Diffstat (limited to 'bin')
-rw-r--r--bin/check/named-checkconf.84
-rw-r--r--bin/check/named-checkconf.docbook4
-rw-r--r--bin/check/named-checkconf.html4
-rw-r--r--bin/check/named-checkzone.84
-rw-r--r--bin/check/named-checkzone.docbook4
-rw-r--r--bin/check/named-checkzone.html4
-rw-r--r--bin/dig/dig.c145
-rw-r--r--bin/dig/dighost.c8
-rw-r--r--bin/dig/nslookup.c3
-rw-r--r--bin/dnssec/dnssec-keygen.833
-rw-r--r--bin/dnssec/dnssec-keygen.c42
-rw-r--r--bin/dnssec/dnssec-keygen.docbook45
-rw-r--r--bin/dnssec/dnssec-keygen.html63
-rw-r--r--bin/dnssec/dnssec-makekeyset.docbook4
-rw-r--r--bin/dnssec/dnssec-signkey.docbook4
-rw-r--r--bin/dnssec/dnssec-signzone.823
-rw-r--r--bin/dnssec/dnssec-signzone.c123
-rw-r--r--bin/dnssec/dnssec-signzone.docbook28
-rw-r--r--bin/dnssec/dnssec-signzone.html44
-rw-r--r--bin/named/lwresd.84
-rw-r--r--bin/named/lwresd.docbook4
-rw-r--r--bin/named/lwresd.html4
-rw-r--r--bin/named/named.84
-rw-r--r--bin/named/named.docbook4
-rw-r--r--bin/named/named.html4
-rw-r--r--bin/named/server.c46
-rw-r--r--bin/named/tkeyconf.c7
-rw-r--r--bin/named/update.c22
-rw-r--r--bin/nsupdate/nsupdate.c5
-rw-r--r--bin/rndc/rndc-confgen.84
-rw-r--r--bin/rndc/rndc-confgen.docbook4
-rw-r--r--bin/rndc/rndc-confgen.html4
-rw-r--r--bin/rndc/rndc.84
-rw-r--r--bin/rndc/rndc.conf.54
-rw-r--r--bin/rndc/rndc.conf.docbook4
-rw-r--r--bin/rndc/rndc.conf.html4
-rw-r--r--bin/rndc/rndc.docbook4
-rw-r--r--bin/rndc/rndc.html4
-rw-r--r--bin/tests/dst/Ktest.+001+00002.key2
-rw-r--r--bin/tests/dst/Ktest.+001+54622.key2
-rw-r--r--bin/tests/dst/Ktest.+003+23616.key2
-rw-r--r--bin/tests/dst/Ktest.+003+49667.key2
-rw-r--r--bin/tests/dst/dst_test.c4
-rw-r--r--bin/tests/dst/t_dst.c4
-rw-r--r--bin/tests/system/dlv/ns5/named.conf4
-rw-r--r--bin/tests/system/dnssec/ns6/named.conf4
-rwxr-xr-x[-rw-r--r--]bin/tests/system/ifconfig.sh0
-rw-r--r--bin/tests/system/tkey/keycreate.c13
-rw-r--r--bin/tests/system/tkey/keydelete.c8
-rw-r--r--bin/tests/system/tkey/ns1/setup.sh4
-rw-r--r--bin/tests/system/tkey/tests.sh4
51 files changed, 422 insertions, 360 deletions
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 1166de90..25dbdd86 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkconf.8,v 1.11.12.3 2004/03/08 04:04:13 marka Exp $
+.\" $Id: named-checkconf.8,v 1.11.12.4 2004/06/03 05:35:41 marka Exp $
.\"
.TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" ""
.SH NAME
@@ -56,4 +56,4 @@ errors were detected and 0 otherwise.
\fIBIND 9 Administrator Reference Manual\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index 468f9269..d1336cfa 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.4 2004/03/08 04:04:13 marka Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.5 2004/06/03 02:24:59 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -132,7 +132,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index f4de0b29..4d9e68da 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.html,v 1.5.2.1.4.3 2004/03/08 04:04:13 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.5.2.1.4.4 2004/06/03 05:35:42 marka Exp $ -->
<HTML
><HEAD
@@ -212,7 +212,7 @@ NAME="AEN69"
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index bdf2e14f..efa600c8 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkzone.8,v 1.11.2.1.8.3 2004/03/08 04:04:14 marka Exp $
+.\" $Id: named-checkzone.8,v 1.11.2.1.8.4 2004/06/03 05:35:42 marka Exp $
.\"
.TH "NAMED-CHECKZONE" "8" "June 13, 2000" "BIND9" ""
.SH NAME
@@ -91,4 +91,4 @@ errors were detected and 0 otherwise.
\fIBIND 9 Administrator Reference Manual\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index a31612cf..68b0baee 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.6 2004/03/08 04:04:14 marka Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.7 2004/06/03 02:25:00 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -222,7 +222,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 5939050e..bd2fa1e4 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.html,v 1.5.2.2.4.3 2004/03/08 04:04:14 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.5.2.2.4.4 2004/06/03 05:35:43 marka Exp $ -->
<HTML
><HEAD
@@ -383,7 +383,7 @@ NAME="AEN137"
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index b8bfcc26..f91a2889 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.c,v 1.157.2.13.2.16 2004/04/15 06:49:09 marka Exp $ */
+/* $Id: dig.c,v 1.157.2.13.2.18 2004/06/07 03:56:25 marka Exp $ */
#include <config.h>
#include <stdlib.h>
@@ -144,8 +144,8 @@ static void
print_usage(FILE *fp) {
fputs(
"Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n"
-" {global-d-opt} host [@local-server] {local-d-opt}\n"
-" [ host [@local-server] {local-d-opt} [...]]\n", fp);
+" {global-d-opt} host [@local-server] {local-d-opt}\n"
+" [ host [@local-server] {local-d-opt} [...]]\n", fp);
}
static void
@@ -165,7 +165,7 @@ static void
help(void) {
print_usage(stdout);
fputs(
-"Where: domain are in the Domain Name System\n"
+"Where: domain is in the Domain Name System\n"
" q-class is one of (in,hs,ch,...) [default: in]\n"
" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
" (Use ixfr=version for type ixfr)\n"
@@ -173,7 +173,7 @@ help(void) {
" -x dot-notation (shortcut for in-addr lookups)\n"
" -i (IP6.INT reverse IPv6 lookups)\n"
" -f filename (batch mode)\n"
-" -b address (bind to source address)\n"
+" -b address[#port] (bind to source address/port)\n"
" -p port (specify port number)\n"
" -t type (specify query type)\n"
" -c class (specify query class)\n"
@@ -1073,13 +1073,14 @@ plus_option(char *option, isc_boolean_t is_batchfile,
/*
* ISC_TRUE returned if value was used
*/
+static const char *single_dash_opts = "46dhimnv";
+static const char *dash_opts = "46bcdfhikmnptvyx";
static isc_boolean_t
dash_option(char *option, char *next, dig_lookup_t **lookup,
- isc_boolean_t *open_type_class,
- isc_boolean_t *firstarg,
- int argc, char **argv)
+ isc_boolean_t *open_type_class, isc_boolean_t *firstarg,
+ int argc, char **argv)
{
- char cmd, *value, *ptr;
+ char opt, *value, *ptr;
isc_result_t result;
isc_boolean_t value_from_next;
isc_textregion_t tr;
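Review bot: The two new option tables are inserted between the `/* ISC_TRUE returned if value was used */` comment and `dash_option()`, so that comment now reads as if it documented `single_dash_opts` rather than the function's return value. Move the declarations above the comment and give each its own one-line comment, for instance `/* options that take no argument and may be clustered */` and `/* letters recognised after a dash */` (the second wording should be checked against the full switch, which is outside this hunk). Declaring them as arrays, `static const char single_dash_opts[] = "46dhimnv";`, would also stop the pointer itself from being reassigned. The body of dash_option continues past the end of this hunk.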
@@ -1089,9 +1090,68 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
struct in_addr in4;
struct in6_addr in6;
in_port_t srcport;
- char *hash;
+ char *hash, *cmd;
- cmd = option[0];
+ while (strpbrk(option, single_dash_opts) == &option[0]) {
+ /*
+ * Since the -[46dhimnv] options do not take an argument,
+ * account for them (in any number and/or combination)
+ * if they appear as the first character(s) of a q-opt.
+ */
+ opt = option[0];
+ switch (opt) {
+ case '4':
+ if (have_ipv4) {
+ isc_net_disableipv6();
+ have_ipv6 = ISC_FALSE;
+ } else {
+ fatal("can't find IPv4 networking");
+ return (ISC_FALSE);
+ }
+ break;
+ case '6':
+ if (have_ipv6) {
+ isc_net_disableipv4();
+ have_ipv4 = ISC_FALSE;
+ } else {
+ fatal("can't find IPv6 networking");
+ return (ISC_FALSE);
+ }
+ break;
+ case 'd':
+ ptr = strpbrk(&option[1], dash_opts);
+ if (ptr != &option[1]) {
+ cmd = option;
+ FULLCHECK("debug");
+ debugging = ISC_TRUE;
+ return (ISC_FALSE);
+ } else
+ debugging = ISC_TRUE;
+ break;
+ case 'h':
+ help();
+ exit(0);
+ break;
+ case 'i':
+ ip6_int = ISC_TRUE;
+ break;
+ case 'm': /* memdebug */
+ /* memdebug is handled in preparse_args() */
+ break;
+ case 'n':
+ /* deprecated */
+ break;
+ case 'v':
+ version();
+ exit(0);
+ break;
+ }
+ if (strlen(option) > 1U)
+ option = &option[1];
+ else
+ return (ISC_FALSE);
+ }
+ opt = option[0];
if (strlen(option) > 1U) {
value_from_next = ISC_FALSE;
value = &option[1];
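Review bot: The loop condition `strpbrk(option, single_dash_opts) == &option[0]` scans the whole remaining string to answer a question about its first character only; `option[0] != '\0' && strchr(single_dash_opts, option[0]) != NULL` states that directly (the explicit NUL check is needed because strchr matches the terminator). The same test is repeated in the preparse_args hunk further down. In `case 'd'`, the assignment `cmd = option;` appears to exist only so that FULLCHECK can read a local named `cmd`; the macro is defined outside this hunk, so a comment such as `/* FULLCHECK() compares against cmd */` would make the otherwise unused variable understandable. The new switch has no `default:` label, and the function continues beyond the hunk.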
@@ -1099,45 +1159,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
value_from_next = ISC_TRUE;
value = next;
}
- switch (cmd) {
- case 'd':
- debugging = ISC_TRUE;
- return (ISC_FALSE);
- case 'h':
- help();
- exit(0);
- break;
- case 'i':
- ip6_int = ISC_TRUE;
- return (ISC_FALSE);
- case 'm': /* memdebug */
- /* memdebug is handled in preparse_args() */
- return (ISC_FALSE);
- case 'n':
- /* deprecated */
- return (ISC_FALSE);
- case '4':
- if (have_ipv4) {
- isc_net_disableipv6();
- have_ipv6 = ISC_FALSE;
- } else
- fatal("can't find IPv4 networking");
- return (ISC_FALSE);
- case '6':
- if (have_ipv6) {
- isc_net_disableipv4();
- have_ipv4 = ISC_FALSE;
- } else
- fatal("can't find IPv6 networking");
- return (ISC_FALSE);
- case 'v':
- version();
- exit(0);
- break;
- }
if (value == NULL)
goto invalid_option;
- switch (cmd) {
+ switch (opt) {
case 'b':
hash = strchr(value, '#');
if (hash != NULL) {
@@ -1289,20 +1313,26 @@ static void
preparse_args(int argc, char **argv) {
int rc;
char **rv;
+ char *option;
rc = argc;
rv = argv;
for (rc--, rv++; rc > 0; rc--, rv++) {
- if (strcmp(rv[0], "-m") == 0) {
- memdebugging = ISC_TRUE;
- isc_mem_debugging = ISC_MEM_DEBUGTRACE |
- ISC_MEM_DEBUGRECORD;
- return;
+ if (rv[0][0] != '-')
+ continue;
+ option = &rv[0][1];
+ while (strpbrk(option, single_dash_opts) == &option[0]) {
+ if (option[0] == 'm') {
+ memdebugging = ISC_TRUE;
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+ ISC_MEM_DEBUGRECORD;
+ return;
+ }
+ option = &option[1];
}
}
}
-
static void
parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
int argc, char **argv) {
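Review bot: The pre-scan in preparse_args now inspects every argv element that begins with `-`, including one that is really the value of the preceding option, so a value starting with a cluster that contains `m` switches memory debugging on; the removed code reacted only to the exact string `-m`. The effect is limited to debug tracing, but nothing in the function says this over-matching is accepted. A header comment would record the intent, for example `/* Look for -m, alone or clustered with other no-argument options (e.g. -4m); option values are not skipped. */`.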
@@ -1551,9 +1581,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
}
/*
- * Callback from dighost.c to allow program-specific shutdown code. Here,
- * Here, we're possibly reading from a batch file, then shutting down for
- * real if there's nothing in the batch file to read.
+ * Callback from dighost.c to allow program-specific shutdown code.
+ * Here, we're possibly reading from a batch file, then shutting down
+ * for real if there's nothing in the batch file to read.
*/
void
dighost_shutdown(void) {
@@ -1568,6 +1598,7 @@ dighost_shutdown(void) {
return;
}
+ fflush(stdout);
if (feof(batchfp)) {
batchname = NULL;
isc_app_shutdown();
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index d5e75a69..ad1fa372 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dighost.c,v 1.221.2.19.2.11 2004/04/13 03:00:06 marka Exp $ */
+/* $Id: dighost.c,v 1.221.2.19.2.12 2004/06/11 00:30:50 marka Exp $ */
/*
* Notice to programmers: Do not use this code as an example of how to
@@ -864,7 +864,7 @@ setup_file_key(void) {
dst_key_t *dstkey = NULL;
debug("setup_file_key()");
- result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE,
+ result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
mctx, &dstkey);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Couldn't read key from %s: %s\n",
@@ -3552,8 +3552,8 @@ get_trusted_key(isc_mem_t *mctx)
return ISC_R_FAILURE;
}
fclose(fptemp);
- result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
- mctx, &key);
+ result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC |
+ DST_TYPE_KEY, mctx, &key);
removetmpkey(mctx, filetemp);
isc_mem_free(mctx, filetemp);
if (result != ISC_R_SUCCESS ) {
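Review bot: In get_trusted_key the result of `fclose(fptemp)` is discarded immediately before the same path is handed to `dst_key_fromnamedfile()`, so a write error that only surfaces at close leaves a truncated file to be parsed as the trusted key. That line is unchanged context, but since the call below it is being edited it is worth tightening: `if (fclose(fptemp) != 0) { removetmpkey(mctx, filetemp); isc_mem_free(mctx, filetemp); return ISC_R_FAILURE; }`. How `filetemp` is created is outside the hunk; because the file is written and then reopened by name, confirm that it is created exclusively and with owner-only permissions. The function starts and ends outside this hunk.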
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index a06b9e33..923ab848 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nslookup.c,v 1.90.2.4.2.4 2004/04/13 03:00:06 marka Exp $ */
+/* $Id: nslookup.c,v 1.90.2.4.2.5 2004/06/07 03:56:25 marka Exp $ */
#include <config.h>
@@ -725,6 +725,7 @@ get_next_command(void) {
char *ptr, *arg;
char *input;
+ fflush(stdout);
buf = isc_mem_allocate(mctx, COMMSIZE);
if (buf == NULL)
fatal("memory allocation failure");
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index fd4e5680..235c26ea 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,34 +13,36 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keygen.8,v 1.19.12.3 2004/03/08 04:04:16 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.19.12.5 2004/06/11 02:32:45 marka Exp $
.\"
.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
.SH NAME
dnssec-keygen \- DNSSEC key generation tool
.SH SYNOPSIS
.sp
-\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-f \fIflag\fB\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
+\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-f \fIflag\fB\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-k\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
.SH "DESCRIPTION"
.PP
\fBdnssec-keygen\fR generates keys for DNSSEC
-(Secure DNS), as defined in RFC 2535. It can also generate
+(Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
.SH "OPTIONS"
.TP
\fB-a \fIalgorithm\fB\fR
Selects the cryptographic algorithm. The value of
-\fBalgorithm\fR must be one of RSAMD5 or RSA,
+\fBalgorithm\fR must be one of RSAMD5 (RSA) or RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
-Note that for DNSSEC, DSA is a mandatory to implement algorithm,
-and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
+and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+
+Note 2: HMAC-MD5 and DH automatically set the -k flag.
.TP
\fB-b \fIkeysize\fB\fR
Specifies the number of bits in the key. The choice of key
-size depends on the algorithm used. RSA keys must be between
+size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
@@ -49,8 +51,8 @@ between 1 and 512 bits.
\fB-n \fInametype\fB\fR
Specifies the owner type of the key. The value of
\fBnametype\fR must either be ZONE (for a DNSSEC
-zone key), HOST or ENTITY (for a key associated with a host),
-or USER (for a key associated with a user). These values are
+zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
+USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
case insensitive.
.TP
\fB-c \fIclass\fB\fR
@@ -58,11 +60,11 @@ Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
.TP
\fB-e\fR
-If generating an RSA key, use a large exponent.
+If generating an RSAMD5/RSASHA1 key, use a large exponent.
.TP
\fB-f \fIflag\fB\fR
-Set the specified flag in the flag field of the key record.
-The only recognized flag is KSK (Key Signing Key).
+Set the specified flag in the flag field of the KEY/DNSKEY record.
+The only recognized flag is KSK (Key Signing Key) DNSKEY.
.TP
\fB-g \fIgenerator\fB\fR
If generating a Diffie Hellman key, use this generator.
@@ -74,6 +76,9 @@ if possible; otherwise the default is 2.
Prints a short summary of the options and arguments to
\fBdnssec-keygen\fR.
.TP
+\fB-k\fR
+Generate KEY records rather than DNSKEY records.
+.TP
\fB-p \fIprotocol\fB\fR
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
@@ -159,8 +164,6 @@ the files \fIKexample.com.+003+26160.key\fR and
\fIKexample.com.+003+26160.private\fR
.SH "SEE ALSO"
.PP
-\fBdnssec-makekeyset\fR(8),
-\fBdnssec-signkey\fR(8),
\fBdnssec-signzone\fR(8),
\fIBIND 9 Administrator Reference Manual\fR,
\fIRFC 2535\fR,
@@ -168,4 +171,4 @@ the files \fIKexample.com.+003+26160.key\fR and
\fIRFC 2539\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index f1e5c142..7feaf7c3 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.48.2.1.10.10 2004/03/10 02:55:50 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */
#include <config.h>
@@ -68,7 +68,7 @@ usage(void) {
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
- fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER\n");
+ fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -c <class> (default: IN)\n");
@@ -101,7 +101,7 @@ main(int argc, char **argv) {
dst_key_t *key = NULL, *oldkey;
dns_fixedname_t fname;
dns_name_t *name;
- isc_uint16_t flags = 0;
+ isc_uint16_t flags = 0, ksk = 0;
dns_secalg_t alg;
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
isc_mem_t *mctx = NULL;
@@ -143,7 +143,7 @@ main(int argc, char **argv) {
break;
case 'f':
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
- flags |= DNS_KEYFLAG_KSK;
+ ksk = DNS_KEYFLAG_KSK;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
@@ -211,17 +211,20 @@ main(int argc, char **argv) {
if (algname == NULL)
fatal("no algorithm was specified");
- if (strcasecmp(algname, "HMAC-MD5") == 0)
+ if (strcasecmp(algname, "HMAC-MD5") == 0) {
+ options |= DST_TYPE_KEY;
alg = DST_ALG_HMACMD5;
- else {
+ } else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
}
- if (type != NULL) {
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
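Review bot: With the added `(options & DST_TYPE_KEY) != 0` condition, a `-t type` given for a DNSKEY is skipped without any message, and the hunk at -271 does the same to `-f KSK` (held in `ksk` and applied only on the non-KEY, ZONE-owner branch) and to `signatory`. The operator then gets a key whose flags differ from what was requested on the command line. Reject the combinations explicitly, for example `if (type != NULL && (options & DST_TYPE_KEY) == 0) fatal("-t is only valid with KEY records");` and `if (ksk != 0 && ((options & DST_TYPE_KEY) != 0 || (flags & DNS_KEYOWNER_ZONE) == 0)) fatal("-f KSK applies only to ZONE DNSKEY records");` placed before the `flags |= ksk` branch. Whether `type` or `signatory` carry defaults set earlier in main() is not visible here, so a warning on stderr may be the safer choice if they do.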
@@ -271,20 +274,29 @@ main(int argc, char **argv) {
fatal("no nametype specified");
if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
- else if (strcasecmp(nametype, "host") == 0 ||
- strcasecmp(nametype, "entity") == 0)
- flags |= DNS_KEYOWNER_ENTITY;
- else if (strcasecmp(nametype, "user") == 0)
- flags |= DNS_KEYOWNER_USER;
- else
- fatal("invalid nametype %s", nametype);
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ if (strcasecmp(nametype, "host") == 0 ||
+ strcasecmp(nametype, "entity") == 0)
+ flags |= DNS_KEYOWNER_ENTITY;
+ else if (strcasecmp(nametype, "user") == 0)
+ flags |= DNS_KEYOWNER_USER;
+ else
+ fatal("invalid KEY nametype %s", nametype);
+ } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
+ fatal("invalid DNSKEY nametype %s", nametype);
rdclass = strtoclass(classname);
- flags |= signatory;
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ flags |= signatory;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
+ flags |= ksk;
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
+ else if ((options & DST_TYPE_KEY) == 0 &&
+ protocol != DNS_KEYPROTO_DNSSEC)
+ fatal("invalid DNSKEY protocol: %d", protocol);
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if (size > 0)
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 548c3b15..a2034d9e 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.3.12.4 2004/03/08 04:04:16 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.3.12.6 2004/06/11 01:17:34 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -45,6 +45,7 @@
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
+ <arg><option>-k</option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
@@ -58,7 +59,7 @@
<title>DESCRIPTION</title>
<para>
<command>dnssec-keygen</command> generates keys for DNSSEC
- (Secure DNS), as defined in RFC 2535. It can also generate
+ (Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
</para>
@@ -73,13 +74,16 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
- <option>algorithm</option> must be one of RSAMD5 or RSA,
+ <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</para>
<para>
- Note that for DNSSEC, DSA is a mandatory to implement algorithm,
- and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
+ and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </para>
+ <para>
+ Note 2: HMAC-MD5 and DH automatically set the -k flag.
</para>
</listitem>
</varlistentry>
@@ -89,7 +93,7 @@
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSA keys must be between
+ size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
@@ -104,8 +108,8 @@
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
- zone key), HOST or ENTITY (for a key associated with a host),
- or USER (for a key associated with a user). These values are
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
case insensitive.
</para>
</listitem>
@@ -125,7 +129,7 @@
<term>-e</term>
<listitem>
<para>
- If generating an RSA key, use a large exponent.
+ If generating an RSAMD5/RSASHA1 key, use a large exponent.
</para>
</listitem>
</varlistentry>
@@ -134,8 +138,8 @@
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
- Set the specified flag in the flag field of the key record.
- The only recognized flag is KSK (Key Signing Key).
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
</para>
</listitem>
</varlistentry>
@@ -163,6 +167,15 @@
</varlistentry>
<varlistentry>
+ <term>-k</term>
+ <listitem>
+ <para>
+ Generate KEY records rather than DNSKEY records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
@@ -303,14 +316,6 @@
<title>SEE ALSO</title>
<para>
<citerefentry>
- <refentrytitle>dnssec-makekeyset</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>dnssec-signkey</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
@@ -324,7 +329,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index b90939d9..cd72fb22 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.3 2004/03/08 04:04:17 marka Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.5 2004/06/11 02:32:45 marka Exp $ -->
<HTML
><HEAD
@@ -109,6 +109,9 @@ CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
+>-k</TT
+>] [<TT
+CLASS="OPTION"
>-p <TT
CLASS="REPLACEABLE"
><I
@@ -152,7 +155,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN51"
+NAME="AEN53"
></A
><H2
>DESCRIPTION</H2
@@ -161,7 +164,7 @@ NAME="AEN51"
CLASS="COMMAND"
>dnssec-keygen</B
> generates keys for DNSSEC
- (Secure DNS), as defined in RFC 2535. It can also generate
+ (Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
</P
@@ -169,7 +172,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN55"
+NAME="AEN57"
></A
><H2
>OPTIONS</H2
@@ -191,13 +194,16 @@ CLASS="REPLACEABLE"
<TT
CLASS="OPTION"
>algorithm</TT
-> must be one of RSAMD5 or RSA,
+> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</P
><P
-> Note that for DNSSEC, DSA is a mandatory to implement algorithm,
- and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
+ and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </P
+><P
+> Note 2: HMAC-MD5 and DH automatically set the -k flag.
</P
></DD
><DT
@@ -210,7 +216,7 @@ CLASS="REPLACEABLE"
><DD
><P
> Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSA keys must be between
+ size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
@@ -231,8 +237,8 @@ CLASS="REPLACEABLE"
CLASS="OPTION"
>nametype</TT
> must either be ZONE (for a DNSSEC
- zone key), HOST or ENTITY (for a key associated with a host),
- or USER (for a key associated with a user). These values are
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
case insensitive.
</P
></DD
@@ -253,7 +259,7 @@ CLASS="REPLACEABLE"
>-e</DT
><DD
><P
-> If generating an RSA key, use a large exponent.
+> If generating an RSAMD5/RSASHA1 key, use a large exponent.
</P
></DD
><DT
@@ -265,8 +271,8 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
-> Set the specified flag in the flag field of the key record.
- The only recognized flag is KSK (Key Signing Key).
+> Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
</P
></DD
><DT
@@ -296,6 +302,13 @@ CLASS="COMMAND"
</P
></DD
><DT
+>-k</DT
+><DD
+><P
+> Generate KEY records rather than DNSKEY records.
+ </P
+></DD
+><DT
>-p <TT
CLASS="REPLACEABLE"
><I
@@ -388,7 +401,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN129"
+NAME="AEN136"
></A
><H2
>GENERATED KEYS</H2
@@ -484,7 +497,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN156"
+NAME="AEN163"
></A
><H2
>EXAMPLE</H2
@@ -535,7 +548,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN169"
+NAME="AEN176"
></A
><H2
>SEE ALSO</H2
@@ -544,20 +557,6 @@ NAME="AEN169"
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
->dnssec-makekeyset</SPAN
->(8)</SPAN
->,
- <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-signkey</SPAN
->(8)</SPAN
->,
- <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
>dnssec-signzone</SPAN
>(8)</SPAN
>,
@@ -582,12 +581,12 @@ CLASS="CITETITLE"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN185"
+NAME="AEN186"
></A
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/dnssec/dnssec-makekeyset.docbook b/bin/dnssec/dnssec-makekeyset.docbook
index 2e1734a2..07327481 100644
--- a/bin/dnssec/dnssec-makekeyset.docbook
+++ b/bin/dnssec/dnssec-makekeyset.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.3.4.1 2004/03/06 10:21:15 marka Exp $ -->
+<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -220,7 +220,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/dnssec/dnssec-signkey.docbook b/bin/dnssec/dnssec-signkey.docbook
index 9ce94a1c..8258a3da 100644
--- a/bin/dnssec/dnssec-signkey.docbook
+++ b/bin/dnssec/dnssec-signkey.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signkey.docbook,v 1.2.2.2.4.1 2004/03/06 10:21:15 marka Exp $ -->
+<!-- $Id: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -224,7 +224,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 0f1a44ce..a1795b80 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.4 2004/03/15 01:02:42 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.6 2004/06/11 02:32:46 marka Exp $
.\"
.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
.SH NAME
@@ -23,14 +23,12 @@ dnssec-signzone \- DNSSEC zone signing tool
\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
.SH "DESCRIPTION"
.PP
-\fBdnssec-signzone\fR signs a zone. It generates NSEC
-and RRSIG records and produces a signed version of the zone. If there
-is a \fIsignedkey\fR file from the zone's parent,
-the parent's signatures will be incorporated into the generated
-signed zone file. The security status of delegations from the
-signed zone (that is, whether the child zones are secure or not) is
+\fBdnssec-signzone\fR signs a zone. It generates
+NSEC and RRSIG records and produces a signed version of the
+zone. The security status of delegations from the signed zone
+(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
-\fIsignedkey\fR file for each child zone.
+\fIkeyset\fR file for each child zone.
.SH "OPTIONS"
.TP
\fB-a\fR
@@ -48,7 +46,7 @@ Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
.TP
\fB-d \fIdirectory\fB\fR
-Look for \fIsignedkey\fR files in
+Look for \fIkeyset\fR files in
\fBdirectory\fR as the directory
.TP
\fB-g\fR
@@ -146,8 +144,8 @@ current directory.
The following command signs the \fBexample.com\fR
zone with the DSA key generated in the \fBdnssec-keygen\fR
man page. The zone's keys must be in the zone. If there are
-\fIsignedkey\fR files associated with this zone
-or any child zones, they must be in the current directory.
+\fIkeyset\fR files associated with child zones,
+they must be in the current directory.
\fBexample.com\fR, the following command would be
issued:
.PP
@@ -162,9 +160,8 @@ should be referenced in a zone statement in a
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
-\fBdnssec-signkey\fR(8),
\fIBIND 9 Administrator Reference Manual\fR,
\fIRFC 2535\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index bb538f25..1f7d4029 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.139.2.2.4.12 2004/04/15 02:10:38 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.139.2.2.4.13 2004/06/11 01:17:35 marka Exp $ */
#include <config.h>
@@ -222,7 +222,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
if (result != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
- fatal("key '%s' failed to sign data: %s",
+ fatal("dnskey '%s' failed to sign data: %s",
keystr, isc_result_totext(result));
}
INCSTAT(nsigned);
@@ -252,30 +252,32 @@ iszonekey(signer_key_t *key) {
}
/*
- * Finds the key that generated a SIG, if possible. First look at the keys
+ * Finds the key that generated a RRSIG, if possible. First look at the keys
* that we've loaded already, and then see if there's a key on disk.
*/
static signer_key_t *
-keythatsigned(dns_rdata_rrsig_t *sig) {
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
isc_result_t result;
dst_key_t *pubkey = NULL, *privkey = NULL;
signer_key_t *key;
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
- if (sig->keyid == dst_key_id(key->key) &&
- sig->algorithm == dst_key_alg(key->key) &&
- dns_name_equal(&sig->signer, dst_key_name(key->key)))
+ if (rrsig->keyid == dst_key_id(key->key) &&
+ rrsig->algorithm == dst_key_alg(key->key) &&
+ dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
return key;
key = ISC_LIST_NEXT(key, link);
}
- result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
- DST_TYPE_PUBLIC, NULL, mctx, &pubkey);
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm, DST_TYPE_PUBLIC,
+ NULL, mctx, &pubkey);
if (result != ISC_R_SUCCESS)
return (NULL);
- result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
NULL, mctx, &privkey);
if (result == ISC_R_SUCCESS) {
@@ -288,8 +290,8 @@ keythatsigned(dns_rdata_rrsig_t *sig) {
}
/*
- * Check to see if we expect to find a key at this name. If we see a SIG
- * and can't find the signing key that we expect to find, we drop the sig.
+ * Check to see if we expect to find a key at this name. If we see a RRSIG
+ * and can't find the signing key that we expect to find, we drop the rrsig.
* I'm not sure if this is completely correct, but it seems to work.
*/
static isc_boolean_t
@@ -313,17 +315,17 @@ expecttofindkey(dns_name_t *name) {
return (ISC_FALSE);
}
dns_name_format(name, namestr, sizeof(namestr));
- fatal("failure looking for '%s KEY' in database: %s",
+ fatal("failure looking for '%s DNSKEY' in database: %s",
namestr, isc_result_totext(result));
return (ISC_FALSE); /* removes a warning */
}
static inline isc_boolean_t
setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
- dns_rdata_t *sig)
+ dns_rdata_t *rrsig)
{
isc_result_t result;
- result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
+ result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
if (result == ISC_R_SUCCESS) {
INCSTAT(nverified);
return (ISC_TRUE);
@@ -334,7 +336,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
}
/*
- * Signs a set. Goes through contortions to decide if each SIG should
+ * Signs a set. Goes through contortions to decide if each RRSIG should
* be dropped or retained, and then determines if any new SIGs need to
* be generated.
*/
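Review bot: The SIG-to-RRSIG rename in this comment is incomplete, because the following line still reads `new SIGs`. The header comment of signname in a later hunk has the same mix: it gains `RRSIG bit` but keeps `parent/child KEY signatures`. I would write `be dropped or retained, and then determines if any new RRSIGs need to` here, and change the signname comment to `parent/child DNSKEY signatures` if that text does refer to DNSKEY records. The body of signset is outside this hunk.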
@@ -344,7 +346,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
{
dns_rdataset_t sigset;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdata_rrsig_t sig;
+ dns_rdata_rrsig_t rrsig;
signer_key_t *key;
isc_result_t result;
isc_boolean_t nosigs = ISC_FALSE;
@@ -370,7 +372,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
nosigs = ISC_TRUE;
}
if (result != ISC_R_SUCCESS)
- fatal("failed while looking for '%s SIG %s': %s",
+ fatal("failed while looking for '%s RRSIG %s': %s",
namestr, typestr, isc_result_totext(result));
vbprintf(1, "%s/%s:\n", namestr, typestr);
@@ -397,44 +399,44 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
dns_rdataset_current(&sigset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
check_result(result, "dns_rdata_tostruct");
- future = isc_serial_lt(now, sig.timesigned);
+ future = isc_serial_lt(now, rrsig.timesigned);
- key = keythatsigned(&sig);
- sig_format(&sig, sigstr, sizeof(sigstr));
+ key = keythatsigned(&rrsig);
+ sig_format(&rrsig, sigstr, sizeof(sigstr));
if (key != NULL && issigningkey(key))
- expired = isc_serial_gt(now + cycle, sig.timeexpire);
+ expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
else
- expired = isc_serial_gt(now, sig.timeexpire);
+ expired = isc_serial_gt(now, rrsig.timeexpire);
- if (isc_serial_gt(sig.timesigned, sig.timeexpire)) {
- /* sig is dropped and not replaced */
- vbprintf(2, "\tsig by %s dropped - "
+ if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
"invalid validity period\n",
sigstr);
} else if (key == NULL && !future &&
- expecttofindkey(&sig.signer))
+ expecttofindkey(&rrsig.signer))
{
- /* sig is dropped and not replaced */
- vbprintf(2, "\tsig by %s dropped - "
- "private key not found\n",
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
+ "private dnskey not found\n",
sigstr);
} else if (key == NULL || future) {
- vbprintf(2, "\tsig by %s %s - key not found\n",
+ vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
expired ? "retained" : "dropped", sigstr);
if (!expired)
keep = ISC_TRUE;
} else if (issigningkey(key)) {
if (!expired && setverifies(name, set, key, &sigrdata))
{
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
- vbprintf(2, "\tsig by %s dropped - %s\n",
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
@@ -444,22 +446,22 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
} else if (iszonekey(key)) {
if (!expired && setverifies(name, set, key, &sigrdata))
{
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
- vbprintf(2, "\tsig by %s dropped - %s\n",
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
wassignedby[key->position] = ISC_TRUE;
}
} else if (!expired) {
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
} else {
- vbprintf(2, "\tsig by %s expired\n", sigstr);
+ vbprintf(2, "\trrsig by %s expired\n", sigstr);
}
if (keep) {
@@ -482,7 +484,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
char keystr[KEY_FORMATSIZE];
key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tresigning with key %s\n", keystr);
+ vbprintf(1, "\tresigning with dnskey %s\n", keystr);
isc_buffer_init(&b, array, sizeof(array));
signwithkey(name, set, &trdata, key->key, &b);
nowsignedby[key->position] = ISC_TRUE;
@@ -495,7 +497,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
}
dns_rdata_reset(&sigrdata);
- dns_rdata_freestruct(&sig);
+ dns_rdata_freestruct(&rrsig);
result = dns_rdataset_next(&sigset);
}
if (result == ISC_R_NOMORE)
@@ -526,7 +528,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
continue;
key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tsigning with key %s\n", keystr);
+ vbprintf(1, "\tsigning with dnskey %s\n", keystr);
dns_rdata_init(&trdata);
isc_buffer_init(&b, array, sizeof(array));
signwithkey(name, set, &trdata, key->key, &b);
@@ -607,7 +609,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
return (result);
}
- vbprintf(2, "found KEY records\n");
+ vbprintf(2, "found DNSKEY records\n");
result = dns_db_newversion(db, &ver);
check_result(result, "dns_db_newversion");
@@ -753,7 +755,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
/*
* Signs all records at a name. This mostly just signs each set individually,
- * but also adds the SIG bit to any NSECs generated earlier, deals with
+ * but also adds the RRSIG bit to any NSECs generated earlier, deals with
* parent/child KEY signatures, and handles other exceptional cases.
*/
static void
@@ -815,9 +817,9 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_rdataset_disassociate(&sigdsset);
} else if (dns_rdataset_isassociated(&sigdsset)) {
result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds);
+ gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds);
check_result(result, "dns_db_deleterdataset");
dns_rdataset_disassociate(&sigdsset);
}
@@ -858,7 +860,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
- /* If this is a SIG set, skip it. */
+ /* If this is a RRSIG set, skip it. */
if (rdataset.type == dns_rdatatype_rrsig)
goto skip;
@@ -871,18 +873,11 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
if (rdataset.type != dns_rdatatype_nsec &&
rdataset.type != dns_rdatatype_ds)
goto skip;
-#if 0
- /*
- * The current draft allows DS not at a zone cut.
- * This is a bad idea. Update once the RFC is published.
- * XXXMPA.
- */
} else if (rdataset.type == dns_rdatatype_ds) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
fatal("'%s': found DS RRset without NS RRset\n",
namebuf);
-#endif
}
signset(&diff, node, name, &rdataset);
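Review bot: The `fatal()` call enabled by removing `#if 0` ends its format string with `\n`, while the other `fatal()` calls visible in this commit (for example `fatal("failure looking for '%s DNSKEY' in database: %s", ...)`) do not. That suggests `fatal()` adds its own line ending, so this message would print a stray blank line. I would use `fatal("'%s': found DS RRset without NS RRset", namebuf);`. The deleted comment was also the only explanation of this branch, and signing now aborts on a DS RRset that is not at a zone cut, so a short replacement such as `/* DS is only valid at a delegation; refuse to sign otherwise. */` would help. The loop and the rest of signname lie outside the hunk.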
@@ -979,7 +974,7 @@ soattl(void) {
}
/*
- * Delete any SIG records at a node.
+ * Delete any RRSIG records at a node.
*/
static void
cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
@@ -1411,8 +1406,8 @@ warnifallksk(dns_db_t *db) {
dns_db_detachnode(db, &node);
dns_db_closeversion(db, &currentversion, ISC_FALSE);
if (!have_non_ksk && !ignoreksk)
- fprintf(stderr,
- "%s: warning: No non-KSK key found. Supply non-KSK key or use '-z'.\n",
+ fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
+ "Supply non-KSK dnskey or use '-z'.\n",
program);
}
@@ -1568,9 +1563,9 @@ usage(void) {
fprintf(stderr, "\t-g:\t");
fprintf(stderr, "generate DS records from keyset files\n");
fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
- fprintf(stderr, "\t\tSIG start time - absolute|offset (now - 1 hour)\n");
+ fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
- fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
+ fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
"(now + 30 days)\n");
fprintf(stderr, "\t-i interval:\n");
fprintf(stderr, "\t\tcycle interval - resign "
@@ -1592,6 +1587,8 @@ usage(void) {
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
+ fprintf(stderr, "\t-z:\t");
+ fprintf(stderr, "ignore KSK flag in DNSKEYs");
fprintf(stderr, "\n");
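Review bot: The added `-z` text has no newline of its own, so it is terminated by the pre-existing `fprintf(stderr, "\n");`. That call used to print the blank line after `-l lookasidezone`, and the blank line is now lost. Ending the new string with a newline keeps the layout: `fprintf(stderr, "ignore KSK flag in DNSKEYs\n");`. The rest of usage() is outside the hunk.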
@@ -1850,7 +1847,7 @@ main(int argc, char *argv[]) {
DST_TYPE_PRIVATE,
mctx, &newkey);
if (result != ISC_R_SUCCESS)
- fatal("cannot load key %s: %s", argv[i],
+ fatal("cannot load dnskey %s: %s", argv[i],
isc_result_totext(result));
key = ISC_LIST_HEAD(keylist);
@@ -1863,7 +1860,7 @@ main(int argc, char *argv[]) {
{
if (!dst_key_isprivate(dkey))
fatal("cannot sign zone with "
- "non-private key %s",
+ "non-private dnskey %s",
argv[i]);
break;
}
@@ -1887,7 +1884,7 @@ main(int argc, char *argv[]) {
DST_TYPE_PRIVATE,
mctx, &newkey);
if (result != ISC_R_SUCCESS)
- fatal("cannot load key %s: %s", dskeyfile[i],
+ fatal("cannot load dnskey %s: %s", dskeyfile[i],
isc_result_totext(result));
key = ISC_LIST_HEAD(keylist);
@@ -1909,7 +1906,7 @@ main(int argc, char *argv[]) {
key = ISC_LIST_NEXT(key, link);
}
if (key == NULL) {
- /* Override key flags. */
+ /* Override dnskey flags. */
key = newkeystruct(newkey, ISC_TRUE);
key->isksk = ISC_TRUE;
key->isdsk = ISC_FALSE;
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 5c12c4e8..2b85102a 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.6 2004/03/10 02:55:51 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.8 2004/06/11 01:17:35 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -63,14 +63,12 @@
<refsect1>
<title>DESCRIPTION</title>
<para>
- <command>dnssec-signzone</command> signs a zone. It generates NSEC
- and RRSIG records and produces a signed version of the zone. If there
- is a <filename>signedkey</filename> file from the zone's parent,
- the parent's signatures will be incorporated into the generated
- signed zone file. The security status of delegations from the
- signed zone (that is, whether the child zones are secure or not) is
- determined by the presence or absence of a
- <filename>signedkey</filename> file for each child zone.
+ <command>dnssec-signzone</command> signs a zone. It generates
+ NSEC and RRSIG records and produces a signed version of the
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <filename>keyset</filename> file for each child zone.
</para>
</refsect1>
@@ -120,7 +118,7 @@
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- Look for <filename>signedkey</filename> files in
+ Look for <filename>keyset</filename> files in
<option>directory</option> as the directory
</para>
</listitem>
@@ -317,8 +315,8 @@
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
- <filename>signedkey</filename> files associated with this zone
- or any child zones, they must be in the current directory.
+ <filename>keyset</filename> files associated with child zones,
+ they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
issued:
</para>
@@ -343,10 +341,6 @@
<refentrytitle>dnssec-keygen</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
- <citerefentry>
- <refentrytitle>dnssec-signkey</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>.
</para>
@@ -355,7 +349,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 9c2e96f4..139be9ab 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.4 2004/03/15 01:02:42 marka Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.6 2004/06/11 02:32:46 marka Exp $ -->
<HTML
><HEAD
@@ -189,26 +189,21 @@ NAME="AEN66"
> <B
CLASS="COMMAND"
>dnssec-signzone</B
-> signs a zone. It generates NSEC
- and RRSIG records and produces a signed version of the zone. If there
- is a <TT
-CLASS="FILENAME"
->signedkey</TT
-> file from the zone's parent,
- the parent's signatures will be incorporated into the generated
- signed zone file. The security status of delegations from the
- signed zone (that is, whether the child zones are secure or not) is
- determined by the presence or absence of a
+> signs a zone. It generates
+ NSEC and RRSIG records and produces a signed version of the
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
<TT
CLASS="FILENAME"
->signedkey</TT
+>keyset</TT
> file for each child zone.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN72"
+NAME="AEN71"
></A
><H2
>OPTIONS</H2
@@ -273,7 +268,7 @@ CLASS="REPLACEABLE"
><P
> Look for <TT
CLASS="FILENAME"
->signedkey</TT
+>keyset</TT
> files in
<TT
CLASS="OPTION"
@@ -515,7 +510,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN182"
+NAME="AEN181"
></A
><H2
>EXAMPLE</H2
@@ -533,9 +528,9 @@ CLASS="COMMAND"
man page. The zone's keys must be in the zone. If there are
<TT
CLASS="FILENAME"
->signedkey</TT
-> files associated with this zone
- or any child zones, they must be in the current directory.
+>keyset</TT
+> files associated with child zones,
+ they must be in the current directory.
<TT
CLASS="USERINPUT"
><B
@@ -574,7 +569,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN196"
+NAME="AEN195"
></A
><H2
>SEE ALSO</H2
@@ -586,13 +581,6 @@ CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
- <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-signkey</SPAN
->(8)</SPAN
->,
<I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
@@ -606,12 +594,12 @@ CLASS="CITETITLE"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN207"
+NAME="AEN203"
></A
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index 6ae18bd2..bbc177d0 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwresd.8,v 1.13.208.1 2004/03/06 07:41:39 marka Exp $
+.\" $Id: lwresd.8,v 1.13.208.2 2004/06/03 05:35:47 marka Exp $
.\"
.TH "LWRESD" "8" "June 30, 2000" "BIND9" ""
.SH NAME
@@ -137,4 +137,4 @@ The default process-id file.
\fBresolver\fR(5).
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook
index a552ad9d..46314c26 100644
--- a/bin/named/lwresd.docbook
+++ b/bin/named/lwresd.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.docbook,v 1.6.208.1 2004/03/06 10:21:20 marka Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.6.208.2 2004/06/03 02:24:57 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -286,7 +286,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index fd084080..3bfef9f0 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.html,v 1.4.2.1.4.1 2004/03/06 10:21:20 marka Exp $ -->
+<!-- $Id: lwresd.html,v 1.4.2.1.4.2 2004/06/03 05:35:47 marka Exp $ -->
<HTML
><HEAD
@@ -533,7 +533,7 @@ NAME="AEN162"
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/named/named.8 b/bin/named/named.8
index 1fed2906..cd120ddc 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.8,v 1.17.208.2 2004/03/06 07:41:39 marka Exp $
+.\" $Id: named.8,v 1.17.208.3 2004/06/03 05:35:47 marka Exp $
.\"
.TH "NAMED" "8" "June 30, 2000" "BIND9" ""
.SH NAME
@@ -174,4 +174,4 @@ The default process-id file.
\fIBIND 9 Administrator Reference Manual\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index df5c1fee..754f1a07 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.docbook,v 1.5.98.2 2004/03/06 10:21:20 marka Exp $ -->
+<!-- $Id: named.docbook,v 1.5.98.3 2004/06/03 02:24:57 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -356,7 +356,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/named/named.html b/bin/named/named.html
index 1d4c72ee..45690343 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.html,v 1.4.2.1.4.2 2004/03/06 10:21:20 marka Exp $ -->
+<!-- $Id: named.html,v 1.4.2.1.4.3 2004/06/03 05:35:48 marka Exp $ -->
<HTML
><HEAD
@@ -661,7 +661,7 @@ NAME="AEN198"
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/named/server.c b/bin/named/server.c
index 9837a567..3a0c638c 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.339.2.15.2.54 2004/05/14 01:03:44 marka Exp $ */
+/* $Id: server.c,v 1.339.2.15.2.55 2004/06/04 02:32:55 marka Exp $ */
#include <config.h>
@@ -1171,14 +1171,42 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
- const char *dlv;
- isc_buffer_t b;
- dlv = cfg_obj_asstring(obj);
- isc_buffer_init(&b, dlv, strlen(dlv));
- isc_buffer_add(&b, strlen(dlv));
- CHECK(dns_name_fromtext(dns_fixedname_name(&view->dlv_fixed),
- &b, dns_rootname, ISC_TRUE, NULL));
- view->dlv = dns_fixedname_name(&view->dlv_fixed);
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const char *str;
+ isc_buffer_t b;
+ dns_name_t *dlv;
+
+ obj = cfg_listelt_value(element);
+#if 0
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+
+ /*
+ * When we support multiple dnssec-lookaside
+ * entries this is how to find the domain to be
+ * checked. XXXMPA
+ */
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ str = cfg_obj_asstring(cfg_tuple_get(obj,
+ "domain"));
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname,
+ ISC_TRUE, NULL));
+#endif
+ str = cfg_obj_asstring(cfg_tuple_get(obj,
+ "trust-anchor"));
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ dlv = dns_fixedname_name(&view->dlv_fixed);
+ CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
+ ISC_TRUE, NULL));
+ view->dlv = dns_fixedname_name(&view->dlv_fixed);
+ }
} else
view->dlv = NULL;
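Review bot: Every pass of the new `for` loop writes the same `view->dlv_fixed`, so when `dnssec-lookaside` lists more than one entry only the last `trust-anchor` takes effect and the earlier ones are dropped without any message. The `domain` field is read only inside the `#if 0` block, so it is not checked either. An empty list would leave `view->dlv` at whatever it held before, because `view->dlv = NULL` is reached only in the `else` branch. I would put `view->dlv = NULL;` before the loop and log a warning, or fail the configuration, when a second element is present, so that an operator is not left believing a lookaside anchor is in force when it is not. The declarations inside the `#if 0` block follow a statement and would need to move if the block is ever enabled for a C89 build; configure_view begins and ends outside the hunk.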
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index c4d9bf8a..7fc13f3d 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkeyconf.c,v 1.19.208.1 2004/03/06 10:21:21 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.19.208.2 2004/06/11 00:30:51 marka Exp $ */
#include <config.h>
@@ -53,6 +53,7 @@ ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
dns_name_t *name;
isc_buffer_t b;
cfg_obj_t *obj;
+ int type;
result = dns_tkeyctx_create(mctx, ectx, &tctx);
if (result != ISC_R_SUCCESS)
@@ -69,9 +70,9 @@ ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
name = dns_fixedname_name(&fname);
RETERR(dns_name_fromtext(name, &b, dns_rootname,
ISC_FALSE, NULL));
+ type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH,
- DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
- NULL, mctx, &tctx->dhkey));
+ type, NULL, mctx, &tctx->dhkey));
}
obj = NULL;
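Review bot: The new `DST_TYPE_KEY` bit in `type` has no comment saying why the TKEY Diffie-Hellman key needs it. The same flag is added to the `dst_key_fromnamedfile()` call in setup_keyfile in bin/nsupdate/nsupdate.c, also without explanation. Judging from the test key file in this commit changing from `KEY` to `DNSKEY`, key files presumably now default to DNSKEY and this flag selects the older KEY record type. If so, say it at the assignment: `/* TKEY DH keys are KEY records, not DNSKEY. */`. Without that, a later cleanup could drop the flag as redundant and presumably stop the server's DH key from loading; ns_tkeyctx_fromconfig continues outside the hunk.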
diff --git a/bin/named/update.c b/bin/named/update.c
index 6b396cd0..dea27fd7 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.88.2.5.2.19 2004/05/12 06:38:46 marka Exp $ */
+/* $Id: update.c,v 1.88.2.5.2.20 2004/06/04 03:44:45 marka Exp $ */
#include <config.h>
@@ -1102,14 +1102,16 @@ add_rr_prepare_action(void *data, rr_t *rr) {
isc_result_t result = ISC_R_SUCCESS;
add_rr_prepare_ctx_t *ctx = data;
dns_difftuple_t *tuple = NULL;
+ isc_boolean_t equal;
/*
* If the update RR is a "duplicate" of the update RR,
* the update should be silently ignored.
*/
- if (dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0 &&
- rr->ttl == ctx->update_rr_ttl) {
+ equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0);
+ if (equal && rr->ttl == ctx->update_rr_ttl) {
ctx->ignore_add = ISC_TRUE;
+ return (ISC_R_SUCCESS);
}
/*
@@ -1137,12 +1139,14 @@ add_rr_prepare_action(void *data, rr_t *rr) {
&rr->rdata,
&tuple));
dns_diff_append(&ctx->del_diff, &tuple);
- CHECK(dns_difftuple_create(ctx->add_diff.mctx,
- DNS_DIFFOP_ADD, ctx->name,
- ctx->update_rr_ttl,
- &rr->rdata,
- &tuple));
- dns_diff_append(&ctx->add_diff, &tuple);
+ if (!equal) {
+ CHECK(dns_difftuple_create(ctx->add_diff.mctx,
+ DNS_DIFFOP_ADD, ctx->name,
+ ctx->update_rr_ttl,
+ &rr->rdata,
+ &tuple));
+ dns_diff_append(&ctx->add_diff, &tuple);
+ }
}
failure:
return (result);
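Review bot: The new `if (!equal)` guard around the `DNS_DIFFOP_ADD` tuple has no comment, and the hunk does not show why an existing RR with the same rdata but a different TTL is deleted and not re-added. Presumably the update RR itself is added later with `ctx->update_rr_ttl`, so re-adding `rr->rdata` here would duplicate it. A comment above the guard such as `/* Same rdata: the update RR itself will be added with the new TTL. */` would record that. The comment kept in the first hunk of this function, `If the update RR is a "duplicate" of the update RR`, should read "of an existing RR". The condition enclosing this block is outside the hunk.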
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 13e0aac3..cb30a5f3 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsupdate.c,v 1.103.2.15.2.15 2004/05/12 04:47:16 marka Exp $ */
+/* $Id: nsupdate.c,v 1.103.2.15.2.16 2004/06/17 01:00:38 sra Exp $ */
#include <config.h>
@@ -346,7 +346,8 @@ setup_keyfile(void) {
debug("Creating key...");
- result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE, mctx,
+ result = dst_key_fromnamedfile(keyfile,
+ DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
&dstkey);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not read key from %s: %s\n",
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
index d3bd35e8..b12e90cc 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/rndc/rndc-confgen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc-confgen.8,v 1.3.2.5.2.2 2004/03/06 07:41:40 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.3.2.5.2.3 2004/06/03 05:35:48 marka Exp $
.\"
.TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" ""
.SH NAME
@@ -137,4 +137,4 @@ run
\fIBIND 9 Administrator Reference Manual\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/rndc/rndc-confgen.docbook b/bin/rndc/rndc-confgen.docbook
index 5f82e7e1..272de459 100644
--- a/bin/rndc/rndc-confgen.docbook
+++ b/bin/rndc/rndc-confgen.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.docbook,v 1.3.2.1.4.2 2004/03/06 10:21:32 marka Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.3.2.1.4.3 2004/06/03 02:24:58 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -260,7 +260,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index 09f3d51a..9d0ccc77 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.2 2004/03/06 10:21:32 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.3 2004/06/03 05:35:49 marka Exp $ -->
<HTML
><HEAD
@@ -566,7 +566,7 @@ NAME="AEN173"
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index d57f5863..356883bc 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.8,v 1.24.206.1 2004/03/06 07:41:40 marka Exp $
+.\" $Id: rndc.8,v 1.24.206.2 2004/06/03 05:35:49 marka Exp $
.\"
.TH "RNDC" "8" "June 30, 2000" "BIND9" ""
.SH NAME
@@ -115,4 +115,4 @@ Several error messages could be clearer.
\fIBIND 9 Administrator Reference Manual\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index 47e71973..5b61cfb0 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.conf.5,v 1.21.206.1 2004/03/06 07:41:40 marka Exp $
+.\" $Id: rndc.conf.5,v 1.21.206.2 2004/06/03 05:35:50 marka Exp $
.\"
.TH "RNDC.CONF" "5" "June 30, 2000" "BIND9" ""
.SH NAME
@@ -139,4 +139,4 @@ BIND 9 Administrator Reference Manual for details.
\fIBIND 9 Administrator Reference Manual\fR.
.SH "AUTHOR"
.PP
-Internet Software Consortium
+Internet Systems Consortium
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
index 6ca7d461..95f158b7 100644
--- a/bin/rndc/rndc.conf.docbook
+++ b/bin/rndc/rndc.conf.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.docbook,v 1.4.206.1 2004/03/06 10:21:32 marka Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.4.206.2 2004/06/03 02:24:58 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -196,7 +196,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index eb2fe25f..c91f5d84 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.html,v 1.5.2.1.4.1 2004/03/06 10:21:32 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.5.2.1.4.2 2004/06/03 05:35:50 marka Exp $ -->
<HTML
><HEAD
@@ -373,7 +373,7 @@ NAME="AEN91"
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 371aee96..d4529ccf 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.docbook,v 1.7.206.1 2004/03/06 10:21:32 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.7.206.2 2004/06/03 02:24:58 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -214,7 +214,7 @@
<refsect1>
<title>AUTHOR</title>
<para>
- <corpauthor>Internet Software Consortium</corpauthor>
+ <corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index b1b61fcb..6519499b 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.html,v 1.7.2.1.4.1 2004/03/06 10:21:32 marka Exp $ -->
+<!-- $Id: rndc.html,v 1.7.2.1.4.2 2004/06/03 05:35:50 marka Exp $ -->
<HTML
><HEAD
@@ -416,7 +416,7 @@ NAME="AEN118"
><H2
>AUTHOR</H2
><P
-> Internet Software Consortium
+> Internet Systems Consortium
</P
></DIV
></BODY
diff --git a/bin/tests/dst/Ktest.+001+00002.key b/bin/tests/dst/Ktest.+001+00002.key
index 7a5ec2fa..a8b4b4d6 100644
--- a/bin/tests/dst/Ktest.+001+00002.key
+++ b/bin/tests/dst/Ktest.+001+00002.key
@@ -1 +1 @@
-test. IN KEY 49152 2 1
+test. IN DNSKEY 49152 2 1
diff --git a/bin/tests/dst/Ktest.+001+54622.key b/bin/tests/dst/Ktest.+001+54622.key
index 2d000cfc..b0277e33 100644
--- a/bin/tests/dst/Ktest.+001+54622.key
+++ b/bin/tests/dst/Ktest.+001+54622.key
@@ -1 +1 @@
-test. IN KEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==
+test. IN DNSKEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==
diff --git a/bin/tests/dst/Ktest.+003+23616.key b/bin/tests/dst/Ktest.+003+23616.key
index 44ad296d..958d5857 100644
--- a/bin/tests/dst/Ktest.+003+23616.key
+++ b/bin/tests/dst/Ktest.+003+23616.key
@@ -1 +1 @@
-test. IN KEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx
+test. IN DNSKEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx
diff --git a/bin/tests/dst/Ktest.+003+49667.key b/bin/tests/dst/Ktest.+003+49667.key
index 18ab1475..fb73f570 100644
--- a/bin/tests/dst/Ktest.+003+49667.key
+++ b/bin/tests/dst/Ktest.+003+49667.key
@@ -1 +1 @@
-test. IN KEY 49152 2 3
+test. IN DNSKEY 49152 2 3
diff --git a/bin/tests/dst/dst_test.c b/bin/tests/dst/dst_test.c
index 0a642cf7..b891a35e 100644
--- a/bin/tests/dst/dst_test.c
+++ b/bin/tests/dst/dst_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_test.c,v 1.37.206.1 2004/03/06 10:21:43 marka Exp $ */
+/* $Id: dst_test.c,v 1.37.206.2 2004/06/11 00:30:52 marka Exp $ */
#include <config.h>
@@ -160,7 +160,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx) {
isc_region_t r1, r2;
unsigned char array1[1024], array2[1024];
int alg = DST_ALG_DH;
- int type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE;
+ int type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
ret = dst_key_fromfile(name1, id1, alg, type, current, mctx, &key1);
printf("read(%d) returned: %s\n", alg, isc_result_totext(ret));
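Review bot: The new `DST_TYPE_KEY` bit on the `int type = ...` line in `dh()` has no comment explaining why the DH key pair is loaded differently from the other fixtures. In this same commit the `Ktest.+001` and `Ktest.+003` key files move from `KEY` to `DNSKEY`, so a reader cannot tell from the hunk which record form the DH key files are expected to carry. Presumably the flag selects the older `KEY` form; once that is confirmed against the dst header, a one-line comment above the declaration such as `/* DH keys are stored as KEY records, not DNSKEY */` would record it. The identical change in `dh()` in bin/tests/dst/t_dst.c needs the same comment. In both files the body of `dh()` continues outside the hunk.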
diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c
index f4279b23..da654a37 100644
--- a/bin/tests/dst/t_dst.c
+++ b/bin/tests/dst/t_dst.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_dst.c,v 1.47.206.1 2004/03/06 10:21:43 marka Exp $ */
+/* $Id: t_dst.c,v 1.47.206.2 2004/06/11 00:30:52 marka Exp $ */
#include <config.h>
@@ -168,7 +168,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
char tmp[PATH_MAX + 1];
char *p;
int alg = DST_ALG_DH;
- int type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE;
+ int type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
unsigned char array1[1024], array2[1024];
isc_buffer_t b1, b2;
isc_region_t r1, r2;
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index 1d538184..22126ba7 100644
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.4.1 2004/05/14 05:20:50 marka Exp $ */
+/* $Id: named.conf,v 1.2.4.2 2004/06/04 02:32:56 marka Exp $ */
/*
* Choose a keyname that is unlikely to clash with any real key names.
@@ -58,7 +58,7 @@ options {
recursion yes;
notify yes;
dnssec-enable yes;
- dnssec-lookaside "dlv.utld";
+ dnssec-lookaside "." trust-anchor "dlv.utld";
};
zone "." { type hint; file "hints"; };
diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf
index 6d87c783..f5282d74 100644
--- a/bin/tests/system/dnssec/ns6/named.conf
+++ b/bin/tests/system/dnssec/ns6/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.5.2.2 2004/03/10 02:55:55 marka Exp $ */
+/* $Id: named.conf,v 1.5.2.3 2004/06/04 02:32:57 marka Exp $ */
// NS6
@@ -32,7 +32,7 @@ options {
notify yes;
disable-algorithms . { DSA; };
dnssec-enable yes;
- dnssec-lookaside dlv;
+ dnssec-lookaside . trust-anchor dlv;
};
zone "." {
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
index fb79667c..fb79667c 100644..100755
--- a/bin/tests/system/ifconfig.sh
+++ b/bin/tests/system/ifconfig.sh
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 04f6437b..60b6743b 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keycreate.c,v 1.7.12.4 2004/03/08 09:04:17 marka Exp $ */
+/* $Id: keycreate.c,v 1.7.12.5 2004/06/11 00:30:53 marka Exp $ */
#include <config.h>
@@ -75,6 +75,7 @@ recvquery(isc_task_t *task, isc_event_t *event) {
dns_message_t *query, *response;
char keyname[256];
isc_buffer_t keynamebuf;
+ int type;
UNUSED(task);
@@ -115,8 +116,8 @@ recvquery(isc_task_t *task, isc_event_t *event) {
CHECK("dst_key_buildfilename", result);
printf("%.*s\n", (int)isc_buffer_usedlength(&keynamebuf),
(char *)isc_buffer_base(&keynamebuf));
- result = dst_key_tofile(tsigkey->key,
- DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, "");
+ type = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_KEY;
+ result = dst_key_tofile(tsigkey->key, type, "");
CHECK("dst_key_tofile", result);
dns_message_destroy(&query);
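Review bot: The flag set for the key file is now written out separately at three call sites, here in `recvquery()`, in `main()` of this file, and in `main()` of bin/tests/system/tkey/keydelete.c. The operand order differs between them, and each uses a `type` local that is declared in one hunk and assigned many lines later for a single use. Because the write and the later read must agree on the key-file format, a single file-scope definition would keep them from drifting, for example `#define TKEY_FILE_TYPE (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY)` (the name is a placeholder). Alternatively, initialise at the declaration as the dst tests in this commit do: `int type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;`. `recvquery()` starts and ends outside this hunk.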
@@ -209,6 +210,7 @@ main(int argc, char *argv[]) {
isc_logconfig_t *logconfig;
isc_task_t *task;
isc_result_t result;
+ int type;
RUNCHECK(isc_app_start());
@@ -280,9 +282,8 @@ main(int argc, char *argv[]) {
RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL));
ourkey = NULL;
- result = dst_key_fromnamedfile(ourkeyname,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
- mctx, &ourkey);
+ type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
+ result = dst_key_fromnamedfile(ourkeyname, type, mctx, &ourkey);
CHECK("dst_key_fromnamedfile", result);
isc_buffer_init(&nonce, noncedata, sizeof(noncedata));
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 90f92166..8f3cb809 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keydelete.c,v 1.4.206.2 2004/03/08 02:07:49 marka Exp $ */
+/* $Id: keydelete.c,v 1.4.206.3 2004/06/11 00:30:53 marka Exp $ */
#include <config.h>
@@ -154,6 +154,7 @@ main(int argc, char **argv) {
isc_logconfig_t *logconfig;
isc_task_t *task;
isc_result_t result;
+ int type;
RUNCHECK(isc_app_start());
@@ -222,9 +223,8 @@ main(int argc, char **argv) {
RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL));
dstkey = NULL;
- result = dst_key_fromnamedfile(keyname,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
- mctx, &dstkey);
+ type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
+ result = dst_key_fromnamedfile(keyname, type, mctx, &dstkey);
CHECK("dst_key_fromnamedfile", result);
result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
DNS_TSIG_HMACMD5_NAME,
diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh
index ad1d0f14..b411055d 100644
--- a/bin/tests/system/tkey/ns1/setup.sh
+++ b/bin/tests/system/tkey/ns1/setup.sh
@@ -15,11 +15,11 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.2.2.2.10.1 2004/03/06 10:22:35 marka Exp $
+# $Id: setup.sh,v 1.2.2.2.10.2 2004/06/11 00:30:54 marka Exp $
RANDFILE=../random.data
-keyname=`$KEYGEN -a DH -b 768 -n host -r $RANDFILE server`
+keyname=`$KEYGEN -k -a DH -b 768 -n host -r $RANDFILE server`
keyid=`echo $keyname | $PERL -p -e 's/^.*\+0*//;'`
rm -f named.conf
perl -p -e "s/KEYID/$keyid/;" < named.conf.in > named.conf
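Review bot: The changed `keyname=` line still does not check whether `$KEYGEN` succeeded, so a key generator that rejects or mishandles the new `-k` option leaves `keyname` and `keyid` empty. The script then writes a `named.conf` with an empty key id instead of stopping, unlike the matching line in bin/tests/system/tkey/tests.sh, which records the failure with `|| ret=1`. Appending `|| exit 1` to the `keyname=` assignment would make the setup fail where the problem occurs. Separately, the last line calls bare `perl` while the line above it uses `$PERL`; using `$PERL` in both keeps the configured interpreter in effect.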
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
index 063f33fd..caf16621 100644
--- a/bin/tests/system/tkey/tests.sh
+++ b/bin/tests/system/tkey/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2.12.3 2004/03/08 09:04:17 marka Exp $
+# $Id: tests.sh,v 1.2.12.4 2004/06/11 00:30:53 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -28,7 +28,7 @@ RANDFILE=random.data
echo "I:generating new DH key"
ret=0
-dhkeyname=`$KEYGEN -a DH -b 768 -n host -r $RANDFILE client` || ret=1
+dhkeyname=`$KEYGEN -k -a DH -b 768 -n host -r $RANDFILE client` || ret=1
if [ $ret != 0 ]; then
echo "I:failed"
echo "I:exit status: $status"