summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorInternet Software Consortium, Inc <@isc.org>2010-01-28 05:35:29 -0700
committerInternet Software Consortium, Inc <@isc.org>2010-01-28 05:35:29 -0700
commitee98af508e8628e0925fddd1de893f394f256c12 (patch)
tree13cc91474e5135aea9d9621b83b7a92333c77252
parent2d27fb027f207bdec109fad8c9c65f9d6278b3db (diff)
downloadbind9-ee98af508e8628e0925fddd1de893f394f256c12.tar.gz
9.7.0rc2
Diffstat
-rw-r--r--CHANGES127
-rw-r--r--COPYRIGHT4
-rw-r--r--FAQ18
-rw-r--r--FAQ.xml35
-rw-r--r--README32
-rw-r--r--README.rfc501118
-rw-r--r--bin/check/named-checkconf.822
-rw-r--r--bin/check/named-checkconf.docbook19
-rw-r--r--bin/check/named-checkconf.html27
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c10
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.813
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.c41
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.docbook19
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.html26
-rw-r--r--bin/dnssec/dnssec-keygen.c64
-rw-r--r--bin/dnssec/dnssec-revoke.c9
-rw-r--r--bin/dnssec/dnssec-settime.c18
-rw-r--r--bin/dnssec/dnssec-signzone.c6
-rw-r--r--bin/dnssec/dnssectool.c64
-rw-r--r--bin/dnssec/dnssectool.h8
-rw-r--r--bin/named/query.c48
-rw-r--r--bin/named/server.c22
-rw-r--r--bin/named/update.c106
-rw-r--r--bin/nsupdate/nsupdate.16
-rw-r--r--bin/nsupdate/nsupdate.docbook6
-rw-r--r--bin/nsupdate/nsupdate.html6
-rw-r--r--bin/pkcs11/pkcs11-destroy.c4
-rw-r--r--bin/rndc/rndc.c4
-rw-r--r--bin/tests/cfg_test.c6
-rw-r--r--bin/tests/system/autosign/clean.sh27
-rw-r--r--bin/tests/system/autosign/ns1/keygen.sh24
-rw-r--r--bin/tests/system/autosign/ns1/root.db.in5
-rw-r--r--bin/tests/system/autosign/ns2/bar.db.in85
-rw-r--r--bin/tests/system/autosign/ns2/example.db.in10
-rw-r--r--bin/tests/system/autosign/ns2/keygen.sh23
-rw-r--r--bin/tests/system/autosign/ns2/named.conf50
-rw-r--r--bin/tests/system/autosign/ns2/revkeys.shar231
-rw-r--r--bin/tests/system/autosign/ns3/keygen.sh56
-rw-r--r--bin/tests/system/autosign/ns3/named.conf75
-rw-r--r--bin/tests/system/autosign/ns3/nsec.example.db.in31
-rw-r--r--bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in31
-rw-r--r--bin/tests/system/autosign/ns3/oldsigs.example.db.in31
-rw-r--r--bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in (renamed from bin/tests/system/autosign/ns3/multiple.example.db.in)7
-rw-r--r--bin/tests/system/autosign/prereq.sh7
-rw-r--r--bin/tests/system/autosign/setup.sh6
-rw-r--r--bin/tests/system/autosign/tests.sh211
-rw-r--r--bin/tests/system/conf.sh.in8
-rw-r--r--bin/tests/system/dnssec/ns2/example.db.in10
-rw-r--r--bin/tests/system/dnssec/ns2/sign.sh53
-rw-r--r--bin/tests/system/dnssec/ns3/kskonly.example.db.in31
-rw-r--r--bin/tests/system/dnssec/ns3/named.conf9
-rw-r--r--bin/tests/system/dnssec/ns3/sign.sh60
-rw-r--r--bin/tests/system/dnssec/tests.sh69
-rw-r--r--bin/tests/system/pending/clean.sh5
-rw-r--r--bin/tests/system/pending/ns1/root.db.in7
-rw-r--r--bin/tests/system/pending/ns1/sign.sh7
-rw-r--r--bin/tests/system/pending/ns2/example.com.db.in32
-rw-r--r--bin/tests/system/pending/ns2/example.db.in7
-rw-r--r--bin/tests/system/pending/ns2/forgery.db29
-rw-r--r--bin/tests/system/pending/ns2/named.conf16
-rw-r--r--bin/tests/system/pending/ns2/sign.sh26
-rw-r--r--bin/tests/system/pending/tests.sh172
-rw-r--r--bin/tests/system/smartsign/child.db29
-rw-r--r--bin/tests/system/smartsign/clean.sh19
-rw-r--r--bin/tests/system/smartsign/parent.db36
-rw-r--r--bin/tests/system/smartsign/prereq.sh27
-rw-r--r--bin/tests/system/smartsign/setup.sh20
-rw-r--r--bin/tests/system/smartsign/tests.sh167
-rw-r--r--bin/tools/Makefile.in21
-rw-r--r--bin/tools/isc-hmac-fixup.861
-rw-r--r--bin/tools/isc-hmac-fixup.c136
-rw-r--r--bin/tools/isc-hmac-fixup.docbook109
-rw-r--r--bin/tools/isc-hmac-fixup.html84
-rw-r--r--bin/tools/win32/ischmacfixup.dsp103
-rw-r--r--bin/tools/win32/ischmacfixup.dsw29
-rw-r--r--bin/tools/win32/ischmacfixup.mak299
-rw-r--r--bin/tools/win32/journalprint.mak2
-rw-r--r--bin/win32/BINDInstall/BINDInstallDlg.cpp5
-rw-r--r--doc/arm/Bv9ARM-book.xml29
-rw-r--r--doc/arm/Bv9ARM.ch01.html52
-rw-r--r--doc/arm/Bv9ARM.ch02.html24
-rw-r--r--doc/arm/Bv9ARM.ch03.html28
-rw-r--r--doc/arm/Bv9ARM.ch04.html72
-rw-r--r--doc/arm/Bv9ARM.ch05.html8
-rw-r--r--doc/arm/Bv9ARM.ch06.html191
-rw-r--r--doc/arm/Bv9ARM.ch07.html16
-rw-r--r--doc/arm/Bv9ARM.ch08.html20
-rw-r--r--doc/arm/Bv9ARM.ch09.html182
-rw-r--r--doc/arm/Bv9ARM.ch10.html7
-rw-r--r--doc/arm/Bv9ARM.html157
-rw-r--r--doc/arm/man.arpaname.html10
-rw-r--r--doc/arm/man.ddns-confgen.html12
-rw-r--r--doc/arm/man.dig.html22
-rw-r--r--doc/arm/man.dnssec-dsfromkey.html18
-rw-r--r--doc/arm/man.dnssec-keyfromlabel.html26
-rw-r--r--doc/arm/man.dnssec-keygen.html18
-rw-r--r--doc/arm/man.dnssec-revoke.html12
-rw-r--r--doc/arm/man.dnssec-settime.html16
-rw-r--r--doc/arm/man.dnssec-signzone.html14
-rw-r--r--doc/arm/man.genrandom.html20
-rw-r--r--doc/arm/man.host.html12
-rw-r--r--doc/arm/man.isc-hmac-fixup.html122
-rw-r--r--doc/arm/man.named-checkconf.html31
-rw-r--r--doc/arm/man.named-checkzone.html14
-rw-r--r--doc/arm/man.named-journalprint.html10
-rw-r--r--doc/arm/man.named.html18
-rw-r--r--doc/arm/man.nsec3hash.html20
-rw-r--r--doc/arm/man.nsupdate.html20
-rw-r--r--doc/arm/man.rndc-confgen.html14
-rw-r--r--doc/arm/man.rndc.conf.html14
-rw-r--r--doc/arm/man.rndc.html14
-rw-r--r--doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt1058
-rw-r--r--doc/draft/draft-ietf-dnsext-axfr-clarify-13.txt1571
-rw-r--r--doc/draft/draft-ietf-dnsext-dns-tcp-requirements-02.txt (renamed from doc/draft/draft-ietf-dnsext-dns-tcp-requirements-01.txt)264
-rw-r--r--doc/draft/draft-ietf-dnsext-dnssec-gost-06.txt (renamed from doc/draft/draft-ietf-dnsext-dnssec-gost-05.txt)86
-rw-r--r--lib/dns/api2
-rw-r--r--lib/dns/dnssec.c85
-rw-r--r--lib/dns/dst_api.c8
-rw-r--r--lib/dns/dst_parse.c10
-rw-r--r--lib/dns/hmac_link.c146
-rw-r--r--lib/dns/include/dns/dnssec.h6
-rw-r--r--lib/dns/include/dns/keytable.h6
-rw-r--r--lib/dns/include/dns/log.h3
-rw-r--r--lib/dns/include/dns/name.h8
-rw-r--r--lib/dns/include/dns/ncache.h6
-rw-r--r--lib/dns/include/dns/types.h4
-rw-r--r--lib/dns/include/dns/zone.h4
-rw-r--r--lib/dns/log.c5
-rw-r--r--lib/dns/nsec3.c35
-rw-r--r--lib/dns/rbtdb.c49
-rw-r--r--lib/dns/resolver.c38
-rw-r--r--lib/dns/validator.c14
-rw-r--r--lib/dns/zone.c153
-rw-r--r--lib/export/samples/nsprobe.c8
-rw-r--r--lib/isc/Makefile.in5
-rw-r--r--lib/isc/api2
-rw-r--r--lib/isc/include/isc/md5.h5
-rw-r--r--lib/isc/include/isc/util.h14
-rw-r--r--version4
-rw-r--r--win32utils/BINDBuild.dsw15
-rw-r--r--win32utils/BuildAll.bat1
141 files changed, 5861 insertions, 2383 deletions
diff --git a/CHANGES b/CHANGES
index 6a74fcd3..aec133c9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,130 @@
+ --- 9.7.0rc2 released ---
+
+2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
+ creating key files if there is a chance that the new
+ key ID will collide with an existing one after
+ either of the keys has been revoked. (To override
+ this in the case of dnssec-keyfromlabel, use the -y
+ option. dnssec-keygen will simply create a
+ different, noncolliding key, so an override is
+ not necessary.) [RT #20838]
+
+2842. [func] Added "smartsign" and improved "autosign" and
+ "dnssec" regression tests. [RT #20865]
+
+2841. [bug] Change 2836 was not complete. [RT #20883]
+
+2840. [bug] Temporary fixed pkcs11-destroy usage check.
+ [RT #20760]
+
+2839. [bug] A KSK revoked by named could not be deleted.
+ [RT #20881]
+
+2838. [placeholder]
+
+2837. [port] Prevent Linux spurious warnings about fwrite().
+ [RT #20812]
+
+2836. [bug] Keys that were scheduled to become active could
+ be delayed. [RT #20874]
+
+2835. [bug] Key inactivity dates were inadvertently stored in
+ the private key file with the outdated tag
+ "Unpublish" rather than "Inactive". This has been
+ fixed; however, any existing keys that had Inactive
+ dates set will now need to have them reset, using
+ 'dnssec-settime -I'. [RT #20868]
+
+2834. [bug] HMAC-SHA* keys that were longer than the algorithm
+ digest length were used incorrectly, leading to
+ interoperability problems with other DNS
+ implementations. This has been corrected.
+ (Note: If an oversize key is in use, and
+ compatibility is needed with an older release of
+ BIND, the new tool "isc-hmac-fixup" can convert
+ the key secret to a form that will work with all
+ versions.) [RT #20751]
+
+2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
+ [RT #20851]
+
+2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
+ to avoid redefinition in some OSes [RT 20831]
+
+2831. [security] Do not attempt to validate or cache
+ out-of-bailiwick data returned with a secure
+ answer; it must be re-fetched from its original
+ source and validated in that context. [RT #20819]
+
+2830. [bug] Changing the OPTOUT setting could take multiple
+ passes. [RT #20813]
+
+2829. [bug] Fixed potential node inconsistency in rbtdb.c.
+ [RT #20808]
+
+2828. [security] Cached CNAME or DNAME RR could be returned to clients
+ without DNSSEC validation. [RT #20737]
+
+2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
+2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
+ being released. [RT #20740]
+
+2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
+ was in the process of being created was not properly
+ recorded in the zone. [RT #20786]
+
+2824. [bug] "rndc sign" was not being run by the correct task.
+ [RT #20759]
+
+2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
+
+2822. [bug] rbtdb.c:loadnode() could return the wrong result.
+ [RT #20802]
+
+2821. [doc] Add note that named-checkconf doesn't automatically
+ read rndc.key and bind.keys [RT #20758]
+
+2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
+ [RT #20771]
+
+2818. [cleanup] rndc could return an incorrect error code
+ when a zone was not found. [RT #20767]
+
+2817. [cleanup] Removed unnecessary isc_tasc_endexclusive() calls.
+ [RT #20768]
+
+2816. [bug] previous_closest_nsec() could fail to return
+ data for NSEC3 nodes [RT #29730]
+
+2815. [bug] Exclusively lock the task when freezing a zone.
+ [RT #19838]
+
+2814. [func] Provide a definitive error message when a master
+ zone is not loaded. [RT #20757]
+
+2813. [bug] Better handling of unreadable DNSSEC key files.
+ [RT #20710]
+
+2812. [bug] Make sure updates can't result in a zone with
+ NSEC-only keys and NSEC3 records. [RT 20748]
+
+2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
+ output. [RT #20733]
+
+2810. [doc] Clarified the process of transitioning an NSEC3 zone
+ to insecure. [RT #20746]
+
+2809. [cleanup] Restored accidentally-deleted text in usage output
+ in dnssec-settime and dnssec-revoke [RT #20739]
+
+2808. [bug] Remove the attempt to install atomic.h from lib/isc.
+ atomic.h is correctly installed by the architecture
+ specific subdirectories. [RT #20722]
+
+2807. [bug] Fixed a possible ASSERT when reconfiguring zone
+ keys. [RT #20720]
+
--- 9.7.0rc1 released ---
2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
diff --git a/COPYRIGHT b/COPYRIGHT
index 452f97d7..13254260 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-$Id: COPYRIGHT,v 1.15 2009/01/05 23:47:53 tbox Exp $
+$Id: COPYRIGHT,v 1.15.188.1 2010/01/04 23:48:10 tbox Exp $
Portions Copyright (C) 1996-2001 Nominum, Inc.
diff --git a/FAQ b/FAQ
index b256ed8b..9e3469ce 100644
--- a/FAQ
+++ b/FAQ
@@ -1,6 +1,6 @@
Frequently Asked Questions about BIND 9
-Copyright © 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
@@ -784,6 +784,22 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
See these man-pages for more information : selinux(8), named_selinux
(8), chcon(1), setsebool(8)
+Q: I'm running BIND on Ubuntu -
+
+ Why can't named update slave zone database files?
+
+ Why can't named create DDNS journal files or update the master zones
+ from journals?
+
+ Why can't named create custom log files?
+
+A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
+ addition to normal file system permissions to protect the system.
+
+ Adjust the paths to use those specified in /etc/apparmor.d/
+ usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named
+ to write at the location specified in named.conf.
+
Q: Listening on individual IPv6 interfaces does not work.
A: This is usually due to "/proc/net/if_inet6" not being available in the
diff --git a/FAQ.xml b/FAQ.xml
index 258bc8a9..e8654f73 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.52 2009/11/03 14:02:20 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.52.24.2 2010/01/20 23:48:18 tbox Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
@@ -29,6 +29,7 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -1385,6 +1386,36 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
<qandaentry>
<question>
<para>
+ I'm running BIND on Ubuntu -
+ </para>
+ <para>
+ Why can't named update slave zone database files?
+ </para>
+ <para>
+ Why can't named create DDNS journal files or update
+ the master zones from journals?
+ </para>
+ <para>
+ Why can't named create custom log files?
+ </para>
+ </question>
+ <answer>
+ <para>
+ Ubuntu uses AppArmor <ulink url="http://en.wikipedia.org/wiki/AppArmor">
+ &lt;http://en.wikipedia.org/wiki/AppArmor&gt;</ulink> in
+ addition to normal file system permissions to protect the system.
+ </para>
+ <para>
+ Adjust the paths to use those specified in /etc/apparmor.d/usr.sbin.named
+ or adjust /etc/apparmor.d/usr.sbin.named to allow named to write at the
+ location specified in named.conf.
+ </para>
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+ <para>
Listening on individual IPv6 interfaces does not work.
</para>
</question>
diff --git a/README b/README
index c3277631..c1def626 100644
--- a/README
+++ b/README
@@ -73,10 +73,34 @@ BIND 9.7.0
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection (see README.pkcs11 for additional details).
- Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
- ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
- you should ensure that all changes that are in progress have completed
- prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
+ COMPATIBILITY NOTES:
+
+ - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
+ ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
+ you should ensure that all changes that are in progress have
+ completed prior to upgrading to BIND 9.7. BIND 9.7 implements
+ those features in a way which is not backwards compatible.
+
+ - Prior releases had a bug which caused HMAC-SHA* keys with long
+ secrets to be used incorrectly. Fixing this bug means that older
+ versions of BIND 9 may fail to interoperate with this version
+ when using TSIG keys. If this occurs, the new "isc-hmac-fixup"
+ tool will convert a key with a long secret into a form that works
+ correctly with all versions of BIND 9. See the "isc-hmac-fixup"
+ man page for additional details.
+
+ - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
+ It is possible for the new key ID to collide with that of a
+ different key. Newly generated keys will not have this problem,
+ as "dnssec-keygen" looks for potential collisions before
+ generating keys, but exercise caution if using key revokation
+ with keys that were generated by older versions of BIND 9.
+ See README.rfc5011 for more details.
+
+ - A bug was fixed in which a key's scheduled inactivity date was
+ stored incorectly. Users who participated in the 9.7.0 BETA
+ test and had DNSSEC keys with scheduled inactivity dates will
+ need to reset those keys' dates using "dnssec-settime -I".
BIND 9.6.0
diff --git a/README.rfc5011 b/README.rfc5011
index fd941fb9..7cf34912 100644
--- a/README.rfc5011
+++ b/README.rfc5011
@@ -54,3 +54,21 @@ the resolver. However, validation can proceed using the new active key
(which had been accepted by the resolver when it was a stand-by key).
See RFC 5011 for more details on key rollover scenarios.
+
+When a key has been revoked, its key ID changes, increasing by
+128, and wrapping around at 65535. So, for example, the key
+"Kexample.com.+005+10000" becomes "Kexample.com.+005+10128".
+
+If two keys have ID's exactly 128 apart, and one is revoked, then the
+two key ID's will collide, causing several problems. To prevent this,
+dnssec-keygen will not generate a new key if another key is present which
+may collide. This checking will only occur if the new keys are written
+to the same directory which holds all other keys in use for that zone.
+
+Older versions of BIND 9 did not have this precaution. Exercise caution if
+using key revocation on keys that were generated by previous releases, or
+if using keys stored in multiple directories or on multiple machines.
+
+It is expected that a future release of BIND 9 will address this problem
+in a different way, by storing revoked keys with their original unrevoked
+key ID's.
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index d39bdb73..ebc371e5 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkconf.8,v 1.32 2009/07/14 01:13:07 tbox Exp $
+.\" $Id: named-checkconf.8,v 1.32.126.1 2009/12/29 02:09:32 tbox Exp $
.\"
.hy 0
.ad l
@@ -37,7 +37,25 @@ named\-checkconf \- named configuration file syntax checking tool
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a named configuration file.
+checks the syntax, but not the semantics, of a
+\fBnamed\fR
+configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
+\fI/etc/named.conf\fR
+is read by default.
+.PP
+Note: files that
+\fBnamed\fR
+reads in separate parser contexts, such as
+\fIrndc.key\fR
+and
+\fIbind.keys\fR, are not automatically read by
+\fBnamed\-checkconf\fR. Configuration errors in these files may cause
+\fBnamed\fR
+to fail to run, even if
+\fBnamed\-checkconf\fR
+was successful.
+\fBnamed\-checkconf\fR
+can be run on these files explicitly, however.
.SH "OPTIONS"
.PP
\-h
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index 877998be..c278b438 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.21 2009/07/13 23:47:42 tbox Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.21.126.1 2009/12/28 23:21:44 each Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@@ -67,8 +67,21 @@
<refsect1>
<title>DESCRIPTION</title>
<para><command>named-checkconf</command>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <command>named</command> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <filename>/etc/named.conf</filename> is read
+ by default.
+ </para>
+ <para>
+ Note: files that <command>named</command> reads in separate
+ parser contexts, such as <filename>rndc.key</filename> and
+ <filename>bind.keys</filename>, are not automatically read
+ by <command>named-checkconf</command>. Configuration
+ errors in these files may cause <command>named</command> to
+ fail to run, even if <command>named-checkconf</command> was
+ successful. <command>named-checkconf</command> can be run
+ on these files explicitly, however.
</para>
</refsect1>
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index e43819a8..da1cee16 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.html,v 1.32 2009/07/14 01:13:07 tbox Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.32.126.1 2009/12/29 02:09:33 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -34,12 +34,25 @@
<div class="refsect1" lang="en">
<a name="id2543395"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <span><strong class="command">named</strong></span> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <code class="filename">/etc/named.conf</code> is read
+ by default.
+ </p>
+<p>
+ Note: files that <span><strong class="command">named</strong></span> reads in separate
+ parser contexts, such as <code class="filename">rndc.key</code> and
+ <code class="filename">bind.keys</code>, are not automatically read
+ by <span><strong class="command">named-checkconf</strong></span>. Configuration
+ errors in these files may cause <span><strong class="command">named</strong></span> to
+ fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
+ successful. <span><strong class="command">named-checkconf</strong></span> can be run
+ on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543406"></a><h2>OPTIONS</h2>
+<a name="id2543444"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -78,21 +91,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543530"></a><h2>RETURN VALUES</h2>
+<a name="id2543568"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543542"></a><h2>SEE ALSO</h2>
+<a name="id2543579"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543572"></a><h2>AUTHOR</h2>
+<a name="id2543609"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index f2408a8d..55ede033 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-dsfromkey.c,v 1.16 2009/10/12 20:48:10 each Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.16.50.1 2010/01/13 19:31:51 each Exp $ */
/*! \file */
@@ -265,12 +265,12 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
fatal("can't print class");
isc_buffer_usedregion(&nameb, &r);
- fwrite(r.base, 1, r.length, stdout);
+ isc_util_fwrite(r.base, 1, r.length, stdout);
putchar(' ');
isc_buffer_usedregion(&classb, &r);
- fwrite(r.base, 1, r.length, stdout);
+ isc_util_fwrite(r.base, 1, r.length, stdout);
if (lookaside == NULL)
printf(" DS ");
@@ -278,7 +278,7 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
- fwrite(r.base, 1, r.length, stdout);
+ isc_util_fwrite(r.base, 1, r.length, stdout);
putchar('\n');
}
diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 1ea7f5cd..4f561500 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.16 2009/11/03 21:58:30 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.16.24.1 2010/01/20 02:08:51 tbox Exp $
.\"
.hy 0
.ad l
@@ -32,7 +32,7 @@
dnssec\-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 20
-\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
@@ -138,6 +138,11 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
+.PP
+\-y
+.RS 4
+Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.)
+.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
@@ -210,5 +215,5 @@ RFC 4034.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 50777022..1b60e06b 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.29 2009/11/25 23:00:32 marka Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.29.8.2 2010/01/19 23:48:12 tbox Exp $ */
/*! \file */
@@ -32,6 +32,7 @@
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
@@ -82,13 +83,14 @@ usage(void) {
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
- fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+ fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
+ fprintf(stderr, " -y: permit keys that might collide\n");
fprintf(stderr, " -v verbose level\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
@@ -117,7 +119,7 @@ main(int argc, char **argv) {
#endif
char *classname = NULL;
char *endp;
- dst_key_t *key = NULL, *oldkey = NULL;
+ dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
@@ -146,6 +148,8 @@ main(int argc, char **argv) {
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE;
isc_boolean_t use_nsec3 = ISC_FALSE;
+ isc_boolean_t avoid_collisions = ISC_TRUE;
+ isc_boolean_t exact;
unsigned char c;
if (argc == 1)
@@ -160,7 +164,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
- "3a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
+ "3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case '3':
@@ -218,6 +222,9 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
+ case 'y':
+ avoid_collisions = ISC_FALSE;
+ break;
case 'G':
genonly = ISC_TRUE;
break;
@@ -502,16 +509,26 @@ main(int argc, char **argv) {
}
/*
- * Try to read a key with the same name, alg and id from disk.
- * If there is one we must return failure.
+ * Do not overwrite an existing key. Warn LOUDLY if there
+ * is a risk of ID collision due to this key or another key
+ * being revoked.
*/
- ret = dst_key_fromfile(name, dst_key_id(key), alg,
- DST_TYPE_PRIVATE, directory, mctx, &oldkey);
- /* do not overwrite an existing key */
- if (ret == ISC_R_SUCCESS) {
+ if (key_collision(dst_key_id(key), name, directory, alg, mctx, &exact))
+ {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
- fatal("%s: %s already exists\n", program, filename);
+ if (exact)
+ fatal("%s: %s already exists\n", program, filename);
+
+ if (avoid_collisions)
+ fatal("%s: %s could collide with another key upon "
+ "revokation\n", program, filename);
+
+ fprintf(stderr, "%s: WARNING: Key %s could collide with "
+ "another key upon revokation. If you plan "
+ "to revoke keys, destroy this key and "
+ "generate a different one.\n",
+ program, filename);
}
ret = dst_key_tofile(key, options, directory);
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 6516d8e3..f0197d49 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.15 2009/11/03 21:44:46 each Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.15.24.2 2010/01/19 23:48:12 tbox Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@@ -38,6 +38,7 @@
<copyright>
<year>2008</year>
<year>2009</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -63,6 +64,7 @@
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-y</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -264,6 +266,19 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-y</term>
+ <listitem>
+ <para>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index 735aed44..778b23fd 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.html,v 1.15 2009/11/03 21:58:30 tbox Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.html,v 1.15.24.1 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -28,10 +28,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543483"></a><h2>DESCRIPTION</h2>
+<a name="id2543491"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -44,7 +44,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543501"></a><h2>OPTIONS</h2>
+<a name="id2543509"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -152,10 +152,18 @@
<dd><p>
Sets the debugging level.
</p></dd>
+<dt><span class="term">-y</span></dt>
+<dd><p>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543852"></a><h2>TIMING OPTIONS</h2>
+<a name="id2543873"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -202,7 +210,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544019"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2544039"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@@ -241,7 +249,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544091"></a><h2>SEE ALSO</h2>
+<a name="id2544112"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -249,7 +257,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544124"></a><h2>AUTHOR</h2>
+<a name="id2544145"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index befd7385..79484ffc 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.108 2009/11/25 22:58:48 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.108.8.4 2010/01/19 23:48:12 tbox Exp $ */
/*! \file */
@@ -47,6 +47,7 @@
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
@@ -67,11 +68,6 @@ int verbose;
#define DEFAULT_ALGORITHM "RSASHA1"
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
-static isc_boolean_t
-dsa_size_ok(int size) {
- return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
-
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -142,14 +138,16 @@ usage(void) {
fprintf(stderr, " -m <memory debugging mode>:\n");
fprintf(stderr, " usage | trace | record | size | mctx\n");
fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
- fprintf(stderr, "Date options:\n");
- fprintf(stderr, " -P date/[+-]offset: set key publication date "
+ fprintf(stderr, "Timing options:\n");
+ fprintf(stderr, " -P date/[+-]offset/none: set key publication date "
"(default: now)\n");
- fprintf(stderr, " -A date/[+-]offset: set key activation date "
+ fprintf(stderr, " -A date/[+-]offset/none: set key activation date "
"(default: now)\n");
- fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
- fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
- fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
+ fprintf(stderr, " -R date/[+-]offset/none: set key "
+ "revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset/none: set key "
+ "inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset/none: set key deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
"all dates\n");
@@ -160,6 +158,11 @@ usage(void) {
exit (-1);
}
+static isc_boolean_t
+dsa_size_ok(int size) {
+ return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
static void
progress(int p)
{
@@ -190,7 +193,7 @@ main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
- dst_key_t *key = NULL, *oldkey;
+ dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
@@ -728,7 +731,6 @@ main(int argc, char **argv) {
do {
conflict = ISC_FALSE;
- oldkey = NULL;
if (!quiet && show_progress) {
fprintf(stderr, "Generating key pair.");
@@ -816,37 +818,35 @@ main(int argc, char **argv) {
}
/*
- * Try to read a key with the same name, alg and id from disk.
- * If there is one we must continue generating a different
- * key unless we were asked to generate a null key, in which
- * case we return failure.
+ * Do not overwrite an existing key, or create a key
+ * if there is a risk of ID collision due to this key
+ * or another key being revoked.
*/
- ret = dst_key_fromfile(name, dst_key_id(key), alg,
- DST_TYPE_PRIVATE, directory,
- mctx, &oldkey);
- /* do not overwrite an existing key */
- if (ret == ISC_R_SUCCESS) {
- dst_key_free(&oldkey);
+ if (key_collision(dst_key_id(key), name, directory,
+ alg, mctx, NULL)) {
conflict = ISC_TRUE;
- if (null_key)
+ if (null_key) {
+ dst_key_free(&key);
break;
- }
- if (conflict == ISC_TRUE) {
+ }
+
if (verbose > 0) {
isc_buffer_clear(&buf);
dst_key_buildfilename(key, 0, directory, &buf);
fprintf(stderr,
- "%s: %s already exists, "
- "generating a new key\n",
+ "%s: %s already exists, or might "
+ "collide with another key upon "
+ "revokation. Generating a new key\n",
program, filename);
}
+
dst_key_free(&key);
}
} while (conflict == ISC_TRUE);
if (conflict)
- fatal("cannot generate a null key when a key with id 0 "
- "already exists");
+ fatal("cannot generate a null key due to possible key ID "
+ "collision");
ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 4df61fd5..d5858b0c 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-revoke.c,v 1.18 2009/10/27 18:56:48 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.18.34.2 2009/12/18 23:48:18 tbox Exp $ */
/*! \file */
@@ -54,12 +54,11 @@ usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
- fprintf(stderr, "\t-E engine:\n");
#ifdef USE_PKCS11
- fprintf(stderr, "\t\tname of an OpenSSL engine to use "
- "(default is \"pkcs11\")\n");
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
#else
- fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -K directory: use directory for key files\n");
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 0fedbbb7..70ad94ad 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-settime.c,v 1.19 2009/10/27 18:56:49 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.19.34.5 2010/01/07 19:16:30 each Exp $ */
/*! \file */
@@ -58,10 +58,10 @@ usage(void) {
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
#ifdef USE_PKCS11
- fprintf(stderr, "\t\tname of an OpenSSL engine to use "
- "(default is \"pkcs11\")\n");
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
#else
- fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
fprintf(stderr, " -f: force update of old-style "
"keys\n");
@@ -71,13 +71,13 @@ usage(void) {
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
- fprintf(stderr, " -A date/[+-]offset/none: set key "
+ fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
"activation date\n");
- fprintf(stderr, " -R date/[+-]offset/none: set key "
+ fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
"revocation date\n");
- fprintf(stderr, " -I date/[+-]offset/none: set key "
+ fprintf(stderr, " -I date/[+-]offset/none: set/unset key "
"inactivation date\n");
- fprintf(stderr, " -D date/[+-]offset/none: set key "
+ fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/A/R/U/D/all: print a particular time "
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 1d327a10..cd02e552 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.258 2009/12/04 22:06:37 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.258.4.2 2010/01/05 23:47:58 tbox Exp $ */
/*! \file */
@@ -3256,7 +3256,7 @@ usage(void) {
fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n");
- fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs");
+ fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n");
fprintf(stderr, "\t-t:\t");
fprintf(stderr, "print statistics\n");
fprintf(stderr, "\t-u:\t");
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index a1b3f600..44329356 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.58 2009/10/26 23:47:35 tbox Exp $ */
+/* $Id: dnssectool.c,v 1.58.36.2 2010/01/19 23:48:13 tbox Exp $ */
/*! \file */
@@ -37,6 +37,8 @@
#include <isc/util.h>
#include <isc/print.h>
+#include <dns/dnssec.h>
+#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdatastruct.h>
@@ -402,3 +404,61 @@ set_keyversion(dst_key_t *key) {
dst_key_settime(key, DST_TIME_CREATED, now);
}
}
+
+isc_boolean_t
+key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
+ dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact)
+{
+ isc_result_t result;
+ isc_boolean_t conflict = ISC_FALSE;
+ dns_dnsseckeylist_t matchkeys;
+ dns_dnsseckey_t *key = NULL;
+ isc_uint16_t oldid, diff;
+ isc_uint16_t bits = DNS_KEYFLAG_REVOKE; /* flag bits to look for */
+
+ if (exact != NULL)
+ *exact = ISC_FALSE;
+
+ ISC_LIST_INIT(matchkeys);
+ result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
+ if (result == ISC_R_NOTFOUND)
+ return (ISC_FALSE);
+
+ while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
+ key = ISC_LIST_HEAD(matchkeys);
+ if (dst_key_alg(key->key) != alg)
+ goto next;
+
+ oldid = dst_key_id(key->key);
+ diff = (oldid > id) ? (oldid - id) : (id - oldid);
+ if ((diff & ~bits) == 0) {
+ conflict = ISC_TRUE;
+ if (diff != 0) {
+ if (verbose > 1)
+ fprintf(stderr, "Key ID %d could "
+ "collide with %d\n",
+ id, oldid);
+ } else {
+ if (exact != NULL)
+ *exact = ISC_TRUE;
+ if (verbose > 1)
+ fprintf(stderr, "Key ID %d exists\n",
+ id);
+ }
+ }
+
+ next:
+ ISC_LIST_UNLINK(matchkeys, key, link);
+ dns_dnsseckey_destroy(mctx, &key);
+ }
+
+ /* Finish freeing the list */
+ while (!ISC_LIST_EMPTY(matchkeys)) {
+ key = ISC_LIST_HEAD(matchkeys);
+ ISC_LIST_UNLINK(matchkeys, key, link);
+ dns_dnsseckey_destroy(mctx, &key);
+ }
+
+ return (conflict);
+}
+
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 249d7054..a50a85a1 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.h,v 1.29 2009/10/26 21:18:24 each Exp $ */
+/* $Id: dnssectool.h,v 1.29.36.2 2010/01/19 23:48:13 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@@ -76,4 +76,8 @@ check_keyversion(dst_key_t *key, char *keystr);
void
set_keyversion(dst_key_t *key);
+
+isc_boolean_t
+key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
+ dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact);
#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/bin/named/query.c b/bin/named/query.c
index a9795a2b..7760539e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.335 2009/11/28 15:57:36 vjs Exp $ */
+/* $Id: query.c,v 1.335.8.1 2009/12/30 08:33:40 jinmei Exp $ */
/*! \file */
@@ -3737,8 +3737,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_rdataset_t *noqname;
isc_boolean_t resuming;
int line = -1;
- dns_rdataset_t tmprdataset;
- unsigned int dboptions;
CTRACE("query_find");
@@ -3956,49 +3954,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* Now look for an answer in the database.
*/
- dboptions = client->query.dboptions;
- if (sigrdataset == NULL && client->view->enablednssec) {
- /*
- * If the client doesn't want DNSSEC we still want to
- * look for any data pending validation to save a remote
- * lookup if possible.
- */
- dns_rdataset_init(&tmprdataset);
- sigrdataset = &tmprdataset;
- dboptions |= DNS_DBFIND_PENDINGOK;
- }
- refind:
result = dns_db_find(db, client->query.qname, version, type,
- dboptions, client->now, &node, fname,
- rdataset, sigrdataset);
- /*
- * If we have found pending data try to validate it.
- * If the data does not validate as secure and we can't
- * use the unvalidated data requery the database with
- * pending disabled to prevent infinite looping.
- */
- if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
- goto validation_done;
- if (validate(client, db, fname, rdataset, sigrdataset))
- goto validation_done;
- if (rdataset->trust != dns_trust_pending_answer ||
- !PENDINGOK(client->query.dboptions)) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (sigrdataset == &tmprdataset)
- sigrdataset = NULL;
- dns_db_detachnode(db, &node);
- dboptions &= ~DNS_DBFIND_PENDINGOK;
- goto refind;
- }
- validation_done:
- if (sigrdataset == &tmprdataset) {
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- sigrdataset = NULL;
- }
+ client->query.dboptions, client->now,
+ &node, fname, rdataset, sigrdataset);
resume:
CTRACE("query_find: resume");
diff --git a/bin/named/server.c b/bin/named/server.c
index 20d09108..427b56ef 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.556 2009/11/28 15:57:36 vjs Exp $ */
+/* $Id: server.c,v 1.556.8.6 2010/01/13 23:48:19 tbox Exp $ */
/*! \file */
@@ -4090,8 +4090,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
/*
- * Create (or recreate) the built-in views. Currently
- * there is only one, the _bind view, but allow for others.
+ * Create (or recreate) the built-in views.
*/
builtin_views = NULL;
RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
@@ -5132,6 +5131,8 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
/* Partial match? */
if (result != ISC_R_SUCCESS && *zonep != NULL)
dns_zone_detach(zonep);
+ if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
fail1:
return (result);
}
@@ -6151,10 +6152,8 @@ ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
n = snprintf((char *)isc_buffer_used(text),
isc_buffer_availablelength(text),
"%d tsig keys deleted.\n", foundkeys);
- if (n >= isc_buffer_availablelength(text)) {
- isc_task_endexclusive(server->task);
+ if (n >= isc_buffer_availablelength(text))
return (ISC_R_NOSPACE);
- }
isc_buffer_add(text, n);
return (ISC_R_SUCCESS);
@@ -6270,10 +6269,8 @@ ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
n = snprintf((char *)isc_buffer_used(text),
isc_buffer_availablelength(text),
"no tsig keys found.\n");
- if (n >= isc_buffer_availablelength(text)) {
- isc_task_endexclusive(server->task);
+ if (n >= isc_buffer_availablelength(text))
return (ISC_R_NOSPACE);
- }
isc_buffer_add(text, n);
}
@@ -6304,7 +6301,7 @@ ns_server_sign(ns_server_t *server, char *args) {
keyopts = dns_zone_getkeyopts(zone);
if ((keyopts & DNS_ZONEKEY_ALLOW) != 0)
- result = dns_zone_rekey(zone);
+ dns_zone_rekey(zone);
else
result = ISC_R_NOPERM;
@@ -6359,6 +6356,8 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
return (DNS_R_NOTMASTER);
}
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
frozen = dns_zone_getupdatedisabled(zone);
if (freeze) {
if (frozen) {
@@ -6398,6 +6397,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
}
}
}
+ isc_task_endexclusive(server->task);
if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
isc_buffer_putmem(text, (const unsigned char *)msg,
diff --git a/bin/named/update.c b/bin/named/update.c
index 8dfd121d..97e06b0b 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.176 2009/12/04 21:09:32 marka Exp $ */
+/* $Id: update.c,v 1.176.4.3 2009/12/30 03:55:03 marka Exp $ */
#include <config.h>
@@ -3034,61 +3034,62 @@ static isc_result_t
check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_diff_t *diff)
{
- dns_diff_t temp_diff;
- dns_diffop_t op;
- dns_difftuple_t *tuple, *newtuple = NULL, *next;
- isc_boolean_t flag;
+ dns_difftuple_t *tuple;
+ isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
isc_result_t result;
unsigned int iterations = 0, max;
dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
- dns_diff_init(diff->mctx, &temp_diff);
+ /* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ if (tuple->op != DNS_DIFFOP_ADD)
+ continue;
- CHECK(dns_nsec_nseconly(db, ver, &flag));
+ if (tuple->rdata.type == dns_rdatatype_dnskey) {
+ isc_uint8_t alg;
+ alg = tuple->rdata.data[3];
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+ alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+ nseconly = ISC_TRUE;
+ break;
+ }
+ } else if (tuple->rdata.type == dns_rdatatype_nsec3param) {
+ nsec3 = ISC_TRUE;
+ break;
+ }
+ }
+
+ /* Check existing DB for NSEC-only DNSKEY */
+ if (!nseconly)
+ CHECK(dns_nsec_nseconly(db, ver, &nseconly));
- if (flag)
+ /* Check existing DB for NSEC3 */
+ if (!nsec3)
CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
- privatetype, &flag));
- if (flag) {
- update_log(client, zone, ISC_LOG_WARNING,
+ privatetype, &nsec3));
+
+ /* Refuse to allow NSEC3 with NSEC-only keys */
+ if (nseconly && nsec3) {
+ update_log(client, zone, ISC_LOG_ERROR,
"NSEC only DNSKEYs and NSEC3 chains not allowed");
- } else {
- CHECK(get_iterations(db, ver, privatetype, &iterations));
- CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
- if (max != 0 && iterations > max) {
- flag = ISC_TRUE;
- update_log(client, zone, ISC_LOG_WARNING,
- "too many NSEC3 iterations (%u) for "
- "weakest DNSKEY (%u)", iterations, max);
- }
- }
- if (flag) {
- for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL;
- tuple = next) {
- next = ISC_LIST_NEXT(tuple, link);
- if (tuple->rdata.type != dns_rdatatype_dnskey &&
- tuple->rdata.type != dns_rdatatype_nsec3param)
- continue;
- op = (tuple->op == DNS_DIFFOP_DEL) ?
- DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
- CHECK(dns_difftuple_create(temp_diff.mctx, op,
- &tuple->name, tuple->ttl,
- &tuple->rdata, &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
- INSIST(newtuple == NULL);
- }
- for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
- tuple != NULL;
- tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
- ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
- dns_diff_appendminimal(diff, &tuple);
- }
+ result = DNS_R_REFUSED;
+ goto failure;
}
+ /* Verify NSEC3 params */
+ CHECK(get_iterations(db, ver, privatetype, &iterations));
+ CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
+ if (max != 0 && iterations > max) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "too many NSEC3 iterations (%u) for "
+ "weakest DNSKEY (%u)", iterations, max);
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
failure:
- dns_diff_clear(&temp_diff);
return (result);
}
@@ -3182,6 +3183,23 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
}
/*
+ * Remove any existing CREATE request to add an
+ * otherwise indentical chain with a reversed
+ * OPTOUT state.
+ */
+ buf[2] ^= DNS_NSEC3FLAG_OPTOUT;
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+
+ if (flag) {
+ CHECK(dns_difftuple_create(diff->mctx,
+ DNS_DIFFOP_DEL,
+ name, tuple->ttl,
+ &rdata,
+ &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ }
+
+ /*
* Remove the temporary add record.
*/
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index 40000e11..a07e3bca 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nsupdate.1,v 1.11 2009/10/16 04:20:32 tbox Exp $
+.\" $Id: nsupdate.1,v 1.11.42.1 2009/12/17 02:57:07 tbox Exp $
.\"
.hy 0
.ad l
@@ -126,7 +126,7 @@ can be run in a local\-host only mode using the
flag. This sets the server address to localhost (disabling the
\fBserver\fR
so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in
-\fI/var/run/named/ddns.key\fR, which is automatically generated by
+\fI/var/run/named/session.key\fR, which is automatically generated by
\fBnamed\fR
if any local master zone has set
\fBupdate\-policy\fR
@@ -381,7 +381,7 @@ The prerequisite condition gets the name server to check that there are no resou
used to identify default name server
.RE
.PP
-\fB/var/run/named/ddns.key\fR
+\fB/var/run/named/session.key\fR
.RS 4
sets the default TSIG key for use in local\-only mode
.RE
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index 31afb281..e3e1469c 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.41 2009/10/16 02:59:41 each Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.41.42.1 2009/12/16 07:12:49 each Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Aug 25, 2009</date>
@@ -183,7 +183,7 @@
using the <option>-l</option> flag. This sets the server address to
localhost (disabling the <command>server</command> so that the server
address cannot be overridden). Connections to the local server will
- use a TSIG key found in <filename>/var/run/named/ddns.key</filename>,
+ use a TSIG key found in <filename>/var/run/named/session.key</filename>,
which is automatically generated by <command>named</command> if any
local master zone has set <command>update-policy</command> to
<command>local</command>. The location of this key file can be
@@ -655,7 +655,7 @@
</varlistentry>
<varlistentry>
- <term><constant>/var/run/named/ddns.key</constant></term>
+ <term><constant>/var/run/named/session.key</constant></term>
<listitem>
<para>
sets the default TSIG key for use in local-only mode
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 4407b515..3c35d94e 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.html,v 1.48 2009/10/16 04:20:32 tbox Exp $ -->
+<!-- $Id: nsupdate.html,v 1.48.42.1 2009/12/17 02:57:07 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -139,7 +139,7 @@
using the <code class="option">-l</code> flag. This sets the server address to
localhost (disabling the <span><strong class="command">server</strong></span> so that the server
address cannot be overridden). Connections to the local server will
- use a TSIG key found in <code class="filename">/var/run/named/ddns.key</code>,
+ use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
which is automatically generated by <span><strong class="command">named</strong></span> if any
local master zone has set <span><strong class="command">update-policy</strong></span> to
<span><strong class="command">local</strong></span>. The location of this key file can be
@@ -516,7 +516,7 @@
<dd><p>
used to identify default name server
</p></dd>
-<dt><span class="term"><code class="constant">/var/run/named/ddns.key</code></span></dt>
+<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
<dd><p>
sets the default TSIG key for use in local-only mode
</p></dd>
diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
index d7e4a92d..2c7cb265 100644
--- a/bin/pkcs11/pkcs11-destroy.c
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -38,7 +38,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: pkcs11-destroy.c,v 1.7 2009/10/26 23:36:53 each Exp $ */
+/* $Id: pkcs11-destroy.c,v 1.7.36.1 2010/01/13 21:21:33 fdupont Exp $ */
/* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */
@@ -124,7 +124,7 @@ main(int argc, char *argv[])
}
}
- if (errflg || (!id && (label != NULL))) {
+ if (errflg || (id && (label != NULL))) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
"[-i id | -l label] [-p pin]\n");
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 6ea63556..0786d2c3 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.126 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: rndc.c,v 1.126.66.1 2009/12/18 07:59:09 each Exp $ */
/*! \file */
@@ -117,6 +117,8 @@ command is one of the following:\n\
notify zone [class [view]]\n\
Resend NOTIFY messages for the zone.\n\
reconfig Reload configuration file and new zones only.\n\
+ sign zone [class [view]]\n\
+ Update zone keys, and sign as needed.\n\
stats Write server statistics to the statistics file.\n\
querylog Toggle query logging.\n\
dumpdb [-all|-cache|-zones] [view ...]\n\
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c
index 25a372cf..d26121f3 100644
--- a/bin/tests/cfg_test.c
+++ b/bin/tests/cfg_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cfg_test.c,v 1.21 2009/03/02 23:47:43 tbox Exp $ */
+/* $Id: cfg_test.c,v 1.21.154.1 2010/01/13 19:31:52 each Exp $ */
/*! \file */
@@ -49,7 +49,7 @@ check_result(isc_result_t result, const char *format, ...) {
static void
output(void *closure, const char *text, int textlen) {
UNUSED(closure);
- (void) fwrite(text, 1, textlen, stdout);
+ (void) isc_util_fwrite(text, 1, textlen, stdout);
}
static void
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index 303b4b47..0d22a8c9 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,24 +14,31 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: clean.sh,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
-rm -f inact.key del.key unpub.key standby.key rev.key
-rm -f ns1/root.db ns2/example.db ns3/secure.example.db
-rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
-rm -f ns2/private.secure.example.db
+rm -f active.key inact.key del.key unpub.key standby.key rev.key
+rm -f nopriv.key vanishing.key
+rm -f nsupdate.out
rm -f */core
rm -f */example.bk
+rm -f */named.memstats
rm -f dig.out.*
rm -f random.data
-rm -f ns2/dlv.db
-rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
-rm -f ns3/optout-unknown.example.db ns3/optout.example.db
-rm -f */named.memstats
+rm -f ns1/root.db
+rm -f ns2/example.db
+rm -f ns2/private.secure.example.db ns2/bar.db
+rm -f ns3/nsec.example.db
+rm -f ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db
+rm -f ns3/nsec3-to-nsec.example.db
+rm -f ns3/oldsigs.example.db
+rm -f ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
+rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
+rm -f ns3/secure.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
+rm -f ns3/secure-to-insecure.example.db
diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
index cdcf31d9..607570cd 100644
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: keygen.sh,v 1.3.6.3 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -29,14 +29,17 @@ infile=root.db.in
cat $infile ../ns2/dsset-example. > $zonefile
-$KEYGEN -q -r $RANDFILE $zone > /dev/null
-zskdel=`$KEYGEN -q -r $RANDFILE -D now $zone`
-zskinact=`$KEYGEN -q -r $RANDFILE -I now $zone`
-zskunpub=`$KEYGEN -q -r $RANDFILE -G $zone`
-zsksby=`$KEYGEN -q -r $RANDFILE -A none $zone`
+zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
+zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
+zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
+zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
+zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
+rm $zsknopriv.private
-ksksby=`$KEYGEN -q -r $RANDFILE -P now -A now+15s -fk $zone`
-kskrev=`$KEYGEN -q -r $RANDFILE -R now+15s -fk $zone`
+ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
+kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
@@ -62,8 +65,11 @@ EOF
' > trusted.conf
cp trusted.conf ../ns5/trusted.conf
+echo $zskact > ../active.key
+echo $zskvanish > ../vanishing.key
echo $zskdel > ../del.key
echo $zskinact > ../inact.key
echo $zskunpub > ../unpub.key
+echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
echo $kskrev > ../rev.key
diff --git a/bin/tests/system/autosign/ns1/root.db.in b/bin/tests/system/autosign/ns1/root.db.in
index a1a19c4d..5c954060 100644
--- a/bin/tests/system/autosign/ns1/root.db.in
+++ b/bin/tests/system/autosign/ns1/root.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+; $Id: root.db.in,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
$TTL 30
. IN SOA a.root.servers.nil. each.isc.org. (
@@ -26,4 +26,5 @@ $TTL 30
a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
+bar. NS ns2.example.
ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/autosign/ns2/bar.db.in b/bin/tests/system/autosign/ns2/bar.db.in
new file mode 100644
index 00000000..77ac4bc7
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/bar.db.in
@@ -0,0 +1,85 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: bar.db.in,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+z A 10.0.0.26
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in
index 88f113f0..f35f6995 100644
--- a/bin/tests/system/autosign/ns2/example.db.in
+++ b/bin/tests/system/autosign/ns2/example.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+; $Id: example.db.in,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
@@ -83,3 +83,9 @@ ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
+
+nsec3-to-nsec NS ns.nsec3-to-nsec
+ns.nsec3-to-nsec A 10.53.0.3
+
+oldsigs NS ns.oldsigs
+ns.oldsigs A 10.53.0.3
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index 12ed51d8..7b3b2cf9 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: keygen.sh,v 1.3.6.3 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -24,7 +24,7 @@ RANDFILE=../random.data
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && sh keygen.sh )
-for subdomain in secure nsec3 optout rsasha256 rsasha512
+for subdomain in secure nsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
do
cp ../ns3/dsset-$subdomain.example. .
done
@@ -35,8 +35,8 @@ zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile dsset-*.example. > $zonefile
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
-$KEYGEN -q -r $RANDFILE $zone > /dev/null
+kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
$DSFROMKEY $kskname.key > dsset-${zone}.
# Create keys for a private secure zone.
@@ -44,5 +44,14 @@ zone=private.secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
-$KEYGEN -q -r $RANDFILE -fk $zone > /dev/null
-$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+
+# Extract saved keys for the revoke-to-duplicate-key test
+zone=bar
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile > $zonefile
+sh revkeys.shar > /dev/null
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY Kbar.+005+30804.key > dsset-bar.
diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf
index de79f6b0..1cf3d306 100644
--- a/bin/tests/system/autosign/ns2/named.conf
+++ b/bin/tests/system/autosign/ns2/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+/* $Id: named.conf,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $ */
// NS2
@@ -35,12 +35,12 @@ options {
};
key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-md5;
+ secret "1234abcd8765";
+ algorithm hmac-md5;
};
controls {
- inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
@@ -51,46 +51,56 @@ zone "." {
zone "example" {
type master;
file "example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
+};
+
+zone "bar" {
+ type master;
+ file "bar.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+ dnssec-dnskey-kskonly yes;
};
zone "private.secure.example" {
type master;
file "private.secure.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "insecure.secure.example" {
type master;
file "insecure.secure.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "child.nsec3.example" {
type master;
file "child.nsec3.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "child.optout.example" {
type master;
file "child.optout.example.db";
- allow-query { any; };
- allow-transfer { any; };
+ allow-query { any; };
+ allow-transfer { any; };
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns2/revkeys.shar b/bin/tests/system/autosign/ns2/revkeys.shar
new file mode 100644
index 00000000..beb6d472
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/revkeys.shar
@@ -0,0 +1,231 @@
+#!/bin/sh
+# This is a shell archive (produced by GNU sharutils 4.6.3).
+# To extract the files from this archive, save it to some FILE, remove
+# everything before the `#!/bin/sh' line above, then type `sh FILE'.
+#
+lock_dir=_sh31052
+# Made on 2010-01-08 23:17 PST by <each@pisces>.
+# Source directory was `/home/each/isc/bind9/bin/tests/system/autosign/ns2/keys'.
+#
+# Existing files will *not* be overwritten, unless `-c' is specified.
+#
+# This shar contains:
+# length mode name
+# ------ ---------- ------------------------------------------
+# 538 -rw-r--r-- Kbar.+005+30676.key
+# 1774 -rw-r--r-- Kbar.+005+30676.private
+# 538 -rw-r--r-- Kbar.+005+30804.key
+# 1774 -rw-r--r-- Kbar.+005+30804.private
+#
+MD5SUM=${MD5SUM-md5sum}
+f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
+test -n "${f}" && md5check=true || md5check=false
+${md5check} || \
+ echo 'Note: not verifying md5sums. Consider installing GNU coreutils.'
+save_IFS="${IFS}"
+IFS="${IFS}:"
+gettext_dir=FAILED
+locale_dir=FAILED
+first_param="$1"
+for dir in $PATH
+do
+ if test "$gettext_dir" = FAILED && test -f $dir/gettext \
+ && ($dir/gettext --version >/dev/null 2>&1)
+ then
+ case `$dir/gettext --version 2>&1 | sed 1q` in
+ *GNU*) gettext_dir=$dir ;;
+ esac
+ fi
+ if test "$locale_dir" = FAILED && test -f $dir/shar \
+ && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
+ then
+ locale_dir=`$dir/shar --print-text-domain-dir`
+ fi
+done
+IFS="$save_IFS"
+if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
+then
+ echo=echo
+else
+ TEXTDOMAINDIR=$locale_dir
+ export TEXTDOMAINDIR
+ TEXTDOMAIN=sharutils
+ export TEXTDOMAIN
+ echo="$gettext_dir/gettext -s"
+fi
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
+then if (echo -n test; echo 1,2,3) | grep n >/dev/null
+ then shar_n= shar_c='
+'
+ else shar_n=-n shar_c= ; fi
+else shar_n= shar_c='\c' ; fi
+f=shar-touch.$$
+st1=200112312359.59
+st2=123123592001.59
+st2tr=123123592001.5 # old SysV 14-char limit
+st3=1231235901
+
+if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st1} && test -f ${f}; then
+ shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
+
+elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
+ shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
+
+elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st3} && test -f ${f}; then
+ shar_touch='touch -am $3$4$5$6$2 "$8"'
+
+else
+ shar_touch=:
+ echo
+ ${echo} 'WARNING: not restoring timestamps. Consider getting and'
+ ${echo} 'installing GNU `touch'\'', distributed in GNU coreutils...'
+ echo
+fi
+rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
+#
+if test ! -d ${lock_dir}
+then : ; else ${echo} 'lock directory '${lock_dir}' exists'
+ exit 1
+fi
+if mkdir ${lock_dir}
+then ${echo} 'x - created lock directory `'${lock_dir}\''.'
+else ${echo} 'x - failed to create lock directory `'${lock_dir}\''.'
+ exit 1
+fi
+# ============= Kbar.+005+30676.key ==============
+if test -f 'Kbar.+005+30676.key' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30676.key (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30676.key (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.key' &&
+; This is a key-signing key, keyid 30676, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30676.key'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30676.key'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30676.key failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.key: MD5 check failed'
+ ) << SHAR_EOF
+9c89adb7c9e6d5e2fd34f694b8752c95 Kbar.+005+30676.key
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30676.key'` -ne 538 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30676.key is not 538'
+ fi
+fi
+# ============= Kbar.+005+30676.private ==============
+if test -f 'Kbar.+005+30676.private' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30676.private (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30676.private (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.private' &&
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQAB
+PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
+Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30676.private'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30676.private'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30676.private failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.private: MD5 check failed'
+ ) << SHAR_EOF
+c85dfac0b5c0cf2972878a65717af9ea Kbar.+005+30676.private
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30676.private'` -ne 1774 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30676.private is not 1774'
+ fi
+fi
+# ============= Kbar.+005+30804.key ==============
+if test -f 'Kbar.+005+30804.key' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30804.key (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30804.key (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.key' &&
+; This is a key-signing key, keyid 30804, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30804.key'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30804.key'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30804.key failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.key: MD5 check failed'
+ ) << SHAR_EOF
+825116de64b44b14893cb3b8a48475bc Kbar.+005+30804.key
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30804.key'` -ne 538 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30804.key is not 538'
+ fi
+fi
+# ============= Kbar.+005+30804.private ==============
+if test -f 'Kbar.+005+30804.private' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30804.private (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30804.private (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.private' &&
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQCB
+PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
+Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30804.private'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30804.private'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30804.private failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.private: MD5 check failed'
+ ) << SHAR_EOF
+580cfb43bac6ed945896b464923676e7 Kbar.+005+30804.private
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30804.private'` -ne 1774 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30804.private is not 1774'
+ fi
+fi
+if rm -fr ${lock_dir}
+then ${echo} 'x - removed lock directory `'${lock_dir}\''.'
+else ${echo} 'x - failed to remove lock directory `'${lock_dir}\''.'
+ exit 1
+fi
+exit 0
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 06d8ab53..16e8bf05 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: keygen.sh,v 1.3.6.3 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -25,8 +25,8 @@ zone=secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
-ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
-$KEYGEN -q -r $RANDFILE $zone > /dev/null
+ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
$DSFROMKEY $ksk.key > dsset-${zone}.
#
@@ -102,8 +102,8 @@ zone=optout.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
-ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
-$KEYGEN -q -r $RANDFILE $zone > /dev/null
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
$DSFROMKEY $ksk.key > dsset-${zone}.
#
@@ -138,3 +138,47 @@ cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# NSEC-only zone.
+#
+zone=nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# Signature refresh test zone. Signatures are set to expire long
+# in the past; they should be updated by autosign.
+#
+zone=oldsigs.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# NSEC3->NSEC transition test zone.
+#
+zone=nsec3-to-nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
+$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# secure-to-insecure transition test zone.
+#
+zone=secure-to-insecure.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
index ea07c276..b37fcc61 100644
--- a/bin/tests/system/autosign/ns3/named.conf
+++ b/bin/tests/system/autosign/ns3/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+/* $Id: named.conf,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $ */
// NS3
@@ -35,12 +35,12 @@ options {
};
key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-md5;
+ secret "1234abcd8765";
+ algorithm hmac-md5;
};
controls {
- inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
@@ -54,11 +54,17 @@ zone "example" {
file "example.bk";
};
+zone "bar" {
+ type slave;
+ masters { 10.53.0.2; };
+ file "bar.bk";
+};
+
zone "secure.example" {
type master;
file "secure.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "insecure.example" {
@@ -70,77 +76,98 @@ zone "nsec3.example" {
type master;
file "nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "optout.nsec3.example" {
type master;
file "optout.nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "nsec3.nsec3.example" {
type master;
file "nsec3.nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "secure.nsec3.example" {
type master;
file "secure.nsec3.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "optout.example" {
type master;
file "optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "secure.optout.example" {
type master;
file "secure.optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "nsec3.optout.example" {
type master;
file "nsec3.optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "optout.optout.example" {
type master;
file "optout.optout.example.db";
allow-update { any; };
- auto-dnssec maintain;
-};
-
-zone "multiple.example" {
- type master;
- file "multiple.example.db";
- allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "rsasha256.example" {
type master;
file "rsasha256.example.db";
allow-update { any; };
- auto-dnssec maintain;
+ auto-dnssec maintain;
};
zone "rsasha512.example" {
type master;
file "rsasha512.example.db";
- allow-update { any; };
- auto-dnssec maintain;
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec.example" {
+ type master;
+ file "nsec.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3-to-nsec.example" {
+ type master;
+ file "nsec3-to-nsec.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "secure-to-insecure.example" {
+ type master;
+ file "secure-to-insecure.example.db";
+ allow-update { any; };
+ dnssec-secure-to-insecure yes;
+};
+
+zone "oldsigs.example" {
+ type master;
+ file "oldsigs.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
};
include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec.example.db.in
new file mode 100644
index 00000000..6d8996f1
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
new file mode 100644
index 00000000..baf5e384
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec3-to-nsec.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/oldsigs.example.db.in b/bin/tests/system/autosign/ns3/oldsigs.example.db.in
new file mode 100644
index 00000000..ed4d356f
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/oldsigs.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: oldsigs.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/multiple.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
index 08a803bd..9664de1d 100644
--- a/bin/tests/system/autosign/ns3/multiple.example.db.in
+++ b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: multiple.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+; $Id: secure-to-insecure.example.db.in,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
@@ -29,6 +29,3 @@ a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
-a.a.a.a A 10.0.0.3
-*.e A 10.0.0.6
-child NS ns2.example.
diff --git a/bin/tests/system/autosign/prereq.sh b/bin/tests/system/autosign/prereq.sh
index 4ce0b550..54e0ed04 100644
--- a/bin/tests/system/autosign/prereq.sh
+++ b/bin/tests/system/autosign/prereq.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,10 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: prereq.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: prereq.sh,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
../../../tools/genrandom 400 random.data
diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh
index d4c95462..5d52cbeb 100644
--- a/bin/tests/system/autosign/setup.sh
+++ b/bin/tests/system/autosign/setup.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,12 +14,14 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+# $Id: setup.sh,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
. ./clean.sh
+echo "I:generating keys and preparing zones"
+
../../../tools/genrandom 400 random.data
cd ns1 && sh keygen.sh
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 5cace39a..784d2cbd 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4 2009/12/02 05:42:15 each Exp $
+# $Id: tests.sh,v 1.4.6.3 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -25,8 +25,37 @@ n=0
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+echo "I:waiting 30 seconds for autosign changes to take effect"
+sleep 30
+
+echo "I:checking that zone transfer worked ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
+ret=0
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC3->NSEC conversion prerequisites ($n)"
+ret=0
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:converting zones from nsec to nsec3"
-$NSUPDATE > /dev/null <<END || status=1
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
server 10.53.0.3 5300
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
@@ -48,23 +77,78 @@ update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
END
-echo "I:waiting 30 seconds for key changes to take effect"
-sleep 30
+# try to convert nsec.example; this should fail due to non-NSEC key
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 5300
+zone nsec.example.
+update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+END
+
+echo "I:waiting for changes to take effect"
+sleep 3
+
+echo "I:converting zone from nsec3 to nsec"
+$NSUPDATE > /dev/null 2>&1 << END || status=1
+server 10.53.0.3 5300
+zone nsec3-to-nsec.example.
+update delete nsec3-to-nsec.example. NSEC3PARAM
+send
+END
+
+echo "I:waiting for change to take effect"
+sleep 3
# Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo "I:dumping zone files"
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 freeze 2>&1 | sed 's/^/I:ns1 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 thaw 2>&1 | sed 's/^/I:ns1 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 freeze 2>&1 | sed 's/^/I:ns2 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 thaw 2>&1 | sed 's/^/I:ns2 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze 2>&1 | sed 's/^/I:ns3 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw 2>&1 | sed 's/^/I:ns3 /'
-# Check the example. domain
+echo "I:checking expired signatures were updated ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
-echo "I:checking that zone transfer worked ($n)"
+echo "I:checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
-$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
+ret=0
+grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC3->NSEC conversion succeeded ($n)"
+ret=0
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@@ -456,7 +540,7 @@ status=`expr $status + $ret`
echo "I:checking that revoked key is present ($n)"
ret=0
-id=`sed 's/^K.+005+0*//' < rev.key`
+id=`sed 's/^K.+007+0*//' < rev.key`
id=`expr $id + 128 % 65536`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
@@ -466,7 +550,7 @@ status=`expr $status + $ret`
echo "I:checking that revoked key self-signs ($n)"
ret=0
-id=`sed 's/^K.+005+0*//' < rev.key`
+id=`sed 's/^K.+007+0*//' < rev.key`
id=`expr $id + 128 % 65536`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
@@ -476,7 +560,7 @@ status=`expr $status + $ret`
echo "I:checking for unpublished key ($n)"
ret=0
-id=`sed 's/^K.+005+0*//' < unpub.key`
+id=`sed 's/^K.+007+0*//' < unpub.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
@@ -485,7 +569,7 @@ status=`expr $status + $ret`
echo "I:checking that standby key does not sign records ($n)"
ret=0
-id=`sed 's/^K.+005+0*//' < standby.key`
+id=`sed 's/^K.+007+0*//' < standby.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
@@ -494,7 +578,26 @@ status=`expr $status + $ret`
echo "I:checking that deactivated key does not sign records ($n)"
ret=0
-id=`sed 's/^K.+005+0*//' < inact.key`
+id=`sed 's/^K.+007+0*//' < inact.key`
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking insertion of public-only key ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < nopriv.key`
+file="ns1/`cat nopriv.key`.key"
+keydata=`grep DNSKEY $file`
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.1 5300
+zone .
+ttl 3600
+update add $keydata
+send
+END
+sleep 1
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
@@ -503,13 +606,89 @@ status=`expr $status + $ret`
echo "I:checking key deletion ($n)"
ret=0
-id=`sed 's/^K.+005+0*//' < del.key`
+id=`sed 's/^K.+007+0*//' < del.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking secure-to-insecure transition ($n)"
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.3 5300
+zone secure-to-insecure.example
+update delete secure-to-insecure.example dnskey
+send
+END
+sleep 2
+$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
+egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:preparing to test key change corner cases"
+echo "I:removing a private key file"
+file="ns1/`cat vanishing.key`.private"
+rm -f $file
+
+echo "I:preparing ZSK roll"
+newid=`sed 's/^K.+007+0*//' < standby.key`
+file="ns1/`cat standby.key`.key"
+$SETTIME -A now $file > /dev/null
+oldid=`sed 's/^K.+007+0*//' < active.key`
+file="ns1/`cat active.key`.key"
+$SETTIME -I now -D now+10 $file > /dev/null
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
+
+echo "I:revoking key to duplicated key ID"
+$SETTIME -R now ns2/Kbar.+005+30676.key > /dev/null
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 sign bar. 2>&1 | sed 's/^/I:ns2 /'
+
+echo "I:waiting for changes to take effect"
+sleep 5
+
+echo "I:checking former standby key is now active ($n)"
+ret=0
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting for former active key to be removed"
+sleep 10
+
+echo "I:checking key was removed ($n)"
+ret=0
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id =.*'"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking private key file removal caused no immediate harm ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < vanishing.key`
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking revoked key with duplicate key ID (failure expected) ($n)"
+lret=0
+id=30676
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
+grep '; key id =.*'"$id"'$' dig.out.ns2.test$n || lret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
+n=`expr $n + 1`
+if [ $lret != 0 ]; then echo "I:failed"; fi
+
echo "I:exit status: $status"
exit $status
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 8cbaf373..03fa2ee3 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.43 2009/11/30 21:00:47 each Exp $
+# $Id: conf.sh.in,v 1.43.8.2 2010/01/18 23:48:01 tbox Exp $
#
# Common configuration data for system tests, to be sourced into
@@ -49,8 +49,8 @@ CHECKCONF=$TOP/bin/check/named-checkconf
# v6synth
SUBDIRS="acl autosign cacheclean checkconf checknames dnssec forward glue ixfr
limits lwresd masterfile masterformat metadata notify nsupdate pending
- resolver rrsetorder sortlist stub tkey unknown upforwd views xfer xferquota
- zonechecks"
+ resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views
+ xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
PERL=@PERL@
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 9a47023b..c1821116 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007-2010 Internet Systems Consortium, Inc. ("ISC")
; Copyright (C) 2000-2002 Internet Software Consortium.
;
; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.21 2009/10/27 23:47:44 tbox Exp $
+; $Id: example.db.in,v 1.21.32.3 2010/01/18 23:48:01 tbox Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
@@ -36,6 +36,9 @@ d A 10.0.0.4
foo TXT "testing"
foo A 10.0.1.0
+bad-cname CNAME a
+bad-dname DNAME @
+
; Used for testing CNAME queries
cname1 CNAME cname1-target
cname1-target TXT "testing cname"
@@ -101,3 +104,6 @@ ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 0d47b909..3bae1db1 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2010 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.35 2009/10/28 00:27:10 marka Exp $
+# $Id: sign.sh,v 1.35.32.3 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -31,7 +31,7 @@ zonefile=example.db
( cd ../ns3 && sh sign.sh )
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
- optout-unknown multiple rsasha256 rsasha512
+ optout-unknown multiple rsasha256 rsasha512 kskonly
do
cp ../ns3/dsset-$subdomain.example. .
done
@@ -43,6 +43,53 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+#
+# lower/uppercase the signature bits with the exception of the last characters
+# changing the last 4 characters will lead to a bad base64 encoding.
+#
+$CHECKZONE -D -q -i local $zone $zonefile.signed |
+awk '
+tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed
+
+
# Sign the privately secure file
privzone=private.secure.example.
diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in
new file mode 100644
index 00000000..01f323a6
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/kskonly.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: kskonly.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index c3f7d10d..37193676 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.35 2009/10/27 23:47:44 tbox Exp $ */
+/* $Id: named.conf,v 1.35.32.2 2010/01/18 23:48:01 tbox Exp $ */
// NS3
@@ -166,4 +166,9 @@ zone "rsasha512.example" {
file "rsasha512.example.db.signed";
};
+zone "kskonly.example" {
+ type master;
+ file "kskonly.example.db.signed";
+};
+
include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index faab14a7..f05e7ffd 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2010 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
+# $Id: sign.sh,v 1.30.32.2 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -30,7 +30,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=bogus.example.
infile=bogus.example.db.in
@@ -40,7 +40,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=dynamic.example.
infile=dynamic.example.db.in
@@ -51,7 +51,7 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=keyless.example.
infile=keyless.example.db.in
@@ -61,7 +61,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
# Change the signer field of the a.b.keyless.example SIG A
# to point to a provably nonexistent KEY record.
@@ -81,7 +81,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# NSEC3/NSEC3 test zone
@@ -94,7 +94,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC3 test zone
@@ -107,7 +107,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A nsec3 zone (non-optout).
@@ -120,7 +120,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC test zone
@@ -133,7 +133,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/NSEC3 test zone
@@ -146,7 +146,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# OPTOUT/OPTOUT test zone
@@ -159,7 +159,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A optout nsec3 zone.
@@ -172,7 +172,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A nsec3 zone (non-optout) with unknown hash algorithm.
@@ -185,7 +185,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A optout nsec3 zone.
@@ -198,7 +198,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A multiple parameter nsec3 zone.
@@ -211,17 +211,17 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
mv $zonefile.signed $zonefile
-$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A RSASHA256 zone.
@@ -234,7 +234,7 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A RSASHA512 zone.
@@ -247,4 +247,16 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A zone with the DNSKEY set only signed by the KSK
+#
+zone=kskonly.example.
+infile=kskonly.example.db.in
+zonefile=kskonly.example.db
+
+kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 30a9ec96..2388eb16 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.55 2009/10/27 23:47:44 tbox Exp $
+# $Id: tests.sh,v 1.55.32.3 2010/01/18 23:48:01 tbox Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -38,6 +38,26 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+# test AD bit:
+# - dig +adflag asks for authentication (ad in response)
+echo "I:checking AD bit asking for validation ($n)"
+ret=0
+$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking for AD in authoritative answer ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -522,6 +542,41 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="a.example.
+10.0.0.1"
+ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+#check: requery without +CD. bogus cached data should be rejected.
+$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="example.
+a.example.
+10.0.0.1"
+ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+#check: requery without +CD. bogus cached data should be rejected.
+$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
# Check the insecure.secure.example domain (insecurity proof)
echo "I:checking 2-server insecurity proof ($n)"
@@ -627,6 +682,16 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking cd bit on a query that should fail ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
diff --git a/bin/tests/system/pending/clean.sh b/bin/tests/system/pending/clean.sh
index 5655e07b..9e20966d 100644
--- a/bin/tests/system/pending/clean.sh
+++ b/bin/tests/system/pending/clean.sh
@@ -14,9 +14,10 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.3 2009/12/03 04:51:41 marka Exp $
+# $Id: clean.sh,v 1.3.6.1 2009/12/30 08:33:40 jinmei Exp $
rm -rf */*.signed
+rm -rf */*.jnl
rm -rf */K*
rm -rf */dsset-*
rm -rf */named.memstats
@@ -24,4 +25,6 @@ rm -rf */named.run
rm -rf */trusted.conf
rm -rf ns1/root.db
rm -rf ns2/example.db
+rm -rf ns2/example.com.db
rm -rf random.data
+rm -rf nsupdate.out.test
diff --git a/bin/tests/system/pending/ns1/root.db.in b/bin/tests/system/pending/ns1/root.db.in
index a53b09ac..6a654fdc 100644
--- a/bin/tests/system/pending/ns1/root.db.in
+++ b/bin/tests/system/pending/ns1/root.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.3 2009/11/18 23:48:06 tbox Exp $
+; $Id: root.db.in,v 1.3.16.3 2010/01/07 23:48:15 tbox Exp $
$TTL 30
. IN SOA marka.isc.org. a.root.servers.nil. (
@@ -27,5 +27,8 @@ a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
ns2.example. A 10.53.0.2
+example.com. NS ns2.example.com.
+ns2.example.com. A 10.53.0.2
hostile. NS ns3.hostile.
ns3.hostile. A 10.53.0.3
+nice.good. A 10.10.10.10
diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh
index b0b0a0e4..fa301dec 100644
--- a/bin/tests/system/pending/ns1/sign.sh
+++ b/bin/tests/system/pending/ns1/sign.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.2 2009/11/17 23:55:18 marka Exp $
+# $Id: sign.sh,v 1.2.22.3 2010/01/07 23:48:15 tbox Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@@ -28,12 +28,13 @@ zonefile=root.db
(cd ../ns2 && sh -e sign.sh )
cp ../ns2/dsset-example. .
+cp ../ns2/dsset-example.com. .
keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
-$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
# Configure the resolving server with a trusted key.
diff --git a/bin/tests/system/pending/ns2/example.com.db.in b/bin/tests/system/pending/ns2/example.com.db.in
new file mode 100644
index 00000000..b0b85467
--- /dev/null
+++ b/bin/tests/system/pending/ns2/example.com.db.in
@@ -0,0 +1,32 @@
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.com.db.in,v 1.2.2.3 2010/01/18 23:48:01 tbox Exp $
+
+$TTL 30
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+ns2 A 10.53.0.2
+mail A 192.0.2.2
+ AAAA 2001:db8::2
+pending-ok A 192.0.2.2
+pending-ng A 192.0.2.102
+removed A 10.9.8.7
diff --git a/bin/tests/system/pending/ns2/example.db.in b/bin/tests/system/pending/ns2/example.db.in
index ca0d596b..c716a69f 100644
--- a/bin/tests/system/pending/ns2/example.db.in
+++ b/bin/tests/system/pending/ns2/example.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,10 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.2 2009/11/17 23:55:18 marka Exp $
+; $Id: example.db.in,v 1.2.22.2 2010/01/07 23:48:15 tbox Exp $
$TTL 30
+$ORIGIN example.
@ IN SOA mname1. . (
2009110300 ; serial
20 ; refresh (20 seconds)
@@ -26,3 +27,5 @@ $TTL 30
MX 10 mail
ns2 A 10.53.0.2
mail A 10.0.0.2
+bad CNAME nice.good.
+worse A 6.6.6.6
diff --git a/bin/tests/system/pending/ns2/forgery.db b/bin/tests/system/pending/ns2/forgery.db
new file mode 100644
index 00000000..2ad05ded
--- /dev/null
+++ b/bin/tests/system/pending/ns2/forgery.db
@@ -0,0 +1,29 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: forgery.db,v 1.2.2.2 2010/01/07 23:48:15 tbox Exp $
+
+$TTL 30
+$ORIGIN good.
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+
+nice.good. CNAME worse.example.
diff --git a/bin/tests/system/pending/ns2/named.conf b/bin/tests/system/pending/ns2/named.conf
index cb63caa6..b3e990d5 100644
--- a/bin/tests/system/pending/ns2/named.conf
+++ b/bin/tests/system/pending/ns2/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3 2009/11/18 23:48:06 tbox Exp $ */
+/* $Id: named.conf,v 1.3.16.3 2010/01/07 23:48:15 tbox Exp $ */
// NS2
@@ -45,3 +45,15 @@ zone "example" {
type master;
file "example.db.signed";
};
+
+zone "example.com" {
+ type master;
+ file "example.com.db.signed";
+ allow-update { 10.53.0.0/8; };
+};
+
+zone "good" {
+ type master;
+ file "forgery.db";
+ allow-query { any; };
+};
diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh
index 3bd1102f..462fc0d1 100644
--- a/bin/tests/system/pending/ns2/sign.sh
+++ b/bin/tests/system/pending/ns2/sign.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,20 +14,28 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.3 2009/11/18 23:48:07 tbox Exp $
+# $Id: sign.sh,v 1.3.16.4 2010/01/18 19:18:35 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
-zone=example.
-infile=example.db.in
-zonefile=example.db
+for domain in example example.com; do
+ zone=${domain}.
+ infile=${domain}.db.in
+ zonefile=${domain}.db
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+ keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+ keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
-cat $infile $keyname1.key $keyname2.key >$zonefile
+ cat $infile $keyname1.key $keyname2.key > $zonefile
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+ $SIGNER -3 bebe -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+done
+
+# remove "removed" record from example.com, causing the server to
+# send an apparently-invalid NXDOMAIN
+sed '/^removed/d' example.com.db.signed > example.com.db.new
+rm -f example.com.db.signed
+mv example.com.db.new example.com.db.signed
diff --git a/bin/tests/system/pending/tests.sh b/bin/tests/system/pending/tests.sh
index e56b4079..6b2dd144 100644
--- a/bin/tests/system/pending/tests.sh
+++ b/bin/tests/system/pending/tests.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,22 +14,50 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.3 2009/11/18 23:48:06 tbox Exp $
+# $Id: tests.sh,v 1.3.16.4 2010/01/18 19:18:35 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
+# replace_data dname RR old_data new_data
+replace_data()
+{
+ if [ $# -ne 4 ]; then
+ echo I:unexpected input for replace_data
+ return 1
+ fi
+
+ _dname=$1
+ _rr=$2
+ _olddata=$3
+ _newdata=$4
+
+ _ret=0
+ $NSUPDATE -d <<END>> nsupdate.out.test 2>&1 || _ret=1
+server 10.53.0.2 5300
+update delete ${_dname} 30 ${_rr} ${_olddata}
+update add ${_dname} 30 ${_rr} ${_newdata}
+send
+END
+
+ if [ $_ret != 0 ]; then
+ echo I:failed to update the test data
+ return 1
+ fi
+
+ return 0
+}
+
status=0
n=0
-rm -f dig.out.*
-
-DIGOPTS="+short +tcp +cd -p 5300"
+DIGOPTS="+short +tcp -p 5300"
+DIGOPTS_CD="$DIGOPTS +cd"
echo I:Priming cache.
ret=0
expect="10 mail.example."
-ans=`$DIG $DIGOPTS @10.53.0.4 hostile MX` || ret=1
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 hostile MX` || ret=1
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
@@ -37,7 +65,137 @@ status=`expr $status + $ret`
echo I:Checking that bogus additional is not returned with +CD.
ret=0
expect="10.0.0.2"
-ans=`$DIG $DIGOPTS @10.53.0.4 mail.example A` || ret=1
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with pending additional records. These should not be promoted
+# to answer.
+#
+echo "I:Priming cache (pending additional A and AAAA)"
+ret=0
+expect="10 mail.example.com."
+ans=`$DIG $DIGOPTS @10.53.0.4 example.com MX` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo "I:Replacing pending A"
+ret=0
+replace_data mail.example.com. A 192.0.2.2 192.0.2.3 || ret=1
+status=`expr $status + $ret`
+
+echo "I:Replacing pending AAAA"
+ret=0
+replace_data mail.example.com. AAAA 2001:db8::2 2001:db8::3 || ret=1
+status=`expr $status + $ret`
+
+echo "I:Checking updated data to be returned (without CD)"
+ret=0
+expect="192.0.2.3"
+ans=`$DIG $DIGOPTS @10.53.0.4 mail.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo "I:Checking updated data to be returned (with CD)"
+ret=0
+expect="2001:db8::3"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example.com AAAA` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with a pending answer record. It can be returned (without
+# validation) with +CD.
+#
+echo "I:Priming cache (pending answer)"
+ret=0
+expect="192.0.2.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Replacing pending data
+ret=0
+replace_data pending-ok.example.com. A 192.0.2.2 192.0.2.3 || ret=1
+status=`expr $status + $ret`
+
+echo I:Confirming cached pending data to be returned with CD
+ret=0
+expect="192.0.2.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with a pending answer record. It should not be returned
+# to no-DNSSEC clients.
+#
+echo "I:Priming cache (pending answer)"
+ret=0
+expect="192.0.2.102"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ng.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Replacing pending data
+ret=0
+replace_data pending-ng.example.com. A 192.0.2.102 192.0.2.103 || ret=1
+status=`expr $status + $ret`
+
+echo I:Confirming updated data returned, not the cached one, without CD
+ret=0
+expect="192.0.2.103"
+ans=`$DIG $DIGOPTS @10.53.0.4 pending-ng.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Try to fool the resolver with an out-of-bailiwick CNAME
+#
+echo I:Trying to Prime out-of-bailiwick pending answer with CD
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 bad.example. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Confirming the out-of-bailiwick answer is not cached or reused with CD
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 nice.good. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Make sure the resolver doesn't cache bogus NXDOMAIN
+#
+echo I:Trying to Prime bogus NXDOMAIN
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Confirming the bogus NXDOMAIN was not cached
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
diff --git a/bin/tests/system/smartsign/child.db b/bin/tests/system/smartsign/child.db
new file mode 100644
index 00000000..dcd92db4
--- /dev/null
+++ b/bin/tests/system/smartsign/child.db
@@ -0,0 +1,29 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.db,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+$ORIGIN .
+$TTL 60 ; 1 minute
+child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns.child.parent.nil.
+$ORIGIN child.parent.nil.
+$TTL 300 ; 5 minutes
+ns A 10.53.0.3
diff --git a/bin/tests/system/smartsign/clean.sh b/bin/tests/system/smartsign/clean.sh
new file mode 100644
index 00000000..3d299135
--- /dev/null
+++ b/bin/tests/system/smartsign/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+rm -f K* dsset-* *.signed random.data dnskey.sigs other.sigs dsset.out
diff --git a/bin/tests/system/smartsign/parent.db b/bin/tests/system/smartsign/parent.db
new file mode 100644
index 00000000..839835bd
--- /dev/null
+++ b/bin/tests/system/smartsign/parent.db
@@ -0,0 +1,36 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: parent.db,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1.parent.nil.
+ NS ns2.parent.nil.
+$ORIGIN parent.nil.
+$TTL 3600 ; 1 hour
+a A 1.1.1.1
+$TTL 300 ; 5 minutes
+ns1 A 10.53.0.1
+ns2 A 10.53.0.2
+
+child NS ns.child
+ns.child A 10.53.0.3
diff --git a/bin/tests/system/smartsign/prereq.sh b/bin/tests/system/smartsign/prereq.sh
new file mode 100644
index 00000000..cc017a35
--- /dev/null
+++ b/bin/tests/system/smartsign/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/smartsign/setup.sh b/bin/tests/system/smartsign/setup.sh
new file mode 100644
index 00000000..d6b78b01
--- /dev/null
+++ b/bin/tests/system/smartsign/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+sh clean.sh
+../../../tools/genrandom 400 random.data
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh
new file mode 100644
index 00000000..d947d1e2
--- /dev/null
+++ b/bin/tests/system/smartsign/tests.sh
@@ -0,0 +1,167 @@
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.1.4.3 2010/01/19 15:55:44 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+RANDFILE=./random.data
+
+pzone=parent.nil
+pfile=parent.db
+
+czone=child.parent.nil
+cfile=child.db
+
+echo I:generating keys
+# active zsk
+czsk1=`$KEYGEN -q -r $RANDFILE $czone`
+
+# not yet published or active
+czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+
+# published but not active
+czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
+
+# inactive
+czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+
+# active ksk
+cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+
+# published but not YET active; will be active in 20 seconds
+cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
+# $SETTIME moved after other $KEYGENs
+
+echo I:revoking key
+# revoking key changes its ID
+cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk4=`$REVOKE $cksk3`
+$SETTIME -A now+20s $cksk2 > /dev/null
+
+echo I:signing child zone
+czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1`
+
+echo I:generating keys
+pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+
+echo I:signing parent zone
+pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
+
+czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'`
+czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'`
+czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'`
+czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'`
+ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'`
+ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'`
+ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'`
+ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)\.private$/\1/'`
+
+pzid=`echo $pzsk | sed 's/^K.*+005+0*//'`
+pkid=`echo $pksk | sed 's/^K.*+005+0*//'`
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DNSKEY set"
+ret=0
+grep "key id = $pzid" $pfile.signed > /dev/null || ret=1
+grep "key id = $pkid" $pfile.signed > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DS records"
+ret=0
+awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out
+grep "$ckactive" dsset.out > /dev/null || ret=1
+grep "$ckpublished" dsset.out > /dev/null || ret=1
+# revoked key should not be there, hence the &&
+grep "$ckprerevoke" dsset.out > /dev/null && ret=1
+grep "$ckrevoked" dsset.out > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone DNSKEY set"
+ret=0
+grep "key id = $ckactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckrevoked" $cfile.signed > /dev/null || ret=1
+grep "key id = $czactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $czpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $czinactive" $cfile.signed > /dev/null || ret=1
+# should not be there, hence the &&
+grep "key id = $ckprerevoke" $cfile.signed > /dev/null && ret=1
+grep "key id = $czgenerated" $cfile.signed > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures"
+ret=0
+# check DNSKEY signatures first
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckactive" dnskey.sigs > /dev/null || ret=1
+grep "$ckrevoked" dnskey.sigs > /dev/null || ret=1
+grep "$czactive" dnskey.sigs > /dev/null || ret=1
+# should not be there:
+grep "$ckprerevoke" dnskey.sigs > /dev/null && ret=1
+grep "$ckpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czinactive" dnskey.sigs > /dev/null && ret=1
+grep "$czgenerated" dnskey.sigs > /dev/null && ret=1
+# now check other signatures first
+awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $2 }' $cfile.signed | sort -un > other.sigs
+# should not be there:
+grep "$ckactive" other.sigs > /dev/null && ret=1
+grep "$ckpublished" other.sigs > /dev/null && ret=1
+grep "$ckprerevoke" other.sigs > /dev/null && ret=1
+grep "$ckrevoked" other.sigs > /dev/null && ret=1
+grep "$czpublished" other.sigs > /dev/null && ret=1
+grep "$czinactive" other.sigs > /dev/null && ret=1
+grep "$czgenerated" other.sigs > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting 20 seconds for key activation"
+sleep 20
+echo "I:re-signing child zone"
+czoneout2=`$SIGNER -Sg -r $RANDFILE -o $czone -f $cfile.new $cfile.signed 2>&1`
+mv $cfile.new $cfile.signed
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures again"
+ret=0
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckpublished" dnskey.sigs > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 6e1cab4c..43f905bb 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.11 2009/12/05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.11.2.2 2010/01/07 23:48:15 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -43,12 +43,14 @@ NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
TARGETS = arpaname@EXEEXT@ named-journalprint@EXEEXT@ nsec3hash@EXEEXT@ \
- genrandom@EXEEXT@
-SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c
+ genrandom@EXEEXT@ isc-hmac-fixup@EXEEXT@
+SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c \
+ isc-hmac-fixup.c
-MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8
+MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8 \
+ isc-hmac-fixup.8
HTMLPAGES = arpaname.html named-journalprint.html nsec3hash.html \
- genrandom.html
+ genrandom.html isc-hmac-fixup.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@@ -67,6 +69,11 @@ nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
+isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
+ export BASEOBJS="isc-hmac-fixup.@O@"; \
+ export LIBS0="${ISCLIBS}"; \
+ ${FINALBUILDCMD}
+
genrandom@EXEEXT@: genrandom.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
@@ -85,7 +92,9 @@ install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
diff --git a/bin/tools/isc-hmac-fixup.8 b/bin/tools/isc-hmac-fixup.8
new file mode 100644
index 00000000..42ce052a
--- /dev/null
+++ b/bin/tools/isc-hmac-fixup.8
@@ -0,0 +1,61 @@
+.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: isc-hmac-fixup.8,v 1.1.2.3 2010/01/08 02:08:23 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: isc\-hmac\-fixup
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: January 5, 2010
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "ISC\-HMAC\-FIXUP" "1" "January 5, 2010" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+isc\-hmac\-fixup \- fixes HMAC keys generated by older versions of BIND
+.SH "SYNOPSIS"
+.HP 15
+\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}
+.SH "DESCRIPTION"
+.PP
+Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations.
+.PP
+This bug has been fixed in BIND 9.7. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys.
+\fBisc\-hmac\-fixup\fR
+modifies those keys to restore compatibility.
+.PP
+To modify a key, run
+\fBisc\-hmac\-fixup\fR
+and specify the key's algorithm and secret on the command line. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret. (If the secret did not require conversion, then it will be printed without modification.)
+.SH "SECURITY CONSIDERATIONS"
+.PP
+Secrets that have been converted by
+\fBisc\-hmac\-fixup\fR
+are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength."
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual,
+RFC 2104.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2010 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/tools/isc-hmac-fixup.c b/bin/tools/isc-hmac-fixup.c
new file mode 100644
index 00000000..b2b3a1bb
--- /dev/null
+++ b/bin/tools/isc-hmac-fixup.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: isc-hmac-fixup.c,v 1.2.2.2 2010/01/07 23:48:15 tbox Exp $ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/md5.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+
+#define HMAC_LEN 64
+
+int
+main(int argc, char **argv) {
+ isc_buffer_t buf;
+ unsigned char key[1024];
+ char secret[1024];
+ char base64[(1024*4)/3];
+ isc_region_t r;
+ isc_result_t result;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
+ fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
+ "SHA256 | SHA384 | SHA512)\n");
+ return (1);
+ }
+
+ isc_buffer_init(&buf, secret, sizeof(secret));
+ result = isc_base64_decodestring(argv[2], &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ isc__buffer_usedregion(&buf, &r);
+
+ if (!strcasecmp(argv[1], "md5") ||
+ !strcasecmp(argv[1], "hmac-md5")) {
+ if (r.length > HMAC_LEN) {
+ isc_md5_t md5ctx;
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, key);
+
+ r.base = key;
+ r.length = ISC_MD5_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha1") ||
+ !strcasecmp(argv[1], "hmac-sha1")) {
+ if (r.length > ISC_SHA1_DIGESTLENGTH) {
+ isc_sha1_t sha1ctx;
+ isc_sha1_init(&sha1ctx);
+ isc_sha1_update(&sha1ctx, r.base, r.length);
+ isc_sha1_final(&sha1ctx, key);
+
+ r.base = key;
+ r.length = ISC_SHA1_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha224") ||
+ !strcasecmp(argv[1], "hmac-sha224")) {
+ if (r.length > ISC_SHA224_DIGESTLENGTH) {
+ isc_sha224_t sha224ctx;
+ isc_sha224_init(&sha224ctx);
+ isc_sha224_update(&sha224ctx, r.base, r.length);
+ isc_sha224_final(key, &sha224ctx);
+
+ r.base = key;
+ r.length = ISC_SHA224_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha256") ||
+ !strcasecmp(argv[1], "hmac-sha256")) {
+ if (r.length > ISC_SHA256_DIGESTLENGTH) {
+ isc_sha256_t sha256ctx;
+ isc_sha256_init(&sha256ctx);
+ isc_sha256_update(&sha256ctx, r.base, r.length);
+ isc_sha256_final(key, &sha256ctx);
+
+ r.base = key;
+ r.length = ISC_SHA256_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha384") ||
+ !strcasecmp(argv[1], "hmac-sha384")) {
+ if (r.length > ISC_SHA384_DIGESTLENGTH) {
+ isc_sha384_t sha384ctx;
+ isc_sha384_init(&sha384ctx);
+ isc_sha384_update(&sha384ctx, r.base, r.length);
+ isc_sha384_final(key, &sha384ctx);
+
+ r.base = key;
+ r.length = ISC_SHA384_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha512") ||
+ !strcasecmp(argv[1], "hmac-sha512")) {
+ if (r.length > ISC_SHA512_DIGESTLENGTH) {
+ isc_sha512_t sha512ctx;
+ isc_sha512_init(&sha512ctx);
+ isc_sha512_update(&sha512ctx, r.base, r.length);
+ isc_sha512_final(key, &sha512ctx);
+
+ r.base = key;
+ r.length = ISC_SHA512_DIGESTLENGTH;
+ }
+ } else {
+ fprintf(stderr, "unknown hmac/digest algorithm: %s\n", argv[1]);
+ return (1);
+ }
+
+ isc_buffer_init(&buf, base64, sizeof(base64));
+ result = isc_base64_totext(&r, 0, "", &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ fprintf(stdout, "%.*s\n", isc_buffer_usedlength(&buf), base64);
+ return (0);
+}
diff --git a/bin/tools/isc-hmac-fixup.docbook b/bin/tools/isc-hmac-fixup.docbook
new file mode 100644
index 00000000..fc2021a2
--- /dev/null
+++ b/bin/tools/isc-hmac-fixup.docbook
@@ -0,0 +1,109 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: isc-hmac-fixup.docbook,v 1.2.2.1 2010/01/07 21:53:04 each Exp $ -->
+<refentry id="man.isc-hmac-fixup">
+ <refentryinfo>
+ <date>January 5, 2010</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>isc-hmac-fixup</application></refname>
+ <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2010</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>isc-hmac-fixup</command>
+ <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">secret</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </para>
+ <para>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <command>isc-hmac-fixup</command>
+ modifies those keys to restore compatibility.
+ </para>
+ <para>
+ To modify a key, run <command>isc-hmac-fixup</command> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SECURITY CONSIDERATIONS</title>
+ <para>
+ Secrets that have been converted by <command>isc-hmac-fixup</command>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2104</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/tools/isc-hmac-fixup.html b/bin/tools/isc-hmac-fixup.html
new file mode 100644
index 00000000..d48cee80
--- /dev/null
+++ b/bin/tools/isc-hmac-fixup.html
@@ -0,0 +1,84 @@
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: isc-hmac-fixup.html,v 1.1.2.3 2010/01/08 02:08:23 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>isc-hmac-fixup</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543351"></a><h2>DESCRIPTION</h2>
+<p>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </p>
+<p>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
+ modifies those keys to restore compatibility.
+ </p>
+<p>
+ To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543374"></a><h2>SECURITY CONSIDERATIONS</h2>
+<p>
+ Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543388"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2104</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543405"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/tools/win32/ischmacfixup.dsp b/bin/tools/win32/ischmacfixup.dsp
new file mode 100644
index 00000000..40dce555
--- /dev/null
+++ b/bin/tools/win32/ischmacfixup.dsp
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="ischmacfixup" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=ischmacfixup - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE
+!MESSAGE NMAKE /f "ischmacfixup.mak".
+!MESSAGE
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE
+!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug"
+!MESSAGE
+!MESSAGE Possible choices for configuration are:
+!MESSAGE
+!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe"
+
+!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept
+
+!ENDIF
+
+# Begin Target
+
+# Name "ischmacfixup - Win32 Release"
+# Name "ischmacfixup - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\isc-hmac-fixup.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/tools/win32/ischmacfixup.dsw b/bin/tools/win32/ischmacfixup.dsw
new file mode 100644
index 00000000..4ca034e0
--- /dev/null
+++ b/bin/tools/win32/ischmacfixup.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "ischmacfixup"=".\ischmacfixup.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/tools/win32/ischmacfixup.mak b/bin/tools/win32/ischmacfixup.mak
new file mode 100644
index 00000000..2b8f874d
--- /dev/null
+++ b/bin/tools/win32/ischmacfixup.mak
@@ -0,0 +1,299 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on ischmacfixup.dsp
+!IF "$(CFG)" == ""
+CFG=ischmacfixup - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to ischmacfixup - Win32 Debug.
+!ENDIF
+
+!IF "$(CFG)" != "ischmacfixup - Win32 Release" && "$(CFG)" != "ischmacfixup - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE
+!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug"
+!MESSAGE
+!MESSAGE Possible choices for configuration are:
+!MESSAGE
+!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE
+!ERROR An invalid configuration is specified.
+!ENDIF
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE
+NULL=nul
+!ENDIF
+
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+ $(_VC_MANIFEST_BASENAME).auto.rc \
+ $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\isc-hmac-fixup.exe"
+
+
+CLEAN :
+ -@erase "$(INTDIR)\isc-hmac-fixup.obj"
+ -@erase "$(INTDIR)\vc60.idb"
+ -@erase "..\..\..\Build\Release\isc-hmac-fixup.exe"
+ -@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\isc-hmac-fixup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+
+.c{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.c{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc"
+BSC32_SBRS= \
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe"
+LINK32_OBJS= \
+ "$(INTDIR)\isc-hmac-fixup.obj"
+
+"..\..\..\Build\Release\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+ $(LINK32) @<<
+ $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+ $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\isc-hmac-fixup.exe" "$(OUTDIR)\isc-hmac-fixup.bsc"
+
+
+CLEAN :
+ -@erase "$(INTDIR)\isc-hmac-fixup.obj"
+ -@erase "$(INTDIR)\isc-hmac-fixup.sbr"
+ -@erase "$(INTDIR)\vc60.idb"
+ -@erase "$(INTDIR)\vc60.pdb"
+ -@erase "$(OUTDIR)\isc-hmac-fixup.pdb"
+ -@erase "$(OUTDIR)\isc-hmac-fixup.bsc"
+ -@erase "..\..\..\Build\Debug\isc-hmac-fixup.exe"
+ -@erase "..\..\..\Build\Debug\isc-hmac-fixup.ilk"
+ -@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+
+.c{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.c{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc"
+BSC32_SBRS= \
+ "$(INTDIR)\isc-hmac-fixup.sbr"
+
+"$(OUTDIR)\isc-hmac-fixup.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+ $(BSC32) @<<
+ $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept
+LINK32_OBJS= \
+ "$(INTDIR)\isc-hmac-fixup.obj"
+
+"..\..\..\Build\Debug\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+ $(LINK32) @<<
+ $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+ $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("isc-hmac-fixup.dep")
+!INCLUDE "isc-hmac-fixup.dep"
+!ELSE
+!MESSAGE Warning: cannot find "isc-hmac-fixup.dep"
+!ENDIF
+!ENDIF
+
+
+!IF "$(CFG)" == "ischmacfixup - Win32 Release" || "$(CFG)" == "ischmacfixup - Win32 Debug"
+SOURCE="..\isc-hmac-fixup.c"
+
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"
+
+
+"$(INTDIR)\isc-hmac-fixup.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"
+
+
+"$(INTDIR)\isc-hmac-fixup.obj" "$(INTDIR)\isc-hmac-fixup.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+!ENDIF
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+ type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+ type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/bin/tools/win32/journalprint.mak b/bin/tools/win32/journalprint.mak
index 2b7f8fd6..76881036 100644
--- a/bin/tools/win32/journalprint.mak
+++ b/bin/tools/win32/journalprint.mak
@@ -271,7 +271,7 @@ SOURCE="..\named-journalprint.c"
!ELSEIF "$(CFG)" == "journalprint - Win32 Debug"
-"$(INTDIR)\named-journalprint.obj" "$(INTDIR)\named-journalprint.sbr" : $(SOURCE) "$(INTDIR)"
+"$(INTDIR)\named-journalprint.obj" "$(INTDIR)\named-journalprint.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 91bbfb99..acc5f204 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: BINDInstallDlg.cpp,v 1.46 2009/12/04 21:59:23 marka Exp $ */
+/* $Id: BINDInstallDlg.cpp,v 1.46.4.2 2010/01/07 23:48:15 tbox Exp $ */
/*
* Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -158,6 +158,7 @@ const FileData installFiles[] =
{"named-checkzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"named-compilezone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"named-journalprint.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+ {"isc-hmax-fixup.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-destroy.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-list.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 510e4cc5..5661a036 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.450 2009/12/04 21:59:23 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.3 2010/01/07 23:48:15 tbox Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -30,6 +30,7 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -6616,9 +6617,26 @@ options {
<term><command>dnssec-secure-to-insecure</command></term>
<listitem>
<para>
- Allow a zone to transition from secure to insecure by
- deleting all DNSKEY records. The default is
- <command>no</command>.
+ Allow a dynamic zone to transition from secure to
+ insecure (i.e., signed to unsigned) by deleting all
+ of the DNSKEY records. The default is <command>no</command>.
+ If set to <command>yes</command>, and if the DNSKEY RRset
+ at the zone apex is deleted, all RRSIG and NSEC records
+ will be removed from the zone as well.
+ </para>
+ <para>
+ If the zone uses NSEC3, then it is also necessary to
+ delete the NSEC3PARAM RRset from the zone apex; this will
+ cause the removal of all corresponding NSEC3 records.
+ (It is expected that this requirement will be eliminated
+ in a future release.)
+ </para>
+ <para>
+ Note that if a zone has been configured with
+ <command>auto-dnssec maintain</command> and the
+ private keys remain accessible in the key repository,
+ then the zone will be automatically signed again the
+ next time <command>named</command> is started.
</para>
</listitem>
</varlistentry>
@@ -15656,6 +15674,7 @@ zone "example.com" {
<xi:include href="../../bin/confgen/ddns-confgen.docbook"/>
<xi:include href="../../bin/tools/arpaname.docbook"/>
<xi:include href="../../bin/tools/genrandom.docbook"/>
+ <xi:include href="../../bin/tools/isc-hmac-fixup.docbook"/>
<xi:include href="../../bin/tools/nsec3hash.docbook"/>
</reference>
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 08bdc3d6..410a3566 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch01.html,v 1.47 2009/07/11 01:12:46 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.47.126.1 2010/01/08 02:08:26 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,17 +45,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563412">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564391">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564531">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564712">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564733">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564768">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567173">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567250">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567422">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567553">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -71,7 +71,7 @@
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2563409"></a>Scope of Document</h2></div></div></div>
+<a name="id2563412"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
@@ -87,7 +87,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564388"></a>Organization of This Document</h2></div></div></div>
+<a name="id2564391"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
@@ -116,7 +116,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564528"></a>Conventions Used in This Document</h2></div></div></div>
+<a name="id2564531"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
@@ -243,7 +243,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564641"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
+<a name="id2564712"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
@@ -253,7 +253,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564662"></a>DNS Fundamentals</h3></div></div></div>
+<a name="id2564733"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
@@ -275,7 +275,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564696"></a>Domains and Domain Names</h3></div></div></div>
+<a name="id2564768"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
@@ -321,7 +321,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567170"></a>Zones</h3></div></div></div>
+<a name="id2567173"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
@@ -374,7 +374,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567246"></a>Authoritative Name Servers</h3></div></div></div>
+<a name="id2567250"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
@@ -391,7 +391,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567270"></a>The Primary Master</h4></div></div></div>
+<a name="id2567273"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
@@ -411,7 +411,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567300"></a>Slave Servers</h4></div></div></div>
+<a name="id2567303"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
@@ -427,7 +427,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567389"></a>Stealth Servers</h4></div></div></div>
+<a name="id2567393"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
@@ -462,7 +462,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567419"></a>Caching Name Servers</h3></div></div></div>
+<a name="id2567422"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
@@ -489,7 +489,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567523"></a>Forwarding</h4></div></div></div>
+<a name="id2567526"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
@@ -516,7 +516,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567549"></a>Name Servers in Multiple Roles</h3></div></div></div>
+<a name="id2567553"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 377f21de..8b33a106 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch02.html,v 1.41 2009/07/11 01:12:46 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch02.html,v 1.41.126.1 2010/01/08 02:08:24 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,16 +45,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567584">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567610">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567623">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567854">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567865">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567587">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567613">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567626">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567721">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567732">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567584"></a>Hardware requirements</h2></div></div></div>
+<a name="id2567587"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
@@ -73,7 +73,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567610"></a>CPU Requirements</h2></div></div></div>
+<a name="id2567613"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
@@ -84,7 +84,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567623"></a>Memory Requirements</h2></div></div></div>
+<a name="id2567626"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
@@ -107,7 +107,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567854"></a>Name Server Intensive Environment Issues</h2></div></div></div>
+<a name="id2567721"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
@@ -124,7 +124,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567865"></a>Supported Operating Systems</h2></div></div></div>
+<a name="id2567732"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index f8fdfd8e..711b1ecd 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch03.html,v 1.77 2009/10/12 23:15:32 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.77.50.1 2010/01/08 02:08:24 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,14 +47,14 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567897">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567913">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567764">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567780">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568004">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568007">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568361">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570124">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568366">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570128">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -68,7 +68,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567897"></a>A Caching-only Name Server</h3></div></div></div>
+<a name="id2567764"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
@@ -98,7 +98,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567913"></a>An Authoritative-only Name Server</h3></div></div></div>
+<a name="id2567780"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
@@ -146,7 +146,7 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568004"></a>Load Balancing</h2></div></div></div>
+<a name="id2568007"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
@@ -289,10 +289,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568358"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568361"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2568363"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<a name="id2568366"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
@@ -786,7 +786,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570124"></a>Signals</h3></div></div></div>
+<a name="id2570128"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index ae5341ce..259fbe00 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch04.html,v 1.103 2009/11/11 01:14:42 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.103.22.1 2010/01/08 02:08:24 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,29 +49,29 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570568">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570654">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570571">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570658">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571088">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571229">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571240">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571345">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571539">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571588">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571091">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571233">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571348">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571542">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571591">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571602">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571651">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571605">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571654">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571719">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571798">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571879">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571722">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572061">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572065">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572328">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572349">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572331">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572353">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -224,7 +224,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570568"></a>Split DNS</h2></div></div></div>
+<a name="id2570571"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -254,7 +254,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570654"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2570658"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@@ -511,7 +511,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571088"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2571091"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -519,7 +519,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571105"></a>Automatic Generation</h4></div></div></div>
+<a name="id2571108"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
@@ -543,7 +543,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571211"></a>Manual Generation</h4></div></div></div>
+<a name="id2571214"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -558,7 +558,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571229"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2571233"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -566,7 +566,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571240"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571243"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@@ -593,7 +593,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571345"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571348"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -625,7 +625,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571539"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571542"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@@ -652,7 +652,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571588"></a>Errors</h3></div></div></div>
+<a name="id2571591"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -678,7 +678,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571602"></a>TKEY</h2></div></div></div>
+<a name="id2571605"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@@ -714,7 +714,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571651"></a>SIG(0)</h2></div></div></div>
+<a name="id2571654"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -775,7 +775,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571719"></a>Generating Keys</h3></div></div></div>
+<a name="id2571722"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@@ -831,7 +831,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571798"></a>Signing the Zone</h3></div></div></div>
+<a name="id2571801"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to sign a zone.
@@ -873,7 +873,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571879"></a>Configuring Servers</h3></div></div></div>
+<a name="id2571882"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@@ -1019,7 +1019,7 @@ options {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572061"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="id2572065"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6 name to address and address to name
@@ -1057,7 +1057,7 @@ options {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572328"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572331"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -1076,7 +1076,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572349"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572353"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index c4d9bb4c..bc5d02a1 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch05.html,v 1.84 2009/11/11 01:14:42 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.84.22.1 2010/01/08 02:08:24 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572451">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572451"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572454"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index ab9e955e..a76ee137 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch06.html,v 1.249 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.2 2010/01/08 02:08:24 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,58 +48,58 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573997">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573932">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574515"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574518"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574773"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575132"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575149"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575136"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575153"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575173"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575196"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575287"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575413"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575200"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575290"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575416"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577480"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577554"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577686"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577730"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577483"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577557"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577689"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577733"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577745"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577748"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588103"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588122"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588326"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588377"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588277"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588328"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588424"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588475"><span><strong class="command">managed-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588375"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588494"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588848"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588867"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590421"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590440"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593225">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593176">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595387">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595406">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596003">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596130">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596403"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595954">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596149">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596422"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -477,7 +477,7 @@
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573627"></a>Syntax</h4></div></div></div>
+<a name="id2573630"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -486,7 +486,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573655"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573658"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@@ -570,7 +570,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573997"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573932"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
@@ -580,7 +580,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2574012"></a>Syntax</h4></div></div></div>
+<a name="id2573947"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -596,7 +596,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2574042"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573977"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
@@ -848,7 +848,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574515"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574518"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
address_match_list
};
@@ -930,7 +930,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574773"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574776"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
[ inet ( ip_addr | * ) [ port ip_port ]
allow { <em class="replaceable"><code> address_match_list </code></em> }
@@ -1054,12 +1054,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575132"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575136"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575149"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2575153"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
@@ -1074,7 +1074,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575173"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575176"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@@ -1083,7 +1083,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575196"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575200"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1130,7 +1130,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575287"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575290"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
@@ -1154,7 +1154,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575413"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575416"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">logging</strong></span> statement configures a
@@ -1188,7 +1188,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575465"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575468"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
@@ -1753,7 +1753,7 @@ category notify { null; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2576961"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<a name="id2576964"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<p>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: To identify
@@ -1981,7 +1981,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577480"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577483"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -1997,7 +1997,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577554"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577557"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
@@ -2048,7 +2048,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577686"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577689"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
@@ -2056,7 +2056,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577730"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2577733"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
@@ -2065,7 +2065,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577745"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577748"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -3489,16 +3489,35 @@ options {
<span><strong class="command">yes</strong></span>.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
-<dd><p>
- Allow a zone to transition from secure to insecure by
- deleting all DNSKEY records. The default is
- <span><strong class="command">no</strong></span>.
- </p></dd>
+<dd>
+<p>
+ Allow a dynamic zone to transition from secure to
+ insecure (i.e., signed to unsigned) by deleting all
+ of the DNSKEY records. The default is <span><strong class="command">no</strong></span>.
+ If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset
+ at the zone apex is deleted, all RRSIG and NSEC records
+ will be removed from the zone as well.
+ </p>
+<p>
+ If the zone uses NSEC3, then it is also necessary to
+ delete the NSEC3PARAM RRset from the zone apex; this will
+ cause the removal of all corresponding NSEC3 records.
+ (It is expected that this requirement will be eliminated
+ in a future release.)
+ </p>
+<p>
+ Note that if a zone has been configured with
+ <span><strong class="command">auto-dnssec maintain</strong></span> and the
+ private keys remain accessible in the key repository,
+ then the zone will be automatically signed again the
+ next time <span><strong class="command">named</strong></span> is started.
+ </p>
+</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582885"></a>Forwarding</h4></div></div></div>
+<a name="id2582836"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -3542,7 +3561,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2583012"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2583031"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
@@ -3739,7 +3758,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2583449"></a>Interfaces</h4></div></div></div>
+<a name="id2583468"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@@ -4191,7 +4210,7 @@ avoid-v6-udp-ports {};
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584652"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2584672"></a>UDP Port Lists</h4></div></div></div>
<p>
<span><strong class="command">use-v4-udp-ports</strong></span>,
<span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -4233,7 +4252,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584780"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2584731"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -4395,7 +4414,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2585134"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2585222"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
@@ -5191,7 +5210,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587214"></a>Content Filtering</h4></div></div></div>
+<a name="id2587165"></a>Content Filtering</h4></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 provides the ability to filter
out DNS responses from external DNS servers containing
@@ -5521,7 +5540,7 @@ deny-answer-aliases { "example.net"; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2588103"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<a name="id2588122"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">statistics-channels</strong></span> statement
@@ -5572,7 +5591,7 @@ deny-answer-aliases { "example.net"; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2588326"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2588277"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -5581,7 +5600,7 @@ deny-answer-aliases { "example.net"; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2588377"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2588328"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -5621,7 +5640,7 @@ deny-answer-aliases { "example.net"; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2588424"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2588375"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
<em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -5630,7 +5649,7 @@ deny-answer-aliases { "example.net"; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2588475"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
+<a name="id2588494"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">managed-keys</strong></span> statement, like
@@ -5756,7 +5775,7 @@ deny-answer-aliases { "example.net"; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2588848"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2588867"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
@@ -6036,10 +6055,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590421"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2590440"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590428"></a>Zone Types</h4></div></div></div>
+<a name="id2590448"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -6250,7 +6269,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590856"></a>Class</h4></div></div></div>
+<a name="id2590807"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -6272,7 +6291,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590889"></a>Zone Options</h4></div></div></div>
+<a name="id2590840"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
@@ -6943,7 +6962,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593225"></a>Zone File</h2></div></div></div>
+<a name="id2593176"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -6956,7 +6975,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593243"></a>Resource Records</h4></div></div></div>
+<a name="id2593262"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -7693,7 +7712,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594730"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2594886"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -7896,7 +7915,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2595387"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2595406"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -8152,7 +8171,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2596003"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2595954"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -8213,7 +8232,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2596130"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2596149"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -8228,7 +8247,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596152"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
+<a name="id2596171"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<p>
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@@ -8239,7 +8258,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596168"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2596256"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
@@ -8268,7 +8287,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596229"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2596316"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
@@ -8304,7 +8323,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596298"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2596386"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
@@ -8323,7 +8342,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2596403"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2596422"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
@@ -8747,7 +8766,7 @@ HOST-127.EXAMPLE. MX 0 .
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2597356"></a>Name Server Statistics Counters</h4></div></div></div>
+<a name="id2597444"></a>Name Server Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -9304,7 +9323,7 @@ HOST-127.EXAMPLE. MX 0 .
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2598898"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<a name="id2598917"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -9458,7 +9477,7 @@ HOST-127.EXAMPLE. MX 0 .
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599417"></a>Resolver Statistics Counters</h4></div></div></div>
+<a name="id2599436"></a>Resolver Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -9841,7 +9860,7 @@ HOST-127.EXAMPLE. MX 0 .
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2600439"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<a name="id2600458"></a>Socket I/O Statistics Counters</h4></div></div></div>
<p>
Socket I/O statistics counters are defined per socket
types, which are
@@ -9996,7 +10015,7 @@ HOST-127.EXAMPLE. MX 0 .
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2600881"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<a name="id2600900"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<p>
Most statistics counters that were available
in <span><strong class="command">BIND</strong></span> 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index a6e0e47a..02d84d46 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch07.html,v 1.220 2009/12/04 22:22:27 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.220.4.2 2010/01/08 02:08:25 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,10 +46,10 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601054"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601142"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601136">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601195">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601223">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601283">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
@@ -122,7 +122,7 @@ zone "example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601054"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2601142"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
@@ -148,7 +148,7 @@ zone "example.com" {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2601136"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2601223"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
@@ -176,7 +176,7 @@ zone "example.com" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2601195"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2601283"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 551256cd..578609e7 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch08.html,v 1.220 2009/12/04 22:22:27 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.220.4.2 2010/01/08 02:08:25 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601275">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601281">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601292">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601378">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601363">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601368">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601380">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601397">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601275"></a>Common Problems</h2></div></div></div>
+<a name="id2601363"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2601281"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2601368"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601292"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2601380"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers &#8212; they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601378"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2601397"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 820fe28b..a8e96f8a 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch09.html,v 1.222 2009/12/04 22:22:25 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.222.4.2 2010/01/08 02:08:25 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,21 +45,21 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601576">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601595">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601816">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601835">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605028">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605047">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601576"></a>Acknowledgments</h2></div></div></div>
+<a name="id2601595"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -162,7 +162,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601816"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2601835"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -250,17 +250,17 @@
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2602004"></a>Bibliography</h4></div></div></div>
+<a name="id2602023"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
-<a name="id2602014"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2602034"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602038"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2602057"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602061"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2602081"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
@@ -268,42 +268,42 @@
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2602098"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2602117"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602124"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2602144"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602150"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602169"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602174"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602194"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602198"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2602217"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602253"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2602273"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602280"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2602299"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602307"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2602326"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602369"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602388"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602398"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602418"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602428"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2602448"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602455"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2602474"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
@@ -312,19 +312,19 @@
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2602537"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2602556"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602564"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2602583"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602600"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2602619"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602665"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2602684"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602730"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2602749"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
@@ -332,146 +332,146 @@
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
-<a name="id2602804"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2602823"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602829"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2602849"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602898"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602917"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602933"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2602952"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
-<a name="id2602979"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2602998"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603036"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2603056"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603074"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2603093"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603109"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2603128"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603232"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2603251"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603270"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2603289"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603296"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2603315"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603321"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603340"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603348"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603367"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603374"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603394"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603414"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603433"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603444"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603463"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603474"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2603493"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603516"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2603536"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603549"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2603569"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603576"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2603595"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603600"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2603619"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603657"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2603676"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
-<a name="id2603689"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2603708"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603715"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2603734"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603737"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2603756"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603761"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2603780"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603806"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2603826"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603830"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2603849"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
-<a name="id2603888"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2603907"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603911"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2603930"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603938"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2603957"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603964"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2603984"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604001"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2604020"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
-<a name="id2604046"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2604066"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604078"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2604098"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604193"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2604212"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604228"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2604247"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
@@ -487,47 +487,47 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2604273"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2604292"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604295"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2604314"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604321"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2604340"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604346"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2604365"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604370"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2604389"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604416"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2604435"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604439"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2604458"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604466"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2604485"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604491"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2604510"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
-<a name="id2604535"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2604554"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604593"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2604612"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604619"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2604638"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
@@ -541,39 +541,39 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2604667"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2604686"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604707"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2604726"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604733"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2604753"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604763"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2604782"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604789"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2604808"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604816"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2604835"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604852"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2604871"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604888"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2604907"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604915"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2604934"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604941"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2604961"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2604986"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2605005"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@@ -594,14 +594,14 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2605028"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2605047"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2605037"></a>Bibliography</h4></div></div></div>
+<a name="id2605057"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
-<a name="id2605040"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2605059"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 5814e135..fa036aa1 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch10.html,v 1.18 2009/12/04 22:22:27 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch10.html,v 1.18.4.1 2010/01/08 02:08:24 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -106,6 +106,9 @@
<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
</dt>
</dl>
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 5743844a..c66282bc 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.html,v 1.239 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.239.4.2 2010/01/08 02:08:24 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -41,7 +41,7 @@
<div>
<div><h1 class="title">
<a name="id2563174"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright © 2004-2009 Internet Systems Consortium, Inc. ("ISC")</p></div>
+<div><p class="copyright">Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
<hr>
@@ -51,39 +51,39 @@
<dl>
<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563412">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564391">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564531">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564712">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564733">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564768">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567173">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567250">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567422">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567553">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567584">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567610">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567623">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567854">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567865">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567587">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567613">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567626">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567721">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567732">Supported Operating Systems</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567897">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567913">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567764">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567780">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568004">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568007">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568361">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570124">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568366">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570128">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,34 +92,34 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570568">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570654">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570571">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570658">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571088">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571229">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571240">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571345">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571539">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571588">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571091">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571233">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571348">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571542">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571591">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571602">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571651">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571605">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571654">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571719">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571798">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571879">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571722">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572061">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572065">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572328">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572349">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572331">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572353">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572451">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,58 +127,58 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573997">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573932">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574515"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574518"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574773"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575132"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575149"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575136"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575153"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575173"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575196"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575287"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575413"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575200"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575290"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575416"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577480"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577554"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577686"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577730"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577483"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577557"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577689"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577733"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577745"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577748"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588103"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588122"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588326"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588377"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588277"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588328"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588424"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588475"><span><strong class="command">managed-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588375"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588494"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588848"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588867"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590421"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590440"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593225">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593176">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595387">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595406">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596003">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596130">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596403"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595954">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596149">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596422"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -187,31 +187,31 @@
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601054"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601142"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601136">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601195">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601223">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601283">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601275">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601281">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601292">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601378">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601363">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601368">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601380">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601397">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601576">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601595">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601816">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601835">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605028">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605047">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
@@ -274,6 +274,9 @@
<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
</dt>
</dl></dd>
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 670b6a71..0bf82d4a 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.arpaname.html,v 1.2 2009/12/04 22:32:31 tbox Exp $ -->
+<!-- $Id: man.arpaname.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,20 +50,20 @@
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610966"></a><h2>DESCRIPTION</h2>
+<a name="id2613190"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2610981"></a><h2>SEE ALSO</h2>
+<a name="id2613205"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2647449"></a><h2>AUTHOR</h2>
+<a name="id2613219"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 37194b76..aeed4b8e 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.ddns-confgen.html,v 1.40 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.ddns-confgen.html,v 1.40.4.4 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2639866"></a><h2>DESCRIPTION</h2>
+<a name="id2638336"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">ddns-confgen</strong></span>
generates a key for use by <span><strong class="command">nsupdate</strong></span>
and <span><strong class="command">named</strong></span>. It simplifies configuration
@@ -77,7 +77,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2640022"></a><h2>OPTIONS</h2>
+<a name="id2638491"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
@@ -144,7 +144,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2643772"></a><h2>SEE ALSO</h2>
+<a name="id2638760"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -152,7 +152,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2643811"></a><h2>AUTHOR</h2>
+<a name="id2638798"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 0e3e38aa..fafebe92 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dig.html,v 1.138 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.dig.html,v 1.138.4.2 2010/01/08 02:08:26 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -52,7 +52,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2580077"></a><h2>DESCRIPTION</h2>
+<a name="id2563925"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -98,7 +98,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2580172"></a><h2>SIMPLE USAGE</h2>
+<a name="id2580199"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -144,7 +144,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631961"></a><h2>OPTIONS</h2>
+<a name="id2580310"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -248,7 +248,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2632304"></a><h2>QUERY OPTIONS</h2>
+<a name="id2632262"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -573,7 +573,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633372"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2633262"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633458"></a><h2>IDN SUPPORT</h2>
+<a name="id2633348"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633486"></a><h2>FILES</h2>
+<a name="id2633377"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633508"></a><h2>SEE ALSO</h2>
+<a name="id2633466"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633545"></a><h2>BUGS</h2>
+<a name="id2633504"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 2c46a4d3..bbde3499 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-dsfromkey.html,v 1.50 2009/12/04 22:22:25 tbox Exp $ -->
+<!-- $Id: man.dnssec-dsfromkey.html,v 1.50.4.2 2010/01/08 02:08:23 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,14 +51,14 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2606086"></a><h2>DESCRIPTION</h2>
+<a name="id2606181"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606100"></a><h2>OPTIONS</h2>
+<a name="id2606195"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -119,7 +119,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2606357"></a><h2>EXAMPLE</h2>
+<a name="id2606452"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -134,7 +134,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606393"></a><h2>FILES</h2>
+<a name="id2606488"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -148,13 +148,13 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606571"></a><h2>CAVEAT</h2>
+<a name="id2606598"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606581"></a><h2>SEE ALSO</h2>
+<a name="id2606608"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -164,7 +164,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606620"></a><h2>AUTHOR</h2>
+<a name="id2606715"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index a587f68f..3c9177cd 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83 2009/12/04 22:22:25 tbox Exp $ -->
+<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83.4.3 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,10 +47,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2607025"></a><h2>DESCRIPTION</h2>
+<a name="id2607019"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2607250"></a><h2>OPTIONS</h2>
+<a name="id2607040"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -171,10 +171,18 @@
<dd><p>
Sets the debugging level.
</p></dd>
+<dt><span class="term">-y</span></dt>
+<dd><p>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610336"></a><h2>TIMING OPTIONS</h2>
+<a name="id2608158"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -221,7 +229,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610434"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2610168"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@@ -260,7 +268,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2651283"></a><h2>SEE ALSO</h2>
+<a name="id2651085"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -268,7 +276,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2651316"></a><h2>AUTHOR</h2>
+<a name="id2651118"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index bb5f0372..c83bff82 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-keygen.html,v 1.152 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.dnssec-keygen.html,v 1.152.4.3 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2608508"></a><h2>DESCRIPTION</h2>
+<a name="id2608560"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2608529"></a><h2>OPTIONS</h2>
+<a name="id2608580"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -256,7 +256,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2660568"></a><h2>TIMING OPTIONS</h2>
+<a name="id2660619"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -303,7 +303,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2660734"></a><h2>GENERATED KEYS</h2>
+<a name="id2660922"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -349,7 +349,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2660979"></a><h2>EXAMPLE</h2>
+<a name="id2661030"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -370,7 +370,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661035"></a><h2>SEE ALSO</h2>
+<a name="id2661086"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@@ -379,7 +379,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661066"></a><h2>AUTHOR</h2>
+<a name="id2661117"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index b17f7a39..217d2efd 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-revoke.html,v 1.35 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.dnssec-revoke.html,v 1.35.4.3 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2607165"></a><h2>DESCRIPTION</h2>
+<a name="id2609060"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609500"></a><h2>OPTIONS</h2>
+<a name="id2609074"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -91,14 +91,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2609608"></a><h2>SEE ALSO</h2>
+<a name="id2609181"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609633"></a><h2>AUTHOR</h2>
+<a name="id2609206"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 5608d208..b778af86 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-settime.html,v 1.30 2009/12/04 22:22:25 tbox Exp $ -->
+<!-- $Id: man.dnssec-settime.html,v 1.30.4.3 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2609787"></a><h2>DESCRIPTION</h2>
+<a name="id2609702"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -75,7 +75,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609846"></a><h2>OPTIONS</h2>
+<a name="id2609761"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
@@ -106,7 +106,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610554"></a><h2>TIMING OPTIONS</h2>
+<a name="id2610469"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610652"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2610567"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
@@ -177,7 +177,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2611552"></a><h2>SEE ALSO</h2>
+<a name="id2610852"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -185,7 +185,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2611585"></a><h2>AUTHOR</h2>
+<a name="id2610885"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 604b7e1e..e5fda458 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-signzone.html,v 1.152 2009/12/04 22:22:25 tbox Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.152.4.3 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2612219"></a><h2>DESCRIPTION</h2>
+<a name="id2612066"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612238"></a><h2>OPTIONS</h2>
+<a name="id2612085"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -397,7 +397,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2661917"></a><h2>EXAMPLE</h2>
+<a name="id2662105"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -427,14 +427,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2662133"></a><h2>SEE ALSO</h2>
+<a name="id2662252"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2662157"></a><h2>AUTHOR</h2>
+<a name="id2662277"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 8741c8f5..21885b8b 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.genrandom.html,v 1.2 2009/12/04 22:32:31 tbox Exp $ -->
+<!-- $Id: man.genrandom.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -23,7 +23,7 @@
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.arpaname.html" title="arpaname">
-<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
+<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@@ -33,7 +33,7 @@
<td width="20%" align="left">
<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
</td>
</tr>
</table>
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">genrandom</code> {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2611162"></a><h2>DESCRIPTION</h2>
+<a name="id2638850"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">genrandom</strong></span>
generates a file containing a specified quantity of pseudo-random
@@ -59,7 +59,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2611177"></a><h2>ARGUMENTS</h2>
+<a name="id2638865"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">size</span></dt>
<dd><p>
@@ -72,14 +72,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2647530"></a><h2>SEE ALSO</h2>
+<a name="id2638900"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2647557"></a><h2>AUTHOR</h2>
+<a name="id2638926"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
@@ -91,14 +91,14 @@
<td width="40%" align="left">
<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">arpaname</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
+<td width="40%" align="right" valign="top"> <span class="application">isc-hmac-fixup</span>
</td>
</tr>
</table>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index fb3adb43..dc783775 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.host.html,v 1.136 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.host.html,v 1.136.4.2 2010/01/08 02:08:26 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2605336"></a><h2>DESCRIPTION</h2>
+<a name="id2605431"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605782"></a><h2>IDN SUPPORT</h2>
+<a name="id2607242"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -216,12 +216,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605879"></a><h2>FILES</h2>
+<a name="id2607271"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605893"></a><h2>SEE ALSO</h2>
+<a name="id2607285"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
new file mode 100644
index 00000000..fbcefeb9
--- /dev/null
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -0,0 +1,122 @@
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: man.isc-hmac-fixup.html,v 1.1.2.4 2010/01/20 02:08:51 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>isc-hmac-fixup</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.genrandom.html" title="genrandom">
+<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643593"></a><h2>DESCRIPTION</h2>
+<p>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </p>
+<p>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
+ modifies those keys to restore compatibility.
+ </p>
+<p>
+ To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643621"></a><h2>SECURITY CONSIDERATIONS</h2>
+<p>
+ Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643637"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2104</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643654"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">genrandom</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index b47370e2..bae1246f 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named-checkconf.html,v 1.146 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.named-checkconf.html,v 1.146.4.4 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,14 +50,27 @@
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2612686"></a><h2>DESCRIPTION</h2>
+<a name="id2612385"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <span><strong class="command">named</strong></span> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <code class="filename">/etc/named.conf</code> is read
+ by default.
+ </p>
+<p>
+ Note: files that <span><strong class="command">named</strong></span> reads in separate
+ parser contexts, such as <code class="filename">rndc.key</code> and
+ <code class="filename">bind.keys</code>, are not automatically read
+ by <span><strong class="command">named-checkconf</strong></span>. Configuration
+ errors in these files may cause <span><strong class="command">named</strong></span> to
+ fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
+ successful. <span><strong class="command">named-checkconf</strong></span> can be run
+ on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612700"></a><h2>OPTIONS</h2>
+<a name="id2612455"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -96,21 +109,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2612835"></a><h2>RETURN VALUES</h2>
+<a name="id2612589"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612849"></a><h2>SEE ALSO</h2>
+<a name="id2612603"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612878"></a><h2>AUTHOR</h2>
+<a name="id2612633"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 878d20e8..2965763d 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named-checkzone.html,v 1.154 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.named-checkzone.html,v 1.154.4.4 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,7 +51,7 @@
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2613543"></a><h2>DESCRIPTION</h2>
+<a name="id2613378"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,7 +71,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2662199"></a><h2>OPTIONS</h2>
+<a name="id2613428"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@@ -265,14 +265,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2662970"></a><h2>RETURN VALUES</h2>
+<a name="id2665809"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2662984"></a><h2>SEE ALSO</h2>
+<a name="id2665891"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -280,7 +280,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2663017"></a><h2>AUTHOR</h2>
+<a name="id2665924"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index f5a3f604..691616d0 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named-journalprint.html,v 1.2 2009/12/04 22:32:31 tbox Exp $ -->
+<!-- $Id: man.named-journalprint.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2608829"></a><h2>DESCRIPTION</h2>
+<a name="id2610712"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2608875"></a><h2>SEE ALSO</h2>
+<a name="id2614444"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
@@ -84,7 +84,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2615869"></a><h2>AUTHOR</h2>
+<a name="id2614475"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 1f9cfed0..c18bad7b 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named.html,v 1.156 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.named.html,v 1.156.4.4 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2614459"></a><h2>DESCRIPTION</h2>
+<a name="id2613748"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614490"></a><h2>OPTIONS</h2>
+<a name="id2613779"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -246,7 +246,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2635114"></a><h2>SIGNALS</h2>
+<a name="id2614401"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -267,7 +267,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668137"></a><h2>CONFIGURATION</h2>
+<a name="id2635204"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -284,7 +284,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668186"></a><h2>FILES</h2>
+<a name="id2635253"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@@ -297,7 +297,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2668230"></a><h2>SEE ALSO</h2>
+<a name="id2635297"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@@ -310,7 +310,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668300"></a><h2>AUTHOR</h2>
+<a name="id2669978"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 6802d52c..90294a57 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.nsec3hash.html,v 1.2 2009/12/04 22:32:31 tbox Exp $ -->
+<!-- $Id: man.nsec3hash.html,v 1.2.4.5 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.genrandom.html" title="genrandom">
+<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@@ -30,7 +30,7 @@
<tr><th colspan="3" align="center"><span class="application">nsec3hash</span></th></tr>
<tr>
<td width="20%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> </td>
</tr>
@@ -48,7 +48,7 @@
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2648474"></a><h2>DESCRIPTION</h2>
+<a name="id2646089"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2648489"></a><h2>ARGUMENTS</h2>
+<a name="id2646104"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">salt</span></dt>
<dd><p>
@@ -80,14 +80,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2648551"></a><h2>SEE ALSO</h2>
+<a name="id2646166"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5155</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2648568"></a><h2>AUTHOR</h2>
+<a name="id2646183"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
@@ -97,13 +97,13 @@
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right"> </td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
-<span class="application">genrandom</span> </td>
+<span class="application">isc-hmac-fixup</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> </td>
</tr>
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index d497796c..219a41b0 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.nsupdate.html,v 1.80 2009/12/04 22:22:25 tbox Exp $ -->
+<!-- $Id: man.nsupdate.html,v 1.80.4.5 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616486"></a><h2>DESCRIPTION</h2>
+<a name="id2614750"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -157,7 +157,7 @@
using the <code class="option">-l</code> flag. This sets the server address to
localhost (disabling the <span><strong class="command">server</strong></span> so that the server
address cannot be overridden). Connections to the local server will
- use a TSIG key found in <code class="filename">/var/run/named/ddns.key</code>,
+ use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
which is automatically generated by <span><strong class="command">named</strong></span> if any
local master zone has set <span><strong class="command">update-policy</strong></span> to
<span><strong class="command">local</strong></span>. The location of this key file can be
@@ -210,7 +210,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2629654"></a><h2>INPUT FORMAT</h2>
+<a name="id2619044"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@@ -474,7 +474,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2672807"></a><h2>EXAMPLES</h2>
+<a name="id2672983"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@@ -528,13 +528,13 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2672857"></a><h2>FILES</h2>
+<a name="id2673033"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
used to identify default name server
</p></dd>
-<dt><span class="term"><code class="constant">/var/run/named/ddns.key</code></span></dt>
+<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
<dd><p>
sets the default TSIG key for use in local-only mode
</p></dd>
@@ -551,7 +551,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2673009"></a><h2>SEE ALSO</h2>
+<a name="id2673116"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
@@ -566,7 +566,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2673066"></a><h2>BUGS</h2>
+<a name="id2673174"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index d87ca424..fdaf9480 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc-confgen.html,v 1.160 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.rndc-confgen.html,v 1.160.4.4 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2638110"></a><h2>DESCRIPTION</h2>
+<a name="id2637536"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@@ -66,7 +66,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2638177"></a><h2>OPTIONS</h2>
+<a name="id2637738"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@@ -173,7 +173,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2639587"></a><h2>EXAMPLES</h2>
+<a name="id2638193"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@@ -190,7 +190,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2644081"></a><h2>SEE ALSO</h2>
+<a name="id2639341"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -198,7 +198,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2644119"></a><h2>AUTHOR</h2>
+<a name="id2639380"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 4a16e904..41ca9787 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc.conf.html,v 1.161 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.rndc.conf.html,v 1.161.4.4 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2637349"></a><h2>DESCRIPTION</h2>
+<a name="id2611242"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2637521"></a><h2>EXAMPLE</h2>
+<a name="id2636331"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2637642"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2637272"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2637668"></a><h2>SEE ALSO</h2>
+<a name="id2637298"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2637774"></a><h2>AUTHOR</h2>
+<a name="id2637336"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 0ffce38e..cd59e490 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc.html,v 1.159 2009/12/04 22:22:26 tbox Exp $ -->
+<!-- $Id: man.rndc.html,v 1.159.4.4 2010/01/20 02:08:51 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2635271"></a><h2>DESCRIPTION</h2>
+<a name="id2623637"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -79,7 +79,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2635321"></a><h2>OPTIONS</h2>
+<a name="id2623687"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@@ -151,7 +151,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2636161"></a><h2>LIMITATIONS</h2>
+<a name="id2635654"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +165,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2636192"></a><h2>SEE ALSO</h2>
+<a name="id2635685"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -175,7 +175,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2636247"></a><h2>AUTHOR</h2>
+<a name="id2635740"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt b/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt
deleted file mode 100644
index 5278587d..00000000
--- a/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt
+++ /dev/null
@@ -1,1058 +0,0 @@
-DNS Extensions Working Group Edward Lewis
-INTERNET-DRAFT NeuStar, Inc.
-Expires: Octopber 1, 2009 April 2009
-Updates: 1034, 1035 (if approved)
-Intended status: Standards Track
-
- DNS Zone Transfer Protocol (AXFR)
- draft-ietf-dnsext-axfr-clarify-11.txt
-
-Status of this Memo
-
- This Internet-Draft is submitted to IETF in full conformance with the
- provisions of BCP 78 and BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
- This Internet-Draft will expire on October 1, 2009.
-
-Copyright Notice
-
- Copyright (c) 2009 IETF Trust and the persons identified as the
- document authors. All rights reserved.
-
- This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (http://trustee.ietf.org/license-info) in effect on the date of
- publication of this document. Please review these documents
- carefully, as they describe your rights and restrictions with
- respect to this document.
-
-Abstract
-
-The Domain Name System standard mechanisms for maintaining coherent
-servers for a zone consist of three elements. One mechanism is the
-Authoritative Transfer (AXFR) is defined in RFC 1034 and RFC 1035.
-The definition of AXFR, has proven insufficient in detail, forcing
-implementations intended to be compliant to make assumptions, impeding
-interoperability. Yet today we have a satisfactory set of
-implementations that do interoperate. This document is a new
-definition of the AXFR, new in the sense that is it recording an
-accurate definition of an interoperable AXFR mechanism.
-
-1 Introduction
-
-The Domain Name System standard facilities for maintaining coherent
-servers for a zone consist of three elements. Authoritative
-Transfer (AXFR) is defined in "Domain Names - Concepts and Facilities"
-[RFC1034] (referred to in this document as RFC 1034) and "Domain Names
-- Implementation and Specification" [RFC1035] (aka RFC 1035).
-Incremental Zone Transfer (IXFR) is defined in "Incremental Zone
-Transfer in DNS" [RFC1995]. A mechanism for prompt notification of
-zone changes (NOTIFY) is defined in "A Mechanism for Prompt
-Notification of Zone Changes (DNS NOTIFY)" [RFC1996]. The goal of
-these mechanisms is to enable a set of DNS name servers to remain
-coherently authoritative for a given zone.
-
-Comments on this draft ought to be addressed to the editor or to
-namedroppers@ops.ietf.org.
-
-1.1 Definition of Terms
-
-The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-document are to be interpreted as described in "Key words for use in
-RFCs to Indicate Requirement Levels" [BCP14].
-
-"Newer"/"New" DNS and "older"/"old" DNS refers to implementations
-written after and prior to the publication of this document.
-
-1.2 Scope
-
-In the greater context there are many ways to achieve coherency among
-a set of name servers. The AXFR, IXFR and NOTIFY mechanisms form
-just one, the one defined in the RFCs cited. For example, there are
-DNS implementations that assemble answers from data stored in
-relational databases (as opposed to master files) relying on the
-database's non-DNS means to synchronize the database instances. Some
-of these non-DNS solutions interoperate in some fashion. As far as
-it is known, AXFR, IXFR and NOTIFY are the only in-band mechanisms
-that provide an interoperable solution to the desire for coherency
-within the definition of DNS, they certainly are the only mechanisms
-documented by the IETF.
-
-This document does not cover incoherent DNS situations. There are
-applications of the DNS in which servers for a zone are designed to be
-incoherent. For these configurations, a coherency mechanism as
-described here would be unsuitable.
-
-"General purpose DNS implementation" refers to DNS software developed
-for wide-spread use. This includes resolvers and servers freely
-accessible as libraries and standalone processes. This also includes
-proprietary implementations used only in support of DNS service
-offerings.
-
-"Turnkey DNS implementation" refers to custom made, single use
-implementations of DNS. Such implementations consist of software
-that employs the DNS protocol message format yet do not conform to
-the entire range of DNS functionality.
-
-A DNS implementation is not required to support AXFR, IXFR and NOTIFY.
-A DNS implementation SHOULD have some means for maintaining name server
-coherency. A general purpose DNS implementation SHOULD include AXFR
-(and in the same vein IXFR and NOTIFY), but turnkey DNS implementations
-MAY exist without AXFR. (An editorial note to readers of this section.
-The mention of IXFR and NOTIFY is for context and illustration, this
-document does not make any normative comments on those mechanisms.)
-
-1.3 Context
-
-Besides describing the mechanisms themselves, there is the context in
-which they operate to consider. When AXFR, IXFR and NOTIFY were
-defined, there was little consideration given to security and privacy
-issues. Since the original definition of AXFR, new opinions have
-appeared on the access to an entire zone's contents. In this document,
-the basic mechanisms will be discussed separately from the permission
-to use these mechanisms.
-
-1.4 Coverage and Relationship to Original AXFR Specification
-
-This document concentrates on just the definition of AXFR. Any effort
-to update the IXFR or NOTIFY mechanisms would be done in different
-documents.
-
-The original "specification" of the AXFR sub-protocol is scattered
-through RFC 1034 and RFC 1035. Section 2.2 of RFC 1035 on page 5
-depicts the scenario for which AXFR has been designed. Section 4.3.5
-of RFC 1034 describes the zone synchronization strategies in general
-and rules for the invocation of a full zone transfer via AXFR; the
-fifth paragraph of that section contains a very short sketch of the
-AXFR protocol; Section 5.5 of RFC 2181 has corrected a significant
-flaw in that specification. Section 3.2.3 of RFC 1035 has assigned
-the code point for the AXFR QTYPE (see section 2.1.2 below for more
-details). Section 4.2 of RFC 1035 discusses the transport layer use
-of DNS and shortly explains why UDP transport is deemed inappropriate
-for AXFR; the last paragraph of Section 4.2.2 gives details for the
-TCP connection management with AXFR. Finally, the second paragraph
-of Section 6.3 in RFC 1035 mandates server behavior when zone data
-changes occur during an ongoing zone transfer using AXFR.
-
-This document will update the specification of AXFR in fully
-specifying the record formats and processing rules for AXFR, largely
-expanding on paragraph 5 of Section 4.3.5 of RFC 1034, and detailing
-the transport considerations for AXFR, thus amending Section 4.2.2 of
-RFC 1035. Furthermore, it discusses backward compatibility issues
-and provides policy/management considerations as well as specific
-Security Considerations for AXFR. The goal of this document is to
-define AXFR as it exists, or is supposed to exist, currently.
-
-2 AXFR Messages
-
-An AXFR session consists of an AXFR query message and the sequence of
-AXFR response messages returned for it. In this document, the AXFR
-client is the sender of the AXFR query and the AXFR server is the
-responder. (Use of terms such as master, slave, primary, secondary
-are not important to defining AXFR.) The use of the word "session"
-without qualification refers to an AXFR session.
-
-An important aspect to keep in mind is that the definition of AXFR is
-restricted to TCP [RFC0793]. The design of the AXFR process has
-certain inherent features that are not easily ported to UDP [RFC0768].
-
-The basic format of an AXFR message is the DNS message as defined in
-RFC 1035, Section 4 ("MESSAGES") [RFC1035], updated by the following:
-- "A Mechanism for Prompt Notification of Zone Changes (...)" [RFC1996]
-- "Domain Name System (DNS) IANA Considerations" [RFC5395]
-- "Dynamic Updates in the Domain Name System (DNS UPDATE)" [RFC2136]
-- "Clarifications to the DNS Specification" [RFC2181]
-- "Extension Mechanisms for DNS (EDNS0)" [RFC2671]
-- "Secret Key Transaction Authentication for DNS (TSIG)" [RFC2845]
-- "Secret Key Establishment for DNS (TKEY RR)" [RFC2930]
-- "Obsoleting IQUERY" [RFC3425]
-- "Handling of Unknown DNS Resource Record (RR) Types" [RFC3597]
-- "Resource Records for the DNS Security Extensions" [RFC4034]
-- "Protocol Modifications for the DNS Security Extensions" [RFC4035]
-- "Use of SHA-256 in DNSSEC ... (DS) ... (RRs)" [RFC4509]
-- "HMAC SHA TSIG Algorithm Identifiers" [RFC4635]
-- "... (DNSSEC) Hashed Authenticated Denial of Existence" [RFC5155]
-
-For completeness, the following, in process, documents contain
-information about the DNS message. These documents ought not interfere
-with AXFR but these documents are helpful in understanding what will
-be carried via AXFR.
-
-- "Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource
- Records for DNSSEC" [DRAFT1]
-- "Clarifications and Implementation Notes for DNSSECbis" [DRAFT2]
-
-The upper limit on the permissible size of a DNS message over TCP is
-only restricted by the TCP framing defined in RFC 1035, section 4.2.2
-which specifies a two-octet message length field, understood to be
-unsigned, and thus causing a limit of 65535 octets. Unlike DNS
-messages over UDP, this limit is not changed by EDNS0.
-
-Note that the TC (truncation) bit is never set by an AXFR server nor
-considered/read by an AXFR client.
-
-Field names used in this document will correspond to the names as they
-appear in the IANA registry for DNS Header Flags [DNSFLGS].
-
-2.1 AXFR query
-
-An AXFR query is sent by a client whenever there is a reason to ask.
-This might be because of zone maintenance activities or as a result of
-a command line request, say for debugging.
-
-An AXFR query is sent by a client whenever there is a reason to ask.
-This might be because of scheduled or triggered zone maintenance
-activities (see section 4.3.5 of RFC 1034 and DNS NOTIFY [RFC1996],
-respectively) or as a result of a command line request, say for
-debugging.
-
-2.1.1 Header Values
-
-These are the DNS message header values for an AXFR query.
-
-ID See note 2.1.1.a
-QR MUST be 0 (Query)
-OPCODE MUST be 0 (Standard Query)
-AA See note 2.1.1.b
-TC See note 2.1.1.b
-RD See note 2.1.1.b
-RA See note 2.1.1.b
-Z See note 2.1.1.c
-AD See note 2.1.1.b
-CD See note 2.1.1.b
-RCODE MUST be 0 (No error)
-QDCOUNT MUST be 1
-ANCOUNT MUST be 0
-NSCOUNT MUST be 0
-ARCOUNT See note 2.1.1.d
-
-Note 2.1.1.a Set to any value that the client is not already using
-with the same server. There is no specific means for selecting the
-value in this field. (Recall that AXFR is done only via TCP
-connections.)
-
-A server MUST reply using messages that use the same message ID to
-allow a client to meaningfully have multiple AXFR queries outstanding.
-
-Note 2.1.1.b The value in this field has no meaning in the context of
-AXFR query messages. For the client, it is RECOMMENDED that the
-value be zero. The server MUST ignore this value.
-
-Note 2.1.1.c The client MUST set this bit to 0, the server MUST ignore
-it.
-
-Note 2.1.1.d The client MUST set this field to be the number of
-resource records appearing in the additional section. See Section
-2.1.5 "Additional Section" for details.
-
-The value MAY be 0, 1 or 2. If it is 2, the additional
-section MUST contain both an EDNS0 [RFC2671] OPT resource record and
-a record carrying transaction integrity and authentication data,
-currently a choice of TSIG [RFC2845] and SIG(0) [RFC2931]. If the
-value is 1, then the additional section MUST contain either only an
-EDNS0 OPT resource record or a record carrying transaction integrity
-and authentication data. If the value is 0, the additional section
-MUST be empty.
-
-2.1.2 Query Section
-
-The Query section of the AXFR query MUST conform to section 4.1.2 of
-RFC 1035, and contain the following values:
-
-QNAME the name of the zone requested
-QTYPE AXFR(= 252), the pseudo-RR type for zone transfer [DNSVALS]
-QCLASS the class of the zone requested
-
-2.1.3 Answer Section
-
-MUST be empty.
-
-2.1.4 Authority Section
-
-MUST be empty.
-
-2.1.5 Additional Section
-
-The client MAY include an EDNS0 OPT [RFC2671] resource record. If the
-server has indicated that it does not support EDNS0, the client MUST
-send this section without an EDNS0 OPT resource record if there is a
-retry. Indication that a server does not support EDNS0 is not an
-explicit element in the protocol, it is up to the client to interpret.
-Most likely, the server will return a FORMERR which might be related to
-the OPT resource record.
-
-The client MAY include a transaction integrity and authentication
-resource record, currently a choice of TSIG [RFC2845] or SIG(0)
-[RFC2931]. If the server has indicated that it does not recognize the
-resource record, and that the error is indeed caused by the resource
-record, the client probably ought not try again. Removing the security
-data in the face of an obstacle ought to only be done with full
-awareness of the implication of doing so.
-
-In general, if an AXFR client is aware that an AXFR server does not
-support a particular mechanism, the client SHOULD NOT attempt to engage
-the server using the mechanism (or at all). A client could become
-aware of a server's abilities via a configuration setting or via some
-other (as yet) undefined means.
-
-The range of permissible resource records that MAY appear in the
-additional section might change over time. If either a change to an
-existing resource record (like the OPT RR for EDNS0) is made or
-a new additional section record is created, the new definitions ought
-to include a discussion on the impact upon AXFR. Although this is not
-predictable, future additional section residing records may have an
-effect that is orthogonal to AXFR, so can ride through the session as
-opaque data. In this case, a "wise" implementation ought to be able
-to pass these records through without disruption.
-
-2.2 AXFR response
-
-The AXFR response will consist of 0 or more messages. A "0 message"
-response is covered in section 2.2.1.
-
-An AXFR response that is transferring the zone's contents will consist
-of a series (which could be a series of length 1) of DNS messages.
-In such a series, the first message MUST begin with the SOA
-resource record of the zone, the last message MUST conclude with the
-same SOA resource record. Intermediate messages MUST NOT contain the
-SOA resource record. The first message MUST copy the Query Section
-from the corresponding AXFR query message in to the first response
-message's query section. Subsequent messages MAY do the same.
-
-An AXFR response that is indicating an error MUST consist of a single
-DNS message with the return code set to the appropriate value for the
-condition encountered - once the error condition is detected. Such
-a message MUST terminate the AXFR session; it MUST copy the Query
-Section from the AXFR query into its Query Section, but the inclusion
-of the terminating SOA resource record is not necessary.
-
-An AXFR client might receive a number of AXFR response messages
-free of an error condition before the message indicating an error
-is received.
-
-2.2.1 "0 Message" Response
-
-A legitimate "0 message" response, i.e., the client sees no response
-whatsoever, is very exceptional and controversial. Unquestionably it
-is unhealthy for there to be 0 responses in a protocol that is designed
-around a query - response paradigm over an unreliable transport. The
-lack of a response could be a sign of underlying network problems and
-cause the protocol state machine to react accordingly. However, AXFR
-uses TCP and not UDP, eliminating undetectable network errors.
-
-A "0 message response" is reserved for situations in which the server
-has a reason to suspect that the query is sent for the purpose of
-abuse. Due to the use of this being so controversial, a "0 message
-response" is not being defined as a legitimate part of the protocol
-but the use of it is being acknowledged as a warning to AXFR client
-implementations. Any earnest query has the expectation of some
-response but may not get one.
-
-2.2.2 Header Values
-
-ID See note 2.2.2.a
-QR MUST be 1 (Response)
-OPCODE MUST be 0 (Standard Query)
-AA See note 2.2.2.b
-TC MUST be 0 (Not truncated)
-RD RECOMMENDED copy request's value, MAY be set to 0
-RA See note 2.2.2.c
-Z See note 2.2.2.d
-AD See note 2.2.2.e
-CD See note 2.2.2.e
-RCODE See note 2.2.2.f
-QDCOUNT MUST be 1 in the first message; MUST be 0 or 1 in all
- following
-ANCOUNT See note 2.2.2.g
-NSCOUNT MUST be 0
-ARCOUNT See note 2.2.2.h
-
-Note 2.2.2.a Because some old implementations behave differently than
-is now desired, the requirement on this field is stated in detail.
-New DNS servers MUST set this field to the value of the AXFR query
-ID in each AXFR response message for the session. AXFR clients MUST
-be able to manage sessions resulting from the issuance of multiple
-outstanding queries, whether AXFR queries or other DNS queries. A
-client SHOULD discard responses that do not correspond (via the
-message ID) to any outstanding queries.
-
-Unless the client is sure that the server will consistently set the ID
-field to the query's ID, the client is NOT RECOMMENDED to issue any
-other queries until the end of the zone transfer. A client MAY become
-aware of a server's abilities via a configuration setting.
-
-Note 2.2.2.b If the RCODE is 0 (no error), then the AA bit MUST be 1.
-For any other value of RCODE, the AA bit MUST be set according to rules
-for that error code. If in doubt, it is RECOMMENDED that it be set
-to 1. It is RECOMMENDED that the value be ignored by the AXFR client.
-
-Note 2.2.2.c It is RECOMMENDED that the server set the value to 0,
-the client MUST ignore this value.
-
-The server MAY set this value according to the local policy regarding
-recursive service, but doing so might confuse the interpretation of the
-response as AXFR can not be retrieved recursively. A client MAY note
-the server's policy regarding recursive service from this value, but
-SHOULD NOT conclude that the AXFR response was obtained recursively
-even if the RD bit was 1 in the query.
-
-Note 2.2.2.d The server MUST set this bit to 0, the client MUST ignore
-it.
-
-Note 2.2.2.e If the implementation supports the DNS Security Extensions
-(see below) then this value MUST be set according to the rules in RFC
-4035, section 3.1.6, "The AD and CD Bits in an Authoritative Response".
-If the implementation does not support the DNS Security Extensions,
-then this value MUST be set to 0 and MUST be ignored upon receipt.
-
-The DNS Security Extensions (DNSSEC) is defined in these base
-documents:
-- "DNS Security Introduction and Requirements" [RFC4033]
-- "Resource Records for the DNS Security Extensions" [RFC4034]
-- "Protocol Modifications for the DNS Security Extensions" [RFC4035]
-- "Use of SHA-256 in DNSSEC Delegation Signer RRs" [RFC4509]
-- "DNS Security Hashed Authenticated Denial of Existence" [RFC5155]
-
-as well pending documents, such as these:
-
-- "Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource
- Records for DNSSEC" [DRAFT1]
-- "Clarifications and Implementation Notes for DNSSECbis" [DRAFT2]
-
-Note 2.2.2.f In the absence of an error, the server MUST set the value
-of this field to NoError. If a server is not authoritative for the
-queried zone, the server SHOULD set the value to NotAuth. (Reminder,
-consult the appropriate IANA registry [DNSVALS].) If a client
-receives any other value in response, it MUST act according to the
-error. For example, a malformed AXFR query or the presence of an EDNS0
-OPT resource record sent to an old server will garner a FormErr value.
-This value is not set as part of the AXFR-specific response processing.
-The same is true for other error-indicating values.
-
-Note 2.2.2.g The count of answer records MUST equal the number of
-resource records in the AXFR Answer Section. When a server is aware
-that a client will only accept one resource record per response
-message, then the value MUST be 1. A server MAY be made aware of a
-client's limitations via configuration data.
-
-Note 2.2.2.h The client MUST set this field to be the number of
-resource records appearing in the additional section. The
-considerations in Note 2.1.1.d above apply equally; see Section
-2.2.6 "Additional Section" below for more details.
-
-2.2.3 Query Section
-
-In the first response message, this section MUST be copied from the
-query. In subsequent messages, this section MAY be copied from the
-query or it MAY be empty. The content of this section MAY be used to
-determine the context of the message, that is, the name of the zone
-being transferred.
-
-2.2.4 Answer Section
-
-MUST be populated with the zone contents. See later section on
-encoding zone contents.
-
-2.2.5 Authority Section
-
-MUST be empty.
-
-2.2.6 Additional Section
-
-The contents of this section MUST follow the guidelines for EDNS0,
-TSIG, SIG(0), or what ever other future record is possible here. The
-contents of section 2.1.5 apply here as well.
-
-2.3 TCP Connection Aborts
-
-If an AXFR client sends a query on a TCP connection and the connection
-is closed at any point, the AXFR client MUST consider the AXFR session
-terminated. The message ID MAY be used again on a new connection,
-even if the question and AXFR server are the same. Facing a dropped
-connection a client SHOULD try to make some determination whether the
-connection closure was the result of network activity or a decision
-by the AXFR server. This determination is not an exact science. It
-is up to the AXFR client implementor to react, but the reaction
-SHOULD NOT be an endless cycle of retries nor an increasing (in
-frequency) retry rate.
-
-An AXFR server implementor SHOULD take into consideration the dilemma
-described above when a connection is closed with an outstanding query
-in the pipeline. For this reason, a server ought to reserve this
-course of action for situations in which it believes beyond a doubt
-that the AXFR client is attempting abusive behavior.
-
-3 Zone Contents
-
-The objective of the AXFR session is to request and transfer the
-contents of a zone. The objective is to permit the AXFR client to
-reconstruct the zone as it exists at the server for the given zone
-serial number. Over time the definition of a zone has evolved from
-denoting a static set of records to also cover a dynamically updated
-set of records, and then a potentially continually regenerated set of
-records as well.
-
-3.1 Records to Include
-
-In the answer section of AXFR response messages the resource records
-within a zone for the given serial number MUST appear. The definition
-of what belongs in a zone is described in RFC 1034, Section 4.2, "How
-the database is divided into zones", in particular, section 4.2.1,
-"Technical considerations", and it has been clarified in Section 6 of
-RFC 2181.
-
-Unless the AXFR server knows that the AXFR client is old and expects
-just one resource record per AXFR response message, an AXFR server
-SHOULD populate an AXFR response message with as many complete
-resource record sets as will fit within a DNS message.
-
-Zones for which it is impractical to list the entire zones for a serial
-number are not suitable for AXFR retrieval. A typical (but not
-limiting) description of such a zone is a zone consisting of responses
-generated via other database lookups and/or computed based upon ever
-changing data.
-
-3.2 Delegation Records
-
-In RFC 1034, section 4.2.1, this text appears (keep in mind that the
-"should" in the quotation predates [BCP14], cf. section 1.1) "The RRs
-that describe cuts ... should be exactly the same as the corresponding
-RRs in the top node of the subzone." There has been some controversy
-over this statement and the impact on which NS resource records are
-included in a zone transfer.
-
-The phrase "that describe cuts" is a reference to the NS set and
-applicable glue records. It does not mean that the cut point and apex
-resource records are identical. For example, the SOA resource record
-is only found at the apex. The discussion here is restricted to just
-the NS resource record set and glue as these "describe cuts".
-
-DNSSEC resource records have special specifications regarding their
-occurrence at a zone cut and the apex of a zone. This has for the
-first time been described in Sections 5.3 ff. and 6.2 of RFC 2181
-(for the initial specification of DNSSEC), which now is historical.
-The current DNSSEC core document set (see Note 2.2.2.e above) gives
-the full details for DNSSEC(bis) resource record placement, and
-Section 3.1.5 of RFC 4035 normatively specifies their treatment during
-AXFR; the alternate NSEC3 resource record defined later in RFC 5155
-behaves identically as the NSEC RR, for the purpose of AXFR.
-
-Informally:
-o The DS RRSet only occurs at the parental side of a zone cut and is
- authoritative data in the parent zone, not the secure child zone.
-o The DNSKEY RRSet only occurs at the APEX of a signed zone and is
- authoritative part of the zone it serves.
-o Independent RRSIG RRSets occur at the signed parent side and of a
- zone cut and at the apex of a signed zone; they are authoritative
- part of the respective zone; simple queries for RRSIG resource
- records may return bth RRSets at once if the same server is
- authoritative for the parent zone and the child zone (Section
- 3.1.5 of RFC 4035 describes how to distinguish these RRs); this
- seeming ambiguity does not occur for AXFR, since each such RRSIG
- RRset belongs to a single zone.
-o Different NSEC [RFC4034] or NSEC3 [RFC5155] resource records
- equally may occur at the parental siede of a zone cut and at the
- apex of a zone; each such resource record belongs to exactly one
- of these zones and is to be included in the AXFR of that zone.
-
-The issue is that in operations there are times when the NS resource
-records for a zone might be different at a cut point in the parent and
-at the apex of a zone. Sometimes this is the result of an error and
-sometimes it is part of an ongoing change in name servers. The DNS
-protocol is robust enough to overcome inconsistencies up to (but not
-including) there being no parent indicated NS resource record
-referencing a server that is able to serve the child zone. This
-robustness is one quality that has fueled the success of the DNS.
-Still, the inconsistency is an error state and steps need to be taken
-to make it apparent (if it is unplanned) and to make it clear once
-the inconsistency has been removed.
-
-Another issue is that the AXFR server could be authoritative for a
-different set of zones than the AXFR client. It is possible that the
-AXFR server be authoritative for both halves of an inconsistent cut
-point and that the AXFR client is authoritative for just the parent of
-the cut point.
-
-The question that arises is, when facing a situation in which a cut
-point's NS resource records do not match the authoritative set, whether
-an AXFR server responds with the NS resource record set that is in the
-zone being transferred or is at the authoritative location.
-
-The AXFR response MUST contain the cut point NS resource record set
-registered with the zone whether it agrees with the authoritative set
-or not. "Registered with" can be widely interpreted to include data
-residing in the zone file of the zone for the particular serial
-number (in zone file environments) or as any data configured to be in
-the zone (database), statically or dynamically.
-
-The reasons for this requirement are:
-
-1) The AXFR server might not be able to determine that there is an
-inconsistency given local data, hence requiring consistency would mean
-a lot more needed work and even network retrieval of data. An
-authoritative server ought not be required to perform any queries.
-
-2) By transferring the inconsistent NS resource records from a server
-that is authoritative for both the cut point and the apex to a client
-that is not authoritative for both, the error is exposed. For example,
-an authorized administrator can manually request the AXFR and inspect
-the results to see the inconsistent records. (A server authoritative
-for both halves would otherwise always answer from the more
-authoritative set, concealing the error.)
-
-3) The inconsistent NS resource record set might indicate a problem
-in a registration database.
-
-4) This requirement is necessary to ensure that retrieving a given
-(zone,serial) pair by AXFR yields the exact same set of resource
-records no matter which of the zone's authoritative servers is
-chosen as the source of the transfer.
-
-If an AXFR server were allowed to respond with the authoritative
-NS RRset of a child zone instead of a glue NS RRset in the zone
-being transferred, the set of records returned could vary depending
-on whether or not the server happens to also be authoritative for
-the child zone.
-
-The property that a given (zone,serial) pair corresponds to a
-single, well-defined set of records is necessary for the correct
-operation of incremental transfer protocols such as IXFR
-[RFC1995]. For example, a client may retrieve a zone by AXFR from
-one server, and then apply an incremental change obtained by IXFR
-from a different server. If the two servers have different ideas
-of the zone contents, the client can end up attempting to
-incrementally add records that already exist or to delete records
-that do not exist.
-
-3.3 Glue Records
-
-As quoted in the previous section, section 4.2.1 of RFC 1034 provides
-guidance and rationale for the inclusion of glue records as part of
-an AXFR transfer. And, as also argued in the previous section of this
-document, even when there is an inconsistency between the address in a
-glue record and the authoritative copy of the name server's address,
-the glue resource record that is registered as part of the zone for
-that serial number is to be included.
-
-This applies to glue records for any address family [RFC1700].
-
-The AXFR response MUST contain the appropriate glue records as
-registered with the zone. The interpretation of "registered with"
-in the previous section applies here. Inconsistent glue records are
-an operational matter.
-
-3.4 Name Compression
-
-Compression of names in DNS messages is described in RFC 1035, section
-4.1.4, "Message compression". The issue highlighted here relates to a
-comment made in RFC 1034, section 3.1, "Name space specifications and
-terminology" which says "When you receive a domain name or label, you
-should preserve its case." ("Should" in the quote predates [BCP14].)
-
-Name compression in an AXFR message MUST preserve the case of the
-original domain name. That is, although when comparing a domain name,
-"a" equals "A", when comparing for the purposes of message compression,
-"a" is not equal to "A". Note that this is not the usual definition
-of name comparison in the DNS protocol and represents a new
-requirement on AXFR servers.
-
-Rules governing name compression of RDATA in an AXFR message MUST
-abide by the specification in "Handling of Unknown DNS Resource Record
-(RR) Types" [RFC3597], specifically, section 4 on "Domain Name
-Compression."
-
-3.5 Occluded Names
-
-Dynamic Update [RFC2136] operations, and in particular its interaction
-with DNAME [RFC2672], can have a side effect of occluding names in a
-zone. The addition of a delegation point via dynamic update will
-render all subordinate domain names to be in a limbo, still part of
-the zone but not available to the lookup process. The addition of a
-DNAME resource record has the same impact. The subordinate names are
-said to be "occluded."
-
-Occluded names MUST be included in AXFR responses. An AXFR client MUST
-be able to identify and handle occluded names. The rationale for this
-action is based on a speedy recovery if the dynamic update operation
-was in error and is to be undone.
-
-4 Transport
-
-AXFR sessions are currently restricted to TCP by section 4.3.5 of RFC
-1034 that states: "Because accuracy is essential, TCP or some other
-reliable protocol must be used for AXFR requests." The restriction to
-TCP is also mentioned in section 6.1.3.2. of "Requirements for Internet
-Hosts - Application and Support" [RFC1123].
-
-The most common scenario is for an AXFR client to open a TCP connection
-to the AXFR server, send an AXFR query, receive the AXFR response, and
-then close the connection. There are variations on this, such as a
-query for the zone's SOA resource record first, and so on. Note that
-this is documented as a most common scenario.
-
-The assumption that a TCP connection is dedicated to the single AXFR
-session is incorrect, this has led to implementation choices that
-prevent either multiple concurrent zone transfers or the use of the
-open connection for other queries.
-
-Being able to have multiple concurrent zone transfers is considered
-desirable by operators who have sets of name servers that are
-authoritative for a common set of zones. It would be desirable
-if the name server implementations did not have to wait for one
-zone to transfer before the next could begin. The desire here is to
-tighten the specification, not a change, but adding words to the
-unclear areas, to define what is needed to permit two servers to
-share a TCP connection among concurrent AXFR sessions. The challenge
-is to design this in a way that can fall back to the old behavior if
-either the AXFR client or AXFR server is incapable of performing
-multiple concurrent AXFR sessions.
-
-With the addition of EDNS0 and applications which require many
-small zones such as in web hosting and some ENUM scenarios, AXFR
-sessions on UDP would now be possible and seem desirable. However,
-there are still some aspects of the AXFR session that are not easily
-translated to UDP. This document leaves AXFR over UDP undefined.
-
-4.1 TCP
-
-In the original definition there is an implicit assumption (probably
-unintentional) that a TCP connection is used for one and only one
-AXFR session. This is evidenced in no requirement to copy neither
-the Query Section nor the message ID in responses, no explicit
-ordering information within the AXFR response messages and the lack
-of an explicit notice indicating that a zone transfer continues in the
-next message.
-
-The guidance given here is intended to enable better performance of
-the AXFR exchange as well as guidelines on interactions with older
-software. Better performance includes being able to multiplex DNS
-message exchanges including zone transfer sessions. Guidelines for
-interacting with older software are generally applicable to new AXFR
-clients. In the reverse situation, older AXFR client and newer AXFR
-server ought to induce the server to operate within the specification
-for an older server.
-
-4.1.1 AXFR client TCP
-
-An AXFR client MAY request a connection to an AXFR server for any
-reason. An AXFR client SHOULD close the connection when there is
-no apparent need to use the connection for some time period. The
-AXFR server ought not have to maintain idle connections, the burden
-of connection closure ought to be on the client. Apparent need for
-the connection is a judgment for the AXFR client and the DNS
-client. If the connection is used for multiple sessions, or if it is
-known sessions will be coming or if there is other query/response
-traffic anticipated or currently on the open connection, then there
-is "apparent need."
-
-An AXFR client MAY cancel delivery of a zone only by closing the
-connection. However, this action will also cancel all other outstanding
-activity using the connection. There is no other mechanism by which
-an AXFR response can be cancelled.
-
-When a TCP connection is closed remotely (relative to the client),
-whether by the AXFR server or due to a network event, the AXFR client
-MUST cancel all outstanding sessions and non-AXFR transactions.
-Recovery from this situation is not straightforward. If the disruption
-was a spurious event, attempting to restart the connection would be
-proper. If the disruption was caused by a medium or long term
-disruption, the AXFR client would be wise to not spend too many
-resources trying to rebuild the connection. Finally, if the connection
-was dropped because of a policy at the AXFR server (as can be the case
-with older AXFR servers), the AXFR client would be wise to not retry
-the connection. Unfortunately, knowing which of the three cases above
-(momentary disruption, failure, policy) applies is not possible with
-certainty, and can only be assessed by heuristics.
-
-An AXFR client MAY use an already opened TCP connection to start an
-AXFR session. Using an existing open connection is RECOMMENDED over
-opening a new connection. (Non-AXFR session traffic can also use an
-open connection.) If in doing so the AXFR client realizes that
-the responses cannot be properly differentiated (lack of matching
-query IDs for example) or the connection is terminated for a remote
-reason, then the AXFR client SHOULD NOT attempt to reuse an open
-connection with the specific AXFR server until the AXFR server is
-updated (which is of course, not an event captured in the DNS
-protocol).
-
-4.1.2 AXFR server TCP
-
-An AXFR server MUST be able to handle multiple AXFR sessions on a
-single TCP connection, as well as handle other query/response
-transactions.
-
-If a TCP connection is closed remotely, the AXFR server MUST cancel
-all AXFR sessions in place. No retry activity is necessary; that is
-initiated by the AXFR client.
-
-Local policy MAY dictate that a TCP connection is to be closed. Such
-an action SHOULD be in reaction to limits such as those placed on
-the number of outstanding open connections. Closing a connection in
-response to a suspected security event SHOULD be done only in extreme
-cases, when the server is certain the action is warranted. An
-isolated request for a zone not on the AXFR server SHOULD receive
-a response with the appropriate return code and not see the connection
-broken.
-
-4.2 UDP
-
-AXFR sessions over UDP transport are not defined.
-
-5 Authorization
-
-A zone administrator has the option to restrict AXFR access to a zone.
-This was not envisioned in the original design of the DNS but has
-emerged as a requirement as the DNS has evolved. Restrictions on AXFR
-could be for various reasons including a desire (or in some instances,
-having a legal requirement) to keep the bulk version of the zone
-concealed or to prevent the servers from handling the load incurred in
-serving AXFR. All reasons are arguable, but the fact remains that
-there is a requirement to provide mechanisms to restrict AXFR.
-
-A DNS implementation SHOULD provide means to restrict AXFR sessions to
-specific clients.
-
-An implementation SHOULD allow access to be granted to Internet
-Protocol addresses and ranges, regardless of whether a source address
-could be spoofed. Combining this with techniques such as Virtual
-Private Networks (VPN) [RFC2764] or Virtual LANs has proven to be
-effective.
-
-A general purpose implementation is RECOMMENDED to implement access
-controls based upon "Secret Key Transaction Authentication for DNS"
-[RFC2845] and/or "DNS Request and Transaction Signatures ( SIG(0)s )"
-[RFC2931].
-
-A general purpose implementation SHOULD allow access to be open to
-all AXFR requests. I.e., an operator ought to be able to allow any
-AXFR query to be granted.
-
-A general purpose implementation SHOULD NOT have a default policy
-for AXFR requests to be "open to all." For example, a default could
-be to restrict transfers to addresses selected by the DNS
-administrator(s) for zones on the server.
-
-6 Zone Integrity
-
-An AXFR client MUST ensure that only a successfully transferred
-copy of the zone data can be used to serve this zone. Previous
-description and implementation practice have introduced a two-stage
-model of the whole zone synchronization procedure: Upon a trigger
-event (e.g., polling of SOA resource record detects change in the
-SOA serial number, or via DNS NOTIFY [RFC1996]), the AXFR session
-is initiated, whereby the zone data are saved in a zone file or
-data base (this latter step is necessary anyway to ensure proper
-restart of the server); upon successful completion of the AXFR
-operation and some sanity checks, this data set is 'loaded' and
-made available for serving the zone in an atomic operation, and
-flagged 'valid' for use during the next restart of the DNS server;
-if any error is detected, this data set MUST be deleted, and the
-AXFR client MUST continue to serve the previous version of the zone,
-if it did before. The externally visible behavior of an AXFR client
-implementation MUST be equivalent to that of this two-stage model.
-
-If a server rejects data contained in an AXFR session, the server
-SHOULD remember the serial number and MAY attempt to retrieve the
-same zone version again. The reason the same retrieval could make
-sense is that the reason for the rejection could be rooted in an
-implementation detail of one AXFR server used for the zone and not
-in another AXFR server used for the zone.
-
-Ensuring that an AXFR client does not accept a forged copy of a zone is
-important to the security of a zone. If a zone operator has the
-opportunity, protection can be afforded via dedicated links, physical
-or virtual via a VPN among the authoritative servers. But there are
-instances in which zone operators have no choice but to run AXFR
-sessions over the global public Internet.
-
-Besides best attempts at securing TCP connections, DNS implementations
-SHOULD provide means to make use of "Secret Key Transaction
-Authentication for DNS" [RFC2845] and/or "DNS Request and Transaction
-Signatures ( SIG(0)s )" [RFC2931] to allow AXFR clients to verify the
-contents. These techniques MAY also be used for authorization.
-
-7 Backwards Compatibility
-
-Describing backwards compatibility is difficult because of the lack of
-specifics in the original definition. In this section some hints at
-building in backwards compatibility are given, mostly repeated from the
-earlier sections.
-
-Backwards compatibility is not necessary, but the greater the extent of
-an implementation's compatibility the greater it's interoperability.
-For turnkey implementations this is not usually a concern. For general
-purpose implementations this takes on varying levels of importance
-depending on the implementer's desire to maintain interoperability.
-
-It is unfortunate that a need to fall back to older behavior cannot be
-discovered, hence needs to be noted in a configuration file. An
-implementation SHOULD, in it's documentation, encourage operators to
-periodically review AXFR clients and servers it has made notes about as
-old software periodically gets updated.
-
-7.1 Server
-
-An AXFR server has the luxury of being able to react to an AXFR
-client's abilities with the exception of knowing if the client can
-accept multiple resource records per AXFR response message. The
-knowledge that a client is so restricted apparently cannot be
-discovered, hence it has to be set by configuration.
-
-An implementation of an AXFR server MAY permit configuring, on a per
-AXFR client basis, a need to revert to single resource record per
-message; in that case, the default SHOULD be to use multiple records
-
-7.2 Client
-
-An AXFR client has the opportunity to try other features (i.e., those
-not defined by this document) when querying an AXFR server.
-
-Attempting to issue multiple DNS queries over a TCP transport for an
-AXFR session SHOULD be aborted if it interrupts the original request,
-and SHOULD take into consideration whether the AXFR server intends to
-close the connection immediately upon completion of the original
-(connection-causing) zone transfer.
-
-8 Security Considerations
-
-Concerns regarding authorization, traffic flooding, and message
-integrity are mentioned in "Authorization" (section 5), "TCP" (section
-4.2) and "Zone Integrity" (section 6).
-
-9 IANA Considerations
-
-No new registries or new registrations are included in this document.
-
-10 Internationalization Considerations
-
-The AXFR protocol is transparent to the parts of DNS zone content that
-can possibly be subject to Internationalization considerations.
-It is assumed that for DNS labels and domain names, the issue has been
-solved via "Internationalizing Domain Names in Applications (IDNA)"
-[RFC3490].
-
-
-11 Acknowledgements
-
-Earlier editions of this document have been edited by Andreas
-Gustafsson. In his latest version, this acknowledgement appeared.
-
-"Many people have contributed input and commentary to earlier versions
-of this document, including but not limited to Bob Halley, Dan
-Bernstein, Eric A. Hall, Josh Littlefield, Kevin Darcy, Robert Elz,
-Levon Esibov, Mark Andrews, Michael Patton, Peter Koch, Sam Trenholme,
-and Brian Wellington."
-
-Comments since the -05 version have come from these individuals:
-Alfred Hoenes, Mark Andrews, Paul Vixie, Wouter Wijngaards, Iain
-Calder, Tony Finch, Ian Jackson, Andreas Gustafsson, Brian Wellington,
-and other participants of the DNSEXT working group.
-
-12 References
-
-All references prefixed by "RFC" can be obtained from the RFC Editor
-web site at the URLs: http://rfc-editor.org/rfc.html
-or http://rfc-editor.org/rfcsearch.html ;
-information regarding this organization can be found at the following
-URL: http://rfc-editor.org/
-
-12.1 Normative
-
-[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793,
- September 1981.
-[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August
- 1980.
-[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-[RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-[RFC1123] Braden, R., "Requirements for Internet Hosts - Application
- and Support", STD 3, RFC 1123, October 1989.
-[RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
- August 1996.
-[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
- Changes (DNS NOTIFY)", RFC 1996, August 1996.
-[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC
- 2136, April 1997.
-[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
- August 1999.
-[RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC 2672,
- August 1999.
-[RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-[RFC5395] Eastlake 3rd, "Domain Name System (DNS) IANA Considerations",
- BCP 42, RFC 5395, November 2008.
-[RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
- ( SIG(0)s )", RFC 2931, September 2000.
-[RFC3425] Lawrence, D., "Obsoleting IQUERY", RFC 3425, November 2002.
-[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
- (RR) Types", RFC 3597, September 2003.
-[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions",
- RFC 4034, March 2005.
-[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
- (DS) Resource Records (RRs)", RFC 4509, May 2006
-[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
- Security (DNSSEC) Hashed Authenticated Denial of Existence",
- RFC 5155, March 2008
-[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security
- Extensions", RFC 4035, March 2005.
-[RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication
- Code, Secure Hash Algorithm) TSIG Algorithm Identifiers",
- RFC 4635, August 2006.
-[DNSFLGS] http://www.iana.org/assignments/dns-header-flags
-[DNSVALS] http://www.iana.org/assignments/dns-parameters
-
-12.2 Informative
-
-[BCP14] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-[RFC1700] J. Reynolds and J. Postel, "Assigned Numbers", RFC 1700,
- October 1994.
-[RFC2764] Gleeson, B., Lin, A., Heinanen, J., Armitage, G., and A.
- Malis, "A Framework for IP Based Virtual Private Networks",
- RFC 2764, February 2000.
-[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
- "Internationalizing Domain Names in Applications (IDNA)", RFC
- 3490, March 2003.
-[DRAFT1] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and
- RRSIG Resource Records for DNSSEC",
- draft-ietf-dnsext-dnssec-rsasha256-12, work in progress.
-[DRAFT2] Weiler, S., and D. Blacka, "Clarifications and Implementation
- Notes for DNSSECbis",
- draft-ietf-dnsext-dnssec-bis-updates-08, work in progress.
-
-13 Editor's Address
-
-Edward Lewis
-46000 Center Oak Plaza
-Sterling, VA, 22033, US
-+1-571-434-5468
-ed.lewis@neustar.biz
diff --git a/doc/draft/draft-ietf-dnsext-axfr-clarify-13.txt b/doc/draft/draft-ietf-dnsext-axfr-clarify-13.txt
new file mode 100644
index 00000000..935c709b
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-axfr-clarify-13.txt
@@ -0,0 +1,1571 @@
+
+
+
+
+
+DNS Extensions Working Group Edward Lewis
+Internet-Draft NeuStar, Inc.
+Updates: 1034, 1035 (if approved) A. Hoenes, Ed.
+Intended status: Standards Track TR-Sys
+Expires: July 18, 2010 January 18, 2010
+
+
+ DNS Zone Transfer Protocol (AXFR)
+ draft-ietf-dnsext-axfr-clarify-13
+
+Abstract
+
+ The Domain Name System standard mechanisms for maintaining coherent
+ servers for a zone consist of three elements. One mechanism is the
+ Authoritative Transfer (AXFR) defined in RFC 1034 and RFC 1035.
+ The definition of AXFR has proven insufficient in detail, thereby
+ forcing implementations intended to be compliant to make assumptions,
+ impeding interoperability. Yet today we have a satisfactory set of
+ implementations that do interoperate. This document is a new
+ definition of AXFR -- new in the sense that it records an accurate
+ definition of an interoperable AXFR mechanism.
+
+Status of this Memo
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79. This document may contain material
+ from IETF Documents or IETF Contributions published or made publicly
+ available before November 10, 2008. The person(s) controlling the
+ copyright in some of this material may not have granted the IETF
+ Trust the right to allow modifications of such material outside the
+ IETF Standards Process. Without obtaining an adequate license from
+ the person(s) controlling the copyright in such materials, this
+ document may not be modified outside the IETF Standards Process, and
+ derivative works of it may not be created outside the IETF Standards
+ Process, except to format it for publication as an RFC or to
+ translate it into languages other than English.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress".
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/1id-abstracts.html
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 1]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+ This Internet-Draft will expire on July 18, 2010.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 2]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. Definition of Terms . . . . . . . . . . . . . . . . . . . 4
+ 1.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.3. Context . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.4. Coverage and Relationship to Original AXFR Specification . 5
+ 2. AXFR Messages . . . . . . . . . . . . . . . . . . . . . . . 7
+ 2.1. AXFR query . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 2.1.1. Header Values . . . . . . . . . . . . . . . . . . . . . 9
+ 2.1.2. Question Section . . . . . . . . . . . . . . . . . . . . 10
+ 2.1.3. Answer Section . . . . . . . . . . . . . . . . . . . . . 10
+ 2.1.4. Authority Section . . . . . . . . . . . . . . . . . . . 10
+ 2.1.5. Additional Section . . . . . . . . . . . . . . . . . . . 10
+ 2.2. AXFR Response . . . . . . . . . . . . . . . . . . . . . . 11
+ 2.2.1. Header Values . . . . . . . . . . . . . . . . . . . . . 12
+ 2.2.2. Question Section . . . . . . . . . . . . . . . . . . . . 14
+ 2.2.3. Answer Section . . . . . . . . . . . . . . . . . . . . . 14
+ 2.2.4. Authority Section . . . . . . . . . . . . . . . . . . . 14
+ 2.2.5. Additional Section . . . . . . . . . . . . . . . . . . . 14
+ 2.3. TCP Connection Aborts . . . . . . . . . . . . . . . . . . 15
+ 3. Zone Contents . . . . . . . . . . . . . . . . . . . . . . . 15
+ 3.1. Records to Include . . . . . . . . . . . . . . . . . . . . 15
+ 3.2. Delegation Records . . . . . . . . . . . . . . . . . . . . 16
+ 3.3. Glue Records . . . . . . . . . . . . . . . . . . . . . . . 18
+ 3.4. Name Compression . . . . . . . . . . . . . . . . . . . . . 18
+ 3.5. Occluded Names . . . . . . . . . . . . . . . . . . . . . . 19
+ 4. Transport . . . . . . . . . . . . . . . . . . . . . . . . . 19
+ 4.1. TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
+ 4.1.1. AXFR client TCP . . . . . . . . . . . . . . . . . . . . 20
+ 4.1.2. AXFR server TCP . . . . . . . . . . . . . . . . . . . . 21
+ 4.2. UDP . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
+ 5. Authorization . . . . . . . . . . . . . . . . . . . . . . . 22
+ 6. Zone Integrity . . . . . . . . . . . . . . . . . . . . . . . 23
+ 7. Backwards Compatibility . . . . . . . . . . . . . . . . . . 24
+ 7.1. Server . . . . . . . . . . .. . . . . . . . . . . . . . . 24
+ 7.2. Client . . . . . . . . . . . . . . . . . . . . . . . . . . 24
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . 25
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . 25
+ 10. Internationalization Considerations . . . . . . . . . . . . 25
+ 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 25
+ 12. References . . . . . . . . . . . . . . . . . . . . . . . . 25
+ 12.1. Normative References . .. . . . . . . . . . . . . . . . 26
+ 12.2. Informative References . . . . . . . . . . . . . . . . . 27
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
+
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 3]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+1. Introduction
+
+ The Domain Name System standard facilities for maintaining coherent
+ servers for a zone consist of three elements. Authoritative Transfer
+ (AXFR) is defined in "Domain Names - Concepts and Facilities"
+ [RFC1034] (referred to in this document as RFC 1034) and "Domain
+ Names - Implementation and Specification" [RFC1035] (henceforth
+ RFC 1035). Incremental Zone Transfer (IXFR) is defined in
+ "Incremental Zone Transfer in DNS" [RFC1995]. A mechanism for prompt
+ notification of zone changes (NOTIFY) is defined in "A Mechanism for
+ Prompt Notification of Zone Changes (DNS NOTIFY)" [RFC1996]. The
+ goal of these mechanisms is to enable a set of DNS name servers to
+ remain coherently authoritative for a given zone.
+
+ This document re-specifies the AXFR mechanism as it is deployed in
+ the Internet at large, hopefully with the precision expected from
+ modern Internet Standards, and thereby updates RFC 1034 and RFC 1035.
+
+1.1. Definition of Terms
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in "Key words for use in
+ RFCs to Indicate Requirement Levels" [BCP14].
+
+ Use of "newer"/"new" and "older"/"old" DNS refers to implementations
+ written after and prior to the publication of this document.
+
+ "General purpose DNS implementation" refers to DNS software developed
+ for widespread use. This includes resolvers and servers freely
+ accessible as libraries and standalone processes. This also includes
+ proprietary implementations used only in support of DNS service
+ offerings.
+
+ "Turnkey DNS implementation" refers to custom made, single use
+ implementations of DNS. Such implementations consist of software
+ that employs the DNS protocol message format yet does not conform to
+ the entire range of DNS functionality.
+
+ The terms "AXFR session", "AXFR server" and "AXFR client" will be
+ introduced in the first paragraph of Section 2, after some more
+ context has been established.
+
+1.2. Scope
+
+ In general terms, authoritative name servers for a given zone can use
+ various means to achieve coherency of the zone contents they serve.
+ For example, there are DNS implementations that assemble answers from
+ data stored in relational databases (as opposed to master files),
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 4]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ relying on the database's non-DNS means to synchronize the database
+ instances. Some of these non-DNS solutions interoperate in some
+ fashion. However, AXFR, IXFR, and NOTIFY are the only protocol-
+ defined in-band mechanisms to provide coherence of a set of name
+ servers, and they are the only mechanisms specified by the IETF.
+
+ This document does not cover incoherent DNS situations. There are
+ applications of the DNS in which servers for a zone are designed to
+ be incoherent. For these configurations, a coherency mechanism as
+ described here would be unsuitable.
+
+ A DNS implementation is not required to support AXFR, IXFR, and
+ NOTIFY, but it should have some means for maintaining name server
+ coherency. A general purpose DNS implementation will likely support
+ AXFR (and in the same vein IXFR and NOTIFY), but turnkey DNS
+ implementations may exist without AXFR.
+
+1.3. Context
+
+ Besides describing the mechanisms themselves, there is the context in
+ which they operate to consider. In the initial specifications of
+ AXFR (and IXFR and NOTIFY), little consideration was given to
+ security and privacy issues. Since the original definition of AXFR,
+ new opinions have appeared on the access to an entire zone's
+ contents. In this document, the basic mechanisms will be discussed
+ separately from the permission to use these mechanisms.
+
+1.4. Coverage and Relationship to Original AXFR Specification
+
+ This document concentrates on just the definition of AXFR. Any
+ effort to update the specification of the IXFR or NOTIFY mechanisms
+ is left to different documents.
+
+ The original "specification" of the AXFR sub-protocol is scattered
+ through RFC 1034 and RFC 1035. Section 2.2 of RFC 1035 (on page 5)
+ depicts the scenario for which AXFR has been designed. Section 4.3.5
+ of RFC 1034 describes the zone synchronization strategies in general
+ and rules for the invocation of a full zone transfer via AXFR; the
+ fifth paragraph of that section contains a very short sketch of the
+ AXFR protocol; Section 5.5 of RFC 2181 has corrected a significant
+ flaw in that specification. Section 3.2.3 of RFC 1035 has assigned
+ the code point for the AXFR QTYPE (see Section 2.1.2 below for more
+ details). Section 4.2 of RFC 1035 discusses how the DNS uses the
+ transport layer and briefly explains why UDP transport is deemed
+ inappropriate for AXFR; the last paragraph of Section 4.2.2 gives
+ details regarding TCP connection management for AXFR. Finally, the
+ second paragraph of Section 6.3 in RFC 1035 mandates server behavior
+ when zone data changes occur during an ongoing zone transfer using
+ AXFR.
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 5]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ This document will update the specification of AXFR. To this end, it
+ fully specifies the record formats and processing rules for AXFR,
+ largely expanding on paragraph 5 of Section 4.3.5 of RFC 1034, and it
+ details the transport considerations for AXFR, thus amending Section
+ 4.2.2 of RFC 1035. Furthermore, it discusses backward compatibility
+ issues and provides policy/management considerations as well as
+ specific Security Considerations for AXFR. The goal of this document
+ is to define AXFR as it exists, or is supposed to exist, currently.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 6]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+2. AXFR Messages
+
+ An AXFR session consists of an AXFR query message and the sequence of
+ AXFR response messages returned for it. In this document, the AXFR
+ client is the sender of the AXFR query and the AXFR server is the
+ responder. (Use of terms such as master, slave, primary, secondary
+ are not important for defining AXFR.) The use of the word "session"
+ without qualification refers to an AXFR session.
+
+ An important aspect to keep in mind is that the definition of AXFR is
+ restricted to TCP [RFC0793] (see Section 4 for details). The design
+ of the AXFR process has certain inherent features that are not easily
+ ported to UDP [RFC0768].
+
+ The basic format of an AXFR message is the DNS message as defined in
+ Section 4 ("MESSAGES") of RFC 1035 [RFC1035], updated by the
+ following documents.
+
+ o The 'Basic' DNS specification:
+
+ - "A Mechanism for Prompt Notification of Zone Changes (DNS Notify)"
+ [RFC1996]
+ - "Dynamic Updates in the Domain Name System (DNS UPDATE)" [RFC2136]
+ - "Clarifications to the DNS Specification" [RFC2181]
+ - "Extension Mechanisms for DNS (EDNS0)" [RFC2671]
+ - "Secret Key Transaction Authentication for DNS (TSIG)" [RFC2845]
+ - "Secret Key Establishment for DNS (TKEY RR)" [RFC2930]
+ - "Obsoleting IQUERY" [RFC3425]
+ - "Handling of Unknown DNS Resource Record (RR) Types" [RFC3597]
+ - "HMAC SHA TSIG Algorithm Identifiers" [RFC4635]
+ - "Domain Name System (DNS) IANA Considerations" [RFC5395]
+
+ o Further additions related to the DNS Security Extensions (DNSSEC),
+ defined in these base documents:
+
+ - "DNS Security Introduction and Requirements" [RFC4033]
+ - "Resource Records for the DNS Security Extensions" [RFC4034]
+ - "Protocol Modifications for the DNS Security Extensions" [RFC4035]
+ - "Use of SHA-256 in DNSSEC Delegation Signer RRs" [RFC4509]
+ - "DNS Security Hashed Authenticated Denial of Existence" [RFC5155]
+ - "Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource
+ Records for DNSSEC" [RFC5702]
+ - "Clarifications and Implementation Notes for DNSSECbis" [DNSSEC-U]
+
+ These documents contain information about the syntax and semantics of
+ DNS messages. They ought not interfere with AXFR but are also
+ helpful in understanding what will be carried via AXFR.
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 7]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ For convenience, the synopsis of the DNS message header from
+ [RFC5395] (and the IANA registry for DNS Parameters [DNSVALS]) is
+ reproduced here informally:
+
+ 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ID |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ |QR| OpCode |AA|TC|RD|RA| Z|AD|CD| RCODE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | QDCOUNT/ZOCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ANCOUNT/PRCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | NSCOUNT/UPCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ARCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ This document makes use of the field names as they appear in this
+ diagram. The names of sections in the body of DNS messages are
+ capitalized in this document for clarity, e.g., "Additional section".
+
+ The DNS message size limit from [RFC1035] for DNS over UDP (and its
+ extension via the EDNS0 mechanism specified in [RFC2671]) is not
+ relevant for AXFR, as explained in Section 4. The upper limit on the
+ permissible size of a DNS message over TCP is only restricted by the
+ TCP framing defined in Section 4.2.2 of RFC 1035, which specifies a
+ two-octet message length field, understood to be unsigned, and thus
+ causing a limit of 65535 octets. This limit is not changed by EDNS0.
+
+ Note that the TC (truncation) bit is never set by an AXFR server nor
+ considered/read by an AXFR client.
+
+2.1. AXFR query
+
+ An AXFR query is sent by a client whenever there is a reason to ask.
+ This might be because of scheduled or triggered zone maintenance
+ activities (see Section 4.3.5 of RFC 1034 and DNS NOTIFY [RFC1996],
+ respectively) or as a result of a command line request, say for
+ debugging.
+
+
+
+
+
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 8]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+2.1.1. Header Values
+
+ These are the DNS message header values for an AXFR query.
+
+ ID Selected by client; see Note a)
+
+ QR MUST be 0 (Query)
+
+ OPCODE MUST be 0 (Standard Query)
+
+ Flags:
+ AA 'n/a' -- see Note b)
+ TC 'n/a' -- see Note b)
+ RD 'n/a' -- see Note b)
+ RA 'n/a' -- see Note b)
+ Z 'mbz' -- see Note c)
+ AD 'n/a' -- see Note b)
+ CD 'n/a' -- see Note b)
+
+ RCODE MUST be 0 (No error)
+
+ QDCOUNT Number of entries in Question section; MUST be 1
+
+ ANCOUNT Number of entries in Answer section; MUST be 0
+
+ NSCOUNT Number of entries in Authority section; MUST be 0
+
+ ARCOUNT Number of entries in Additional section -- see Note d)
+
+ Notes:
+
+ a) Set to any value that the client is not already using with the
+ same server. There is no specific means for selecting the value
+ in this field. (Recall that AXFR is done only via TCP connections
+ -- see Section 4 "Transport".)
+
+ A server MUST reply using messages that use the same message ID to
+ allow a client to have multiple queries outstanding concurrently
+ over the same TCP connection -- see Note a) in Section 2.2.1 for
+ more details.
+
+ b) 'n/a' -- The value in this field has no meaning in the context of
+ AXFR query messages. For the client, it is RECOMMENDED that the
+ value be zero. The server MUST ignore this value.
+
+ c) 'mbz' -- The client MUST set this bit to 0, the server MUST ignore
+ it.
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 9]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ d) The client MUST set this field to the number of resource records
+ it places into the Additional section. In the absense of explicit
+ specification of new RRs to be carried in the Additional section
+ of AXFR queries, the value MAY be 0, 1 or 2. See Section 2.1.5
+ "Additional Section" for details on the currently applicable RRs.
+
+2.1.2. Question Section
+
+ The Question Section of the AXFR query MUST conform to Section 4.1.2
+ of RFC 1035, and contain a single resource record with the following
+ values:
+
+ QNAME the name of the zone requested
+
+ QTYPE AXFR (= 252), the pseudo-RR type for zone transfer
+ [DNSVALS]
+
+ QCLASS the class of the zone requested [DNSVALS]
+
+2.1.3. Answer Section
+
+ The Answer section MUST be empty.
+
+2.1.4. Authority Section
+
+ The Authority section MUST be empty.
+
+2.1.5. Additional Section
+
+ Currently, two kinds of resource records are defined that can appear
+ in the Additional section of AXFR queries and responses: EDNS and DNS
+ transaction security. Future specifications defining RRs that can be
+ carried in the Additional section of normal DNS transactions need to
+ explicitly describe their use with AXFR, should that be desired.
+
+ The client MAY include one EDNS0 OPT [RFC2671] resource record. If
+ the server does not support EDNS0, the client MUST send this section
+ without an EDNS0 OPT resource record if there is a retry. However,
+ the protocol does not define an explicit indication that the server
+ does not support EDNS0; that needs to be inferred by the client.
+ Often, the server will return a FormErr(1) which might be related to
+ the OPT resource record. Note that, at the time of this writing,
+ only the EXTENDED-RCODE field of the EDNS0 OPT RR is meaningful in
+ the context of AXFR; future specifications of EDNS0 flags and/or
+ EDNS0 options must describe their usage in the context of AXFR, if
+ applicable.
+
+ The client MAY include one transaction integrity and authentication
+ resource record, currently a choice of TSIG [RFC2845] or SIG(0)
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 10]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ [RFC2931]. If the server has indicated that it does not recognize
+ the resource record, and that the error is indeed caused by the
+ resource record, the client probably should not try again. Removing
+ the security data in the face of an obstacle ought to only be done
+ with full awareness of the implication of doing so.
+
+ In general, if an AXFR client is aware that an AXFR server does not
+ support a particular mechanism, the client SHOULD NOT attempt to
+ engage the server using the mechanism (or at all). A client could
+ become aware of a server's abilities via a configuration setting or
+ via some other (as yet) undefined means.
+
+ The range of permissible resource records that MAY appear in the
+ Additional section might change over time. If either a change to an
+ existing resource record (like the OPT RR for EDNS0) is made or a new
+ Additional section record is created, the new definitions ought to
+ include a discussion on the applicability and impact upon AXFR.
+ Future resource records residing in the Additional section might have
+ an effect that is orthogonal to AXFR, so can ride through the session
+ as opaque data. In this case, a "wise" implementation ought to be
+ able to pass these records through without disruption.
+
+2.2. AXFR Response
+
+ The AXFR response will consist of one or more messages. The special
+ case of a server closing the TCP connection without sending an AXFR
+ response is covered in section 2.3.
+
+ An AXFR response that is transferring the zone's contents will
+ consist of a series (which could be a series of length 1) of DNS
+ messages. In such a series, the first message MUST begin with the
+ SOA resource record of the zone, the last message MUST conclude with
+ the same SOA resource record. Intermediate messages MUST NOT contain
+ the SOA resource record. The AXFR server MUST copy the Question
+ section from the corresponding AXFR query message into the first
+ response message's Question section. For subsequent messages, it MAY
+ do the same or leave the Question section empty.
+
+ The AXFR protocol treats the zone contents as an unordered collection
+ (or to use the mathematical term, a "set") of RRs. Except for the
+ requirement that the transfer must begin and end with the SOA RR,
+ there is no requirement to send the RRs in any particular order or
+ grouped into response messages in any particular way. Although
+ servers typically do attempt to send related RRs (such as the RRs
+ forming an RRset, and the RRsets of a name) as a contiguous group or,
+ when message space allows, in the same response message, they are not
+ required to do so, and clients MUST accept any ordering and grouping
+ of the non-SOA RRs. Each RR SHOULD be transmitted only once, and
+ AXFR clients MUST ignore any duplicate RRs received.
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 11]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ Each AXFR response message SHOULD contain a sufficient number of RRs
+ to reasonably amortize the per-message overhead, up to the largest
+ number that will fit within a DNS message (taking the required
+ content of the other sections into account, as described below).
+ Some old AXFR clients expect each response message to contain only a
+ single RR. To interoperate with such clients, the server MAY
+ restrict response messages to a single RR. As there is no standard
+ way to automatically detect such clients, this typically requires
+ manual configuration at the server.
+
+ To indicate an error in an AXFR response, the AXFR server sends a
+ single DNS message when the error condition is detected, with the
+ response code set to the appropriate value for the condition
+ encountered, Such a message terminates the AXFR session; it MUST
+ contain a copy of the Question section from the AXFR query in its
+ Question section, but the inclusion of the terminating SOA resource
+ record is not necessary.
+
+ An AXFR server may send a number of AXFR response messages free of an
+ error condition before it sends the message indicating an error.
+
+2.2.1. Header Values
+
+ These are the DNS message header values for AXFR responses.
+
+ ID MUST be copied from request -- see Note a)
+
+ QR MUST be 1 (Response)
+
+ OPCODE MUST be 0 (Standard Query)
+
+ Flags:
+ AA normally 1 -- see Note b)
+ TC MUST be 0 (Not truncated)
+ RD RECOMMENDED: copy request's value, MAY be set to 0
+ RA SHOULD be 0 -- see Note c)
+ Z 'mbz' -- see Note d)
+ AD 'mbz' -- see Note d)
+ CD 'mbz' -- see Note d)
+
+ RCODE See Note e)
+
+ QDCOUNT MUST be 1 in the first message;
+ MUST be 0 or 1 in all following messages;
+ MUST be 1 if RCODE indicates an error
+
+ ANCOUNT See Note f)
+
+ NSCOUNT MUST be 0
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 12]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ ARCOUNT See Note g)
+
+ Notes:
+
+ a) Because some old implementations behave differently than is now
+ desired, the requirement on this field is stated in detail. New
+ DNS servers MUST set this field to the value of the AXFR query ID
+ in each AXFR response message for the session. AXFR clients MUST
+ be able to manage sessions resulting from the issuance of multiple
+ outstanding queries, whether AXFR queries or other DNS queries.
+ A client SHOULD discard responses that do not correspond (via the
+ message ID) to any outstanding queries.
+
+ Unless the client is sure that the server will consistently set
+ the ID field to the query's ID, the client is NOT RECOMMENDED to
+ issue any other queries until the end of the zone transfer.
+ A client MAY become aware of a server's abilities via a
+ configuration setting.
+
+ b) If the RCODE is 0 (no error), then the AA bit MUST be 1.
+ For any other value of RCODE, the AA bit MUST be set according to
+ the rules for that error code. If in doubt, it is RECOMMENDED
+ that it be set to 1. It is RECOMMENDED that the value be ignored
+ by the AXFR client.
+
+ c) It is RECOMMENDED that the server set the value to 0, the client
+ MUST ignore this value.
+
+ The server MAY set this value according to the local policy
+ regarding recursive service, but doing so might confuse the
+ interpretation of the response as AXFR can not be retrieved
+ recursively. A client MAY note the server's policy regarding
+ recursive service from this value, but SHOULD NOT conclude that
+ the AXFR response was obtained recursively even if the RD bit was
+ 1 in the query.
+
+ d) 'mbz' -- The server MUST set this bit to 0, the client MUST ignore
+ it.
+
+ e) In the absence of an error, the server MUST set the value of this
+ field to NoError(0). If a server is not authoritative for the
+ queried zone, the server SHOULD set the value to NotAuth(9).
+ (Reminder, consult the appropriate IANA registry [DNSVALS].) If a
+ client receives any other value in response, it MUST act according
+ to the error. For example, a malformed AXFR query or the presence
+ of an EDNS0 OPT resource record sent to an old server will result
+ in a FormErr(1) value. This value is not set as part of the AXFR-
+ specific response processing. The same is true for other values
+ indicating an error.
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 13]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ f) The count of answer records MUST equal the number of resource
+ records in the AXFR Answer Section. When a server is aware that a
+ client will only accept response messages with a single resource
+ record, then the value MUST be 1. A server MAY be made aware of a
+ client's limitations via configuration data.
+
+ g) The server MUST set this field to the number of resource records
+ it places into the Additional section. In the absense of explicit
+ specification of new RRs to be carried in the Additional section
+ of AXFR response messages, the value MAY be 0, 1 or 2. See
+ Section 2.1.5 above for details on the currently applicable RRs
+ and Section 2.2.5 for additional considerations specific to AXFR
+ servers.
+
+2.2.2. Question Section
+
+ In the first response message, this section MUST be copied from the
+ query. In subsequent messages, this section MAY be copied from the
+ query or it MAY be empty. However, in an error response message (see
+ Section 2.2), this section MUST be copied as well. The content of
+ this section MAY be used to determine the context of the message,
+ that is, the name of the zone being transferred.
+
+2.2.3. Answer Section
+
+ The Answer section MUST be populated with the zone contents. See
+ Section 3 below on encoding zone contents.
+
+2.2.4. Authority Section
+
+ The Authority section MUST be empty.
+
+2.2.5. Additional Section
+
+ The contents of this section MUST follow the guidelines for EDNS0 and
+ TSIG, SIG(0), or whatever other future record is possible here. The
+ contents of Section 2.1.5 apply analogously as well.
+
+ The following considerations specifically apply to AXFR responses:
+
+ If the client has supplied an EDNS0 OPT RR in the AXFR query and if
+ the server supports ENDS0 as well, it SHOULD include one EDNS0 OPT RR
+ in the first response message and MAY do so in subsequent response
+ messages (see Section 2.2); the specifications of EDNS0 options to be
+ carried in the OPT RR may impose stronger requirements.
+
+ If the client has supplied a transaction security resource record
+ (currently a choice of TSIG and SIG(0)) and the server supports the
+ method chosen by the client, it MUST place the corresponding resource
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 14]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ record into the AXFR response message(s), according to the rules
+ specified for that method.
+
+2.3. TCP Connection Aborts
+
+ If an AXFR client sends a query on a TCP connection and the
+ connection is closed at any point, the AXFR client MUST consider the
+ AXFR session terminated. The message ID MAY be used again on a new
+ connection, even if the question and AXFR server are the same.
+
+ Facing a dropped connection, a client SHOULD try to make some
+ determination as to whether the connection closure was the result of
+ network activity or due to a decision by the AXFR server. This
+ determination is not an exact science. It is up to the AXFR client
+ to react, but the implemented reaction SHOULD NOT be either an
+ endless cycle of retries or an increasing (in frequency) retry rate.
+
+ An AXFR server implementor should take into consideration the dilemma
+ described above when a connection is closed with an outstanding query
+ in the pipeline. For this reason, a server ought to reserve this
+ course of action for situations in which it believes beyond a doubt
+ that the AXFR client is attempting abusive behavior.
+
+
+3. Zone Contents
+
+ The objective of the AXFR session is to request and transfer the
+ contents of a zone, in order to permit the AXFR client to faithfully
+ reconstruct the zone as it exists at the primary server for the given
+ zone serial number. The word "exists" here designates the externally
+ visible behavior, i.e., the zone content that is being served (handed
+ out to clients) -- not its persistent representation in a zone file
+ or database used by the server -- and that for consistency should be
+ served subsequently by the AXFR client in an identical manner.
+
+ Over time the definition of a zone has evolved from denoting a static
+ set of records to also cover a dynamically updated set of records,
+ and then a potentially continually regenerated set of records (e.g.,
+ RRs synthesized "on the fly" from rule sets or database lookup
+ results in other forms than RR format) as well.
+
+3.1. Records to Include
+
+ In the Answer section of AXFR response messages, the resource records
+ within a zone for the given serial number MUST appear. The
+ definition of what belongs in a zone is described in RFC 1034,
+ Section 4.2, "How the database is divided into zones" (in particular
+ Section 4.2.1, "Technical considerations"), and it has been clarified
+ in Section 6 of RFC 2181.
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 15]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ Zones for which it is impractical to list the entire zone for a
+ serial number are not suitable for AXFR retrieval. A typical (but
+ not limiting) description of such a zone is a zone consisting of
+ responses generated via other database lookups and/or computed based
+ upon ever changing data.
+
+3.2. Delegation Records
+
+ In Section 4.2.1 of RFC 1034, this text appears (keep in mind that
+ the "should" in the quotation predates [BCP14], cf. Section 1.1):
+
+ "The RRs that describe cuts ... should be exactly the same as the
+ corresponding RRs in the top node of the subzone."
+
+ There has been some controversy over this statement and the impact on
+ which NS resource records are included in a zone transfer.
+
+ The phrase "that describe cuts" is a reference to the NS set and
+ applicable glue records. It does not mean that the cut point and
+ apex resource records are identical. For example, the SOA resource
+ record is only found at the apex. The discussion here is restricted
+ to just the NS resource record set and glue as these "describe cuts".
+
+ DNSSEC resource records have special specifications regarding their
+ occurrence at a zone cut and the apex of a zone. This was first
+ described in Sections 5.3 ff. and 6.2 of RFC 2181 (for the initial
+ specification of DNSSEC), which parts of RFC 2181 now in fact are
+ historical. The current DNSSEC core document set (see second bullet
+ in Section 2 above) gives the full details for DNSSEC(bis) resource
+ record placement, and Section 3.1.5 of RFC 4035 normatively specifies
+ their treatment during AXFR; the alternate NSEC3 resource record
+ defined later in RFC 5155 behaves identically as the NSEC RR, for the
+ purpose of AXFR.
+ Informally:
+
+ o The DS RRSet only occurs at the parental side of a zone cut and is
+ authoritative data in the parent zone, not the secure child zone.
+
+ o The DNSKEY RRSet only occurs at the APEX of a signed zone and is
+ part of the authoritative data of the zone it serves.
+
+ o Independent RRSIG RRSets occur at the signed parent side of a zone
+ cut and at the apex of a signed zone; they are authoritative data
+ in the respective zone; simple queries for RRSIG resource records
+ may return both RRSets at once if the same server is authoritative
+ for the parent zone and the child zone (Section 3.1.5 of RFC 4035
+ describes how to distinguish these RRs); this seeming ambiguity
+ does not occur for AXFR, since each such RRSIG RRset belongs to a
+ single zone.
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 16]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ o Different NSEC [RFC4034] (or NSEC3 [RFC5155]) resource records
+ equally may occur at the parental side of a zone cut and at the
+ apex of a zone; each such resource record belongs to exactly one
+ of these zones and is to be included in the AXFR of that zone.
+
+ One issue is that in operations there are times when the NS resource
+ records for a zone might be different at a cut point in the parent
+ and at the apex of a zone. Sometimes this is the result of an error
+ and sometimes it is part of an ongoing change in name servers. The
+ DNS protocol is robust enough to overcome inconsistencies up to (but
+ not including) there being no parent-indicated NS resource record
+ referencing a server that is able to serve the child zone. This
+ robustness is one quality that has fueled the success of the DNS.
+ Still, the inconsistency is an error state and steps need to be taken
+ to make it apparent (if it is unplanned) and to make it clear once
+ the inconsistency has been removed.
+
+ Another issue is that the AXFR server could be authoritative for a
+ different set of zones than the AXFR client. It is possible that the
+ AXFR server be authoritative for both halves of an inconsistent cut
+ point and that the AXFR client is authoritative for just the parent
+ side of the cut point.
+
+ When facing a situation in which a cut point's NS resource records do
+ not match the authoritative set, the question arises whether an AXFR
+ server responds with the NS resource record set that is in the zone
+ being transferred or the one that is at the authoritative location.
+
+ The AXFR response MUST contain the cut point NS resource record set
+ registered with the zone whether it agrees with the authoritative set
+ or not. "Registered with" can be widely interpreted to include data
+ residing in the zone file of the zone for the particular serial
+ number (in zone file environments) or as any data configured to be in
+ the zone (database), statically or dynamically.
+
+ The reasons for this requirement are:
+
+ 1) The AXFR server might not be able to determine that there is an
+ inconsistency given local data, hence requiring consistency would
+ mean a lot more needed work and even network retrieval of data. An
+ authoritative server ought not be required to perform any queries.
+
+ 2) By transferring the inconsistent NS resource records from a server
+ that is authoritative for both the cut point and the apex to a client
+ that is not authoritative for both, the error is exposed. For
+ example, an authorized administrator can manually request the AXFR
+ and inspect the results to see the inconsistent records. (A server
+ authoritative for both halves would otherwise always answer from the
+ more authoritative set, concealing the error.)
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 17]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ 3) The inconsistent NS resource record set might indicate a problem
+ in a registration database.
+
+ 4) This requirement is necessary to ensure that retrieving a given
+ (zone,serial) pair by AXFR yields the exact same set of resource
+ records no matter which of the zone's authoritative servers is chosen
+ as the source of the transfer.
+
+ If an AXFR server were allowed to respond with the authoritative NS
+ RRset of a child zone instead of a parent-side NS RRset in the zone
+ being transferred, the set of records returned could vary depending
+ on whether or not the server happened to be authoritative for the
+ child zone as well.
+
+ The property that a given (zone,serial) pair corresponds to a single,
+ well-defined set of records is necessary for the correct operation of
+ incremental transfer protocols such as IXFR [RFC1995]. For example,
+ a client may retrieve a zone by AXFR from one server, and then apply
+ an incremental change obtained by IXFR from a different server. If
+ the two servers have different ideas of the zone contents, the client
+ can end up attempting to incrementally add records that already exist
+ or to delete records that do not exist.
+
+3.3. Glue Records
+
+ As quoted in the previous section, Section 4.2.1 of RFC 1034 provides
+ guidance and rationale for the inclusion of glue records as part of
+ an AXFR transfer. And, as also argued in the previous section of
+ this document, even when there is an inconsistency between the
+ address in a glue record and the authoritative copy of the name
+ server's address, the glue resource record that is registered as part
+ of the zone for that serial number is to be included.
+
+ This applies to glue records for any address family [IANA-AF].
+
+ The AXFR response MUST contain the appropriate glue records as
+ registered with the zone. The interpretation of "registered with" in
+ the previous section applies here. Inconsistent glue records are an
+ operational matter.
+
+3.4. Name Compression
+
+ Compression of names in DNS messages is described in RFC 1035,
+ Section 4.1.4, "Message compression". The issue highlighted here
+ relates to a comment made in RFC 1034, Section 3.1, "Name space
+ specifications and terminology" which says "When you receive a domain
+ name or label, you should preserve its case." ("Should" in the quote
+ predates [BCP14].)
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 18]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ Since the primary objective of AXFR is to enable the client to serve
+ the same zone content as the server, unlike such normal DNS responses
+ that are expected to preserve the case in the query, the actual zone
+ transfer needs to retain the case of the labels in the zone content.
+ Hence, name compression in an AXFR message SHOULD be performed in a
+ case-preserving manner, unlike how it is done for 'normal' DNS
+ responses. That is, although when comparing a domain name for
+ matching, "a" equals "A", when comparing for the purposes of message
+ compression for AXFR, "a" is not equal to "A". Note that this is not
+ the usual definition of name comparison in the DNS protocol and
+ represents a new understanding of the requirement on AXFR servers.
+
+ Rules governing name compression of RDATA in an AXFR message MUST
+ abide by the specification in "Handling of Unknown DNS Resource
+ Record (RR) Types" [RFC3597], specifically, Section 4 on "Domain Name
+ Compression".
+
+3.5. Occluded Names
+
+ Dynamic Update [RFC2136] operations, and in particular its
+ interaction with DNAME [RFC2672], can have a side effect of occluding
+ names in a zone. The addition of a delegation point via dynamic
+ update will render all subordinate domain names to be in a limbo,
+ still part of the zone but not available to the lookup process. The
+ addition of a DNAME resource record has the same impact. The
+ subordinate names are said to be "occluded".
+
+ Occluded names MUST be included in AXFR responses. An AXFR client
+ MUST be able to identify and handle occluded names. The rationale
+ for this action is based on a speedy recovery if the dynamic update
+ operation was in error and is to be undone.
+
+
+4. Transport
+
+ AXFR sessions are currently restricted to TCP by Section 4.3.5 of RFC
+ 1034 that states: "Because accuracy is essential, TCP or some other
+ reliable protocol must be used for AXFR requests." The restriction
+ to TCP is also mentioned in Section 6.1.3.2. of "Requirements for
+ Internet Hosts - Application and Support" [RFC1123].
+
+ The most common scenario is for an AXFR client to open a TCP
+ connection to the AXFR server, send an AXFR query, receive the AXFR
+ response, and then close the connection. But variations of that most
+ simple scenario are legitimate and likely: in particular, sending a
+ query for the zone's SOA resource record first over the same TCP
+ connection, and reusing an existing TCP connection for other queries.
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 19]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ Therefore, the assumption that a TCP connection is dedicated to a
+ single AXFR session is incorrect. This wrong assumption has led to
+ implementation choices that prevent either multiple concurrent zone
+ transfers or the use of an open connection for other queries.
+
+ Since the early days of the DNS, operators who have sets of name
+ servers that are authoritative for a common set of zones found it
+ desirable to be able to have multiple concurrent zone transfers in
+ progress; this way a name server does not have to wait for one zone
+ transfer to complete before the next can begin. RFC 1035 did not
+ exclude this possibility, but legacy implementations failed to
+ support this functionality efficiently, over a single TCP connection.
+ The remaining presence of such legacy implementations makes it
+ necessary that new general purpose client implementations still
+ provide options for graceful fallback to the old behavior in their
+ support of concurrent DNS transactions and AXFR sessions on a single
+ TCP connection.
+
+4.1. TCP
+
+ In the original definition there arguably is an implicit assumption
+ (probably unintentional) that a TCP connection is used for one and
+ only one AXFR session. This is evidenced in the lack of an explicit
+ requirement to copy the Question Section and/or the message ID into
+ responses, no explicit ordering information within the AXFR response
+ messages, and the lack of an explicit notice indicating that a zone
+ transfer continues in the next message.
+
+ The guidance given below is intended to enable better performance of
+ the AXFR exchange as well as provide guidelines on interactions with
+ older software. Better performance includes being able to multiplex
+ DNS message exchanges including zone transfer sessions. Guidelines
+ for interacting with older software are generally applicable to new
+ AXFR clients. In the reverse situation, older AXFR client and newer
+ AXFR server, the server ought to operate within the specification for
+ an older server.
+
+4.1.1. AXFR client TCP
+
+ An AXFR client MAY request a connection to an AXFR server for any
+ reason. An AXFR client SHOULD close the connection when there is no
+ apparent need to use the connection for some time period. The AXFR
+ server ought not have to maintain idle connections; the burden of
+ connection closure ought to be on the client. "Apparent need" for
+ the connection is a judgment for the AXFR client and the DNS client.
+ If the connection is used for multiple sessions, or if it is known
+ sessions will be coming, or if there is other query/response traffic
+ anticipated or currently on the open connection, then there is
+ "apparent need".
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 20]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ An AXFR client can cancel the delivery of a zone only by closing the
+ connection. However, this action will also cancel all other
+ outstanding activity using the connection. There is no other
+ mechanism by which an AXFR response can be cancelled.
+
+ When a TCP connection is closed remotely (relative to the client),
+ whether by the AXFR server or due to a network event, the AXFR client
+ MUST cancel all outstanding sessions and non-AXFR transactions.
+ Recovery from this situation is not straightforward. If the
+ disruption was a spurious event, attempting to restart the connection
+ would be proper. If the disruption was caused by a failure that
+ proved to be persistent, the AXFR client would be wise not to spend
+ too many resources trying to rebuild the connection. Finally, if the
+ connection was dropped because of a policy at the AXFR server (as can
+ be the case with older AXFR servers), the AXFR client would be wise
+ not to retry the connection. Unfortunately, knowing which of the
+ three cases above (momentary disruption, failure, policy) applies is
+ not possible with certainty, and can only be assessed by heuristics.
+ This exemplifies the general complications for clients in connection-
+ oriented protocols not receiving meaningful error responses.
+
+ An AXFR client MAY use an already opened TCP connection to start an
+ AXFR session. Using an existing open connection is RECOMMENDED over
+ opening a new connection. (Non-AXFR session traffic can also use an
+ open connection.) If in doing so the AXFR client realizes that the
+ responses cannot be properly differentiated (lack of matching query
+ IDs for example) or the connection is terminated for a remote reason,
+ then the AXFR client SHOULD NOT attempt to reuse an open connection
+ with the specific AXFR server until the AXFR server is updated (which
+ is, of course, not an event captured in the DNS protocol).
+
+4.1.2. AXFR server TCP
+
+ An AXFR server MUST be able to handle multiple AXFR sessions on a
+ single TCP connection, as well as to handle other query/response
+ transactions over it.
+
+ If a TCP connection is closed remotely, the AXFR server MUST cancel
+ all AXFR sessions in place. No retry activity is necessary; that is
+ initiated by the AXFR client.
+
+ Local policy MAY dictate that a TCP connection is to be closed. Such
+ an action SHOULD be in reaction to limits such as those placed on the
+ number of outstanding open connections. Closing a connection in
+ response to a suspected security event SHOULD be done only in extreme
+ cases, when the server is certain the action is warranted. An
+ isolated request for a zone not on the AXFR server SHOULD receive a
+ response with the appropriate response code and not see the
+ connection broken.
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 21]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+4.2. UDP
+
+ With the addition of EDNS0 and applications which require many small
+ zones such as in web hosting and some ENUM scenarios, AXFR sessions
+ on UDP would now seem desirable. However, there are still some
+ aspects of AXFR sessions that are not easily translated to UDP.
+
+ Therefore, this document does not update RFC 1035 in this respect:
+ AXFR sessions over UDP transport are not defined.
+
+
+5. Authorization
+
+ A zone administrator has the option to restrict AXFR access to a
+ zone. This was not envisioned in the original design of the DNS but
+ has emerged as a requirement as the DNS has evolved. Restrictions on
+ AXFR could be for various reasons including a desire (or in some
+ instances, having a legal requirement) to keep the bulk version of
+ the zone concealed or to prevent the servers from handling the load
+ incurred in serving AXFR. It has been argued that these reasons are
+ questionable, but this document, driven by the desire to leverage the
+ interoperable practice that has evolved since RFC 1035, acknowledges
+ the factual requirement to provide mechanisms to restrict AXFR.
+
+ A DNS implementation SHOULD provide means to restrict AXFR sessions
+ to specific clients.
+
+ An implementation SHOULD allow access to be granted to Internet
+ Protocol addresses and ranges, regardless of whether a source address
+ could be spoofed. Combining this with techniques such as Virtual
+ Private Networks (VPN) [RFC2764] or Virtual LANs has proven to be
+ effective.
+
+ A general purpose implementation is RECOMMENDED to implement access
+ controls based upon "Secret Key Transaction Authentication for DNS"
+ [RFC2845] and/or "DNS Request and Transaction Signatures ( SIG(0)s )"
+ [RFC2931].
+
+ A general purpose implementation SHOULD allow access to be open to
+ all AXFR requests. I.e., an operator ought to be able to allow any
+ AXFR query to be granted.
+
+ A general purpose implementation SHOULD NOT have a default policy for
+ AXFR requests to be "open to all". For example, a default could be
+ to restrict transfers to addresses selected by the DNS
+ administrator(s) for zones on the server.
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 22]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+6. Zone Integrity
+
+ An AXFR client MUST ensure that only a successfully transferred copy
+ of the zone data can be used to serve this zone. Previous
+ description and implementation practice have introduced a two-stage
+ model of the whole zone synchronization procedure: Upon a trigger
+ event (e.g., polling of a SOA resource record detects change in the
+ SOA serial number, or via DNS NOTIFY [RFC1996]), the AXFR session is
+ initiated, whereby the zone data are saved in a zone file or data
+ base (this latter step is necessary anyway to ensure proper restart
+ of the server); upon successful completion of the AXFR operation and
+ some sanity checks, this data set is 'loaded' and made available for
+ serving the zone in an atomic operation, and flagged 'valid' for use
+ during the next restart of the DNS server; if any error is detected,
+ this data set MUST be deleted, and the AXFR client MUST continue to
+ serve the previous version of the zone, if it did before. The
+ externally visible behavior of an AXFR client implementation MUST be
+ equivalent to that of this two-stage model.
+
+ If an AXFR client rejects data contained in an AXFR session, it
+ SHOULD remember the serial number and MAY attempt to retrieve the
+ same zone version again. The reason the same retrieval could make
+ sense is that the reason for the rejection could be rooted in an
+ implementation detail of one AXFR server used for the zone and not
+ present in another AXFR server used for the zone.
+
+ Ensuring that an AXFR client does not accept a forged copy of a zone
+ is important to the security of a zone. If a zone operator has the
+ opportunity, protection can be afforded via dedicated links, physical
+ or virtual via a VPN among the authoritative servers. But there are
+ instances in which zone operators have no choice but to run AXFR
+ sessions over the global public Internet.
+
+ Besides best attempts at securing TCP connections, DNS
+ implementations SHOULD provide means to make use of "Secret Key
+ Transaction Authentication for DNS" [RFC2845] and/or "DNS Request and
+ Transaction Signatures ( SIG(0)s )" [RFC2931] to allow AXFR clients
+ to verify the contents. These techniques MAY also be used for
+ authorization.
+
+
+
+
+
+
+
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 23]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+7. Backwards Compatibility
+
+ Describing backwards compatibility is difficult because of the lack
+ of specifics in the original definition. In this section some hints
+ at building in backwards compatibility are given, mostly repeated
+ from the relevant earlier sections.
+
+ Backwards compatibility is not necessary, but the greater the extent
+ of an implementation's compatibility the greater its
+ interoperability. For turnkey implementations this is not usually a
+ concern. For general purpose implementations this takes on varying
+ levels of importance depending on the implementer's desire to
+ maintain interoperability.
+
+ It is unfortunate that a need to fall back to older behavior cannot
+ be discovered, hence needs to be noted in a configuration file. An
+ implementation SHOULD, in its documentation, encourage operators to
+ periodically review AXFR clients and servers it has made notes about
+ repeatedly, as old software gets updated from time to time.
+
+7.1. Server
+
+ An AXFR server has the luxury of being able to react to an AXFR
+ client's abilities with the exception of knowing whether the client
+ can accept multiple resource records per AXFR response message. The
+ knowledge that a client is so restricted cannot be discovered, hence
+ it has to be set by configuration.
+
+ An implementation of an AXFR server MAY permit configuring, on a per
+ AXFR client basis, the necessity to revert to single resource record
+ per message; in that case, the default SHOULD be to use multiple
+ records per message.
+
+7.2. Client
+
+ An AXFR client has the opportunity to try other features (i.e., those
+ not defined by this document) when querying an AXFR server.
+
+ Attempting to issue multiple DNS queries over a TCP transport for an
+ AXFR session SHOULD be aborted if it interrupts the original request,
+ and SHOULD take into consideration whether the AXFR server intends to
+ close the connection immediately upon completion of the original
+ (connection-causing) zone transfer.
+
+
+
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 24]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+8. Security Considerations
+
+ Concerns regarding authorization, traffic flooding, and message
+ integrity are mentioned in "Authorization" (Section 5), "TCP"
+ (Section 4.2) and "Zone Integrity" (Section 6).
+
+
+9. IANA Considerations
+
+ [[ Note to RFC-Ed: this section may be deleted before publication. ]]
+ No new registries or new registrations are included in this document.
+
+
+10. Internationalization Considerations
+
+ The AXFR protocol is transparent to the parts of DNS zone content
+ that can possibly be subject to Internationalization considerations.
+ It is assumed that for DNS labels and domain names, the issue has
+ been solved via "Internationalizing Domain Names in Applications
+ (IDNA)" [RFC3490] or its successor(s).
+
+
+11. Acknowledgments
+
+ Earlier editions of this document have been edited by Andreas
+ Gustafsson. In his latest version, this acknowledgment appeared:
+
+ "Many people have contributed input and commentary to earlier
+ versions of this document, including but not limited to Bob Halley,
+ Dan Bernstein, Eric A. Hall, Josh Littlefield, Kevin Darcy, Robert
+ Elz, Levon Esibov, Mark Andrews, Michael Patton, Peter Koch, Sam
+ Trenholme, and Brian Wellington."
+
+ Comments since the -05 version have come from these individuals:
+ Mark Andrews, Paul Vixie, Wouter Wijngaards, Iain Calder, Tony Finch,
+ Ian Jackson, Andreas Gustafsson, Brian Wellington, Niall O'Reilly,
+ Bill Manning, and other participants of the DNSEXT working group.
+
+ Edward Lewis served as a patiently listening sole document editor for
+ two years.
+
+12. References
+
+ All "RFC" references by can be obtained from the RFC Editor web site
+ at the URLs: http://rfc-editor.org/rfc.html
+ or http://rfc-editor.org/rfcsearch.html ;
+ information regarding this organization can be found at the following
+ URL: http://rfc-editor.org/
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 25]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+12.1. Normative References
+
+ [BCP14] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
+ RFC 793, September 1981.
+
+ [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
+ August 1980.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
+ and Support", STD 3, RFC 1123, October 1989.
+
+ [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ August 1996.
+
+ [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
+ Changes (DNS NOTIFY)", RFC 1996, August 1996.
+
+ [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+ RFC 2671, August 1999.
+
+ [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
+ RFC 2672, August 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
+ RR)", RFC 2930, September 2000.
+
+ [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
+ ( SIG(0)s )", RFC 2931, September 2000.
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 26]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ [RFC3425] Lawrence, D., "Obsoleting IQUERY", RFC 3425,
+ November 2002.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
+ (RR) Types", RFC 3597, September 2003.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
+ (DS) Resource Records (RRs)", RFC 4509, May 2006
+
+ [RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication
+ Code, Secure Hash Algorithm) TSIG Algorithm Identifiers",
+ RFC 4635, August 2006.
+
+ [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+ Security (DNSSEC) Hashed Authenticated Denial of
+ Existence", RFC 5155, March 2008
+
+ [RFC5395] Eastlake 3rd, "Domain Name System (DNS) IANA
+ Considerations", BCP 42, RFC 5395, November 2008.
+
+ [RFC5702] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY
+ and RRSIG Resource Records for DNSSEC", RFC 5702,
+ October 2009.
+
+12.2. Informative References
+
+ [DNSVALS] IANA Registry "Domain Name System (DNS) Parameters",
+ http://www.iana.org/assignments/dns-parameters
+
+ [IANA-AF] IANA Registry "Address Family Numbers",
+ http://www.iana.org/assignments/Address-family-numbers/ .
+
+ [RFC2764] Gleeson, B., Lin, A., Heinanen, J., Armitage, G., and A.
+ Malis, "A Framework for IP Based Virtual Private
+ Networks", RFC 2764, February 2000.
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 27]
+
+Internet-Draft DNS Zone Transfer Protocol (AXFR) January 2010
+
+
+ [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
+ "Internationalizing Domain Names in Applications (IDNA)",
+ RFC 3490, March 2003.
+
+ [DNSSEC-U] Weiler, S., and D. Blacka, "Clarifications and
+ Implementation Notes for DNSSECbis",
+ draft-ietf-dnsext-dnssec-bis-updates-09 (work in
+ progress), September 2009.
+
+
+Authors' Addresses
+
+ Edward Lewis
+ 46000 Center Oak Plaza
+ Sterling, VA, 22033, US
+
+ Email: ed.lewis@neustar.biz
+
+
+ Alfred Hoenes, Editor
+ TR-Sys
+ Gerlinger Str. 12
+ Ditzingen D-71254
+ Germany
+
+ Email: ah@TR-Sys.de
+
+
+Editorial Note: Discussion [[ to be removed by RFC-Editor ]]
+
+ Comments on this draft ought to be addressed to the editors and/or to
+ namedroppers@ops.ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lewis & Hoenes Expires July 18, 2010 [Page 28]
+
diff --git a/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-01.txt b/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-02.txt
index 41ae72ec..757e82a8 100644
--- a/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-01.txt
+++ b/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-02.txt
@@ -3,14 +3,19 @@
DNSEXT R. Bellis
Internet-Draft Nominet UK
-Updates: 1035, 1123 October 26, 2009
+Updates: 1035, 1123 January 6, 2010
(if approved)
Intended status: Standards Track
-Expires: April 29, 2010
+Expires: July 10, 2010
- DNS Transport over TCP
- draft-ietf-dnsext-dns-tcp-requirements-01
+ DNS Transport over TCP - Implementation Requirements
+ draft-ietf-dnsext-dns-tcp-requirements-02
+
+Abstract
+
+ This document updates the requirements for the support of TCP as a
+ transport protocol for DNS implementations.
Status of this Memo
@@ -33,31 +38,30 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
- This Internet-Draft will expire on April 29, 2010.
+ This Internet-Draft will expire on July 10, 2010.
Copyright Notice
- Copyright (c) 2009 IETF Trust and the persons identified as the
+ Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents in effect on the date of
- publication of this document (http://trustee.ietf.org/license-info).
- Please review these documents carefully, as they describe your rights
- and restrictions with respect to this document.
-
-Abstract
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
- This document updates the requirements for the support of the TCP
-
-Bellis Expires April 29, 2010 [Page 1]
+Bellis Expires July 10, 2010 [Page 1]
-Internet-Draft DNS Transport over TCP October 2009
+Internet-Draft DNS over TCP January 2010
- protocol for the transport of DNS traffic.
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the BSD License.
Table of Contents
@@ -70,25 +74,21 @@ Table of Contents
4. Transport Protocol Selection . . . . . . . . . . . . . . . . . 4
- 5. Dormant Connection Handling . . . . . . . . . . . . . . . . . . 5
+ 5. Connection Handling . . . . . . . . . . . . . . . . . . . . . . 5
6. Response re-ordering . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 9.1. Normative References . . . . . . . . . . . . . . . . . . . 6
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 9.1. Normative References . . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . . 7
- Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . . 7
-
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7
-
-
-
+ Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . . 8
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
@@ -108,18 +108,17 @@ Table of Contents
-Bellis Expires April 29, 2010 [Page 2]
+Bellis Expires July 10, 2010 [Page 2]
-Internet-Draft DNS Transport over TCP October 2009
+Internet-Draft DNS over TCP January 2010
1. Introduction
- Most DNS [RFC1035] transactions take place over the UDP [RFC0792]
- protocol. The TCP [RFC0793] protocol is used for zone transfers and
- is supported by many implementations for the transfer of other
- packets which exceed the protocol's original 512 byte packet-size
- limit.
+ Most DNS [RFC1035] transactions take place over UDP [RFC0792]. The
+ TCP [RFC0793] is used for zone transfers and for the transfer of
+ other packets which exceed the protocol's original 512 byte packet-
+ size limit.
Section 6.1.3.2 of [RFC1123] states:
@@ -127,11 +126,22 @@ Internet-Draft DNS Transport over TCP October 2009
support TCP, for sending (non-zone-transfer) queries.
However, some implementors have taken the text quoted above to mean
- that TCP support is truly optional for typical DNS operation.
+ that TCP support is an optional feature of the DNS protocol.
- This document normatively updates the core DNS protocol
- specifications such that (except in very limited circumstances)
- support for the TCP protocol is henceforth REQUIRED.
+ The majority of DNS server operators already support TCP and the
+ default configuration for most software implementations is to support
+ TCP. The primary audience for this document is those implementors
+ whose failure to support TCP restricts interoperability and limits
+ deployment of new DNS features.
+
+ This document therefore updates the core DNS protocol specifications
+ such that support for TCP is henceforth a REQUIRED part of a full DNS
+ protocol implementation.
+
+ Whilst this document makes no specific recommendations to operators
+ of DNS servers, it should be noted that failure to support TCP (or
+ blocking of DNS over TCP at the network layer) may result in
+ resolution failure and application-level timeouts.
2. Terminology used in this document
@@ -145,13 +155,21 @@ Internet-Draft DNS Transport over TCP October 2009
In the absence of EDNS0 (see below) the normal behaviour of any DNS
server needing to send a UDP response that exceeds that 512 byte
- limit is for the server to truncate the response at the 512 byte
- limit and set the TC flag in the response header. When the client
- receives such a response it takes the TC flag as notice that it
- should retry over TCP instead.
+ limit is for the server to truncate the response so that it fits
+ within the 512 byte limit and set the TC flag in the response header.
+ When the client receives such a response it takes the TC flag as an
+ indication that it should retry over TCP instead.
RFC 1123 also says:
+
+
+Bellis Expires July 10, 2010 [Page 3]
+
+Internet-Draft DNS over TCP January 2010
+
+
+
... it is also clear that some new DNS record types defined in the
future will contain information exceeding the 512 byte limit that
applies to UDP, and hence will require TCP. Thus, resolvers and
@@ -161,14 +179,6 @@ Internet-Draft DNS Transport over TCP October 2009
Existing deployments of DNSSEC [RFC4033] have shown that truncation
at the 512 byte boundary is now commonplace. For example an NXDOMAIN
-
-
-
-Bellis Expires April 29, 2010 [Page 3]
-
-Internet-Draft DNS Transport over TCP October 2009
-
-
(RCODE == 3) response from a DNSSEC signed zone using NSEC3 [RFC5155]
is almost invariably longer than 512 bytes.
@@ -180,58 +190,53 @@ Internet-Draft DNS Transport over TCP October 2009
UDP packets up to that client's announced buffer size without
truncation.
- However, transport of UDP packets which exceed the size of the path
- MTU has been found to be unreliable in some circumstances because of
- IP packet fragmentation. Many firewalls routinely block fragmented
- IP packets, and some implementations lack the software logic
- necessary to reassemble a fragmented datagram. Worse still, some
- devices deliberately refuse to handle DNS packets containing EDNS0
- options. Other issues relating to UDP transport and packet size are
- discussed in [RFC5625].
+ However, transport of UDP packets that exceed the size of the path
+ MTU causes IP packet fragmentation, which has been found to be
+ unreliable in some circumstances. Many firewalls routinely block
+ fragmented IP packets, and some implementations lack the software
+ logic necessary to reassemble a fragmented datagram. Worse still,
+ some devices deliberately refuse to handle DNS packets containing
+ EDNS0 options. Other issues relating to UDP transport and packet
+ size are discussed in [RFC5625].
The MTU most commonly found in the core of the Internet is around
1500 bytes, and even that limit is routinely exceeded by DNSSEC
signed responses.
The future that was anticipated in RFC 1123 has arrived, and the only
- standardised mechanism which may have resolved the packet size issue
- has been found inadequate.
+ standardised UDP-based mechanism which may have resolved the packet
+ size issue has been found inadequate.
4. Transport Protocol Selection
- All DNS implementations MUST support both UDP and TCP transport
- protocols, except as set out below.
+ All DNS implementations MUST support both UDP and TCP transport.
- On a case by case basis, authoritative DNS server operators MAY elect
- to disable DNS transport over TCP if all of the following conditions
- are satisfied:
+ o Authoritative resolver implementations MUST support TCP so that
+ they may serve any long responses that they are configured to
+ serve.
- o the server is authoritative only
- o the server does not support AXFR
- o all requests and responses are guaranteed to be <= 512 bytes
- A general purpose stub resolver implementation (e.g. an operating
- system's DNS resolution library) MUST support TCP since to do
- otherwise would limit its interoperability with its own clients and
- with upstream servers.
- A proprietary stub resolver implementation MAY omit support for TCP
-
-Bellis Expires April 29, 2010 [Page 4]
+Bellis Expires July 10, 2010 [Page 4]
-Internet-Draft DNS Transport over TCP October 2009
+Internet-Draft DNS over TCP January 2010
- if it is operating in an environment where truncation can never
- occur, or if it is prepared to accept a DNS lookup failure should
- truncation occur.
+ o A recursive resolver or forwarder MUST support TCP so that it does
+ not prevent long responses from a TCP-capable server from reaching
+ its TCP-capable clients.
+ o A general purpose stub resolver implementation (e.g. an operating
+ system's DNS resolution library) MUST support TCP since to do
+ otherwise would limit its interoperability with its own clients
+ and with upstream servers.
- A recursive resolver or forwarder MUST support TCP so that it does
- not prevent long responses from a TCP-capable server from reaching
- its TCP-capable clients.
+ An exception may be made for proprietary stub resolver
+ implementations. These MAY omit support for TCP if operating in an
+ environment where truncation can never occur, or where DNS lookup
+ failure is acceptable should truncation occur.
Regarding the choice of when to use UDP or TCP, RFC 1123 says:
@@ -241,10 +246,11 @@ Internet-Draft DNS Transport over TCP October 2009
That requirement is hereby relaxed. A resolver SHOULD send a UDP
query first, but MAY elect to send a TCP query instead if it has good
reason to expect the response would be truncated if it were sent over
- UDP (with or without EDNS0) or for other operational reasons.
+ UDP (with or without EDNS0) or for other operational reasons, in
+ particular if it already has an open TCP connection to the server.
-5. Dormant Connection Handling
+5. Connection Handling
Section 4.2.2 of [RFC1035] says:
@@ -258,8 +264,8 @@ Internet-Draft DNS Transport over TCP October 2009
under heavy load. Intentionally opening many connections and leaving
them dormant can trivially create a "denial of service" attack.
- This document therefore RECOMMENDS that the idle period should be of
- the order of TBD seconds.
+ This document therefore RECOMMENDS that the application-level idle
+ period should be of the order of TBD seconds.
Servers MAY allow dormant connections to remain open for longer
periods, but for the avoidance of doubt persistent DNS connections
@@ -268,17 +274,20 @@ Internet-Draft DNS Transport over TCP October 2009
close a dormant TCP connection it MUST be free to do so whenever
required.
- Further recommendations for the tuning of TCP parameters to allow
- higher throughput or improved resiliency against denial of service
- attacks are (currently) outside the scope of this document.
+Bellis Expires July 10, 2010 [Page 5]
+
+Internet-Draft DNS over TCP January 2010
+ To mitigate the risk of unintentional server overload DNS clients
+ MUST take care to minimize the number of concurrent TCP connections
+ made to any individual server.
-Bellis Expires April 29, 2010 [Page 5]
-
-Internet-Draft DNS Transport over TCP October 2009
+ Further recommendations for the tuning of TCP parameters to allow
+ higher throughput or improved resiliency against denial of service
+ attacks are outside the scope of this document.
6. Response re-ordering
@@ -301,11 +310,17 @@ Internet-Draft DNS Transport over TCP October 2009
Some DNS server operators have expressed concern that wider use of
DNS over TCP will expose them to a higher risk of "denial of service"
- attacks.
+ (DoS) attacks.
- Many large authoritative DNS operators including all but one of the
- root servers and the vast majority of TLDs already support TCP and
- attacks against them are infrequent and very rarely successful.
+ Whilst there is a theoretically higher risk of such attacks against
+ TCP-enabled servers, techniques for the mitigation of DoS attacks at
+ the network level have improved substantially since DNS was first
+ designed.
+
+ The vast majority of TLD authority servers and all but one of the
+ root name servers already support TCP and the author knows of no
+ evidence to suggest that TCP-based DoS attacks against existing DNS
+ infrastructure are commonplace.
Operators of recursive servers should ensure that they only accept
connections from expected clients, and do not accept them from
@@ -315,6 +330,13 @@ Internet-Draft DNS Transport over TCP October 2009
the number of concurrent connections.
+
+
+Bellis Expires July 10, 2010 [Page 6]
+
+Internet-Draft DNS over TCP January 2010
+
+
8. IANA Considerations
This document requests no IANA actions.
@@ -330,13 +352,6 @@ Internet-Draft DNS Transport over TCP October 2009
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
-
-
-Bellis Expires April 29, 2010 [Page 6]
-
-Internet-Draft DNS Transport over TCP October 2009
-
-
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
@@ -371,10 +386,23 @@ Internet-Draft DNS Transport over TCP October 2009
BCP 152, RFC 5625, August 2009.
+
+
+Bellis Expires July 10, 2010 [Page 7]
+
+Internet-Draft DNS over TCP January 2010
+
+
Appendix A. Change Log
NB: to be removed by the RFC Editor before publication.
+ draft-ietf-dnsext-dns-tcp-requirements-02
+ Change of title - more focus on implementation and not operation
+ Re-write of some of the security section
+ Added recommendation for minimal concurrent connections
+ Minor editorial nits from Alfred Hoenes
+
draft-ietf-dnsext-dns-tcp-requirements-01
Addition of response ordering section
Various minor editorial changes from WG reviewers
@@ -383,16 +411,6 @@ Appendix A. Change Log
Initial draft
-
-
-
-
-
-Bellis Expires April 29, 2010 [Page 7]
-
-Internet-Draft DNS Transport over TCP October 2009
-
-
Author's Address
Ray Bellis
@@ -426,23 +444,5 @@ Author's Address
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bellis Expires April 29, 2010 [Page 8]
+Bellis Expires July 10, 2010 [Page 8]
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-gost-05.txt b/doc/draft/draft-ietf-dnsext-dnssec-gost-06.txt
index 152d96ef..f651d135 100644
--- a/doc/draft/draft-ietf-dnsext-dnssec-gost-05.txt
+++ b/doc/draft/draft-ietf-dnsext-dnssec-gost-06.txt
@@ -1,12 +1,12 @@
DNS Extensions working group V.Dolmatov, Ed.
Internet-Draft Cryptocom Ltd.
-Intended status: Standards Track November 30, 2009
-Expires: May 30, 2010
+Intended status: Standards Track December 12, 2009
+Expires: June 12, 2010
Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
for DNSSEC
- draft-ietf-dnsext-dnssec-gost-05
+ draft-ietf-dnsext-dnssec-gost-06
Status of this Memo
@@ -29,7 +29,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
- This Internet-Draft will expire on May 10 2010.
+ This Internet-Draft will expire on June 12 2010.
Copyright Notice
@@ -49,7 +49,7 @@ Abstract
resource records for use in the Domain Name System Security
Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
-V.Dolmatov Expires May 30, 2010 [Page 1]
+V.Dolmatov Expires June 12, 2010 [Page 1]
Table of Contents
@@ -106,7 +106,7 @@ Table of Contents
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
-V.Dolmatov Expires May 30, 2010 [Page 2]
+V.Dolmatov Expires June 12, 2010 [Page 2]
2. DNSKEY Resource Records
@@ -121,17 +121,13 @@ V.Dolmatov Expires May 30, 2010 [Page 2]
According to [GOST3410], a public key is a point on the elliptic
curve Q = (x,y).
- The wire representation of a public key MUST contain 66 octets,
- where the first octet designates public key parameters, the second
- octet designates digest parameters next 32 octets contain the
- little-endian representation of x and the second 32 octets contain
- the little-endian representation of y.
+ The wire representation of a public key MUST contain 64 octets,
+ where the first 32 octets contain the little-endian representation
+ of x and the second 32 octets contain the little-endian
+ representation of y.
This corresponds to the binary representation of (<y>256||<x>256)
from [GOST3410], ch. 5.3.
- The only valid value for both parameters octets is 0.
- Other parameters octets values are reserved for future use.
-
Corresponding public key parameters are those identified by
id-GostR3410-2001-CryptoPro-A-ParamSet (1.2.643.2.2.35.1) [RFC4357],
and the digest parameters are those identified by
@@ -145,9 +141,8 @@ V.Dolmatov Expires May 30, 2010 [Page 2]
section 2.3.2.
To make this encoding from the wire format of a GOST public key
- with the parameters used in this document, prepend the last 64 octets
- of key data (in other words, substitute first two parameter octets)
- with the following 37-byte sequence:
+ with the parameters used in this document, prepend the 64 octets
+ of key data with the following 37-byte sequence:
0x30 0x63 0x30 0x1c 0x06 0x06 0x2a 0x85 0x03 0x02 0x02 0x13 0x30
0x12 0x06 0x07 0x2a 0x85 0x03 0x02 0x02 0x23 0x01 0x06 0x07 0x2a
@@ -161,18 +156,19 @@ V.Dolmatov Expires May 30, 2010 [Page 2]
Private-key-format: v1.2
Algorithm: {TBA1} (GOST)
- GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S
- 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
+ GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgp9c
+ t2LQaNS1vMKPLEN9zHYjLPNMIQN6QB9vt3AghZFA=
+
-V.Dolmatov Expires May 30, 2010 [Page 3]
+V.Dolmatov Expires June 12, 2010 [Page 3]
The following DNSKEY RR stores a DNS zone key for example.net
example.net. 86400 IN DNSKEY 256 3 {TBA1} (
- AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq
- tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
- yB7i836EfzmJo5LP
- ) ; key id = 15820
+ GtTJjmZKUXV+lHLG/6crB6RCR+EJR51Islpa
+ 6FqfT0MUfKhSn1yAo92+LJ0GDssTiAnj0H0I
+ 9Jrfial/yyc5Og==
+ ) ; key id = 10805
3. RRSIG Resource Records
@@ -214,12 +210,12 @@ V.Dolmatov Expires May 30, 2010 [Page 3]
assigned by IANA)
www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
- 20000101000000 15820 example.net.
- 2MIsZWtEx6pcfQrdl376B8sFg0qxsR8XMHpl
- jHh+V6U7Qte7WwI4C3Z1nFMRVf//C9rO2dGB
- rdp+C7wVoOHBqA== )
+ 20000101000000 10805 example.net.
+ k3m0r5bm6kFQmcRlHshY3jIj7KL6KTUsPIAp
+ Vy466khKuWEUoVvSkqI+9tvMQySQgZcEmS0W
+ HRFSm0XS5YST5g== )
-V.Dolmatov Expires May 30, 2010 [Page 4]
+V.Dolmatov Expires June 12, 2010 [Page 4]
Note: Several GOST signatures calculated for the same message text
differ because of using of a random element is used in signature
@@ -241,16 +237,16 @@ V.Dolmatov Expires May 30, 2010 [Page 4]
assigned by IANA)
example.net. 86400 DNSKEY 257 3 {TBA1} (
- AAADr5vmKVdXo780hSRU1YZYWuMZUbEe9R7C
- RRLc7Wj2osDXv2XbCnIpTUx8dVLnLKmDBquu
- 9tCz5oSsZl0cL0R2
- ) ; key id = 21649
-
+ 1aYdqrVz3JJXEURLMdmeI7H1CyTFfPVFBIGA
+ EabZFP+7NT5KPYXzjDkRbPWleEFbBilDNQNi
+ q/q4CwA4WR+ovg==
+ ) ; key id = 6204
+
The DS RR will be
- example.net. 3600 IN DS 21649 {TBA1} {TBA2} (
- A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A
- A44649C6 )
+ example.net. 3600 IN DS 6204 {TBA1} {TBA2} (
+ 0E6D6CB303F89DBCF614DA6E21984F7A62D08BDD0A05B3A22CC63D1B
+ 553BC61E )
5. Deployment Considerations
@@ -277,7 +273,7 @@ V.Dolmatov Expires May 30, 2010 [Page 4]
DNSKEY resource records created with the GOST algorithms as
defined in this document.
-V.Dolmatov Expires May 30, 2010 [Page 5]
+V.Dolmatov Expires June 12, 2010 [Page 5]
6.2. Support for NSEC3 Denial of Existence
@@ -333,7 +329,7 @@ V.Dolmatov Expires May 30, 2010 [Page 5]
contributors to these documents are gratefully acknowledged for
their hard work.
-V.Dolmatov Expires May 30, 2010 [Page 6]
+V.Dolmatov Expires June 12, 2010 [Page 6]
The following people provided additional feedback and text: Dmitry
Burkov, Jaap Akkerhuis, Olafur Gundmundsson, Jelte Jansen
@@ -389,7 +385,7 @@ V.Dolmatov Expires May 30, 2010 [Page 6]
Infrastructure Certificate and CRL Profile", RFC 4491,
May 2006.
-V.Dolmatov Expires May 30, 2010 [Page 7]
+V.Dolmatov Expires June 12, 2010 [Page 7]
10.2. Informative References
@@ -399,21 +395,21 @@ V.Dolmatov Expires May 30, 2010 [Page 7]
[DRAFT1] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.10-2001 digital signature algorithm"
- draft-dolmatov-cryptocom-gost34102001-06, 11.10.09
+ draft-dolmatov-cryptocom-gost34102001-07, 12.12.09
work in progress.
[DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.11-94 Hash function algorithm"
- draft-dolmatov-cryptocom-gost341194-04, 11.10.09
+ draft-dolmatov-cryptocom-gost341194-06, 12.12.09
work in progress.
[DRAFT3] Dolmatov V., Kabelev D., Ustinov I., Emelyanova I.,
"GOST 28147-89 encryption, decryption and MAC algorithms"
- draft-dolmatov-cryptocom-gost2814789-04, 11.10.09
+ draft-dolmatov-cryptocom-gost2814789-06, 12.12.09
work in progress.
-V.Dolmatov Expires May 30, 2010 [Page 8]
+V.Dolmatov Expires June 12, 2010 [Page 8]
Authors' Addresses
@@ -440,7 +436,7 @@ Moscow, 117218, Russian Federation
EMail: igus@cryptocom.ru
-V.Dolmatov Expires May 30, 2010 [Page 9]
+V.Dolmatov Expires June 12, 2010 [Page 9]
diff --git a/lib/dns/api b/lib/dns/api
index 5609cd0c..c4e83f4e 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 63
+LIBINTERFACE = 64
LIBREVISION = 0
LIBAGE = 0
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index d71a05a5..bee2f056 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $Id: dnssec.c,v 1.115 2009/11/24 23:48:12 tbox Exp $
+ * $Id: dnssec.c,v 1.115.10.4 2010/01/13 23:48:20 tbox Exp $
*/
/*! \file */
@@ -37,6 +37,7 @@
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
+#include <dns/log.h>
#include <dns/message.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
@@ -663,7 +664,22 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
}
}
- if (result == ISC_R_FILENOTFOUND) {
+ if (result != ISC_R_SUCCESS) {
+ char keybuf[DNS_NAME_FORMATSIZE];
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(dst_key_name(pubkey), keybuf,
+ sizeof(keybuf));
+ dns_secalg_format(dst_key_alg(pubkey), algbuf,
+ sizeof(algbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+ "dns_dnssec_findzonekeys2: error "
+ "reading private key file %s/%s/%d: %s",
+ keybuf, algbuf, dst_key_id(pubkey),
+ isc_result_totext(result));
+ }
+
+ if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
keys[count] = pubkey;
pubkey = NULL;
count++;
@@ -1233,9 +1249,23 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
continue;
dstkey = NULL;
- RETERR(dst_key_fromnamedfile(dir.entry.name, directory,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
- mctx, &dstkey));
+ result = dst_key_fromnamedfile(dir.entry.name,
+ directory,
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &dstkey);
+
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_WARNING,
+ "dns_dnssec_findmatchingkeys: "
+ "error reading key file %s: %s",
+ dir.entry.name,
+ isc_result_totext(result));
+ continue;
+ }
RETERR(dns_dnsseckey_create(mctx, &dstkey, &key));
key->source = dns_keysource_repository;
@@ -1418,7 +1448,50 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
dst_key_alg(pubkey),
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory, mctx, &privkey);
+
+ /*
+ * If the key was revoked and the private file
+ * doesn't exist, maybe it was revoked internally
+ * by named. Try loading the unrevoked version.
+ */
if (result == ISC_R_FILENOTFOUND) {
+ isc_uint32_t flags;
+ flags = dst_key_flags(pubkey);
+ if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+ dst_key_setflags(pubkey,
+ flags & ~DNS_KEYFLAG_REVOKE);
+ result = dst_key_fromfile(dst_key_name(pubkey),
+ dst_key_id(pubkey),
+ dst_key_alg(pubkey),
+ DST_TYPE_PUBLIC|
+ DST_TYPE_PRIVATE,
+ directory,
+ mctx, &privkey);
+ if (result == ISC_R_SUCCESS &&
+ dst_key_pubcompare(pubkey, privkey,
+ ISC_FALSE)) {
+ dst_key_setflags(privkey, flags);
+ }
+ dst_key_setflags(pubkey, flags);
+ }
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ char keybuf[DNS_NAME_FORMATSIZE];
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(dst_key_name(pubkey), keybuf,
+ sizeof(keybuf));
+ dns_secalg_format(dst_key_alg(pubkey), algbuf,
+ sizeof(algbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+ "dns_dnssec_keylistfromrdataset: error "
+ "reading private key file %s/%s/%d: %s",
+ keybuf, algbuf, dst_key_id(pubkey),
+ isc_result_totext(result));
+ }
+
+ if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
addkey(keylist, &pubkey, savekeys, mctx);
goto skip;
}
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index c0bc43d4..640c68ae 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.47 2009/11/07 03:36:58 each Exp $
+ * $Id: dst_api.c,v 1.47.22.1 2010/01/13 19:31:52 each Exp $
*/
/*! \file */
@@ -1450,7 +1450,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
fprintf(fp, " ");
isc_buffer_usedregion(&classb, &r);
- fwrite(r.base, 1, r.length, fp);
+ isc_util_fwrite(r.base, 1, r.length, fp);
if ((type & DST_TYPE_KEY) != 0)
fprintf(fp, " KEY ");
@@ -1458,7 +1458,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
fprintf(fp, " DNSKEY ");
isc_buffer_usedregion(&textb, &r);
- fwrite(r.base, 1, r.length, fp);
+ isc_util_fwrite(r.base, 1, r.length, fp);
fputc('\n', fp);
fflush(fp);
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 5fc56381..0a78b5ba 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
/*%
* Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.23 2009/10/26 21:18:24 each Exp $
+ * $Id: dst_parse.c,v 1.23.36.3 2010/01/13 19:31:52 each Exp $
*/
#include <config.h>
@@ -62,7 +62,7 @@ static const char *timetags[TIMING_NTAGS] = {
"Publish:",
"Activate:",
"Revoke:",
- "Unpublish:",
+ "Inactive:",
"Delete:",
"DSPublish:"
};
@@ -626,7 +626,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
isc_buffer_usedregion(&b, &r);
fprintf(fp, "%s ", s);
- fwrite(r.base, 1, r.length, fp);
+ isc_util_fwrite(r.base, 1, r.length, fp);
fprintf(fp, "\n");
}
@@ -651,7 +651,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
isc_buffer_usedregion(&b, &r);
fprintf(fp, "%s ", timetags[i]);
- fwrite(r.base, 1, r.length, fp);
+ isc_util_fwrite(r.base, 1, r.length, fp);
fprintf(fp, "\n");
}
}
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 70eb41be..23ec6579 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.15 2009/10/24 09:46:19 fdupont Exp $
+ * $Id: hmac_link.c,v 1.15.36.2 2010/01/07 23:48:16 tbox Exp $
*/
#include <config.h>
@@ -50,14 +50,10 @@
#include "dst_internal.h"
#include "dst_parse.h"
-#define HMAC_LEN 64
-#define HMAC_IPAD 0x36
-#define HMAC_OPAD 0x5c
-
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacmd5_key {
- unsigned char key[HMAC_LEN];
+ unsigned char key[ISC_MD5_BLOCK_LENGTH];
};
static isc_result_t
@@ -79,7 +75,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
@@ -142,7 +138,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, HMAC_LEN) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -152,18 +148,18 @@ static isc_result_t
hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA1_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+ bytes = ISC_SHA1_BLOCK_LENGTH;
+ key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -172,7 +168,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacmd5_fromdns(key, &b);
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
return (ret);
}
@@ -186,6 +182,7 @@ hmacmd5_isprivate(const dst_key_t *key) {
static void
hmacmd5_destroy(dst_key_t *key) {
dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
+
memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
key->keydata.hmacmd5 = NULL;
@@ -225,7 +222,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > HMAC_LEN) {
+ if (r.length > ISC_SHA1_BLOCK_LENGTH) {
isc_md5_init(&md5ctx);
isc_md5_update(&md5ctx, r.base, r.length);
isc_md5_final(&md5ctx, hkey->key);
@@ -341,7 +338,7 @@ dst__hmacmd5_init(dst_func_t **funcp) {
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha1_key {
- unsigned char key[ISC_SHA1_DIGESTLENGTH];
+ unsigned char key[ISC_SHA1_BLOCK_LENGTH];
};
static isc_result_t
@@ -352,7 +349,7 @@ hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
if (hmacsha1ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
+ isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
return (ISC_R_SUCCESS);
}
@@ -415,7 +412,7 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -425,18 +422,18 @@ static isc_result_t
hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA1_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+ bytes = ISC_SHA1_BLOCK_LENGTH;
+ key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -445,7 +442,7 @@ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha1_fromdns(key, &b);
- memset(data, 0, ISC_SHA1_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
return (ret);
}
@@ -459,6 +456,7 @@ hmacsha1_isprivate(const dst_key_t *key) {
static void
hmacsha1_destroy(dst_key_t *key) {
dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
+
memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
key->keydata.hmacsha1 = NULL;
@@ -498,7 +496,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA1_DIGESTLENGTH) {
+ if (r.length > ISC_SHA1_BLOCK_LENGTH) {
isc_sha1_init(&sha1ctx);
isc_sha1_update(&sha1ctx, r.base, r.length);
isc_sha1_final(&sha1ctx, hkey->key);
@@ -614,7 +612,7 @@ dst__hmacsha1_init(dst_func_t **funcp) {
static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha224_key {
- unsigned char key[ISC_SHA224_DIGESTLENGTH];
+ unsigned char key[ISC_SHA224_BLOCK_LENGTH];
};
static isc_result_t
@@ -625,7 +623,7 @@ hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
if (hmacsha224ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
+ isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH);
dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
return (ISC_R_SUCCESS);
}
@@ -688,7 +686,7 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -700,18 +698,18 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA224_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA224_BLOCK_LENGTH) {
+ bytes = ISC_SHA224_BLOCK_LENGTH;
+ key->key_size = ISC_SHA224_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -720,7 +718,7 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha224_fromdns(key, &b);
- memset(data, 0, ISC_SHA224_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
return (ret);
}
@@ -734,6 +732,7 @@ hmacsha224_isprivate(const dst_key_t *key) {
static void
hmacsha224_destroy(dst_key_t *key) {
dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
+
memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
key->keydata.hmacsha224 = NULL;
@@ -773,7 +772,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA224_DIGESTLENGTH) {
+ if (r.length > ISC_SHA224_BLOCK_LENGTH) {
isc_sha224_init(&sha224ctx);
isc_sha224_update(&sha224ctx, r.base, r.length);
isc_sha224_final(hkey->key, &sha224ctx);
@@ -889,7 +888,7 @@ dst__hmacsha224_init(dst_func_t **funcp) {
static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha256_key {
- unsigned char key[ISC_SHA256_DIGESTLENGTH];
+ unsigned char key[ISC_SHA256_BLOCK_LENGTH];
};
static isc_result_t
@@ -900,7 +899,7 @@ hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
if (hmacsha256ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
+ isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH);
dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
return (ISC_R_SUCCESS);
}
@@ -963,7 +962,7 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -975,18 +974,18 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA256_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA256_BLOCK_LENGTH) {
+ bytes = ISC_SHA256_BLOCK_LENGTH;
+ key->key_size = ISC_SHA256_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -995,7 +994,7 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha256_fromdns(key, &b);
- memset(data, 0, ISC_SHA256_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
return (ret);
}
@@ -1009,6 +1008,7 @@ hmacsha256_isprivate(const dst_key_t *key) {
static void
hmacsha256_destroy(dst_key_t *key) {
dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
+
memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
key->keydata.hmacsha256 = NULL;
@@ -1048,7 +1048,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA256_DIGESTLENGTH) {
+ if (r.length > ISC_SHA256_BLOCK_LENGTH) {
isc_sha256_init(&sha256ctx);
isc_sha256_update(&sha256ctx, r.base, r.length);
isc_sha256_final(hkey->key, &sha256ctx);
@@ -1164,7 +1164,7 @@ dst__hmacsha256_init(dst_func_t **funcp) {
static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha384_key {
- unsigned char key[ISC_SHA384_DIGESTLENGTH];
+ unsigned char key[ISC_SHA384_BLOCK_LENGTH];
};
static isc_result_t
@@ -1175,7 +1175,7 @@ hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
if (hmacsha384ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
+ isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH);
dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
return (ISC_R_SUCCESS);
}
@@ -1238,7 +1238,7 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -1250,18 +1250,18 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA384_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA384_BLOCK_LENGTH) {
+ bytes = ISC_SHA384_BLOCK_LENGTH;
+ key->key_size = ISC_SHA384_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -1270,7 +1270,7 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha384_fromdns(key, &b);
- memset(data, 0, ISC_SHA384_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
return (ret);
}
@@ -1284,6 +1284,7 @@ hmacsha384_isprivate(const dst_key_t *key) {
static void
hmacsha384_destroy(dst_key_t *key) {
dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
+
memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
key->keydata.hmacsha384 = NULL;
@@ -1323,7 +1324,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA384_DIGESTLENGTH) {
+ if (r.length > ISC_SHA384_BLOCK_LENGTH) {
isc_sha384_init(&sha384ctx);
isc_sha384_update(&sha384ctx, r.base, r.length);
isc_sha384_final(hkey->key, &sha384ctx);
@@ -1439,7 +1440,7 @@ dst__hmacsha384_init(dst_func_t **funcp) {
static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha512_key {
- unsigned char key[ISC_SHA512_DIGESTLENGTH];
+ unsigned char key[ISC_SHA512_BLOCK_LENGTH];
};
static isc_result_t
@@ -1450,7 +1451,7 @@ hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
if (hmacsha512ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
+ isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH);
dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
return (ISC_R_SUCCESS);
}
@@ -1513,7 +1514,7 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -1525,18 +1526,18 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA512_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA512_BLOCK_LENGTH) {
+ bytes = ISC_SHA512_BLOCK_LENGTH;
+ key->key_size = ISC_SHA512_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -1545,7 +1546,7 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha512_fromdns(key, &b);
- memset(data, 0, ISC_SHA512_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
return (ret);
}
@@ -1559,6 +1560,7 @@ hmacsha512_isprivate(const dst_key_t *key) {
static void
hmacsha512_destroy(dst_key_t *key) {
dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
+
memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
key->keydata.hmacsha512 = NULL;
@@ -1598,7 +1600,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA512_DIGESTLENGTH) {
+ if (r.length > ISC_SHA512_BLOCK_LENGTH) {
isc_sha512_init(&sha512ctx);
isc_sha512_update(&sha512ctx, r.base, r.length);
isc_sha512_final(hkey->key, &sha512ctx);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index bc2549b9..4a9a8576 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec.h,v 1.40 2009/11/23 02:55:41 each Exp $ */
+/* $Id: dnssec.h,v 1.40.10.1 2010/01/13 19:31:53 each Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
@@ -284,7 +284,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
*
* 'keysigs' and 'soasigs', if not NULL and associated, contain the
* RRSIGS for the DNSKEY and SOA records respectively and are used to mark
- * whether a key is already active int eh zone.
+ * whether a key is already active in the zone.
*/
isc_result_t
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index a9703f4a..19f659b0 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keytable.h,v 1.20 2009/12/03 16:49:09 each Exp $ */
+/* $Id: keytable.h,v 1.20.4.1 2010/01/13 19:31:53 each Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
@@ -173,7 +173,7 @@ dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name);
* Add a null key to 'keytable' for name 'name'. This marks the
* name as a secure domain, but doesn't supply any key data to allow the
* domain to be validated. (Used when automated trust anchor management
- * has gotten broken by a zone misconfiguration; for exmaple, when the
+ * has gotten broken by a zone misconfiguration; for example, when the
* active key has been revoked but the stand-by key was still in its 30-day
* waiting period for validity.)
*
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index 5eac7dfb..7f927f1c 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.44 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: log.h,v 1.44.186.1 2009/12/18 22:13:54 each Exp $ */
/*! \file dns/log.h
* \author Principal Authors: DCL */
@@ -73,6 +73,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGMODULE_HINTS (&dns_modules[24])
#define DNS_LOGMODULE_ACACHE (&dns_modules[25])
#define DNS_LOGMODULE_DLZ (&dns_modules[26])
+#define DNS_LOGMODULE_DNSSEC (&dns_modules[27])
ISC_LANG_BEGINDECLS
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 8608ef38..3c924bbd 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: name.h,v 1.132 2009/09/01 17:36:51 jinmei Exp $ */
+/* $Id: name.h,v 1.132.104.1 2009/12/24 00:35:21 each Exp $ */
#ifndef DNS_NAME_H
#define DNS_NAME_H 1
@@ -99,12 +99,6 @@ ISC_LANG_BEGINDECLS
*****/
/***
- *** Compression pointer chaining limit
- ***/
-
-#define DNS_POINTER_MAXHOPS 16
-
-/***
*** Types
***/
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index a818fe63..f5266ad2 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.h,v 1.25 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: ncache.h,v 1.25.268.2 2009/12/30 23:48:30 tbox Exp $ */
#ifndef DNS_NCACHE_H
#define DNS_NCACHE_H 1
@@ -76,7 +76,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
* The 'covers' argument is the RR type whose nonexistence we are caching,
* or dns_rdatatype_any when caching a NXDOMAIN response.
*
- * 'optout' indicates a DNS_RATASETATTR_OPTOUT should be set.
+ * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
*
* Note:
*\li If 'addedrdataset' is not NULL, then it will be attached to the added
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 6940fa4d..b5d92139 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.138 2009/11/17 23:55:18 marka Exp $ */
+/* $Id: types.h,v 1.138.16.1 2009/12/30 08:33:41 jinmei Exp $ */
#ifndef DNS_TYPES_H
#define DNS_TYPES_H 1
@@ -318,6 +318,8 @@ enum {
#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \
(x) == dns_trust_pending_additional)
+#define DNS_TRUST_ADDITIONAL(x) ((x) == dns_trust_additional || \
+ (x) == dns_trust_pending_additional)
#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index ed794899..9d6a8534 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.h,v 1.174 2009/12/04 22:06:37 tbox Exp $ */
+/* $Id: zone.h,v 1.174.4.1 2009/12/29 22:23:00 marka Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
@@ -1778,7 +1778,7 @@ dns_zone_getprivatetype(dns_zone_t *zone);
* will not be permanent.
*/
-isc_result_t
+void
dns_zone_rekey(dns_zone_t *zone);
/*%<
* Update the zone's DNSKEY set from the key repository.
diff --git a/lib/dns/log.c b/lib/dns/log.c
index 7551e15f..aca09b58 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.45 2007/06/18 23:47:40 tbox Exp $ */
+/* $Id: log.c,v 1.45.558.2 2009/12/18 23:48:18 tbox Exp $ */
/*! \file */
@@ -79,6 +79,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
{ "dns/hints", 0 },
{ "dns/acache", 0 },
{ "dns/dlz", 0 },
+ { "dns/dnssec", 0 },
{ NULL, 0 }
};
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 3ae4f2da..894857de 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2008-2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec3.c,v 1.13 2009/12/01 05:28:40 marka Exp $ */
+/* $Id: nsec3.c,v 1.13.6.2 2010/01/04 23:48:10 tbox Exp $ */
#include <config.h>
@@ -557,7 +557,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
dns_rdataset_t rdataset;
int pass;
isc_boolean_t exists;
- isc_boolean_t remove_unsecure = ISC_FALSE;
+ isc_boolean_t maybe_remove_unsecure = ISC_FALSE;
isc_uint8_t flags;
isc_buffer_t buffer;
isc_result_t result;
@@ -638,8 +638,12 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
*/
if (!unsecure)
goto addnsec3;
- else
- remove_unsecure = ISC_TRUE;
+ else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
+ result = dns_nsec3_delnsec3(db, version, name,
+ nsec3param, diff);
+ goto failure;
+ } else
+ maybe_remove_unsecure = ISC_TRUE;
} else {
dns_rdataset_disassociate(&rdataset);
if (result != ISC_R_NOMORE)
@@ -675,26 +679,19 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
if (result != ISC_R_SUCCESS)
goto failure;
- if (remove_unsecure) {
+ if (maybe_remove_unsecure) {
dns_rdataset_disassociate(&rdataset);
/*
- * We have found the previous NSEC3 record and can now
- * see if the existing NSEC3 record needs to be
- * updated or deleted.
+ * If we have OPTOUT set in the previous NSEC3 record
+ * we actually need to delete the NSEC3 record.
+ * Otherwise we just need to replace the NSEC3 record.
*/
- if (!OPTOUT(nsec3.flags)) {
- /*
- * Just update the NSEC3 record.
- */
- goto addnsec3;
- } else {
- /*
- * This is actually a deletion not a add.
- */
+ if (OPTOUT(nsec3.flags)) {
result = dns_nsec3_delnsec3(db, version, name,
nsec3param, diff);
goto failure;
}
+ goto addnsec3;
} else {
/*
* Is this is a unsecure delegation we are adding?
@@ -1273,6 +1270,8 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
*/
nsec3.next = nexthash;
nsec3.next_length = next_length;
+ if (CREATE(nsec3param->flags))
+ nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
dns_rdatatype_nsec3, &nsec3,
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 71d338d6..c2ac6d35 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.c,v 1.292 2009/11/26 23:48:14 tbox Exp $ */
+/* $Id: rbtdb.c,v 1.292.8.6 2010/01/04 23:48:10 tbox Exp $ */
/*! \file */
@@ -2377,7 +2377,8 @@ add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
return (result);
- node->nsec = DNS_RBT_NSEC_NORMAL;
+ if (result == ISC_R_SUCCESS)
+ node->nsec = DNS_RBT_NSEC_NORMAL;
node->find_callback = 1;
node->wild = 1;
return (ISC_R_SUCCESS);
@@ -2405,7 +2406,8 @@ add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
&node);
if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
return (result);
- node->nsec = DNS_RBT_NSEC_NORMAL;
+ if (result == ISC_R_SUCCESS)
+ node->nsec = DNS_RBT_NSEC_NORMAL;
}
i++;
}
@@ -3235,8 +3237,16 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
dns_rbtnode_t *nsecnode;
isc_result_t result;
- if (type == dns_rdatatype_nsec3)
- return (dns_rbtnodechain_prev(&search->chain, NULL, NULL));
+ if (type == dns_rdatatype_nsec3) {
+ result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+ return (result);
+ result = dns_rbtnodechain_current(&search->chain, name, origin,
+ nodep);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (ISC_R_SUCCESS);
+ }
dns_fixedname_init(&ftarget);
target = dns_fixedname_name(&ftarget);
@@ -4670,7 +4680,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
* If we didn't find what we were looking for...
*/
if (found == NULL ||
- (found->trust == dns_trust_additional &&
+ (DNS_TRUST_ADDITIONAL(found->trust) &&
((options & DNS_DBFIND_ADDITIONALOK) == 0)) ||
(found->trust == dns_trust_glue &&
((options & DNS_DBFIND_GLUEOK) == 0)) ||
@@ -5754,6 +5764,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
newheader = (rdatasetheader_t *)merged;
+ init_rdataset(rbtdb, newheader);
if (loading && RESIGN(newheader) &&
RESIGN(header) &&
header->resign < newheader->resign)
@@ -6504,7 +6515,7 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
* just now getting an NSEC record.
*/
if ((*nodep)->nsec == DNS_RBT_NSEC_HAS_NSEC)
- return noderesult;
+ return (noderesult);
} else if (noderesult != ISC_R_SUCCESS) {
return (noderesult);
}
@@ -6522,7 +6533,7 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
if (nsecresult == ISC_R_SUCCESS) {
nsecnode->nsec = DNS_RBT_NSEC_NSEC;
(*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
- return (ISC_R_SUCCESS);
+ return (noderesult);
}
if (nsecresult == ISC_R_EXISTS) {
@@ -6924,7 +6935,7 @@ setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
} else if (resign < oldresign)
isc_heap_increased(rbtdb->heaps[header->node->locknum],
header->heap_index);
- else
+ else if (resign > oldresign)
isc_heap_decreased(rbtdb->heaps[header->node->locknum],
header->heap_index);
} else if (resign && header->heap_index == 0) {
@@ -6944,27 +6955,35 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
rdatasetheader_t *header = NULL, *this;
unsigned int i;
isc_result_t result = ISC_R_NOTFOUND;
+ unsigned int locknum;
REQUIRE(VALID_RBTDB(rbtdb));
RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
for (i = 0; i < rbtdb->node_lock_count; i++) {
+ NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read);
this = isc_heap_element(rbtdb->heaps[i], 1);
- if (this == NULL)
+ if (this == NULL) {
+ NODE_UNLOCK(&rbtdb->node_locks[i].lock,
+ isc_rwlocktype_read);
continue;
+ }
if (header == NULL)
header = this;
- else if (isc_serial_lt(this->resign, header->resign))
+ else if (isc_serial_lt(this->resign, header->resign)) {
+ locknum = header->node->locknum;
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_read);
header = this;
+ } else
+ NODE_UNLOCK(&rbtdb->node_locks[i].lock,
+ isc_rwlocktype_read);
}
if (header == NULL)
goto unlock;
- NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
- isc_rwlocktype_read);
-
bind_rdataset(rbtdb, header->node, header, 0, rdataset);
if (foundname != NULL)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 4381d039..f1cfe7d0 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.413 2009/11/18 23:48:07 tbox Exp $ */
+/* $Id: resolver.c,v 1.413.14.2 2010/01/07 23:48:16 tbox Exp $ */
/*! \file */
@@ -4359,11 +4359,19 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
rdataset->ttl = res->view->maxcachettl;
/*
- * If this rrset is in a secure domain, do DNSSEC validation
- * for it, unless it is glue.
+ * If this RRset is in a secure domain, is in bailiwick,
+ * and is not glue, attempt DNSSEC validation. (We do not
+ * attempt to validate glue or out-of-bailiwick data--even
+ * though there might be some performance benefit to doing
+ * so--because it makes it simpler and safer to ensure that
+ * records from a secure domain are only cached if validated
+ * within the context of a query to the domain that owns
+ * them.)
*/
- if (secure_domain && rdataset->trust != dns_trust_glue) {
+ if (secure_domain && rdataset->trust != dns_trust_glue &&
+ !EXTERNAL(rdataset)) {
dns_trust_t trust;
+
/*
* RRSIGs are validated as part of validating the
* type they cover.
@@ -4400,22 +4408,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
}
/*
- * Reject out of bailiwick additional records
- * without RRSIGs as they can't possibly validate
- * as "secure" and as we will never never want to
- * store these as "answers" after validation.
- */
- if (rdataset->trust == dns_trust_additional &&
- sigrdataset == NULL && EXTERNAL(rdataset))
- continue;
-
- /*
- * XXXMPA: If we store as "answer" after validating
- * then we need to do bailiwick processing and
- * also need to track whether RRsets are in or
- * out of bailiwick. This will require a another
- * pending trust level.
- *
* Cache this rdataset/sigrdataset pair as
* pending data. Track whether it was additional
* or not.
@@ -5784,9 +5776,7 @@ answer_response(fetchctx_t *fctx) {
/*
* This data is outside of
* our query domain, and
- * may only be cached if it
- * comes from a secure zone
- * and validates.
+ * may not be cached.
*/
rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 2fd0bc1c..98078a20 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.182 2009/11/17 23:55:18 marka Exp $ */
+/* $Id: validator.c,v 1.182.16.1 2009/12/30 06:46:36 each Exp $ */
#include <config.h>
@@ -3276,20 +3276,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else {
+ unsigned int labels;
dns_name_copy(val->event->name, secroot, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
- if (val->event->type == dns_rdatatype_ds &&
- dns_name_countlabels(secroot) > 1U)
- dns_name_split(secroot, 1, NULL, secroot);
+
+ labels = dns_name_countlabels(secroot);
+ if (val->event->type == dns_rdatatype_ds && labels > 1U)
+ dns_name_getlabelsequence(secroot, 1, labels - 1,
+ secroot);
result = dns_keytable_finddeepestmatch(val->keytable,
secroot, secroot);
-
if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure, "
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 19f0546b..f4f6a85e 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.540 2009/12/07 20:51:12 each Exp $ */
+/* $Id: zone.c,v 1.540.2.13 2010/01/22 01:46:43 each Exp $ */
/*! \file */
@@ -648,7 +648,7 @@ static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
dns_diff_t *diff);
-static isc_result_t zone_rekey(dns_zone_t *zone);
+static void zone_rekey(dns_zone_t *zone);
#define ENTER zone_debuglog(zone, me, 1, "enter")
@@ -1343,8 +1343,8 @@ dns_zone_getjournal(dns_zone_t *zone) {
* master file (if any) is written by the server, rather than being
* updated manually and read by the server.
*
- * This is true for slave zones, stub zones, and zones that allow
- * dynamic updates either by having an update policy ("ssutable")
+ * This is true for slave zones, stub zones, key zones, and zones that
+ * allow dynamic updates either by having an update policy ("ssutable")
* or an "allow-update" ACL with a value other than exactly "{ none; }".
*/
static isc_boolean_t
@@ -2544,8 +2544,8 @@ set_resigntime(dns_zone_t *zone) {
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed);
- result = dns_db_getsigningtime(zone->db, &rdataset,
- dns_fixedname_name(&fixed));
+ result = dns_db_getsigningtime(zone->db, &rdataset,
+ dns_fixedname_name(&fixed));
if (result != ISC_R_SUCCESS) {
isc_time_settoepoch(&zone->resigntime);
return;
@@ -3634,7 +3634,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
if (zone->task != NULL)
zone_settimer(zone, &now);
result = ISC_R_SUCCESS;
- }
+ } else if (zone->type == dns_zone_master)
+ dns_zone_log(zone, ISC_LOG_ERROR, "not loaded due to errors.");
return (result);
}
@@ -6163,6 +6164,8 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_db_detachnode(db, &node);
if (rebuild_nsec) {
+ if (nsec3chain != NULL)
+ dns_dbiterator_pause(nsec3chain->dbiterator);
result = updatesecure(db, version, &zone->origin,
zone->minimum, ISC_TRUE,
&nsec_diff);
@@ -6215,6 +6218,8 @@ zone_nsec3chain(dns_zone_t *zone) {
}
if (updatensec) {
+ if (nsec3chain != NULL)
+ dns_dbiterator_pause(nsec3chain->dbiterator);
result = updatesecure(db, version, &zone->origin,
zone->minimum, ISC_FALSE, &nsec_diff);
if (result != ISC_R_SUCCESS) {
@@ -6554,6 +6559,10 @@ zone_sign(dns_zone_t *zone) {
CHECK(dns_private_chains(db, version, zone->privatetype,
&build_nsec, &build_nsec3));
+ /* If neither chain is found, default to NSEC */
+ if (!build_nsec && !build_nsec3)
+ build_nsec = ISC_TRUE;
+
while (signing != NULL && nodes-- > 0 && signatures > 0) {
nextsigning = ISC_LIST_NEXT(signing, link);
@@ -7821,10 +7830,9 @@ zone_maintenance(dns_zone_t *zone) {
zone_refreshkeys(zone);
break;
case dns_zone_master:
- if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN) &&
- !isc_time_isepoch(&zone->refreshkeytime) &&
+ if (!isc_time_isepoch(&zone->refreshkeytime) &&
isc_time_compare(&now, &zone->refreshkeytime) >= 0)
- dns_zone_rekey(zone);
+ zone_rekey(zone);
default:
break;
}
@@ -10293,11 +10301,10 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
isc_time_compare(&zone->dumptime, &next) < 0)
next = zone->dumptime;
}
- if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
+ !isc_time_isepoch(&zone->refreshkeytime)) {
if (isc_time_isepoch(&next) ||
- (!isc_time_isepoch(&zone->refreshkeytime) &&
- isc_time_compare(&zone->refreshkeytime, &next) < 0))
+ isc_time_compare(&zone->refreshkeytime, &next) < 0)
next = zone->refreshkeytime;
}
if (!isc_time_isepoch(&zone->resigntime)) {
@@ -13629,7 +13636,60 @@ sign_dnskey(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dst_key_free(&zone_keys[i]);
}
-static isc_result_t
+/*
+ * Prevent the zone entering a inconsistent state where
+ * NSEC only DNSKEYs are present with NSEC3 chains.
+ * See update.c:check_dnssec()
+ */
+static isc_boolean_t
+dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ isc_result_t result;
+ dns_difftuple_t *tuple;
+ isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+ /* Scan the tuples for an NSEC-only DNSKEY */
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ isc_uint8_t alg;
+ if (tuple->rdata.type != dns_rdatatype_dnskey ||
+ tuple->op != DNS_DIFFOP_ADD)
+ continue;
+
+ alg = tuple->rdata.data[3];
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+ alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+ nseconly = ISC_TRUE;
+ break;
+ }
+ }
+
+ /* Check existing DB for NSEC-only DNSKEY */
+ if (!nseconly)
+ CHECK(dns_nsec_nseconly(db, ver, &nseconly));
+
+ /* Check existing DB for NSEC3 */
+ if (!nsec3)
+ CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
+ privatetype, &nsec3));
+
+ /* Refuse to allow NSEC3 with NSEC-only keys */
+ if (nseconly && nsec3) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "NSEC only DNSKEYs and NSEC3 chains not allowed");
+ goto failure;
+ }
+
+ return (ISC_TRUE);
+
+ failure:
+ return (ISC_FALSE);
+}
+
+static void
zone_rekey(dns_zone_t *zone) {
isc_result_t result;
dns_db_t *db = NULL;
@@ -13639,7 +13699,7 @@ zone_rekey(dns_zone_t *zone) {
dns_dnsseckeylist_t dnskeys, keys, rmkeys;
dns_dnsseckey_t *key;
dns_diff_t diff;
- isc_boolean_t commit = ISC_FALSE;
+ isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
dns_ttl_t ttl = 3600;
const char *dir;
isc_mem_t *mctx;
@@ -13689,10 +13749,34 @@ zone_rekey(dns_zone_t *zone) {
isc_boolean_t check_ksk;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- CHECK(dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
- &zone->origin, ttl, &diff,
- ISC_TF(!check_ksk), mctx, logmsg));
- if (!ISC_LIST_EMPTY(diff.tuples)) {
+ result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
+ &zone->origin, ttl, &diff,
+ ISC_TF(!check_ksk),
+ mctx, logmsg);
+
+ /* Keys couldn't be updated for some reason; try again later. */
+ if (result != ISC_R_SUCCESS) {
+ isc_interval_t ival;
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
+ "couldn't update zone keys: %s",
+ isc_result_totext(result));
+ isc_interval_set(&ival, HOUR, 0);
+ isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
+ goto failure;
+ }
+
+ /* See if any pre-existing keys have newly become active */
+ for (key = ISC_LIST_HEAD(dnskeys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (key->first_sign) {
+ newactive = ISC_TRUE;
+ break;
+ }
+ }
+
+ if ((newactive || !ISC_LIST_EMPTY(diff.tuples)) &&
+ dnskey_sane(zone, db, ver, &diff)) {
commit = ISC_TRUE;
dns_diff_apply(&diff, db, ver);
sign_dnskey(zone, db, ver, &diff);
@@ -13705,7 +13789,9 @@ zone_rekey(dns_zone_t *zone) {
dns_db_closeversion(db, &ver, commit);
+ /* Update signatures */
if (commit) {
+ LOCK_ZONE(zone);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOTIFYRESIGN);
for (key = ISC_LIST_HEAD(rmkeys);
@@ -13726,6 +13812,7 @@ zone_rekey(dns_zone_t *zone) {
key->first_sign = ISC_FALSE;
}
}
+ UNLOCK_ZONE(zone);
}
isc_time_settoepoch(&zone->refreshkeytime);
@@ -13736,7 +13823,7 @@ zone_rekey(dns_zone_t *zone) {
isc_time_t timenow, timethen;
/*
- * If we are doing automatic key maintenace and the
+ * If we are doing automatic key maintenance and the
* key metadata indicates there is a key change event
* scheduled in the future, set the key refresh timer.
*/
@@ -13750,13 +13837,12 @@ zone_rekey(dns_zone_t *zone) {
isc_time_set(&timethen, then, 0);
if (isc_time_isepoch(&zone->refreshkeytime) ||
isc_time_compare(&timethen, &zone->refreshkeytime) < 0) {
+ TIME_NOW(&timenow);
zone->refreshkeytime = timethen;
zone_settimer(zone, &timenow);
}
}
- result = ISC_R_SUCCESS;
-
failure:
dns_diff_clear(&diff);
@@ -13776,19 +13862,20 @@ zone_rekey(dns_zone_t *zone) {
dns_db_detachnode(db, &node);
if (db != NULL)
dns_db_detach(&db);
- return (result);
}
-isc_result_t
+void
dns_zone_rekey(dns_zone_t *zone) {
- isc_result_t result;
+ isc_time_t now;
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
- result = zone_rekey(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
- UNLOCK_ZONE(zone);
- return (result);
+ if (zone->type == dns_zone_master && zone->task != NULL) {
+ LOCK_ZONE(zone);
+
+ TIME_NOW(&now);
+ zone->refreshkeytime = now;
+ zone_settimer(zone, &now);
+ UNLOCK_ZONE(zone);
+ }
}
isc_result_t
diff --git a/lib/export/samples/nsprobe.c b/lib/export/samples/nsprobe.c
index 1fc364c9..77f12313 100644
--- a/lib/export/samples/nsprobe.c
+++ b/lib/export/samples/nsprobe.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsprobe.c,v 1.5 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: nsprobe.c,v 1.5.66.2 2010/01/07 23:48:16 tbox Exp $ */
#include <config.h>
@@ -107,7 +107,7 @@ struct probe_trans {
ISC_LIST(struct probe_ns) nslist;
};
-struct stat {
+struct lcl_stat {
unsigned long valid;
unsigned long ignore;
unsigned long nxdomain;
@@ -300,7 +300,7 @@ static void
update_stat(struct probe_trans *trans) {
struct probe_ns *pns;
struct server *server;
- struct stat local_stat;
+ struct lcl_stat local_stat;
unsigned int err_count = 0;
const char *stattype;
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 614b3d9f..8d87d9e3 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.104 2009/12/05 23:31:41 each Exp $
+# $Id: Makefile.in,v 1.104.2.1 2009/12/18 04:09:55 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -123,9 +123,6 @@ installdirs:
install:: timestamp installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir}
-install:: @ISC_ARCH_DIR@/include/isc/atomic.h
- ${INSTALL_DATA} @ISC_ARCH_DIR@/include/isc/atomic.h ${DESTDIR}${includedir}/isc
-
clean distclean::
rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
libisc-nosymtbl.la timestamp
diff --git a/lib/isc/api b/lib/isc/api
index 25bcb673..ea516a14 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 61
-LIBREVISION = 2
+LIBREVISION = 3
LIBAGE = 1
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
index 0a176e8f..22c8c664 100644
--- a/lib/isc/include/isc/md5.h
+++ b/lib/isc/include/isc/md5.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: md5.h,v 1.18 2009/02/06 23:47:42 tbox Exp $ */
+/* $Id: md5.h,v 1.18.168.2 2010/01/07 23:48:16 tbox Exp $ */
/*! \file isc/md5.h
* \brief This is the header file for the MD5 message-digest algorithm.
@@ -48,6 +48,7 @@
#include <isc/types.h>
#define ISC_MD5_DIGESTLENGTH 16U
+#define ISC_MD5_BLOCK_LENGTH 64U
#ifdef ISC_PLATFORM_OPENSSLHASH
#include <openssl/evp.h>
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 8a3b95d9..54e7351e 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.h,v 1.30 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: util.h,v 1.30.558.1 2010/01/13 19:31:53 each Exp $ */
#ifndef ISC_UTIL_H
#define ISC_UTIL_H 1
@@ -230,4 +230,14 @@
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+/*%
+ * Prevent Linux spurious warnings
+ */
+#if defined(__GNUC__) && (__GNUC__ > 3)
+#define isc_util_fwrite(a, b, c, d) \
+ __builtin_expect(fwrite((a), (b), (c), (d)), (c))
+#else
+#define isc_util_fwrite(a, b, c, d) fwrite((a), (b), (c), (d))
+#endif
+
#endif /* ISC_UTIL_H */
diff --git a/version b/version
index 414fea65..c23b0bea 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.51 2009/12/06 01:49:08 each Exp $
+# $Id: version,v 1.51.2.1 2010/01/21 21:26:06 each Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=7
PATCHVER=0
RELEASETYPE=rc
-RELEASEVER=1
+RELEASEVER=2
diff --git a/win32utils/BINDBuild.dsw b/win32utils/BINDBuild.dsw
index c9af6df0..8f31fb92 100644
--- a/win32utils/BINDBuild.dsw
+++ b/win32utils/BINDBuild.dsw
@@ -660,6 +660,21 @@ Package=<4>
###############################################################################
+Project: "ischmacfixup"="..\bin\tools\win32\ischmacfixup.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+ Begin Project Dependency
+ Project_Dep_Name libisc
+ End Project Dependency
+}}}
+
+###############################################################################
+
Global:
Package=<5>
diff --git a/win32utils/BuildAll.bat b/win32utils/BuildAll.bat
index 9120ef48..f0e5fc3b 100644
--- a/win32utils/BuildAll.bat
+++ b/win32utils/BuildAll.bat
@@ -124,6 +124,7 @@ nmake /nologo -f arpaname.mak CFG="arpaname - Win32 Release" NO_EXTERNAL_DEPS="
nmake /nologo -f genrandom.mak CFG="genrandom - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f nsec3hash.mak CFG="nsec3hash - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f journalprint.mak CFG="journalprint - Win32 Release" NO_EXTERNAL_DEPS="1"
+nmake /nologo -f ischmacfixup.mak CFG="ischmacfixup - Win32 Release" NO_EXTERNAL_DEPS="1"
cd ..\..
rem This is the BIND 9 Installer
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-18 04:17:48 +0000