From: Mark Andrews Date: Wed, 7 Aug 2024 05:47:05 +0000 (+1000) Subject: Document -M tag_min:tag_max X-Git-Tag: v9.21.1~19^2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c347fb321a218d59763a6759fd3aaf6d0266cd2;p=thirdparty%2Fbind9.git Document -M tag_min:tag_max A new argument has been added to dnssec-keygen and dnssec-keyfromlabel to restrict the tag value of key generated / imported to a particular range. This is intended to be used by multi-signers. Co-authored-by: Suzanne Goldlust --- diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index d0cc5ef5cdb..2805bc612e0 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst @@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} +:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} Description ~~~~~~~~~~~ 
@@ -123,6 +123,18 @@ Options place, in which case the existing TTL would take precedence. Setting the default TTL to ``0`` or ``none`` removes it. +.. option:: -M tag_min:tag_max + + This option sets the range of key tag values + that ``dnssec-keyfromlabel`` will accept. If the key tag of the new + key or the key tag of the revoked version of the new key is + outside this range, the new key will be rejected. This is + designed to be used when generating keys in a multi-signer + scenario, where each operator is given a range of key tags to + prevent collisions among different operators. The valid + values for ``tag_min`` and ``tag_max`` are [0..65535]. The + default allows all key tag values to be accepted. + .. option:: -p protocol This option sets the protocol value for the key. The protocol is a number between diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 88044ee26be..ff73377ecb0 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} +:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} Description ~~~~~~~~~~~ 
@@ -150,6 +150,19 @@ Options This option provides a configuration file that contains a ``dnssec-policy`` statement (matching the policy set with :option:`-k`). +.. option:: -M tag_min:tag_max + + This option sets the range of acceptable key tag values that ``dnssec-keygen`` + will produce. If the key tag of the new key or the key tag of + the revoked version of the new key is outside this range, + the new key will be rejected and another new key will be generated. + This is designed to be used when generating keys in a multi-signer + scenario, where each operator is given a range of key tags to + prevent collisions among different operators. The valid values + for ``tag_min`` and ``tag_max`` are [0..65535]. The default allows all + key tag values to be produced. This option is ignored when ``-k policy`` + is specified. + .. option:: -n nametype This option specifies the owner type of the key. The value of ``nametype`` must
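Review bot: in the dnssec-keyfromlabel.rst options hunk, "the new key will be rejected" is not enough for a label-backed key, because unlike dnssec-keygen there is nothing to retry: the text should state the outcome (an error exit with no key files written) and what the operator does next (create a different key in the HSM and run the import again). The same paragraph should say whether ``tag_min`` and ``tag_max`` are inclusive, what happens when ``tag_min`` is greater than ``tag_max``, and why the revoked tag is checked at all: setting the REVOKE flag changes the Flags field and therefore the key tag, so a key accepted today could fall outside the operator's range once it is revoked. Spelling out the default as ``0:65535`` would be clearer than "The default allows all key tag values to be accepted".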
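Review bot: in the dnssec-keygen.rst options hunk, "the new key will be rejected and another new key will be generated" leaves open whether there is an attempt limit; each retry is a full key-pair generation, which is slow for RSA, and a narrow range needs many retries, so the text should warn about that cost and say whether generation can fail after some number of attempts. "This option is ignored when ``-k policy`` is specified" silently drops a collision-avoidance setting that a multi-signer operator is relying on; suggest either stating that a warning is printed (and adding one if it is not) or telling the reader that the tag range must then be expressed through the ``dnssec-policy`` instead.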