from the server, whether it's a referral or an alias + (CNAME or DNAME) that would require further queries to get the + ultimate answer. In other words, this utility acts as a very + simplified <span><strong class="command">dig</strong></span>. + </p> +<p> + Usage: sample-request [-t RRtype] server_address hostname + </p> +<p> + Options and Arguments: + </p> +<div class="variablelist"><dl> +<dt><span class="term"> + -t RRtype + </span></dt> +<dd><p> + specify the RR type of + the queries. The default is the A RR. + </p></dd> +<dt><span class="term"> + server_address + </span></dt> +<dd><p> + an IP(v4/v6) + address of the recursive server to which the query is sent. + </p></dd> +<dt><span class="term"> + hostname + </span></dt> +<dd><p> + the domain name for the query + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2607250"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div> +<p> + This is a test program + to check getaddrinfo() and getnameinfo() behavior. It takes a + host name as an argument, calls getaddrinfo() with the given host + name, and calls getnameinfo() with the resulting IP addresses + returned by getaddrinfo(). If the dns.conf file exists and + defines a trust anchor, the underlying resolver will act as a + validating resolver, and getaddrinfo()/getnameinfo() will fail + with an EAI_INSECUREDATA error when DNSSEC validation fails. + </p> +<p> + Usage: sample-gai hostname + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2607265"></a>sample-update: a simple dynamic update client program</h4></div></div></div> +<p> + It accepts a single update command as a + command-line argument, sends an update request message to the + authoritative server, and shows the response from the server. In + other words, this is a simplified <span><strong class="command">nsupdate</strong></span>. + </p> +<p> + Usage: sample-update [options] (add|delete) "update data" + </p> +<p> + Options and Arguments: + </p> +<div class="variablelist"><dl> +<dt><span class="term"> + -a auth_server + </span></dt> +<dd><p> + An IP address of the authoritative server that has authority + for the zone containing the update name. This should normally + be the primary authoritative server that accepts dynamic + updates. It can also be a secondary server that is configured + to forward update requests to the primary server. + </p></dd> +<dt><span class="term"> + -k keyfile + </span></dt> +<dd><p> + A TSIG key file to secure the update transaction. The keyfile + format is the same as that for the nsupdate utility. + </p></dd> +<dt><span class="term"> + -p prerequisite + </span></dt> +<dd><p> + A prerequisite for the update (only one prerequisite can be + specified). The prerequisite format is the same as that is + accepted by the nsupdate utility. + </p></dd> +<dt><span class="term"> + -r recursive_server + </span></dt> +<dd><p> + An IP address of a recursive server that this utility will + use. A recursive server may be necessary to identify the + authoritative server address to which the update request is + sent. + </p></dd> +<dt><span class="term"> + -z zonename + </span></dt> +<dd><p> + The domain name of the zone that contains + </p></dd> +<dt><span class="term"> + (add|delete) + </span></dt> +<dd><p> + Specify the type of update operation. Either "add" or "delete" + must be specified. + </p></dd> +<dt><span class="term"> + "update data" + </span></dt> +<dd><p> + Specify the data to be updated. A typical example of the data + would look like "name TTL RRtype RDATA". + </p></dd> +</dl></div> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3>In practice, either -a or -r must be specified. Others can + be optional; the underlying library routine tries to identify the + appropriate server and the zone name for the update.</div> +<p> + Examples: assuming the primary authoritative server of the + dynamic.example.com zone has an IPv6 address 2001:db8::1234, + </p> +<pre class="screen"> +$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre> +<p> + adds an A RR for foo.dynamic.example.com using the given key. + </p> +<pre class="screen"> +$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre> +<p> + removes all A RRs for foo.dynamic.example.com using the given key. + </p> +<pre class="screen"> +$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre> +<p> + removes all RRs for foo.dynamic.example.com using the given key. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2607464"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div> +<p> + It checks a set + of domains to see the name servers of the domains behave + correctly in terms of RFC 4074. This is included in the set of + sample programs to show how the export library can be used in a + DNS-related application. + </p> +<p> + Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file] + </p> +<p> + Options + </p> +<div class="variablelist"><dl> +<dt><span class="term"> + -d + </span></dt> +<dd><p> + run in the "debug" mode. with this option nsprobe will dump + every RRs it receives. + </p></dd> +<dt><span class="term"> + -v + </span></dt> +<dd><p> + increase verbosity of other normal log messages. This can be + specified multiple times + </p></dd> +<dt><span class="term"> + -c cache_address + </span></dt> +<dd><p> + specify an IP address of a recursive (caching) name server. + nsprobe uses this server to get the NS RRset of each domain and + the A and/or AAAA RRsets for the name servers. The default + value is 127.0.0.1. + </p></dd> +<dt><span class="term"> + input_file + </span></dt> +<dd><p> + a file name containing a list of domain (zone) names to be + probed. when omitted the standard input will be used. Each + line of the input file specifies a single domain name such as + "example.com". In general this domain name must be the apex + name of some DNS zone (unlike normal "host names" such as + "www.example.com"). nsprobe first identifies the NS RRsets for + the given domain name, and sends A and AAAA queries to these + servers for some "widely used" names under the zone; + specifically, adding "www" and "ftp" to the zone name. + </p></dd> +</dl></div> </div> </div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2607528"></a>Library References</h3></div></div></div> +<p>As of this writing, there is no formal "manual" of the + libraries, except this document, header files (some of them + provide pretty detailed explanations), and sample application + programs.</p> </div> </div> </div> diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index c66282bc..533f113c 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.html,v 1.239.4.2 2010/01/08 02:08:24 tbox Exp $ --> +<!-- $Id: Bv9ARM.html,v 1.239.4.4 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -111,15 +111,43 @@ <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572065">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572331">Address Lookups Using AAAA Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572353">Address to Name Lookups Using Nibble Format</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605770">Converting from insecure to secure</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563550">Dynamic DNS update method</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563587">Fully automatic zone signing</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563662">Private-type records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563768">DNSKEY rollovers via UPDATE</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563801">NSEC3PARAM rollovers via UPDATE</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563811">Converting from NSEC to NSEC3</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563820">Converting from NSEC3 to NSEC</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Converting from secure to insecure</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563939">Periodic re-signing</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563948">NSEC3 and OPTOUT</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605417">Validating Resolver</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605440">Authoritative Server</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607939">Prerequisites</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606230">Building BIND 9 with PKCS#11</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606325">PKCS #11 Tools</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606356">Using the HSM</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608124">Specifying the engine on the command line</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608443">Running named with automatic zone re-signing</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572077">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572344">Address Lookups Using AAAA Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572434">Address to Name Lookups Using Nibble Format</a></span></dt> </dl></dd> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572467">The Lightweight Resolver Library</a></span></dt> <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt> @@ -127,58 +155,58 @@ <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573932">Comment Syntax</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573945">Comment Syntax</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574518"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574531"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574789"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575136"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575153"><span><strong class="command">include</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575148"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575165"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575200"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575290"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575416"><span><strong class="command">logging</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575189"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575212"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575303"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575429"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577483"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577557"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577689"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577733"><span><strong class="command">masters</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577496"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577570"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577702"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577746"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577748"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577761"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588122"><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588203"><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588277"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588328"><span><strong class="command">trusted-keys</strong></span> Statement Definition +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588411"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588375"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588494"><span><strong class="command">managed-keys</strong></span> Statement Definition +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588458"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588867"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588952"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590440"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590525"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593176">Zone File</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593193">Zone File</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595406">Discussion of MX Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595424">Discussion of MX Records</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595954">Inverse Mapping in IPv4</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596149">Other Zone File Directives</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596422"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596039">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596166">Other Zone File Directives</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596439"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> @@ -187,31 +215,41 @@ <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt> <dd><dl> <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601142"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601159"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601223">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601283">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601308">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601368">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> </dl></dd> <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601363">Common Problems</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601368">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601380">Incrementing and Changing the Serial Number</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601397">Where Can I Get Help?</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601448">Common Problems</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601453">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601465">Incrementing and Changing the Serial Number</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601482">Where Can I Get Help?</a></span></dt> </dl></dd> <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt> <dd><dl> -<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601595">Acknowledgments</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601612">Acknowledgments</a></span></dt> <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601835">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601921">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt> <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605047">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605064">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607411">Prerequisite</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607420">Compilation</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605329">Installation</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605360">Known Defects/Restrictions</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606529">The dns.conf File</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606555">Sample Applications</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607528">Library References</a></span></dt> </dl></dd> </dl></dd> <dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt> diff --git a/doc/arm/dnssec.xml b/doc/arm/dnssec.xml new file mode 100644 index 00000000..8dca8be7 --- /dev/null +++ b/doc/arm/dnssec.xml @@ -0,0 +1,244 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec.xml,v 1.2.2.2 2010/02/03 23:48:29 tbox Exp $ --> + +<sect1 id="dnssec.dynamic.zones"> + <title>DNSSEC, Dynamic Zones, and Automatic Signing</title> + <para>As of BIND 9.7.0 it is possible to change a dynamic zone + from insecure to signed and back again. A secure zone can use + either NSEC or NSEC3 chains.</para> + <sect2> + <title>Converting from insecure to secure</title> + </sect2> + <para>Changing a zone from insecure to secure can be done in two + ways: using a dynamic DNS update, or the + <command>auto-dnssec</command> zone option.</para> + <para>For either method, you need to configure + <command>named</command> so that it can see the + <filename>K*</filename> files which contain the public and private + parts of the keys that will be used to sign the zone. These files + will have been generated by + <command>dnssec-keygen</command>. You can do this by placing them + in the key-directory, as specified in + <filename>named.conf</filename>:</para> + <programlisting> + zone example.net { + type master; + update-policy local; + file "dynamic/example.net/example.net"; + key-directory "dynamic/example.net"; + }; +</programlisting> + <para>If one KSK and one ZSK DNSKEY key have been generated, this + configuration will cause all records in the zone to be signed + with the ZSK, and the DNSKEY RRset to be signed with the KSK as + well. An NSEC chain will be generated as part of the initial + signing process.</para> + <sect2> + <title>Dynamic DNS update method</title> + </sect2> + <para>To insert the keys via dynamic update:</para> + <screen> + % nsupdate + > ttl 3600 + > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= + > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= + > send +</screen> + <para>While the update request will complete almost immediately, + the zone will not be completely signed until + <command>named</command> has had time to walk the zone and + generate the NSEC and RRSIG records. The NSEC record at the apex + will be added last, to signal that there is a complete NSEC + chain.</para> + <para>If you wish to sign using NSEC3 instead of NSEC, you should + add an NSEC3PARAM record to the initial update request. If you + wish the NSEC3 chain to have the OPTOUT bit set, set it in the + flags field of the NSEC3PARAM record.</para> + <screen> + % nsupdate + > ttl 3600 + > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= + > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= + > update add example.net NSEC3PARAM 1 1 100 1234567890 + > send +</screen> + <para>Again, this update request will complete almost + immediately; however, the record won't show up until + <command>named</command> has had a chance to build/remove the + relevant chain. A private type record will be created to record + the state of the operation (see below for more details), and will + be removed once the operation completes.</para> + <para>While the initial signing and NSEC/NSEC3 chain generation + is happening, other updates are possible as well.</para> + <sect2> + <title>Fully automatic zone signing</title> + </sect2> + <para>To enable automatic signing, add the + <command>auto-dnssec</command> option to the zone statement in + <filename>named.conf</filename>. + <command>auto-dnssec</command> has two possible arguments: + <constant>allow</constant> or + <constant>maintain</constant>.</para> + <para>With + <command>auto-dnssec allow</command>, + <command>named</command> can search the key directory for keys + matching the zone, insert them into the zone, and use them to + sign the zone. It will do so only when it receives an + <command>rndc sign <zonename></command> command.</para> + <para> + <!-- TODO: this is repeated in the ARM --> + <command>auto-dnssec maintain</command> includes the above + functionality, but will also automatically adjust the zone's + DNSKEY records on schedule according to the keys' timing metadata. + (See <xref linkend="man.dnssec-keygen"/> and + <xref linkend="man.dnssec-settime"/> for more information.) + If keys are present in the key directory the first time the zone + is loaded, it will be signed immediately, without waiting for an + <command>rndc sign</command> command. (This command can still be + used for unscheduled key changes, however.)</para> + <para>Using the + <command>auto-dnssec</command> option requires the zone to be + configured to allow dynamic updates, by adding an + <command>allow-update</command> or + <command>update-policy</command> statement to the zone + configuration. If this has not been done, the configuration will + fail.</para> + <sect2> + <title>Private-type records</title> + </sect2> + <para>The state of the signing process is signaled by + private-type records (with a default type value of 65534). When + signing is complete, these records will have a nonzero value for + the final octet (for those records which have a nonzero initial + octet).</para> + <para>The private type record format: If the first octet is + non-zero then the record indicates that the zone needs to be + signed with the key matching the record, or that all signatures + that match the record should be removed.</para> + <para> + <literallayout> +<!-- TODO: how to format this? --> + algorithm (octet 1) + key id in network order (octet 2 and 3) + removal flag (octet 4) + complete flag (octet 5) +</literallayout> + </para> + <para>Only records flagged as "complete" can be removed via + dynamic update. Attempts to remove other private type records + will be silently ignored.</para> + <para>If the first octet is zero (this is a reserved algorithm + number that should never appear in a DNSKEY record) then the + record indicates changes to the NSEC3 chains are in progress. The + rest of the record contains an NSEC3PARAM record. The flag field + tells what operation to perform based on the flag bits.</para> + <para> + <literallayout> +<!-- TODO: how to format this? --> + 0x01 OPTOUT + 0x80 CREATE + 0x40 REMOVE + 0x20 NONSEC +</literallayout> + </para> + <sect2> + <title>DNSKEY rollovers via UPDATE</title> + </sect2> + <para>It is possible to perform key rollovers via dynamic update. + You need to add the + <filename>K*</filename> files for the new keys so that + <command>named</command> can find them. You can then add the new + DNSKEY RRs via dynamic update. + <command>named</command> will then cause the zone to be signed + with the new keys. When the signing is complete the private type + records will be updated so that the last octet is non + zero.</para> + <para>If this is for a KSK you need to inform the parent and any + trust anchor repositories of the new KSK.</para> + <para>You should then wait for the maximum TTL in the zone before + removing the old DNSKEY. If it is a KSK that is being updated, + you also need to wait for the DS RRset in the parent to be + updated and its TTL to expire. This ensures that all clients will + be able to verify at least one signature when you remove the old + DNSKEY.</para> + <para>The old DNSKEY can be removed via UPDATE. Take care to + specify the correct key. + <command>named</command> will clean out any signatures generated + by the old key after the update completes.</para> + <sect2> + <title>NSEC3PARAM rollovers via UPDATE</title> + </sect2> + <para>Add the new NSEC3PARAM record via dynamic update. When the + new NSEC3 chain has been generated, the NSEC3PARAM flag field + will be zero. At this point you can remove the old NSEC3PARAM + record. The old chain will be removed after the update request + completes.</para> + <sect2> + <title>Converting from NSEC to NSEC3</title> + </sect2> + <para>To do this, you just need to add an NSEC3PARAM record. When + the conversion is complete, the NSEC chain will have been removed + and the NSEC3PARAM record will have a zero flag field. The NSEC3 + chain will be generated before the NSEC chain is + destroyed.</para> + <sect2> + <title>Converting from NSEC3 to NSEC</title> + </sect2> + <para>To do this, use <command>nsupdate</command> to + remove all NSEC3PARAM records with a zero flag + field. The NSEC chain will be generated before the NSEC3 chain is + removed.</para> + <sect2> + <title>Converting from secure to insecure</title> + </sect2> + <para>To convert a signed zone to unsigned using dynamic DNS, + delete all the DNSKEY records from the zone apex using + <command>nsupdate</command>. All signatures, NSEC or NSEC3 chains, + and associated NSEC3PARAM records will be removed automatically. + This will take place after the update request completes.</para> + <para> This requires the + <command>dnssec-secure-to-insecure</command> option to be set to + <userinput>yes</userinput> in + <filename>named.conf</filename>.</para> + <para>In addition, if the <command>auto-dnssec maintain</command> + zone statement is used, it should be removed or changed to + <command>allow</command> instead (or it will re-sign). + </para> + <sect2> + <title>Periodic re-signing</title> + </sect2> + <para>In any secure zone which supports dynamic updates, named + will periodically re-sign RRsets which have not been re-signed as + a result of some update action. The signature lifetimes will be + adjusted so as to spread the re-sign load over time rather than + all at once.</para> + <sect2> + <title>NSEC3 and OPTOUT</title> + </sect2> + <para> + <command>named</command> only supports creating new NSEC3 chains + where all the NSEC3 records in the zone have the same OPTOUT + state. + <command>named</command> supports UPDATES to zones where the NSEC3 + records in the chain have mixed OPTOUT state. + <command>named</command> does not support changing the OPTOUT + state of an individual NSEC3 record, the entire chain needs to be + changed if the OPTOUT state of an individual NSEC3 needs to be + changed.</para> +</sect1> diff --git a/doc/arm/libdns.xml b/doc/arm/libdns.xml new file mode 100644 index 00000000..5c2022f1 --- /dev/null +++ b/doc/arm/libdns.xml @@ -0,0 +1,530 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<sect1 id="bind9.library"> + <title>BIND 9 DNS Library Support</title> + <para>This version of BIND 9 "exports" its internal libraries so + that they can be used by third-party applications more easily (we + call them "export" libraries in this document). In addition to + all major DNS-related APIs BIND 9 is currently using, the export + libraries provide the following features:</para> + <itemizedlist> + <listitem> + <para>The newly created "DNS client" module. This is a higher + level API that provides an interface to name resolution, + single DNS transaction with a particular server, and dynamic + update. Regarding name resolution, it supports advanced + features such as DNSSEC validation and caching. This module + supports both synchronous and asynchronous mode.</para> + </listitem> + <listitem> + <para>The new "IRS" (Information Retrieval System) library. + It provides an interface to parse the traditional resolv.conf + file and more advanced, DNS-specific configuration file for + the rest of this package (see the description for the + dns.conf file below).</para> + </listitem> + <listitem> + <para>As part of the IRS library, newly implemented standard + address-name mapping functions, getaddrinfo() and + getnameinfo(), are provided. They use the DNSSEC-aware + validating resolver backend, and could use other advanced + features of the BIND 9 libraries such as caching. The + getaddrinfo() function resolves both A and AAAA RRs + concurrently (when the address family is unspecified).</para> + </listitem> + <listitem> + <para>An experimental framework to support other event + libraries than BIND 9's internal event task system.</para> + </listitem> + </itemizedlist> + <sect2> + <title>Prerequisite</title> + <para>GNU make is required to build the export libraries (other + part of BIND 9 can still be built with other types of make). In + the reminder of this document, "make" means GNU make. Note that + in some platforms you may need to invoke a different command name + than "make" (e.g. "gmake") to indicate it's GNU make.</para> + </sect2> + <sect2> + <title>Compilation</title> + <screen> +$ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput> +$ <userinput>make</userinput> +</screen> + <para> + This will create (in addition to usual BIND 9 programs) and a + separate set of libraries under the lib/export directory. For + example, <filename>lib/export/dns/libdns.a</filename> is the archive file of the + export version of the BIND 9 DNS library. Sample application + programs using the libraries will also be built under the + lib/export/samples directory (see below).</para> + </sect2> + <sect2> + <title>Installation</title> + <screen> +$ <userinput>cd lib/export</userinput> +$ <userinput>make install</userinput> +</screen> + <para> + This will install library object files under the directory + specified by the --with-export-libdir configure option (default: + EPREFIX/lib/bind9), and header files under the directory + specified by the --with-export-includedir configure option + (default: PREFIX/include/bind9). + Root privilege is normally required. + "<command>make install</command>" at the top directory will do the + same. + </para> + <para> + To see how to build your own + application after the installation, see + <filename>lib/export/samples/Makefile-postinstall.in</filename>.</para> + </sect2> + <sect2> + <title>Known Defects/Restrictions</title> + <itemizedlist> + <listitem> +<!-- TODO: what about AIX? --> + <para>Currently, win32 is not supported for the export + library. (Normal BIND 9 application can be built as + before).</para> + </listitem> + <listitem> + <para>The "fixed" RRset order is not (currently) supported in + the export library. If you want to use "fixed" RRset order + for, e.g. <command>named</command> while still building the + export library even without the fixed order support, build + them separately: + <screen> +$ <userinput>./configure --enable-fixed-rrset <replaceable>[other flags, but not --enable-exportlib]</replaceable></userinput> +$ <userinput>make</userinput> +$ <userinput>./configure --enable-exportlib <replaceable>[other flags, but not --enable-fixed-rrset]</replaceable></userinput> +$ <userinput>cd lib/export</userinput> +$ <userinput>make</userinput> +</screen> + </para> + </listitem> + <listitem> + <para>The client module and the IRS library currently do not + support DNSSEC validation using DLV (the underlying modules + can handle it, but there is no tunable interface to enable + the feature).</para> + </listitem> + <listitem> + <para>RFC 5011 is not supported in the validating stub + resolver of the export library. In fact, it is not clear + whether it should: trust anchors would be a system-wide + configuration which would be managed by an administrator, + while the stub resolver will be used by ordinary applications + run by a normal user.</para> + </listitem> + <listitem> + <para>Not all common <filename>/etc/resolv.conf</filename> + options are supported + in the IRS library. The only available options in this + version are "debug" and "ndots".</para> + </listitem> + </itemizedlist> + </sect2> + <sect2> + <title>The dns.conf File</title> + <para>The IRS library supports an "advanced" configuration file + related to the DNS library for configuration parameters that + would be beyond the capability of the + <filename>resolv.conf</filename> file. + Specifically, it is intended to provide DNSSEC related + configuration parameters. By default the path to this + configuration file is <filename>/etc/dns.conf</filename>. + This module is very + experimental and the configuration syntax or library interfaces + may change in future versions. Currently, only the + <command>trusted-keys</command> + statement is supported, whose syntax is the same as the same name + of statement for <filename>named.conf</filename>. (See + <xref linkend="trusted-keys" /> for details.)</para> + </sect2> + <sect2> + <title>Sample Applications</title> + <para>Some sample application programs using this API are + provided for reference. The following is a brief description of + these applications. + </para> + <sect3> + <title>sample: a simple stub resolver utility</title> + <para> + It sends a query of a given name (of a given optional RR type) to a + specified recursive server, and prints the result as a list of + RRs. It can also act as a validating stub resolver if a trust + anchor is given via a set of command line options.</para> + <para> + Usage: sample [options] server_address hostname + </para> + <para> + Options and Arguments: + </para> + <variablelist> + <varlistentry> + <term> + -t RRtype + </term> + <listitem><para> + specify the RR type of the query. The default is the A RR. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + [-a algorithm] [-e] -k keyname -K keystring + </term> + <listitem><para> + specify a command-line DNS key to validate the answer. For + example, to specify the following DNSKEY of example.com: +<literallayout> + example.com. 3600 IN DNSKEY 257 3 5 xxx +</literallayout> + specify the options as follows: +<screen> +<userinput> + -e -k example.com -K "xxx" +</userinput> +</screen> + -e means that this key is a zone's "key signing key" (as known + as "secure Entry point"). + When -a is omitted rsasha1 will be used by default. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + -s domain:alt_server_address + </term> + <listitem><para> + specify a separate recursive server address for the specific + "domain". Example: -s example.com:2001:db8::1234 + </para></listitem> + </varlistentry> + <varlistentry> + <term>server_address</term> + <listitem><para> + an IP(v4/v6) address of the recursive server to which queries + are sent. + </para></listitem> + </varlistentry> + <varlistentry> + <term>hostname</term> + <listitem><para> + the domain name for the query + </para></listitem> + </varlistentry> + </variablelist> + </sect3> + <sect3> + <title>sample-async: a simple stub resolver, working asynchronously</title> + <para> + Similar to "sample", but accepts a list + of (query) domain names as a separate file and resolves the names + asynchronously.</para> + <para> + Usage: sample-async [-s server_address] [-t RR_type] input_file</para> + <para> + Options and Arguments: + </para> + <variablelist> + <varlistentry> + <term> + -s server_address + </term> + <listitem> + an IPv4 address of the recursive server to which queries are sent. + (IPv6 addresses are not supported in this implementation) + </listitem> + </varlistentry> + <varlistentry> + <term> + -t RR_type + </term> + <listitem> + specify the RR type of the queries. The default is the A + RR. + </listitem> + </varlistentry> + <varlistentry> + <term> + input_file + </term> + <listitem> + a list of domain names to be resolved. each line + consists of a single domain name. Example: + <literallayout> + www.example.com + mx.examle.net + ns.xxx.example +</literallayout> + </listitem> + </varlistentry> + </variablelist> + </sect3> + <sect3> + <title>sample-request: a simple DNS transaction client</title> + <para> + It sends a query to a specified server, and + prints the response with minimal processing. It doesn't act as a + "stub resolver": it stops the processing once it gets any + response from the server, whether it's a referral or an alias + (CNAME or DNAME) that would require further queries to get the + ultimate answer. In other words, this utility acts as a very + simplified <command>dig</command>. + </para> + <para> + Usage: sample-request [-t RRtype] server_address hostname + </para> + <para> + Options and Arguments: + </para> + <variablelist> + <varlistentry> + <term> + -t RRtype + </term> + <listitem> + <para> + specify the RR type of + the queries. The default is the A RR. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + server_address + </term> + <listitem> + <para> + an IP(v4/v6) + address of the recursive server to which the query is sent. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + hostname + </term> + <listitem> + <para> + the domain name for the query + </para> + </listitem> + </varlistentry> + </variablelist> + </sect3> + <sect3> + <title>sample-gai: getaddrinfo() and getnameinfo() test code</title> + <para> + This is a test program + to check getaddrinfo() and getnameinfo() behavior. It takes a + host name as an argument, calls getaddrinfo() with the given host + name, and calls getnameinfo() with the resulting IP addresses + returned by getaddrinfo(). If the dns.conf file exists and + defines a trust anchor, the underlying resolver will act as a + validating resolver, and getaddrinfo()/getnameinfo() will fail + with an EAI_INSECUREDATA error when DNSSEC validation fails. + </para> + <para> + Usage: sample-gai hostname + </para> + </sect3> + <sect3> + <title>sample-update: a simple dynamic update client program</title> + <para> + It accepts a single update command as a + command-line argument, sends an update request message to the + authoritative server, and shows the response from the server. In + other words, this is a simplified <command>nsupdate</command>. + </para> + <para> + Usage: sample-update [options] (add|delete) "update data" + </para> + <para> + Options and Arguments: + </para> + <variablelist> + <varlistentry> + <term> + -a auth_server + </term> + <listitem><para> + An IP address of the authoritative server that has authority + for the zone containing the update name. This should normally + be the primary authoritative server that accepts dynamic + updates. It can also be a secondary server that is configured + to forward update requests to the primary server. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + -k keyfile + </term> + <listitem><para> + A TSIG key file to secure the update transaction. The keyfile + format is the same as that for the nsupdate utility. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + -p prerequisite + </term> + <listitem><para> + A prerequisite for the update (only one prerequisite can be + specified). The prerequisite format is the same as that is + accepted by the nsupdate utility. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + -r recursive_server + </term> + <listitem><para> + An IP address of a recursive server that this utility will + use. A recursive server may be necessary to identify the + authoritative server address to which the update request is + sent. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + -z zonename + </term> + <listitem><para> + The domain name of the zone that contains + </para></listitem> + </varlistentry> + <varlistentry> + <term> + (add|delete) + </term> + <listitem><para> + Specify the type of update operation. Either "add" or "delete" + must be specified. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + "update data" + </term> + <listitem><para> + Specify the data to be updated. A typical example of the data + would look like "name TTL RRtype RDATA". + </para></listitem> + </varlistentry> + </variablelist> + + <note>In practice, either -a or -r must be specified. Others can + be optional; the underlying library routine tries to identify the + appropriate server and the zone name for the update.</note> + + <para> + Examples: assuming the primary authoritative server of the + dynamic.example.com zone has an IPv6 address 2001:db8::1234, + </para> + <screen> +$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</userinput></screen> + <para> + adds an A RR for foo.dynamic.example.com using the given key. + </para> + <screen> +$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</userinput></screen> + <para> + removes all A RRs for foo.dynamic.example.com using the given key. + </para> + <screen> +$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen> + <para> + removes all RRs for foo.dynamic.example.com using the given key. + </para> + </sect3> + <sect3> + <title>nsprobe: domain/name server checker in terms of RFC 4074</title> + <para> + It checks a set + of domains to see the name servers of the domains behave + correctly in terms of RFC 4074. This is included in the set of + sample programs to show how the export library can be used in a + DNS-related application. + </para> + <para> + Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file] + </para> + <para> + Options + </para> + + <variablelist> + <varlistentry> + <term> + -d + </term> + <listitem><para> + run in the "debug" mode. with this option nsprobe will dump + every RRs it receives. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + -v + </term> + <listitem><para> + increase verbosity of other normal log messages. This can be + specified multiple times + </para></listitem> + </varlistentry> + <varlistentry> + <term> + -c cache_address + </term> + <listitem><para> + specify an IP address of a recursive (caching) name server. + nsprobe uses this server to get the NS RRset of each domain and + the A and/or AAAA RRsets for the name servers. The default + value is 127.0.0.1. + </para></listitem> + </varlistentry> + <varlistentry> + <term> + input_file + </term> + <listitem><para> + a file name containing a list of domain (zone) names to be + probed. when omitted the standard input will be used. Each + line of the input file specifies a single domain name such as + "example.com". In general this domain name must be the apex + name of some DNS zone (unlike normal "host names" such as + "www.example.com"). nsprobe first identifies the NS RRsets for + the given domain name, and sends A and AAAA queries to these + servers for some "widely used" names under the zone; + specifically, adding "www" and "ftp" to the zone name. + </para></listitem> + </varlistentry> + </variablelist> + </sect3> + </sect2> + <sect2> + <title>Library References</title> + <para>As of this writing, there is no formal "manual" of the + libraries, except this document, header files (some of them + provide pretty detailed explanations), and sample application + programs.</para> + </sect2> +</sect1> +<!-- $Id: libdns.xml,v 1.2.2.2 2010/02/03 23:48:29 tbox Exp $ --> diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 0bf82d4a..efe0b199 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.arpaname.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.arpaname.html,v 1.2.4.7 2010/02/04 02:08:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,20 +50,20 @@ <div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2613190"></a><h2>DESCRIPTION</h2> +<a name="id2612434"></a><h2>DESCRIPTION</h2> <p> <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names. </p> </div> <div class="refsect1" lang="en"> -<a name="id2613205"></a><h2>SEE ALSO</h2> +<a name="id2612449"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2613219"></a><h2>AUTHOR</h2> +<a name="id2612462"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index aeed4b8e..df75b751 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.ddns-confgen.html,v 1.40.4.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.ddns-confgen.html,v 1.40.4.6 2010/02/04 02:08:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2638336"></a><h2>DESCRIPTION</h2> +<a name="id2640788"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">ddns-confgen</strong></span> generates a key for use by <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named</strong></span>. It simplifies configuration @@ -77,7 +77,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2638491"></a><h2>OPTIONS</h2> +<a name="id2640875"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd><p> @@ -144,7 +144,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2638760"></a><h2>SEE ALSO</h2> +<a name="id2645104"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, @@ -152,7 +152,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2638798"></a><h2>AUTHOR</h2> +<a name="id2645142"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index fafebe92..8d4b4a4d 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dig.html,v 1.138.4.2 2010/01/08 02:08:26 tbox Exp $ --> +<!-- $Id: man.dig.html,v 1.138.4.4 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -52,7 +52,7 @@ <div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2563925"></a><h2>DESCRIPTION</h2> +<a name="id2608836"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -98,7 +98,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2580199"></a><h2>SIMPLE USAGE</h2> +<a name="id2608931"></a><h2>SIMPLE USAGE</h2> <p> A typical invocation of <span><strong class="command">dig</strong></span> looks like: </p> @@ -144,7 +144,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2580310"></a><h2>OPTIONS</h2> +<a name="id2609110"></a><h2>OPTIONS</h2> <p> The <code class="option">-b</code> option sets the source IP address of the query to <em class="parameter"><code>address</code></em>. This must be a valid @@ -248,7 +248,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2632262"></a><h2>QUERY OPTIONS</h2> +<a name="id2660721"></a><h2>QUERY OPTIONS</h2> <p><span><strong class="command">dig</strong></span> provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -573,7 +573,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2633262"></a><h2>MULTIPLE QUERIES</h2> +<a name="id2661789"></a><h2>MULTIPLE QUERIES</h2> <p> The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports @@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2633348"></a><h2>IDN SUPPORT</h2> +<a name="id2661875"></a><h2>IDN SUPPORT</h2> <p> If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2633377"></a><h2>FILES</h2> +<a name="id2661904"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> <p><code class="filename">${HOME}/.digrc</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2633466"></a><h2>SEE ALSO</h2> +<a name="id2661925"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, @@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2633504"></a><h2>BUGS</h2> +<a name="id2661962"></a><h2>BUGS</h2> <p> There are probably too many query options. </p> diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index bbde3499..a995f392 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-dsfromkey.html,v 1.50.4.2 2010/01/08 02:08:23 tbox Exp $ --> +<!-- $Id: man.dnssec-dsfromkey.html,v 1.50.4.4 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -51,14 +51,14 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2606181"></a><h2>DESCRIPTION</h2> +<a name="id2610610"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-dsfromkey</strong></span> outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s). </p> </div> <div class="refsect1" lang="en"> -<a name="id2606195"></a><h2>OPTIONS</h2> +<a name="id2610624"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-1</span></dt> <dd><p> @@ -119,7 +119,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2606452"></a><h2>EXAMPLE</h2> +<a name="id2610949"></a><h2>EXAMPLE</h2> <p> To build the SHA-256 DS RR from the <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> @@ -134,7 +134,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2606488"></a><h2>FILES</h2> +<a name="id2610985"></a><h2>FILES</h2> <p> The keyfile can be designed by the key identification <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name @@ -148,13 +148,13 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2606598"></a><h2>CAVEAT</h2> +<a name="id2611027"></a><h2>CAVEAT</h2> <p> A keyfile error can give a "file not found" even if the file exists. </p> </div> <div class="refsect1" lang="en"> -<a name="id2606608"></a><h2>SEE ALSO</h2> +<a name="id2611036"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -164,7 +164,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2606715"></a><h2>AUTHOR</h2> +<a name="id2611622"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 3c9177cd..cb3316cb 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83.4.3 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83.4.5 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2607019"></a><h2>DESCRIPTION</h2> +<a name="id2612131"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keyfromlabel</strong></span> gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -63,7 +63,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2607040"></a><h2>OPTIONS</h2> +<a name="id2612151"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> @@ -182,7 +182,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2608158"></a><h2>TIMING OPTIONS</h2> +<a name="id2614021"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -229,7 +229,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2610168"></a><h2>GENERATED KEY FILES</h2> +<a name="id2614119"></a><h2>GENERATED KEY FILES</h2> <p> When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes successfully, @@ -268,7 +268,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2651085"></a><h2>SEE ALSO</h2> +<a name="id2614281"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -276,7 +276,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2651118"></a><h2>AUTHOR</h2> +<a name="id2614314"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index c83bff82..e90125c1 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-keygen.html,v 1.152.4.3 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.dnssec-keygen.html,v 1.152.4.5 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2608560"></a><h2>DESCRIPTION</h2> +<a name="id2613125"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2608580"></a><h2>OPTIONS</h2> +<a name="id2613145"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> @@ -256,7 +256,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2660619"></a><h2>TIMING OPTIONS</h2> +<a name="id2663751"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -303,7 +303,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2660922"></a><h2>GENERATED KEYS</h2> +<a name="id2663917"></a><h2>GENERATED KEYS</h2> <p> When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, @@ -349,7 +349,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2661030"></a><h2>EXAMPLE</h2> +<a name="id2664093"></a><h2>EXAMPLE</h2> <p> To generate a 768-bit DSA key for the domain <strong class="userinput"><code>example.com</code></strong>, the following command would be @@ -370,7 +370,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2661086"></a><h2>SEE ALSO</h2> +<a name="id2664218"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2539</em>, @@ -379,7 +379,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2661117"></a><h2>AUTHOR</h2> +<a name="id2664249"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 217d2efd..6ba61479 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-revoke.html,v 1.35.4.3 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.dnssec-revoke.html,v 1.35.4.5 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2609060"></a><h2>DESCRIPTION</h2> +<a name="id2614376"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-revoke</strong></span> reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2609074"></a><h2>OPTIONS</h2> +<a name="id2614390"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-h</span></dt> <dd><p> @@ -91,14 +91,14 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2609181"></a><h2>SEE ALSO</h2> +<a name="id2614498"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 5011</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2609206"></a><h2>AUTHOR</h2> +<a name="id2614522"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index b778af86..20dd97be 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-settime.html,v 1.30.4.3 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.dnssec-settime.html,v 1.30.4.5 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2609702"></a><h2>DESCRIPTION</h2> +<a name="id2614615"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-settime</strong></span> reads a DNSSEC private key file and sets the key timing metadata as specified by the <code class="option">-P</code>, <code class="option">-A</code>, @@ -75,7 +75,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2609761"></a><h2>OPTIONS</h2> +<a name="id2614674"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-f</span></dt> <dd><p> @@ -106,7 +106,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2610469"></a><h2>TIMING OPTIONS</h2> +<a name="id2615041"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -151,7 +151,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2610567"></a><h2>PRINTING OPTIONS</h2> +<a name="id2615139"></a><h2>PRINTING OPTIONS</h2> <p> <span><strong class="command">dnssec-settime</strong></span> can also be used to print the timing metadata associated with a key. @@ -169,7 +169,7 @@ <code class="option">C</code> for the creation date, <code class="option">P</code> for the publication date, <code class="option">A</code> for the activation date, - <code class="option">R</code> for the revokation date, + <code class="option">R</code> for the revocation date, <code class="option">U</code> for the unpublication date, or <code class="option">D</code> for the deletion date. To print all of the metadata, use <code class="option">-p all</code>. @@ -177,7 +177,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2610852"></a><h2>SEE ALSO</h2> +<a name="id2615219"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -185,7 +185,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2610885"></a><h2>AUTHOR</h2> +<a name="id2615457"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index e5fda458..4c93e082 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-signzone.html,v 1.152.4.3 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.dnssec-signzone.html,v 1.152.4.5 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2612066"></a><h2>DESCRIPTION</h2> +<a name="id2617044"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2612085"></a><h2>OPTIONS</h2> +<a name="id2617063"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> @@ -397,7 +397,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2662105"></a><h2>EXAMPLE</h2> +<a name="id2665240"></a><h2>EXAMPLE</h2> <p> The following command signs the <strong class="userinput"><code>example.com</code></strong> zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> @@ -427,14 +427,14 @@ db.example.com.signed %</pre> </div> <div class="refsect1" lang="en"> -<a name="id2662252"></a><h2>SEE ALSO</h2> +<a name="id2665319"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4033</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2662277"></a><h2>AUTHOR</h2> +<a name="id2665412"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 21885b8b..a0608f71 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.genrandom.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.genrandom.html,v 1.2.4.7 2010/02/04 02:08:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">genrandom</code> {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2638850"></a><h2>DESCRIPTION</h2> +<a name="id2612562"></a><h2>DESCRIPTION</h2> <p> <span><strong class="command">genrandom</strong></span> generates a file containing a specified quantity of pseudo-random @@ -59,7 +59,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2638865"></a><h2>ARGUMENTS</h2> +<a name="id2648758"></a><h2>ARGUMENTS</h2> <div class="variablelist"><dl> <dt><span class="term">size</span></dt> <dd><p> @@ -72,14 +72,14 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2638900"></a><h2>SEE ALSO</h2> +<a name="id2648793"></a><h2>SEE ALSO</h2> <p> <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>, <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span> </p> </div> <div class="refsect1" lang="en"> -<a name="id2638926"></a><h2>AUTHOR</h2> +<a name="id2648820"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index dc783775..9bce126e 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.host.html,v 1.136.4.2 2010/01/08 02:08:26 tbox Exp $ --> +<!-- $Id: man.host.html,v 1.136.4.4 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2605431"></a><h2>DESCRIPTION</h2> +<a name="id2609314"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">host</strong></span> is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2607242"></a><h2>IDN SUPPORT</h2> +<a name="id2609691"></a><h2>IDN SUPPORT</h2> <p> If <span><strong class="command">host</strong></span> has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2607271"></a><h2>FILES</h2> +<a name="id2609720"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2607285"></a><h2>SEE ALSO</h2> +<a name="id2609734"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. </p> diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index fbcefeb9..23a9c998 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.isc-hmac-fixup.html,v 1.1.2.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.isc-hmac-fixup.html,v 1.1.2.6 2010/02/04 02:08:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2643593"></a><h2>DESCRIPTION</h2> +<a name="id2613346"></a><h2>DESCRIPTION</h2> <p> Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2643621"></a><h2>SECURITY CONSIDERATIONS</h2> +<a name="id2613373"></a><h2>SECURITY CONSIDERATIONS</h2> <p> Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span> are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2643637"></a><h2>SEE ALSO</h2> +<a name="id2649434"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2104</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2643654"></a><h2>AUTHOR</h2> +<a name="id2649451"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index bae1246f..747380c4 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.named-checkconf.html,v 1.146.4.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.named-checkconf.html,v 1.146.4.6 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2612385"></a><h2>DESCRIPTION</h2> +<a name="id2617909"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">named-checkconf</strong></span> checks the syntax, but not the semantics, of a <span><strong class="command">named</strong></span> configuration file. The file is parsed @@ -70,7 +70,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2612455"></a><h2>OPTIONS</h2> +<a name="id2617979"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-h</span></dt> <dd><p> @@ -109,21 +109,21 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2612589"></a><h2>RETURN VALUES</h2> +<a name="id2626169"></a><h2>RETURN VALUES</h2> <p><span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. </p> </div> <div class="refsect1" lang="en"> -<a name="id2612603"></a><h2>SEE ALSO</h2> +<a name="id2626183"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2612633"></a><h2>AUTHOR</h2> +<a name="id2626213"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2965763d..14183283 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.named-checkzone.html,v 1.154.4.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.named-checkzone.html,v 1.154.4.6 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -51,7 +51,7 @@ <div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2613378"></a><h2>DESCRIPTION</h2> +<a name="id2631122"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of a zone file. It performs the same checks as <span><strong class="command">named</strong></span> does when loading a @@ -71,7 +71,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2613428"></a><h2>OPTIONS</h2> +<a name="id2665510"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-d</span></dt> <dd><p> @@ -265,14 +265,14 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2665809"></a><h2>RETURN VALUES</h2> +<a name="id2666281"></a><h2>RETURN VALUES</h2> <p><span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. </p> </div> <div class="refsect1" lang="en"> -<a name="id2665891"></a><h2>SEE ALSO</h2> +<a name="id2666295"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>, <em class="citetitle">RFC 1035</em>, @@ -280,7 +280,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2665924"></a><h2>AUTHOR</h2> +<a name="id2666328"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 691616d0..6724ad5c 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.named-journalprint.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.named-journalprint.html,v 1.2.4.7 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2610712"></a><h2>DESCRIPTION</h2> +<a name="id2610775"></a><h2>DESCRIPTION</h2> <p> <span><strong class="command">named-journalprint</strong></span> prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2614444"></a><h2>SEE ALSO</h2> +<a name="id2635943"></a><h2>SEE ALSO</h2> <p> <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>, @@ -84,7 +84,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2614475"></a><h2>AUTHOR</h2> +<a name="id2635974"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index c18bad7b..da7865f3 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.named.html,v 1.156.4.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.named.html,v 1.156.4.6 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2613748"></a><h2>DESCRIPTION</h2> +<a name="id2631355"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">named</strong></span> is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2613779"></a><h2>OPTIONS</h2> +<a name="id2631386"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-4</span></dt> <dd><p> @@ -246,7 +246,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2614401"></a><h2>SIGNALS</h2> +<a name="id2636445"></a><h2>SIGNALS</h2> <p> In routine operation, signals should not be used to control the nameserver; <span><strong class="command">rndc</strong></span> should be used @@ -267,7 +267,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2635204"></a><h2>CONFIGURATION</h2> +<a name="id2637793"></a><h2>CONFIGURATION</h2> <p> The <span><strong class="command">named</strong></span> configuration file is too complex to describe in detail here. A complete description is provided @@ -284,7 +284,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2635253"></a><h2>FILES</h2> +<a name="id2637842"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt> <dd><p> @@ -297,7 +297,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2635297"></a><h2>SEE ALSO</h2> +<a name="id2637885"></a><h2>SEE ALSO</h2> <p><em class="citetitle">RFC 1033</em>, <em class="citetitle">RFC 1034</em>, <em class="citetitle">RFC 1035</em>, @@ -310,7 +310,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2669978"></a><h2>AUTHOR</h2> +<a name="id2668130"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 90294a57..684b6feb 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -14,7 +14,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.nsec3hash.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.nsec3hash.html,v 1.2.4.7 2010/02/04 02:08:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -48,7 +48,7 @@ <div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2646089"></a><h2>DESCRIPTION</h2> +<a name="id2650521"></a><h2>DESCRIPTION</h2> <p> <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2646104"></a><h2>ARGUMENTS</h2> +<a name="id2650536"></a><h2>ARGUMENTS</h2> <div class="variablelist"><dl> <dt><span class="term">salt</span></dt> <dd><p> @@ -80,14 +80,14 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2646166"></a><h2>SEE ALSO</h2> +<a name="id2650598"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 5155</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2646183"></a><h2>AUTHOR</h2> +<a name="id2650615"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 219a41b0..8cb502f9 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.nsupdate.html,v 1.80.4.5 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.nsupdate.html,v 1.80.4.7 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2614750"></a><h2>DESCRIPTION</h2> +<a name="id2636590"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">nsupdate</strong></span> is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -210,7 +210,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2619044"></a><h2>INPUT FORMAT</h2> +<a name="id2637402"></a><h2>INPUT FORMAT</h2> <p><span><strong class="command">nsupdate</strong></span> reads input from <em class="parameter"><code>filename</code></em> @@ -474,7 +474,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2672983"></a><h2>EXAMPLES</h2> +<a name="id2669086"></a><h2>EXAMPLES</h2> <p> The examples below show how <span><strong class="command">nsupdate</strong></span> @@ -528,7 +528,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2673033"></a><h2>FILES</h2> +<a name="id2669137"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt> <dd><p> @@ -551,7 +551,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2673116"></a><h2>SEE ALSO</h2> +<a name="id2669288"></a><h2>SEE ALSO</h2> <p> <em class="citetitle">RFC 2136</em>, <em class="citetitle">RFC 3007</em>, @@ -566,7 +566,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2673174"></a><h2>BUGS</h2> +<a name="id2669346"></a><h2>BUGS</h2> <p> The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index fdaf9480..3085907b 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.rndc-confgen.html,v 1.160.4.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.rndc-confgen.html,v 1.160.4.6 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2637536"></a><h2>DESCRIPTION</h2> +<a name="id2639783"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">rndc-confgen</strong></span> generates configuration files for <span><strong class="command">rndc</strong></span>. It can be used as a @@ -66,7 +66,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2637738"></a><h2>OPTIONS</h2> +<a name="id2639849"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd> @@ -173,7 +173,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2638193"></a><h2>EXAMPLES</h2> +<a name="id2645424"></a><h2>EXAMPLES</h2> <p> To allow <span><strong class="command">rndc</strong></span> to be used with no manual configuration, run @@ -190,7 +190,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2639341"></a><h2>SEE ALSO</h2> +<a name="id2645480"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, @@ -198,7 +198,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2639380"></a><h2>AUTHOR</h2> +<a name="id2645518"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 41ca9787..43c3131f 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.rndc.conf.html,v 1.161.4.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.rndc.conf.html,v 1.161.4.6 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2611242"></a><h2>DESCRIPTION</h2> +<a name="id2611305"></a><h2>DESCRIPTION</h2> <p><code class="filename">rndc.conf</code> is the configuration file for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2636331"></a><h2>EXAMPLE</h2> +<a name="id2639193"></a><h2>EXAMPLE</h2> <pre class="programlisting"> options { default-server localhost; @@ -209,7 +209,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2637272"></a><h2>NAME SERVER CONFIGURATION</h2> +<a name="id2639383"></a><h2>NAME SERVER CONFIGURATION</h2> <p> The name server must be configured to accept rndc connections and to recognize the key specified in the <code class="filename">rndc.conf</code> @@ -219,7 +219,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2637298"></a><h2>SEE ALSO</h2> +<a name="id2639477"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>, @@ -227,7 +227,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2637336"></a><h2>AUTHOR</h2> +<a name="id2639515"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index cd59e490..aa88635d 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.rndc.html,v 1.159.4.4 2010/01/20 02:08:51 tbox Exp $ --> +<!-- $Id: man.rndc.html,v 1.159.4.6 2010/02/04 02:08:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2623637"></a><h2>DESCRIPTION</h2> +<a name="id2638445"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">rndc</strong></span> controls the operation of a name server. It supersedes the <span><strong class="command">ndc</strong></span> utility @@ -79,7 +79,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2623687"></a><h2>OPTIONS</h2> +<a name="id2638496"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt> <dd><p> @@ -151,7 +151,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2635654"></a><h2>LIMITATIONS</h2> +<a name="id2638721"></a><h2>LIMITATIONS</h2> <p><span><strong class="command">rndc</strong></span> does not yet support all the commands of the BIND 8 <span><strong class="command">ndc</strong></span> utility. @@ -165,7 +165,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2635685"></a><h2>SEE ALSO</h2> +<a name="id2638752"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, @@ -175,7 +175,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2635740"></a><h2>AUTHOR</h2> +<a name="id2638807"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/managed-keys.xml b/doc/arm/managed-keys.xml new file mode 100644 index 00000000..2279d883 --- /dev/null +++ b/doc/arm/managed-keys.xml @@ -0,0 +1,100 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: managed-keys.xml,v 1.2.2.2 2010/02/03 23:48:29 tbox Exp $ --> + +<sect1 id="rfc5011.support"> + <title>Dynamic Trust Anchor Management</title> + <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust + anchor management. Using this feature allows + <command>named</command> to keep track of changes to critical + DNSSEC keys without any need for the operator to make changes to + configuration files.</para> + <sect2> + <title>Validating Resolver</title> + <!-- TODO: command tag is overloaded for configuration and executables --> + <para>To configure a validating resolver to use RFC 5011 to + maintain a trust anchor, configure the trust anchor using a + <command>managed-keys</command> statement. Information about + this can be found in + <xref linkend="managed-keys" />.</para> + <!-- TODO: managed-keys examples +also in DNSSEC section above here in ARM --> + </sect2> + <sect2> + <title>Authoritative Server</title> + <para>To set up an authoritative zone for RFC 5011 trust anchor + maintenance, generate two (or more) key signing keys (KSKs) for + the zone. Sign the zone with one of them; this is the "active" + KSK. All KSK's which do not sign the zone are "stand-by" + keys.</para> + <para>Any validating resolver which is configured to use the + active KSK as an RFC 5011-managed trust anchor will take note + of the stand-by KSKs in the zone's DNSKEY RRset, and store them + for future reference. The resolver will recheck the zone + periodically, and after 30 days, if the new key is still there, + then the key will be accepted by the resolver as a valid trust + anchor for the zone. Any time after this 30-day acceptance + timer has completed, the active KSK can be revoked, and the + zone can be "rolled over" to the newly accepted key.</para> + <para>The easiest way to place a stand-by key in a zone is to + use the "smart signing" features of + <command>dnssec-keygen</command> and + <command>dnssec-signzone</command>. If a key with a publication + date in the past, but an activation date which is unset or in + the future, " + <command>dnssec-signzone -S</command>" will include the DNSKEY + record in the zone, but will not sign with it:</para> + <screen> +$ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput> +$ <userinput>dnssec-signzone -S -K keys example.net</userinput> +</screen> + <para>To revoke a key, the new command + <command>dnssec-revoke</command> has been added. This adds the + REVOKED bit to the key flags and re-generates the + <filename>K*.key</filename> and + <filename>K*.private</filename> files.</para> + <para>After revoking the active key, the zone must be signed + with both the revoked KSK and the new active KSK. (Smart + signing takes care of this automatically.)</para> + <para>Once a key has been revoked and used to sign the DNSKEY + RRset in which it appears, that key will never again be + accepted as a valid trust anchor by the resolver. However, + validation can proceed using the new active key (which had been + accepted by the resolver when it was a stand-by key).</para> + <para>See RFC 5011 for more details on key rollover + scenarios.</para> + <para>When a key has been revoked, its key ID changes, + increasing by 128, and wrapping around at 65535. So, for + example, the key "<filename>Kexample.com.+005+10000</filename>" becomes + "<filename>Kexample.com.+005+10128</filename>".</para> + <para>If two keys have ID's exactly 128 apart, and one is + revoked, then the two key ID's will collide, causing several + problems. To prevent this, + <command>dnssec-keygen</command> will not generate a new key if + another key is present which may collide. This checking will + only occur if the new keys are written to the same directory + which holds all other keys in use for that zone.</para> + <para>Older versions of BIND 9 did not have this precaution. + Exercise caution if using key revocation on keys that were + generated by previous releases, or if using keys stored in + multiple directories or on multiple machines.</para> + <para>It is expected that a future release of BIND 9 will + address this problem in a different way, by storing revoked + keys with their original unrevoked key ID's.</para> + </sect2> +</sect1> diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml new file mode 100644 index 00000000..f416d176 --- /dev/null +++ b/doc/arm/pkcs11.xml @@ -0,0 +1,372 @@ +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" + [<!ENTITY mdash "—">]> +<sect1 id="pkcs11"> + <title>PKCS #11 (Cryptoki) support</title> + <para>PKCS #11 (Public Key Cryptography Standard #11) defines a + platform- independent API for the control of hardware security + modules (HSMs) and other cryptographic support devices.</para> + <para>BIND 9 is known to work with two HSMs: The Sun SCA 6000 + cryptographic acceleration board, tested under Solaris x86, and + the AEP Keyper network-attached key storage device, tested with + Debian Linux, Solaris x86 and Windows Server 2003.</para> + <sect2> + <title>Prerequisites</title> + <para>See the HSM vendor documentation for information about + installing, initializing, testing and troubleshooting the + HSM.</para> + <para>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL + does not yet fully support PKCS #11. However, a PKCS #11 engine + for OpenSSL is available from the OpenSolaris project. It has + been modified by ISC to work with with BIND 9, and to provide + new features such as PIN management and key by + reference.</para> + <para>The patched OpenSSL depends on a "PKCS #11 provider". + This is a shared library object, providing a low-level PKCS #11 + interface to the HSM hardware. It is dynamically loaded by + OpenSSL at runtime. The PKCS #11 provider comes from the HSM + vendor, and and is specific to the HSM to be controlled.</para> + <para>There are two "flavors" of PKCS #11 support provided by + the patched OpenSSL, one of which must be chosen at + configuration time. The correct choice depends on the HSM + hardware:</para> + <itemizedlist> + <listitem> + <para>Use 'crypto-accelerator' with HSMs that have hardware + cryptographic acceleration features, such as the SCA 6000 + board. This causes OpenSSL to run all supported + cryptographic operations in the HSM.</para> + </listitem> + <listitem> + <para>Use 'sign-only' with HSMs that are designed to + function primarily as secure key storage devices, but lack + hardware acceleration. These devices are highly secure, but + are not necessarily any faster at cryptography than the + system CPU — often, they are slower. It is therefore + most efficient to use them only for those cryptographic + functions that require access to the secured private key, + such as zone signing, and to use the system CPU for all + other computationally-intensive operations. The AEP Keyper + is an example of such a device.</para> + </listitem> + </itemizedlist> + <para>The modified OpenSSL code is included in the BIND 9.7.0 + release, in the form of a context diff against the latest OpenSSL. + </para> + <note> + The latest OpenSSL version at the time of the BIND release + is 0.9.8l. + ISC will provide an updated patch as new versions of OpenSSL + are released. The version number in the following examples + is expected to change.</note> + <para> + Before building BIND 9 with PKCS #11 support, it will be + necessary to build OpenSSL with this patch in place and inform + it of the path to the HSM-specific PKCS #11 provider + library.</para> + <para>Obtain OpenSSL 0.9.8l:</para> + <screen> +$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8l.tar.gz</ulink></userinput> +</screen> + <para>Extract the tarball:</para> + <screen> +$ <userinput>tar zxf openssl-0.9.8l.tar.gz</userinput> +</screen> + <para>Apply the patch from the BIND 9 release:</para> + <screen> +$ <userinput>patch -p1 -d openssl-0.9.8l \ + < bind-9.7.0/bin/pkcs11/openssl-0.9.8l-patch</userinput> +</screen> + <note>(Note that the patch file may not be compatible with the + "patch" utility on all operating systems. You may need to + install GNU patch.)</note> + <para>When building OpenSSL, place it in a non-standard + location so that it does not interfere with OpenSSL libraries + elsewhere on the system. In the following examples, we choose + to install into "/opt/pkcs11/usr". We will use this location + when we configure BIND 9.</para> + <sect3> + <!-- Example 1 --> + <title>Building OpenSSL for the AEP Keyper on Linux</title> + <para>The AEP Keyper is a highly secure key storage device, + but does not provide hardware cryptographic acceleration. It + can carry out cryptographic operations, but it is probably + slower than your system's CPU. Therefore, we choose the + 'sign-only' flavor when building OpenSSL.</para> + <para>The Keyper-specific PKCS #11 provider library is + delivered with the Keyper software. In this example, we place + it /opt/pkcs11/usr/lib:</para> + <screen> +$ <userinput>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</userinput> +</screen> + <para>This library is only available for Linux as a 32-bit + binary. If we are compiling on a 64-bit Linux system, it is + necessary to force a 32-bit build, by specifying -m32 in the + build options.</para> + <para>Finally, the Keyper library requires threads, so we + must specify -pthread.</para> + <screen> +$ <userinput>cd openssl-0.9.8l</userinput> +$ <userinput>./Configure linux-generic32 -m32 -pthread \ + --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ + --pk11-flavor=sign-only \ + --prefix=/opt/pkcs11/usr</userinput> +</screen> + <para>After configuring, run "<command>make</command>" + and "<command>make test</command>". If "<command>make + test</command>" fails with "pthread_atfork() not found", you forgot to + add the -pthread above.</para> + </sect3> + <sect3> + <!-- Example 2 --> + <title>Building OpenSSL for the SCA 6000 on Solaris</title> + <para>The SCA-6000 PKCS #11 provider is installed as a system + library, libpkcs11. It is a true crypto accelerator, up to 4 + times faster than any CPU, so the flavor shall be + 'crypto-accelerator'.</para> + <para>In this example, we are building on Solaris x86 on an + AMD64 system.</para> + <screen> +$ <userinput>cd openssl-0.9.8l</userinput> +$ <userinput>./Configure solaris64-x86_64-cc \ + --pk11-libname=/usr/lib/64/libpkcs11.so \ + --pk11-flavor=crypto-accelerator \ + --prefix=/opt/pkcs11/usr</userinput> +</screen> + <para>(For a 32-bit build, use "solaris-x86-cc" and + /usr/lib/libpkcs11.so.)</para> + <para>After configuring, run + <command>make</command> and + <command>make test</command>.</para> + <para>Once you have built OpenSSL, run + "<command>apps/openssl engine pkcs11</command>" to confirm + that PKCS #11 support was compiled in correctly. The output + should be one of the following lines, depending on the flavor + selected:</para> + <screen> + (pkcs11) PKCS #11 engine support (sign only) +</screen> + <para>Or:</para> + <screen> + (pkcs11) PKCS #11 engine support (crypto accelerator) +</screen> + <para>Next, run + "<command>apps/openssl engine pkcs11 -t</command>". This will + attempt to initialize the PKCS #11 engine. If it is able to + do so successfully, it will report + <quote><literal>[ available ]</literal></quote>.</para> + <para>If the output is correct, run + "<command>make install</command>" which will install the + modified OpenSSL suite to + <filename>/opt/pkcs11/usr</filename>.</para> + </sect3> + </sect2> + <sect2> + <title>Building BIND 9 with PKCS#11</title> + <para>When building BIND 9, the location of the custom-built + OpenSSL library must be specified via configure.</para> + <sect3> + <!-- Example 3 --> + <title>Configuring BIND 9 for Linux</title> + <para>To link with the PKCS #11 provider, threads must be + enabled in the BIND 9 build.</para> + <para>The PKCS #11 library for the AEP Keyper is currently + only available as a 32-bit binary. If we are building on a + 64-bit host, we must force a 32-bit build by adding "-m32" to + the CC options on the "configure" command line.</para> + <screen> +$ <userinput>cd ../bind-9.7.0</userinput> +$ <userinput>./configure CC="gcc -m32" --enable-threads \ + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput> +</screen> + </sect3> + <sect3> + <!-- Example 4 --> + <title>Configuring BIND 9 for Solaris</title> + <para>To link with the PKCS #11 provider, threads must be + enabled in the BIND 9 build.</para> + <screen> +$ <userinput>cd ../bind-9.7.0</userinput> +$ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \ + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/usr/lib/64/libpkcs11.so</userinput> +</screen> + <para>(For a 32-bit build, omit CC="cc -xarch=amd64".)</para> + <para>If configure complains about OpenSSL not working, you + may have a 32/64-bit architecture mismatch. Or, you may have + incorrectly specified the path to OpenSSL (it should be the + same as the --prefix argument to the OpenSSL + Configure).</para> + </sect3> + <para>After configuring, run + "<command>make</command>", + "<command>make test</command>" and + "<command>make install</command>".</para> + </sect2> + <sect2> + <title>PKCS #11 Tools</title> + <para>BIND 9 includes a minimal set of tools to operate the + HSM, including + <command>pkcs11-keygen</command> to generate a new key pair + within the HSM, + <command>pkcs11-list</command> to list objects currently + available, and + <command>pkcs11-destroy</command> to remove objects.</para> + <para>In UNIX/Linux builds, these tools are built only if BIND + 9 is configured with the --with-pkcs11 option. (NOTE: If + --with-pkcs11 is set to "yes", rather than to the path of the + PKCS #11 provider, then the tools will be built but the + provider will be left undefined. Use the -m option or the + PKCS11_PROVIDER environment variable to specify the path to the + provider.)</para> + </sect2> + <sect2> + <title>Using the HSM</title> + <para>First, we must set up the runtime environment so the + OpenSSL and PKCS #11 libraries can be loaded:</para> + <screen> +$ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</userinput> +</screen> + <para>When operating an AEP Keyper, it is also necessary to + specify the location of the "machine" file, which stores + information about the Keyper for use by PKCS #11 provider + library. If the machine file is in + <filename>/opt/Keyper/PKCS11Provider/machine</filename>, + use:</para> + <screen> +$ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput> +</screen> + <!-- TODO: why not defined at compile time? --> + <para>These environment variables must be set whenever running + any tool that uses the HSM, including + <command>pkcs11-keygen</command>, + <command>pkcs11-list</command>, + <command>pkcs11-destroy</command>, + <command>dnssec-keyfromlabel</command>, + <command>dnssec-signzone</command>, + <command>dnssec-keygen</command>(which will use the HSM for + random number generation), and + <command>named</command>.</para> + <para>We can now create and use keys in the HSM. In this case, + we will create a 2048 bit key and give it the label + "sample-ksk":</para> + <screen> +$ <userinput>pkcs11-keygen -b 2048 -l sample-ksk</userinput> +</screen> + <para>To confirm that the key exists:</para> + <screen> +$ <userinput>pkcs11-list</userinput> +Enter PIN: +object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] +object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] +</screen> + <para>Before using this key to sign a zone, we must create a + pair of BIND 9 key files. The "dnssec-keyfromlabel" utility + does this. In this case, we will be using the HSM key + "sample-ksk" as the key-signing key for "example.net":</para> + <screen> +$ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput> +</screen> + <para>The resulting K*.key and K*.private files can now be used + to sign the zone. Unlike normal K* files, which contain both + public and private key data, these files will contain only the + public key data, plus an identifier for the private key which + remains stored within the HSM. The HSM handles signing with the + private key.</para> + <para>If you wish to generate a second key in the HSM for use + as a zone-signing key, follow the same procedure above, using a + different keylabel, a smaller key size, and omitting "-f KSK" + from the dnssec-keyfromlabel arguments:</para> + <screen> +$ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput> +$ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput> +</screen> + <para>Alternatively, you may prefer to generate a conventional + on-disk key, using dnssec-keygen:</para> + <screen> +$ <userinput>dnssec-keygen example.net</userinput> +</screen> + <para>This provides less security than an HSM key, but since + HSMs can be slow or cumbersome to use for security reasons, it + may be more efficient to reserve HSM keys for use in the less + frequent key-signing operation. The zone-signing key can be + rolled more frequently, if you wish, to compensate for a + reduction in key security.</para> + <para>Now you can sign the zone. (Note: If not using the -S + option to + <command>dnssec-signzone</command>, it will be necessary to add + the contents of both + <filename>K*.key</filename> files to the zone master file before + signing it.)</para> + <screen> +$ <userinput>dnssec-signzone -S example.net</userinput> +Enter PIN: +Verifying the zone using the following algorithms: +NSEC3RSASHA1. +Zone signing complete: +Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by +example.net.signed +</screen> + </sect2> + <sect2> + <title>Specifying the engine on the command line</title> + <para>The OpenSSL engine can be specified in + <command>named</command> and all of the BIND + <command>dnssec-*</command> tools by using the "-E + <engine>" command line option. If BIND 9 is built with + the --with-pkcs11 option, this option defaults to "pkcs11". + Specifying the engine will generally not be necessary unless + for some reason you wish to use a different OpenSSL + engine.</para> + <para>If you wish to disable use of the "pkcs11" engine — + for troubleshooting purposes, or because the HSM is unavailable + — set the engine to the empty string. For example:</para> + <screen> +$ <userinput>dnssec-signzone -E '' -S example.net</userinput> +</screen> + <para>This causes + <command>dnssec-signzone</command> to run as if it were compiled + without the --with-pkcs11 option.</para> + </sect2> + <sect2> + <title>Running named with automatic zone re-signing</title> + <para>If you want + <command>named</command> to dynamically re-sign zones using HSM + keys, and/or to to sign new records inserted via nsupdate, then + named must have access to the HSM PIN. This can be accomplished + by placing the PIN into the openssl.cnf file (in the above + examples, + <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para> + <para>The location of the openssl.cnf file can be overridden by + setting the OPENSSL_CONF environment variable before running + named.</para> + <para>Sample openssl.cnf:</para> + <programlisting> + openssl_conf = openssl_def + [ openssl_def ] + engines = engine_section + [ engine_section ] + pkcs11 = pkcs11_section + [ pkcs11_section ] + PIN = <replaceable><PLACE PIN HERE></replaceable> +</programlisting> + <para>This will also allow the dnssec-* tools to access the HSM + without PIN entry. (The pkcs11-* tools access the HSM directly, + not via OpenSSL, so a PIN will still be required to use + them.)</para> +<!-- +If the PIN is not known, I believe the first time named needs the +PIN to open a key, it'll ask you to type in the PIN, which will be +a problem because it probably won't be running on a terminal +--> + <warning> + <para>Placing the HSM's PIN in a text file in + this manner may reduce the security advantage of using an + HSM. Be sure this is what you want to do before configuring + OpenSSL in this way.</para> + </warning> + </sect2> + <!-- TODO: what is alternative then for named dynamic re-signing? --> + <!-- TODO: what happens if PIN is not known? named will log about it? --> +</sect1> diff --git a/lib/dns/api b/lib/dns/api index c4e83f4e..6a453afb 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -1,3 +1,3 @@ LIBINTERFACE = 64 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/dns/zone.c b/lib/dns/zone.c index f4f6a85e..319fe2ff 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.540.2.13 2010/01/22 01:46:43 each Exp $ */ +/* $Id: zone.c,v 1.540.2.14 2010/01/26 23:35:22 fdupont Exp $ */ /*! \file */ @@ -7179,6 +7179,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent; dns_keyfetch_t *kfetch; dns_zone_t *zone; + isc_mem_t *mctx; dns_keytable_t *secroots = NULL; dns_dbversion_t *ver = NULL; dns_diff_t diff; @@ -7205,6 +7206,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { kfetch = event->ev_arg; zone = kfetch->zone; + mctx = zone->mctx; keyname = dns_fixedname_name(&kfetch->name); devent = (dns_fetchevent_t *) event; @@ -7226,7 +7228,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { LOCK_ZONE(zone); dns_db_newversion(kfetch->db, &ver); - dns_diff_init(zone->mctx, &diff); + dns_diff_init(mctx, &diff); /* Fetch failed */ if (eresult != ISC_R_SUCCESS || @@ -7459,8 +7461,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { /* Remove from secroots */ untrust_key(zone->view->viewlist, - keyname, zone->mctx, - &dnskey); + keyname, mctx, &dnskey); /* If initializing, delete now */ if (keydata.addhd == 0) @@ -7506,7 +7507,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { if (initializing) { dns_keytag_t tag = 0; CHECK(compute_tag(keyname, &dnskey, - zone->mctx, &tag)); + mctx, &tag)); dns_zone_log(zone, ISC_LOG_WARNING, "Initializing automatic trust " "anchor management for zone '%s'; " @@ -7564,7 +7565,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { /* Trust this key in all views */ dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); trust_key(zone->view->viewlist, keyname, &dnskey, - zone->mctx); + mctx); } if (!deletekey) @@ -7599,8 +7600,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { /* Write changes to journal file. */ if (alldone) { - result = increment_soa_serial(kfetch->db, ver, &diff, - zone->mctx); + result = increment_soa_serial(kfetch->db, ver, &diff, mctx); if (result == ISC_R_SUCCESS) zone_journal(zone, &diff, "keyfetch_done"); } @@ -7608,6 +7608,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_diff_clear(&diff); dns_db_closeversion(kfetch->db, &ver, changed); dns_db_detach(&kfetch->db); + dns_zone_detach(&kfetch->zone); if (dns_rdataset_isassociated(&kfetch->keydataset)) dns_rdataset_disassociate(&kfetch->keydataset); @@ -7616,8 +7617,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { if (dns_rdataset_isassociated(&kfetch->dnskeysigset)) dns_rdataset_disassociate(&kfetch->dnskeysigset); - dns_name_free(keyname, zone->mctx); - isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t)); + dns_name_free(keyname, mctx); + isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t)); if (secroots != NULL) dns_keytable_detach(&secroots); @@ -7706,7 +7707,8 @@ zone_refreshkeys(dns_zone_t *zone) { zone->refreshkeycount++; kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t)); - kfetch->zone = zone; + kfetch->zone = NULL; + dns_zone_attach(zone, &kfetch->zone); dns_fixedname_init(&kfetch->name); dns_name_dup(name, zone->mctx, dns_fixedname_name(&kfetch->name)); diff --git a/lib/isc/api b/lib/isc/api index ea516a14..f7fd6642 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -1,3 +1,3 @@ LIBINTERFACE = 61 -LIBREVISION = 3 +LIBREVISION = 4 LIBAGE = 1 diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c index fa313253..9690b084 100644 --- a/lib/isc/httpd.c +++ b/lib/isc/httpd.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2006-2008, 2010 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: httpd.c,v 1.16 2008/08/08 05:06:49 marka Exp $ */ +/* $Id: httpd.c,v 1.16.284.2 2010/02/04 23:48:30 tbox Exp $ */ /*! \file */ @@ -151,6 +151,7 @@ struct isc_httpdmgr { ISC_LIST(isc_httpdurl_t) urls; /*%< urls we manage */ isc_httpdaction_t *render_404; + isc_httpdaction_t *render_500; }; /*% @@ -221,6 +222,11 @@ static isc_result_t render_404(const char *, const char *, unsigned int *, const char **, const char **, isc_buffer_t *, isc_httpdfree_t **, void **); +static isc_result_t render_500(const char *, const char *, + void *, + unsigned int *, const char **, + const char **, isc_buffer_t *, + isc_httpdfree_t **, void **); static void destroy_client(isc_httpd_t **httpdp) @@ -300,6 +306,7 @@ isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task, goto cleanup; httpd->render_404 = render_404; + httpd->render_500 = render_500; *httpdp = httpd; return (ISC_R_SUCCESS); @@ -623,6 +630,30 @@ render_404(const char *url, const char *querystring, return (ISC_R_SUCCESS); } +static isc_result_t +render_500(const char *url, const char *querystring, + void *arg, + unsigned int *retcode, const char **retmsg, + const char **mimetype, isc_buffer_t *b, + isc_httpdfree_t **freecb, void **freecb_args) +{ + static char msg[] = "Internal server failure."; + + UNUSED(url); + UNUSED(querystring); + UNUSED(arg); + + *retcode = 500; + *retmsg = "Internal server failure"; + *mimetype = "text/plain"; + isc_buffer_reinit(b, msg, strlen(msg)); + isc_buffer_add(b, strlen(msg)); + *freecb = NULL; + *freecb_args = NULL; + + return (ISC_R_SUCCESS); +} + static void isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) { @@ -691,8 +722,14 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) &httpd->mimetype, &httpd->bodybuffer, &httpd->freecb, &httpd->freecb_arg); if (result != ISC_R_SUCCESS) { - destroy_client(&httpd); - goto out; + result = httpd->mgr->render_500(httpd->url, httpd->querystring, + NULL, + &httpd->retcode, + &httpd->retmsg, + &httpd->mimetype, + &httpd->bodybuffer, + &httpd->freecb, + &httpd->freecb_arg); } isc_httpd_response(httpd); diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index c3e5430f..9add24fa 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.326 2009/11/13 00:41:58 each Exp $ */ +/* $Id: socket.c,v 1.326.20.2 2010/01/31 23:48:29 tbox Exp $ */ /*! \file */ @@ -1674,12 +1674,22 @@ doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) { } /* - * On TCP, zero length reads indicate EOF, while on - * UDP, zero length reads are perfectly valid, although - * strange. + * On TCP and UNIX sockets, zero length reads indicate EOF, + * while on UDP sockets, zero length reads are perfectly valid, + * although strange. */ - if ((sock->type == isc_sockettype_tcp) && (cc == 0)) - return (DOIO_EOF); + switch (sock->type) { + case isc_sockettype_tcp: + case isc_sockettype_unix: + if (cc == 0) + return (DOIO_EOF); + break; + case isc_sockettype_udp: + break; + case isc_sockettype_fdwatch: + default: + INSIST(0); + } if (sock->type == isc_sockettype_udp) { dev->address.length = msghdr.msg_namelen; @@ -1,4 +1,4 @@ -# $Id: version,v 1.51.2.1 2010/01/21 21:26:06 each Exp $ +# $Id: version,v 1.51.2.2 2010/02/04 05:19:29 each Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -6,5 +6,5 @@ MAJORVER=9 MINORVER=7 PATCHVER=0 -RELEASETYPE=rc -RELEASEVER=2 +RELEASETYPE= +RELEASEVER= diff --git a/win32utils/BuildSetup.bat b/win32utils/BuildSetup.bat index 5942e267..5e371453 100644 --- a/win32utils/BuildSetup.bat +++ b/win32utils/BuildSetup.bat @@ -45,6 +45,7 @@ echo Copying the ARM and the Installation Notes. copy ..\COPYRIGHT ..\Build\Release
copy ..\README ..\Build\Release
+copy ..\HISTORY ..\Build\Release
copy readme1st.txt ..\Build\Release
copy index.html ..\Build\Release
copy ..\doc\arm\*.html ..\Build\Release
|