statements allow updating of subdomains based on a Kerberos or Active
Directory machine principal.
+BIND 9.12.4
+
+BIND 9.12.4 is a maintenance release, and addresses the security
+vulnerabilities disclosed in CVE-2018-5744, CVE-2018-5745, and
+CVE-2019-6465.
+
Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
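Review bot: The new "BIND 9.12.4" paragraph lists CVE-2018-5744, CVE-2018-5745 and CVE-2019-6465 by number only. One clause per CVE naming the affected feature would let an operator judge exposure from the README alone; failing that, point to the release notes where each one is described.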
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
It is possible to set per\-user defaults for
\fBdig\fR
via
-${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
+${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
+\fB\-r\fR
+option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
from other arguments\&.
.RE
.PP
+\-r
+.RS 4
+Do not read options from
+${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
+.RE
+.PP
\-t \fItype\fR
.RS 4
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
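Review bot: The new -r entry does not say whether its position on the command line matters. The DESCRIPTION text states that .digrc options "are applied before the command line arguments", so a reader cannot tell whether a -r placed after the query name still suppresses the file. Add a sentence saying either that -r is honoured wherever it appears or that it must come first.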
.PP
\fB+[no]idnin\fR
.RS 4
-Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
+Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
+.sp
+The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
-Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
+Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
+.sp
+The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
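Review bot: The new default for +[no]idnin makes processing of input depend on whether standard output is a tty, and the text does not say that an explicit +idnin or +idnout still forces processing when output is redirected. Without that, a script author reading "disabled when dig output is redirected to files, pipes, and other non-tty file descriptors" cannot tell how to get the interactive behaviour in a pipeline. The +[no]idnout entry also opens with "Convert [do not convert] puny code" but the added paragraph says "process puny code on output"; use one verb for both.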
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<p>
It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
- <code class="filename">${HOME}/.digrc</code>. This file is read and
- any options in it
- are applied before the command line arguments.
+ <code class="filename">${HOME}/.digrc</code>. This file is read and any
+ options in it are applied before the command line arguments.
+ The <code class="option">-r</code> option disables this feature, for
+ scripts that need predictable behaviour.
</p>
<p>
the <em class="parameter"><code>name</code></em> from other arguments.
</p>
</dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+ <p>
+ Do not read options from <code class="filename">${HOME}/.digrc</code>.
+ This is useful for scripts that need predictable behaviour.
+ </p>
+ </dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
<p>
Process [do not process] IDN domain names on input.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to process IDN input.
+ compile time.
+ </p>
+ <p>
+ The default is to process IDN input when standard output
+ is a tty. The IDN processing on input is disabled when
+ dig output is redirected to files, pipes, and other
+ non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
<p>
Convert [do not convert] puny code on output.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to convert output.
+ compile time.
+ </p>
+ <p>
+ The default is to process puny code on output when
+ standard output is a tty. The puny code processing on
+ output is disabled when dig output is redirected to
+ files, pipes, and other non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.PP
\fBnslookup\fR
returns with an exit status of 1 if any query failed, and 0 otherwise\&.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBnslookup\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
+\fBnslookup\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
+\fBIDN_DISABLE\fR
+environment variable\&. The IDN support is disabled if the variable is set when
+\fBnslookup\fR
+runs or when the standard output is not a tty\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
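Review bot: The last sentence of the new IDN SUPPORT section says IDN support is disabled "when the standard output is not a tty", but the section documents no way to turn it back on for piped or redirected output, so the only control it describes (IDN_DISABLE) works in one direction. State whether that is intended. The wording also needs a pass: "converts character encoding of domain name before sending a request to DNS server" is missing its articles, and "define the IDN_DISABLE environment variable" versus "if the variable is set" should use one term so it is clear whether an empty value counts.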
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</div>
<div class="refsection">
-<a name="id-1.11"></a><h2>FILES</h2>
+<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
+
+ <p>
+ If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
+ a tty.
+ </p>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.12"></a><h2>SEE ALSO</h2>
+<a name="id-1.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
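Review bot: Inserting IDN SUPPORT as id-1.11 shifts FILES to id-1.12 and SEE ALSO to id-1.13, so an existing link to #id-1.11 now lands on a different section than before. If these ids are generated from section order that is expected, but confirm nothing links to them by number, or give the new section a stable named anchor.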
-.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.sp
The
\fIalgorithm\fR
-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
+must be one of SHA\-1, SHA\-256, SHA\-384, or GOST\&. These values are case insensitive, and hyphens may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
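Review bot: The algorithm list here still includes GOST ("SHA-1, SHA-256, SHA-384, or GOST"), while the dnssec-dsfromkey -a entry changed in this same patch reads "SHA-1, SHA-256, or SHA-384". If GOST is still accepted by one tool and not the other, say so; otherwise make the two lists match. The two pages also differ on "hyphens may be omitted" versus "the hyphen may be omitted"; pick one.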
.RE
.SH "COPYRIGHT"
.br
-Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
record. This option has no effect when using CDS records.
</p>
<p>
- The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
- (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
- values are case insensitive. If no algorithm is specified,
+ The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1,
+ SHA-256, SHA-384, or GOST. These values are case insensitive,
+ and hyphens may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
-.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
+\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
+\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
+The
\fBdnssec\-dsfromkey\fR
-outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
+command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
+\fB\-l\fR
+option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
+\fB\-C\fR
+it outputs CDS (Child DS) RRs\&.
+.PP
+The input keys can be specified in a number of ways:
+.PP
+By default,
+\fBdnssec\-dsfromkey\fR
+reads a key file named like
+Knnnn\&.+aaa+iiiii\&.key, as generated by
+\fBdnssec\-keygen\fR\&.
+.PP
+With the
+\fB\-f \fR\fB\fIfile\fR\fR
+option,
+\fBdnssec\-dsfromkey\fR
+reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
+.PP
+With the
+\fB\-s\fR
+option,
+\fBdnssec\-dsfromkey\fR
+reads a
+keyset\-
+file, as generated by
+\fBdnssec\-keygen\fR\fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
-Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
+An abbreviation for
+\fB\-a SHA1\fR
.RE
.PP
\-2
.RS 4
-Use SHA\-256 as the digest algorithm\&.
+An abbreviation for
+\fB\-a SHA\-256\fR
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
-Select the digest algorithm\&. The value of
-\fBalgorithm\fR
-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&.
+Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
+.sp
+The
+\fIalgorithm\fR
+must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
-\-C
+\-A
.RS 4
-Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
+Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
+\fB\-f\fR
+zone file mode\&.
.RE
.PP
-\-T \fITTL\fR
+\-c \fIclass\fR
.RS 4
-Specifies the TTL of the DS records\&.
+Specifies the DNS class (default is IN)\&. Useful only in
+\fB\-s\fR
+keyset or
+\fB\-f\fR
+zone file mode\&.
.RE
.PP
-\-K \fIdirectory\fR
+\-C
.RS 4
-Look for key files (or, in keyset mode,
-keyset\-
-files) in
-\fBdirectory\fR\&.
+Generate CDS records rather than DS records\&. This is mutually exclusive with the
+\fB\-l\fR
+option for generating DLV records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
-Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
+Zone file mode:
+\fBdnssec\-dsfromkey\fR\*(Aqs final
+\fIdnsname\fR
+argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
-\fBfile\fR
-is set to
+\fIfile\fR
+is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
-\-A
+\-h
.RS 4
-Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
+Prints usage information\&.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Look for key files or
+keyset\-
+files in
+\fBdirectory\fR\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
-\fBdomain\fR
-is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
+\fIdomain\fR
+is appended to the name for each record in the set\&. This is mutually exclusive with the
+\fB\-C\fR
+option for generating CDS records\&.
.RE
.PP
\-s
.RS 4
-Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
+Keyset mode:
+\fBdnssec\-dsfromkey\fR\*(Aqs final
+\fIdnsname\fR
+argument is the DNS domain name used to locate a
+keyset\-
+file\&.
.RE
.PP
-\-c \fIclass\fR
+\-T \fITTL\fR
.RS 4
-Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
+Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
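Review bot: The -1 and -a entries change the documented default digest without saying whether the tool's behaviour changed. The removed -1 text said "the default is to use both SHA-1 and SHA-256"; the new -a text says "If no algorithm is specified, the default is SHA-256". If this reflects a behaviour change, call it out here or in the release notes, because a script that relied on getting a SHA-1 DS record by default now gets one record instead of two. Smaller points in the same hunk: in the DESCRIPTION, "\fBdnssec\-keygen\fR\fB\-C\fR" has no space between the command and the option and will render as "dnssec-keygen-C"; -1 is given as "-a SHA1" while -2 is "-a SHA-256"; and neither of those two sentences ends with a period.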
Sets the debugging level\&.
.RE
.PP
-\-h
-.RS 4
-Prints usage information\&.
-.RE
-.PP
\-V
.RS 4
Prints version information\&.
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
-keyfile name, the following command would be issued:
+keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
-\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
+\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
.SH "FILES"
.PP
-The keyfile can be designed by the key identification
+The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
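Review bot: The example still does not agree with itself after the digest is rejoined. The keyfile is Kexample.com.+003+26160, in the Knnnn.+aaa+iiiii format where aaa is the key algorithm, yet the printed record is "DS 26160 5 2", so the algorithm in the file name (003) and the algorithm field of the DS record (5) differ. Since this hunk already touches the output line, regenerate the example from a single key so the two match.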
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
-RFC 3658,
-RFC 4431\&.
-RFC 4509\&.
+RFC 3658
+(DS RRs),
+RFC 4431
+(DLV RRs),
+RFC 4509
+(SHA\-256 for DS RRs),
+RFC 6605
+(SHA\-384 for DS RRs),
+RFC 7344
+(CDS and CDNSKEY RRs)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-1</code>]
- [<code class="option">-2</code>]
- [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
- [<code class="option">-C</code>]
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+ [
+ <code class="option">-1</code>
+ | <code class="option">-2</code>
+ | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
+ ]
+ [
+ <code class="option">-C</code>
+ | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
+ ]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+ [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+ [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
- {-s}
- [<code class="option">-1</code>]
- [<code class="option">-2</code>]
- [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-s</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+ [
+ <code class="option">-1</code>
+ | <code class="option">-2</code>
+ | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
+ ]
+ [
+ <code class="option">-C</code>
+ | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
+ ]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
+ [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+ [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-A</code>]
+ {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
+ [dnsname]
+ </p></div>
+ <div class="cmdsynopsis"><p>
+ <code class="command">dnssec-dsfromkey</code>
+ [
+ <code class="option">-1</code>
+ | <code class="option">-2</code>
+ | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
+ ]
+ [
+ <code class="option">-C</code>
+ | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
+ ]
+ [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+ [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+ [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+ {-s}
{dnsname}
- </p></div>
+ </p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
- [<code class="option">-h</code>]
- [<code class="option">-V</code>]
- </p></div>
+ [
+ <code class="option">-h</code>
+ | <code class="option">-V</code>
+ ]
+ </p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
- <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
- outputs the Delegation Signer (DS) resource record (RR), as defined in
- RFC 3658 and RFC 4509, for the given key(s).
+ <p>
+ The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
+ Signer) resource records (RRs) and other similarly-constructed RRs:
+ with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
+ Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
+ DS) RRs.
+ </p>
+
+ <p>
+ The input keys can be specified in a number of ways:
+ </p>
+
+ <p>
+ By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
+ named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
+ by <span class="command"><strong>dnssec-keygen</strong></span>.
+ </p>
+
+ <p>
+ With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
+ option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
+ or partial zone file (which can contain just the DNSKEY records).
+ </p>
+
+ <p>
+ With the <code class="option">-s</code>
+ option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
+ a <code class="filename">keyset-</code> file, as generated
+ by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
</p>
+
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
-
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
<p>
- Use SHA-1 as the digest algorithm (the default is to use
- both SHA-1 and SHA-256).
+ An abbreviation for <code class="option">-a SHA1</code>
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
- Use SHA-256 as the digest algorithm.
+ An abbreviation for <code class="option">-a SHA-256</code>
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
- Select the digest algorithm. The value of
- <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
- SHA-256 (SHA256), GOST or SHA-384 (SHA384).
- These values are case insensitive.
+ Specify a digest algorithm to use when converting DNSKEY
+ records to DS records. This option can be repeated, so
+ that multiple DS records are created for each DNSKEY
+ record.
+ </p>
+ <p>
+ The <em class="replaceable"><code>algorithm</code></em> must be one of
+ SHA-1, SHA-256, or SHA-384. These values are case insensitive,
+ and the hyphen may be omitted. If no algorithm is specified,
+ the default is SHA-256.
</p>
</dd>
-<dt><span class="term">-C</span></dt>
+<dt><span class="term">-A</span></dt>
<dd>
- <p>
- Generate CDS records rather than DS records. This is mutually
- exclusive with generating lookaside records.
- </p>
- </dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+ <p>
+ Include ZSKs when generating DS records. Without this option, only
+ keys which have the KSK flag set will be converted to DS records
+ and printed. Useful only in <code class="option">-f</code> zone file mode.
+ </p>
+ </dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
- Specifies the TTL of the DS records.
+ Specifies the DNS class (default is IN). Useful only
+ in <code class="option">-s</code> keyset or <code class="option">-f</code>
+ zone file mode.
</p>
</dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dt><span class="term">-C</span></dt>
<dd>
<p>
- Look for key files (or, in keyset mode,
- <code class="filename">keyset-</code> files) in
- <code class="option">directory</code>.
+ Generate CDS records rather than DS records. This is mutually
+ exclusive with the <code class="option">-l</code> option for generating DLV
+ records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
- Zone file mode: in place of the keyfile name, the argument is
- the DNS domain name of a zone master file, which can be read
+ Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
+ final <em class="replaceable"><code>dnsname</code></em> argument is
+ the DNS domain name of a zone whose master file can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
- If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
+ If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
-<dt><span class="term">-A</span></dt>
+<dt><span class="term">-h</span></dt>
<dd>
- <p>
- Include ZSKs when generating DS records. Without this option,
- only keys which have the KSK flag set will be converted to DS
- records and printed. Useful only in zone file mode.
- </p>
- </dd>
+ <p>
+ Prints usage information.
+ </p>
+ </dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+ <p>
+ Look for key files or <code class="filename">keyset-</code> files in
+ <code class="option">directory</code>.
+ </p>
+ </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
- Generate a DLV set instead of a DS set. The specified
- <code class="option">domain</code> is appended to the name for each
+ Generate a DLV set instead of a DS set. The specified
+ <em class="replaceable"><code>domain</code></em> is appended to the name for each
record in the set.
- The DNSSEC Lookaside Validation (DLV) RR is described
- in RFC 4431. This is mutually exclusive with generating
- CDS records.
+ This is mutually exclusive with the <code class="option">-C</code> option
+ for generating CDS records.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
- Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file.
+ Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
+ final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
+ domain name used to locate a <code class="filename">keyset-</code> file.
</p>
</dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
<p>
- Specifies the DNS class (default is IN). Useful only
- in keyset or zone file mode.
+ Specifies the TTL of the DS records. By default the TTL is omitted.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
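Review bot: the rewritten -K entry drops the mode qualifier. The old text read "(or, in keyset mode, keyset- files)", while the new text says "key files or keyset- files" without saying when keyset- files are looked for. The -A and -c entries in this same hunk now name their modes explicitly ("-f zone file mode", "-s keyset"), so -K should do the same, for example "or, in -s keyset mode, keyset- files". A smaller markup point: the changed lines mark file and domain up as em class="replaceable", but the unchanged -f context lines and the new -K entry still use code class="option" for file and directory; these should be made uniform.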
Sets the debugging level.
</p>
</dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints usage information.
- </p>
- </dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
- keyfile name, the following command would be issued:
+ keyfile name, you can issue the following command:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print something like:
</p>
- <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
+ <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
</p>
+
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
- The keyfile can be designed by the key identification
+ The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
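Review bot: the example is still internally inconsistent after the digest fix. The key file name Kexample.com.+003+26160 carries 003 in the +aaa+ algorithm field, but the printed record "example.com. IN DS 26160 5 2 ..." has 5 in the DS algorithm field (the order is key tag, algorithm, digest type, digest). Joining the digest into a single 64-hex-digit string is correct for digest type 2, but either the file name or the DS line should be changed so the two algorithm numbers agree; otherwise a reader checking their own output against this example will see a mismatch they cannot explain.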
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 3658</em>,
- <em class="citetitle">RFC 4431</em>.
- <em class="citetitle">RFC 4509</em>.
+ <em class="citetitle">RFC 3658</em> (DS RRs),
+ <em class="citetitle">RFC 4431</em> (DLV RRs),
+ <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
+ <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
+ <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
</p>
</div>
-.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2008-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009-2011, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2009, 2011-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000, 2001, 2003-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2003-2009, 2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
-.\" Copyright (C) 2004-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2004-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2004-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2000-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2012-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2012-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2012-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2016-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2016-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBdnssec\-settime\fR\&.
.PP
DNSSEC policy can be read from a configuration file (default
-/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a default policy used for all zones\&.
+/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a "default" policy used for all zones\&.
.PP
When
\fBdnssec\-keymgr\fR
\fB\-K\fR
option), and check the keys for all the zones represented in the directory\&.
.PP
+Key times that are in the past will not be updated unless the
+\fB\-f\fR
+is used (see below)\&. Key inactivation and deletion times that are less than five minutes in the future will be delayed by five minutes\&.
+.PP
It is expected that this tool will be run automatically and unattended (for example, by
\fBcron\fR)\&.
.SH "OPTIONS"
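Review bot: the added sentence "unless the -f is used (see below)" is missing a noun after the flag and should read "unless the -f option is used (see below)". The same wording appears in the HTML version of this paragraph later in the patch, so both places need the fix. It would also help to state whether the five-minute delay applies only to inactivation and deletion times, as written, or to publication and activation times as well, since an unattended cron run is exactly where that distinction matters.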
.sp -1
.IP \(bu 2.3
.\}
-Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
+\fIAlgorithm policies:\fR
+(\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using
\fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&.
.RE
.sp -1
.IP \(bu 2.3
.\}
-Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
+\fIZone policies:\fR
+(\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a
\fBpolicy\fR
-option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&.
+option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&. If a zone does not have its own policy then the "default" policy applies\&.
.RE
.PP
Options that can be specified in policies:
.PP
-\fBalgorithm\fR
+\fBalgorithm\fR \fIname\fR;
.RS 4
The key algorithm\&. If no policy is defined, the default is RSASHA256\&.
.RE
.PP
-\fBcoverage\fR
+\fBcoverage\fR \fIduration\fR;
.RS 4
The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&.
.RE
.PP
-\fBdirectory\fR
+\fBdirectory\fR \fIpath\fR;
.RS 4
Specifies the directory in which keys should be stored\&.
.RE
.PP
-\fBkey\-size\fR
+\fBkey\-size\fR \fIkeytype\fR \fIsize\fR;
.RS 4
-Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA\&.
+Specifies the number of bits to use in creating keys\&. The keytype is either "zsk" or "ksk"\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA\&.
.RE
.PP
-\fBkeyttl\fR
+\fBkeyttl\fR \fIduration\fR;
.RS 4
The key TTL\&. If no policy is defined, the default is one hour\&.
.RE
.PP
-\fBpost\-publish\fR
+\fBpost\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long after inactivation a key should be deleted from the zone\&. Note: If
\fBroll\-period\fR
-is not set, this value is ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
+is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
-\fBpre\-publish\fR
+\fBpre\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long before activation a key should be published\&. Note: If
\fBroll\-period\fR
-is not set, this value is ignored\&. Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
+is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
-\fBroll\-period\fR
+\fBroll\-period\fR \fIkeytype\fR \fIduration\fR;
.RS 4
-How frequently keys should be rolled over\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not roll over by default\&.
+How frequently keys should be rolled over\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSKs\&. KSKs do not roll over by default\&.
.RE
.PP
-\fBstandby\fR
+\fBstandby\fR \fIkeytype\fR \fInumber\fR;
.RS 4
Not yet implemented\&.
.RE
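Review bot: the new synopsis "standby keytype number;" documents argument syntax for an option whose whole description is "Not yet implemented." Either leave the synopsis out until the option does something, or extend the description to say what happens when the statement appears in a policy file (ignored or rejected), so that an operator does not configure standby keys and assume they are being maintained.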
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2016-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2016-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2016-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2016-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</p>
<p>
DNSSEC policy can be read from a configuration file (default
- <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
- parameters, publication and rollover schedule, and desired
- coverage duration for any given zone can be determined. This
+ <code class="filename">/etc/dnssec-policy.conf</code>), from which the
+ key parameters, publication and rollover schedule, and desired
+ coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
- per-zone basis, or to set a default policy used for all zones.
+ per-zone basis, or to set a "<code class="literal">default</code>" policy
+ used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
set by the <code class="option">-K</code> option), and check the keys for
all the zones represented in the directory.
</p>
+ <p>
+ Key times that are in the past will not be updated unless
+ the <code class="option">-f</code> is used (see below). Key inactivation
+ and deletion times that are less than five minutes in the future
+ will be delayed by five minutes.
+ </p>
<p>
It is expected that this tool will be run automatically and
unattended (for example, by <span class="command"><strong>cron</strong></span>).
</li>
<li class="listitem">
<p>
- Algorithm policies:
+ <span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
</li>
<li class="listitem">
<p>
- Zone policies:
+ <span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
+ If a zone does not have its own policy then the
+ "<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
+ <em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>coverage</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
- This can be represented as a number of seconds, or as a duration using
- human-readable units (examples: "1y" or "6 months").
+ This can be represented as a number of seconds, or as a duration
+ using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>directory</strong></span>
+ <em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the directory in which keys should be stored.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the number of bits to use in creating keys.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
+ The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key TTL. If no policy is defined, the default is one hour.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long after inactivation a key should be deleted from the zone.
Note: If <code class="option">roll-period</code> is not set, this value is
- ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
- duration. A default value for this option can be set in algorithm
+ ignored. The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
- Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How frequently keys should be rolled over.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
- configured, the default is one year for ZSK's. KSK's do not
+ configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Not yet implemented.
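Review bot: the post-publish, pre-publish and roll-period entries now show a duration argument in the term line, but nothing in the visible text says what form a duration takes (plain seconds, unit suffixes, keywords), while the defaults are stated as "one month" and "one year". Add a sentence defining the accepted duration syntax, or a pointer to where it is defined. The standby entry has the same gap: it gains "keytype number" in the term while the body still reads only "Not yet implemented."; say whether the statement is parsed and ignored or rejected. Separately, the untouched key-size text still documents a 1024-bit default for DSA keys, which deserves a follow-up while this entry is being edited.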
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2015-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2015-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2015-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2015-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009-2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009-2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009-2011, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2015-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2015-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2015-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2015-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2015-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
Internet Systems Consortium
.SH "COPYRIGHT"
.br
-Copyright \(co 2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
javascript-capable browser.
</p>
- <p>
- Applications that depend on a particular XML schema
- can request
- <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
- of the statistics XML schema or
- <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
- If the requested schema is supported by the server, then
- it will respond; if not, it will return a "page not found"
- error.
- </p>
-
<p>
Broken-out subsets of the statistics can be viewed at
<a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
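Review bot: the removed paragraph is the only place in the visible text that mentions /xml/v2 and that tells clients what to expect when they request a schema version the server does not support (a "page not found" error). If version 2 of the statistics schema is no longer served, say so in the release notes and keep one sentence here stating that /xml/v3 is the supported schema; as it stands, the surviving paragraph points readers at http://127.0.0.1:8888/xml/v3/status with no explanation of the version component in the path.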
</td>
</tr>
<tr>
+<td>
+ <p>
+ AMTRELAY
+ </p>
+ </td>
+<td>
+ <p>
+ Automatic Multicast Tunneling Relay
+ discovery record.
+ Work in progress draft-ietf-mboned-driad-amt-discovery.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p>
APL
</p>
</td>
</tr>
+<tr>
+<td>
+ <p>
+ ZONEMD
+ </p>
+ </td>
+<td>
+ <p>
+ Zone Message Digest.
+ Work in progress draft-wessels-dns-zone-digest.
+ </p>
+ </td>
+</tr>
</tbody>
</table>
</div>
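Review bot: the ZONEMD row cites draft-wessels-dns-zone-digest without a revision number, and the AMTRELAY row added earlier in this table does the same for draft-ietf-mboned-driad-amt-discovery. A work-in-progress draft can change between revisions, so name the revision the implementation follows in each row; otherwise an operator cannot tell whether records produced by this release match what a peer built against a later revision expects.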
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.4rc1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.12.3</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.12.4rc1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
CVE-2018-5736. [GL #134]
</p>
</li>
+<li class="listitem">
+ <p>
+ Code change #4964, intended to prevent double signatures
+ when deleting an inactive zone DNSKEY in some situations,
+ introduced a new problem during zone processing in which
+ some delegation glue RRsets are incorrectly identified
+ as needing RRSIGs, which are then created for them using
+ the current active ZSK for the zone. In some, but not all
+ cases, the newly-signed RRsets are added to the zone's
+ NSEC/NSEC3 chain, but incompletely -- this can result in
+ a broken chain, affecting validation of proof of nonexistence
+ for records in the zone. [GL #771]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
+ security root with <span class="command"><strong>managed-keys</strong></span> and the
+ authoritative zone rolled the key to an algorithm not supported
+ by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> leaked memory when processing a
+ request with multiple Key Tag EDNS options present. ISC
+ would like to thank Toshifumi Sakaguchi for bringing this
+ to our attention. This flaw is disclosed in CVE-2018-5744.
+ [GL #772]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Zone transfer controls for writable DLZ zones were not
+ effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
+ not being called for such zones. This flaw is disclosed in
+ CVE-2019-6465. [GL #790]
+ </p>
+ </li>
</ul></div>
</div>
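Review bot: the GL #771 entry refers to "Code change #4964", an internal change number that a reader of the release notes cannot resolve, and it describes a broken NSEC/NSEC3 chain without saying what an operator should do about zones already processed by an affected build. Describe the earlier change in words and add a sentence on how to check for and repair an affected zone. In the CVE-2018-5745 entry, "DNSSEC security root" is not a term used elsewhere in the visible text; name what is actually configured under managed-keys (a trust anchor). The CVE-2018-5744 and CVE-2019-6465 entries would also be easier to triage if each stated which configurations are exposed, since the first applies to any request carrying multiple Key Tag EDNS options and the second only to writable DLZ zones.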
in the respective principals.
</p>
</li>
+<li class="listitem">
+ <p>
+ The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
+ can be used to make BIND enable and enforce FIPS mode in the
+ OpenSSL library. When compiled with such option the BIND will
+ refuse to run if FIPS mode can't be enabled, thus this option
+ must be only enabled for the systems where FIPS mode is available.
+ </p>
+ </li>
</ul></div>
</div>
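Review bot: the second sentence needs an edit before release: "When compiled with such option the BIND will refuse to run" and "must be only enabled for the systems where" are ungrammatical. Suggested wording: "When compiled with this option, BIND refuses to run if FIPS mode cannot be enabled, so the option should only be used on systems where FIPS mode is available." It would also help to say how the refusal is reported (log message, exit status), so an operator can tell this failure apart from other startup errors.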
option. [GL #105]
</p>
</li>
+<li class="listitem">
+ <p>
+ When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
+ <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
+ the standard output is not a tty (e.g. not used by human). The command
+ line options +idnin and +idnout need to be used to enable IDN
+ processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
+ is used from the shell scripts.
+ </p>
+ </li>
</ul></div>
</div>
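Review bot: the last sentence applies +idnin and +idnout to nslookup as well as dig, but the + prefix is dig's option syntax; either give the nslookup equivalent or limit the sentence to dig. The entry should also be flagged as a behaviour change, because an existing script that parses converted names from a pipe will now see unconverted output unless it passes these options. Wording: "(e.g. not used by human)" reads better as "(i.e. when the output is not being read by a person)", and "from the shell scripts" should be "from shell scripts".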
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.12.3</p></div>
-<div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
+<div><p class="releaseinfo">BIND Version 9.12.4rc1</p></div>
+<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</div>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.4rc1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<p>
It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
- <code class="filename">${HOME}/.digrc</code>. This file is read and
- any options in it
- are applied before the command line arguments.
+ <code class="filename">${HOME}/.digrc</code>. This file is read and any
+ options in it are applied before the command line arguments.
+ The <code class="option">-r</code> option disables this feature, for
+ scripts that need predictable behaviour.
</p>
<p>
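Review bot: the paragraph says options in ${HOME}/.digrc are applied before the command line arguments, and then introduces -r, which is itself a command line argument. State whether -r takes effect wherever it appears on the command line or has to come before other options, since a script author relying on it for predictable behaviour needs to know that the file is not partly applied before -r is seen.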
the <em class="parameter"><code>name</code></em> from other arguments.
</p>
</dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+ <p>
+ Do not read options from <code class="filename">${HOME}/.digrc</code>.
+ This is useful for scripts that need predictable behaviour.
+ </p>
+ </dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
<p>
Process [do not process] IDN domain names on input.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to process IDN input.
+ compile time.
+ </p>
+ <p>
+ The default is to process IDN input when standard output
+ is a tty. The IDN processing on input is disabled when
+ dig output is redirected to files, pipes, and other
+ non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
<p>
Convert [do not convert] puny code on output.
This requires IDN SUPPORT to have been enabled at
- compile time. The default is to convert output.
+ compile time.
+ </p>
+ <p>
+ The default is to process puny code on output when
+ standard output is a tty. The puny code processing on
+ output is disabled when dig output is redirected to
+ files, pipes, and other non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
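Review bot: the new +[no]idnin paragraph makes input processing depend on whether standard output is a tty, which reads like a slip to anyone expecting it to follow standard input; add a sentence confirming that this is intended and that +idnin restores input processing when output is redirected. In the +[no]idnout paragraph the option is introduced as "Convert [do not convert] puny code" while the new default text says "process puny code on output"; use one verb in both places, and spell the encoding "Punycode".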
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
record. This option has no effect when using CDS records.
</p>
<p>
- The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
- (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
- values are case insensitive. If no algorithm is specified,
+ The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1,
+ SHA-256, SHA-384, or GOST. These values are case insensitive,
+ and hyphens may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
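Review bot: the rewritten list replaces the explicit alternate spellings (SHA1, SHA256, SHA384) with "hyphens may be omitted", which is clearer, but it still presents SHA-1 first and on equal footing with SHA-256 and SHA-384 even though the stated default is SHA-256. Consider listing the default first and adding a sentence on when, if ever, SHA-1 or GOST should be selected, so a reader does not take the order of the list as a recommendation.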
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-1</code>]
- [<code class="option">-2</code>]
- [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
- [<code class="option">-C</code>]
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+ [
+ <code class="option">-1</code>
+ | <code class="option">-2</code>
+ | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
+ ]
+ [
+ <code class="option">-C</code>
+ | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
+ ]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
+ [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+ [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
- {-s}
- [<code class="option">-1</code>]
- [<code class="option">-2</code>]
- [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-s</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+ [
+ <code class="option">-1</code>
+ | <code class="option">-2</code>
+ | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
+ ]
+ [
+ <code class="option">-C</code>
+ | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
+ ]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
+ [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+ [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-A</code>]
+ {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
+ [dnsname]
+ </p></div>
+ <div class="cmdsynopsis"><p>
+ <code class="command">dnssec-dsfromkey</code>
+ [
+ <code class="option">-1</code>
+ | <code class="option">-2</code>
+ | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
+ ]
+ [
+ <code class="option">-C</code>
+ | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
+ ]
+ [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+ [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+ [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
+ {-s}
{dnsname}
- </p></div>
+ </p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
- [<code class="option">-h</code>]
- [<code class="option">-V</code>]
- </p></div>
+ [
+ <code class="option">-h</code>
+ | <code class="option">-V</code>
+ ]
+ </p></div>
</div>
<div class="refsection">
<a name="id-1.13.9.7"></a><h2>DESCRIPTION</h2>
- <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
- outputs the Delegation Signer (DS) resource record (RR), as defined in
- RFC 3658 and RFC 4509, for the given key(s).
+ <p>
+ The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
+ Signer) resource records (RRs) and other similarly-constructed RRs:
+ with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
+ Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
+ DS) RRs.
+ </p>
+
+ <p>
+ The input keys can be specified in a number of ways:
+ </p>
+
+ <p>
+ By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
+ named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
+ by <span class="command"><strong>dnssec-keygen</strong></span>.
+ </p>
+
+ <p>
+ With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
+ option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
+ or partial zone file (which can contain just the DNSKEY records).
+ </p>
+
+ <p>
+ With the <code class="option">-s</code>
+ option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
+ a <code class="filename">keyset-</code> file, as generated
+ by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
</p>
+
</div>
<div class="refsection">
<a name="id-1.13.9.8"></a><h2>OPTIONS</h2>
-
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
<p>
- Use SHA-1 as the digest algorithm (the default is to use
- both SHA-1 and SHA-256).
+ An abbreviation for <code class="option">-a SHA1</code>
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
- Use SHA-256 as the digest algorithm.
+ An abbreviation for <code class="option">-a SHA-256</code>
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
- Select the digest algorithm. The value of
- <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
- SHA-256 (SHA256), GOST or SHA-384 (SHA384).
- These values are case insensitive.
+ Specify a digest algorithm to use when converting DNSKEY
+ records to DS records. This option can be repeated, so
+ that multiple DS records are created for each DNSKEY
+ record.
+ </p>
+ <p>
+ The <em class="replaceable"><code>algorithm</code></em> must be one of
+ SHA-1, SHA-256, or SHA-384. These values are case insensitive,
+ and the hyphen may be omitted. If no algorithm is specified,
+ the default is SHA-256.
</p>
</dd>
-<dt><span class="term">-C</span></dt>
+<dt><span class="term">-A</span></dt>
<dd>
- <p>
- Generate CDS records rather than DS records. This is mutually
- exclusive with generating lookaside records.
- </p>
- </dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
+ <p>
+ Include ZSKs when generating DS records. Without this option, only
+ keys which have the KSK flag set will be converted to DS records
+ and printed. Useful only in <code class="option">-f</code> zone file mode.
+ </p>
+ </dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
- Specifies the TTL of the DS records.
+ Specifies the DNS class (default is IN). Useful only
+ in <code class="option">-s</code> keyset or <code class="option">-f</code>
+ zone file mode.
</p>
</dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dt><span class="term">-C</span></dt>
<dd>
<p>
- Look for key files (or, in keyset mode,
- <code class="filename">keyset-</code> files) in
- <code class="option">directory</code>.
+ Generate CDS records rather than DS records. This is mutually
+ exclusive with the <code class="option">-l</code> option for generating DLV
+ records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
- Zone file mode: in place of the keyfile name, the argument is
- the DNS domain name of a zone master file, which can be read
+ Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
+ final <em class="replaceable"><code>dnsname</code></em> argument is
+ the DNS domain name of a zone whose master file can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
- If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
+ If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
-<dt><span class="term">-A</span></dt>
+<dt><span class="term">-h</span></dt>
<dd>
- <p>
- Include ZSKs when generating DS records. Without this option,
- only keys which have the KSK flag set will be converted to DS
- records and printed. Useful only in zone file mode.
- </p>
- </dd>
+ <p>
+ Prints usage information.
+ </p>
+ </dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+ <p>
+ Look for key files or <code class="filename">keyset-</code> files in
+ <code class="option">directory</code>.
+ </p>
+ </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
- Generate a DLV set instead of a DS set. The specified
- <code class="option">domain</code> is appended to the name for each
+ Generate a DLV set instead of a DS set. The specified
+ <em class="replaceable"><code>domain</code></em> is appended to the name for each
record in the set.
- The DNSSEC Lookaside Validation (DLV) RR is described
- in RFC 4431. This is mutually exclusive with generating
- CDS records.
+ This is mutually exclusive with the <code class="option">-C</code> option
+ for generating CDS records.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
- Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file.
+ Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
+ final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
+ domain name used to locate a <code class="filename">keyset-</code> file.
</p>
</dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
<p>
- Specifies the DNS class (default is IN). Useful only
- in keyset or zone file mode.
+ Specifies the TTL of the DS records. By default the TTL is omitted.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
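Review bot: in the -a entry the documented default changes from "both SHA-1 and SHA-256" (the sentence removed from -1) to SHA-256 only, and GOST is dropped from the accepted values, but the new text does not tell a reader that this differs from earlier releases. Going by the old and new wording, a script that relied on the default to emit two DS records per key now gets one. Suggest a sentence under -a stating that SHA-1 DS records now require an explicit -1 or -a SHA-1. Two smaller points in the same hunk: the synopsis groups "-1 | -2 | -a alg" as alternatives while the -a text says the option can be repeated, and the -1 and -2 entries spell the argument two ways ("-a SHA1" vs "-a SHA-256") and have lost their final period. In the DESCRIPTION, "with the -C it outputs CDS" should read "with the -C option".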
Sets the debugging level.
</p>
</dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints usage information.
- </p>
- </dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
- keyfile name, the following command would be issued:
+ keyfile name, you can issue the following command:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print something like:
</p>
- <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
+ <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
</p>
+
</div>
<div class="refsection">
<a name="id-1.13.9.10"></a><h2>FILES</h2>
<p>
- The keyfile can be designed by the key identification
+ The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
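Review bot: the example output is still inconsistent with the command above it. The key file is Kexample.com.+003+26160, whose middle field (the aaa in Knnnn.+aaa+iiiii) is algorithm 003, yet the DS line reads "26160 5 2", i.e. algorithm 5. Since this hunk already edits the output line to rejoin the digest, correct the algorithm number (or the key file name) in the same change so the example can be checked against a real run.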
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 3658</em>,
- <em class="citetitle">RFC 4431</em>.
- <em class="citetitle">RFC 4509</em>.
+ <em class="citetitle">RFC 3658</em> (DS RRs),
+ <em class="citetitle">RFC 4431</em> (DLV RRs),
+ <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
+ <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
+ <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
</p>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</p>
<p>
DNSSEC policy can be read from a configuration file (default
- <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
- parameters, publication and rollover schedule, and desired
- coverage duration for any given zone can be determined. This
+ <code class="filename">/etc/dnssec-policy.conf</code>), from which the
+ key parameters, publication and rollover schedule, and desired
+ coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
- per-zone basis, or to set a default policy used for all zones.
+ per-zone basis, or to set a "<code class="literal">default</code>" policy
+ used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
set by the <code class="option">-K</code> option), and check the keys for
all the zones represented in the directory.
</p>
+ <p>
+ Key times that are in the past will not be updated unless
+ the <code class="option">-f</code> is used (see below). Key inactivation
+ and deletion times that are less than five minutes in the future
+ will be delayed by five minutes.
+ </p>
<p>
It is expected that this tool will be run automatically and
unattended (for example, by <span class="command"><strong>cron</strong></span>).
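Review bot: the added paragraph leaves the delay rule ambiguous. "will be delayed by five minutes" does not say whether the new time is the original time plus five minutes or five minutes from when dnssec-keymgr runs, and for an unattended cron job that difference decides when a key actually goes inactive or is deleted. Suggest stating the resulting time explicitly. Also, "unless the -f is used" is missing the word "option".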
</li>
<li class="listitem">
<p>
- Algorithm policies:
+ <span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
</li>
<li class="listitem">
<p>
- Zone policies:
+ <span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
+ If a zone does not have its own policy then the
+ "<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
+ <em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>coverage</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
- This can be represented as a number of seconds, or as a duration using
- human-readable units (examples: "1y" or "6 months").
+ This can be represented as a number of seconds, or as a duration
+ using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>directory</strong></span>
+ <em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the directory in which keys should be stored.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the number of bits to use in creating keys.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
+ The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key TTL. If no policy is defined, the default is one hour.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long after inactivation a key should be deleted from the zone.
Note: If <code class="option">roll-period</code> is not set, this value is
- ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
- duration. A default value for this option can be set in algorithm
+ ignored. The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
- Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How frequently keys should be rolled over.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
- configured, the default is one year for ZSK's. KSK's do not
+ configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Not yet implemented.
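Review bot: the standby term now advertises a full syntax ("standby keytype number;") while its body still says "Not yet implemented". Presenting it in the same form as the working options invites operators to put it in a policy file and assume standby keys exist. Suggest either leaving the term bare or saying in the body what happens when the statement is present. Separately, key-size drops "Takes two arguments" and relies on the term line for the syntax, which is fine, but the coverage and key-size entries still say "A default value" where the rewritten entries say "A default duration"; pick one wording.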
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</div>
<div class="refsection">
-<a name="id-1.13.30.11"></a><h2>FILES</h2>
+<a name="id-1.13.30.11"></a><h2>IDN SUPPORT</h2>
+
+ <p>
+ If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
+ a tty.
+ </p>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.13.30.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.13.30.12"></a><h2>SEE ALSO</h2>
+<a name="id-1.13.30.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
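Review bot: The new IDN SUPPORT paragraph says IDN is disabled "when the standard output is not a tty" but documents no way to turn it back on in that case, so a reader piping nslookup output has no stated path to IDN conversion. Either document the override here or state that nslookup has none. The two IDN_DISABLE sentences also overlap ("define the ... environment variable" and "disabled if the variable is set"); merging them and saying whether an empty value counts would remove the ambiguity. Inserting the section also renumbers the existing anchors (FILES moves from id-1.13.30.11 to id-1.13.30.12), so external deep links to those ids will now land on a different section.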
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.3</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4rc1</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.12.3</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.12.4rc1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
CVE-2018-5736. [GL #134]
</p>
</li>
+<li class="listitem">
+ <p>
+ Code change #4964, intended to prevent double signatures
+ when deleting an inactive zone DNSKEY in some situations,
+ introduced a new problem during zone processing in which
+ some delegation glue RRsets are incorrectly identified
+ as needing RRSIGs, which are then created for them using
+ the current active ZSK for the zone. In some, but not all
+ cases, the newly-signed RRsets are added to the zone's
+ NSEC/NSEC3 chain, but incompletely -- this can result in
+ a broken chain, affecting validation of proof of nonexistence
+ for records in the zone. [GL #771]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
+ security root with <span class="command"><strong>managed-keys</strong></span> and the
+ authoritative zone rolled the key to an algorithm not supported
+ by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> leaked memory when processing a
+ request with multiple Key Tag EDNS options present. ISC
+ would like to thank Toshifumi Sakaguchi for bringing this
+ to our attention. This flaw is disclosed in CVE-2018-5744.
+ [GL #772]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Zone transfer controls for writable DLZ zones were not
+ effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
+ not being called for such zones. This flaw is disclosed in
+ CVE-2019-6465. [GL #790]
+ </p>
+ </li>
</ul></div>
</div>
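Review bot: The [GL #771] entry describes the regression introduced by change #4964 but never states that this release corrects it, whereas the three entries after it are written in the past tense ("could crash", "leaked memory", "were not effective"). Add a closing sentence saying the behaviour is fixed, and say whether upgrading alone repairs a zone whose NSEC/NSEC3 chain was already left incomplete or whether the operator has to re-sign it. This is also the only one of the four added items without a CVE reference, while the visible context item above it carries one; confirm it belongs in this list.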
in the respective principals.
</p>
</li>
+<li class="listitem">
+ <p>
+ The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
+ can be used to make BIND enable and enforce FIPS mode in the
+ OpenSSL library. When compiled with such option the BIND will
+ refuse to run if FIPS mode can't be enabled, thus this option
+ must be only enabled for the systems where FIPS mode is available.
+ </p>
+ </li>
</ul></div>
</div>
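Review bot: The --enable-fips-mode entry says "the BIND will refuse to run if FIPS mode can't be enabled" without saying which binaries this applies to (named only, or the tools as well) or how the refusal is reported, which an operator needs in order to tell a FIPS failure from any other startup failure. Please name the affected programs and the visible symptom. Wording: "When compiled with such option the BIND will refuse" reads better as "When compiled with this option, BIND will refuse", and "must be only enabled for the systems" as "must only be enabled on systems".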
option. [GL #105]
</p>
</li>
+<li class="listitem">
+ <p>
+ When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
+ <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
+ the standard output is not a tty (e.g. not used by human). The command
+ line options +idnin and +idnout need to be used to enable IDN
+ processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
+ is used from the shell scripts.
+ </p>
+ </li>
</ul></div>
</div>
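Review bot: This entry tells users to pass +idnin and +idnout when "dig or nslookup" is run from scripts, but the nslookup man page text added elsewhere in this patch documents only the IDN_DISABLE variable and no such options. Confirm that nslookup accepts them, or limit the sentence to dig and say what nslookup users should do instead. "(e.g. not used by human)" explains the condition rather than giving an example, so "i.e." is the right abbreviation, and "from the shell scripts" should drop the article. Because this changes the output of existing scripts that relied on IDN conversion, the entry should say so explicitly.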
-Release Notes for BIND Version 9.12.3
+Release Notes for BIND Version 9.12.4rc1
Introduction
multiple versions of a slave zone were transferred from a master in
close succession. This flaw is disclosed in CVE-2018-5736. [GL #134]
+ * Code change #4964, intended to prevent double signatures when deleting
+ an inactive zone DNSKEY in some situations, introduced a new problem
+ during zone processing in which some delegation glue RRsets are
+ incorrectly identified as needing RRSIGs, which are then created for
+ them using the current active ZSK for the zone. In some, but not all
+ cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3
+ chain, but incompletely -- this can result in a broken chain,
+ affecting validation of proof of nonexistence for records in the zone.
+ [GL #771]
+
+ * named could crash if it managed a DNSSEC security root with
+ managed-keys and the authoritative zone rolled the key to an algorithm
+ not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL
+ #780]
+
+ * named leaked memory when processing a request with multiple Key Tag
+ EDNS options present. ISC would like to thank Toshifumi Sakaguchi for
+ bringing this to our attention. This flaw is disclosed in
+ CVE-2018-5744. [GL #772]
+
+ * Zone transfer controls for writable DLZ zones were not effective as
+ the allowzonexfr method was not being called for such zones. This flaw
+ is disclosed in CVE-2019-6465. [GL #790]
+
New Features
* update-policy rules that otherwise ignore the name field now require
name space at or below the machine names identified in the respective
principals.
+ * The new configure option --enable-fips-mode can be used to make BIND
+ enable and enforce FIPS mode in the OpenSSL library. When compiled
+ with such option the BIND will refuse to run if FIPS mode can't be
+ enabled, thus this option must be only enabled for the systems where
+ FIPS mode is available.
+
Feature Changes
* BIND now can be compiled against libidn2 library to add IDNA2008
name but different class; this has been corrected with the addition of
a -class option. [GL #105]
+ * When compiled with IDN support, the dig and the nslookup commands now
+ disable IDN processing when the standard output is not a tty (e.g. not
+ used by human). The command line options +idnin and +idnout need to be
+ used to enable IDN processing when dig or nslookup is used from the
+ shell scripts.
+
Bug Fixes
* When a negative trust anchor was added to multiple views using rndc
bindkeys-file <quoted_string>;
blackhole { <address_match_element>; ... };
cache-file <quoted_string>;
- catalog-zones { zone <quoted_string> [ default-masters [ port
- <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
- port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+ catalog-zones { zone <string> [ default-masters [ port <integer> ]
+ [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
+ <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
check-dup-records ( fail | warn | ignore );
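Review bot: The zone name argument of catalog-zones changes from <quoted_string> to <string> here, and the same substitution appears in the response-policy hunks that follow, but none of the release notes hunks in this patch mention a grammar change. If this only corrects the generated documentation, say so in the commit message; if the parser's accepted syntax changed, add a release note and confirm that existing configurations with quoted zone names still load. Within response-policy the tcp-only argument stays <quoted_string> while the zone name becomes <string>, so please confirm that difference is intended.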
resolver-retry-interval <integer>;
response-padding { <address_match_element>; ... } block-size
<integer>;
- response-policy { zone <quoted_string> [ log <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- policy ( cname | disabled | drop | given | no-op | nodata |
- nxdomain | passthru | tcp-only <quoted_string> ) ] [
- recursive-only <boolean> ] [ nsip-enable <boolean> ] [
- nsdname-enable <boolean> ]; ... } [ break-dnssec <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+ response-policy { zone <string> [ log <boolean> ] [ max-policy-ttl
+ <integer> ] [ min-update-interval <integer> ] [ policy ( cname
+ | disabled | drop | given | no-op | nodata | nxdomain |
+ passthru | tcp-only <quoted_string> ) ] [ recursive-only
+ <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable
+ <boolean> ]; ... } [ break-dnssec <boolean> ] [ max-policy-ttl
+ <integer> ] [ min-update-interval <integer> ] [ min-ns-dots
+ <integer> ] [ nsip-wait-recurse <boolean> ] [
qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [
nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
auth-nxdomain <boolean>; // default changed
auto-dnssec ( allow | maintain | off );
cache-file <quoted_string>;
- catalog-zones { zone <quoted_string> [ default-masters [ port
- <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
- port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+ catalog-zones { zone <string> [ default-masters [ port <integer> ]
+ [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
+ <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
<string> ]; ... } ] [ zone-directory <quoted_string> ] [
in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
check-dup-records ( fail | warn | ignore );
resolver-retry-interval <integer>;
response-padding { <address_match_element>; ... } block-size
<integer>;
- response-policy { zone <quoted_string> [ log <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- policy ( cname | disabled | drop | given | no-op | nodata |
- nxdomain | passthru | tcp-only <quoted_string> ) ] [
- recursive-only <boolean> ] [ nsip-enable <boolean> ] [
- nsdname-enable <boolean> ]; ... } [ break-dnssec <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+ response-policy { zone <string> [ log <boolean> ] [ max-policy-ttl
+ <integer> ] [ min-update-interval <integer> ] [ policy ( cname
+ | disabled | drop | given | no-op | nodata | nxdomain |
+ passthru | tcp-only <quoted_string> ) ] [ recursive-only
+ <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable
+ <boolean> ]; ... } [ break-dnssec <boolean> ] [ max-policy-ttl
+ <integer> ] [ min-update-interval <integer> ] [ min-ns-dots
+ <integer> ] [ nsip-wait-recurse <boolean> ] [
qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [
nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
-.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this