From: Tinderbox User Date: Sun, 17 Nov 2019 07:25:57 +0000 (+0000) Subject: prep 9.15.6 X-Git-Tag: v9.15.6^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=767a2aef435283972faf59376e4cc4bcab7e086f;p=thirdparty%2Fbind9.git prep 9.15.6 --- diff --git a/CHANGES b/CHANGES index a5981b7862c..82d1ea501ef 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.15.6 released --- + 5319. [func] Trust anchors can now be configured using DS format to represent a key digest, by using the new "initial-ds" or "static-ds" keywords in diff --git a/PLATFORMS b/PLATFORMS index a9e9eab2a62..56b45c93577 100644 --- a/PLATFORMS +++ b/PLATFORMS @@ -4,10 +4,11 @@ Supported platforms In general, this version of BIND will build and run on any POSIX-compliant system with a C11-compliant C compiler, BSD-style sockets with -RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL -cryptography library. Atomic operations support from the compiler is -needed, either in the form of builtin operations, C11 atomics or the -Interlocked family of functions on Windows. +RFC-compliant IPv6 support, POSIX-compliant threads, the libuv +asynchronous I/O library, and the OpenSSL cryptography library. Atomic +operations support from the compiler is needed, either in the form of +builtin operations, C11 atomics, or the Interlocked family of functions on +Windows. BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). For some of the older systems listed below, you will have to install diff --git a/PLATFORMS.md b/PLATFORMS.md index c5fbaeb3dcf..ef80009dd72 100644 --- a/PLATFORMS.md +++ b/PLATFORMS.md 
@@ -12,10 +12,10 @@ In general, this version of BIND will build and run on any POSIX-compliant system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant -IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library. -Atomic operations support from the compiler is needed, either in the form of -builtin operations, C11 atomics or the Interlocked family of functions on -Windows. +IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library, +and the OpenSSL cryptography library. Atomic operations support from the +compiler is needed, either in the form of builtin operations, C11 atomics, +or the `Interlocked` family of functions on Windows. BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). For some of the older systems listed below, you will have to install updated libuv diff --git a/README b/README index a01871b0fa2..c7e010c107c 100644 --- a/README +++ b/README @@ -48,7 +48,8 @@ the file HISTORY. For a detailed list of changes made throughout the history of BIND 9, see the file CHANGES. See below for details on the CHANGES file format. -For up-to-date versions and release notes, see https://www.isc.org/download/. +For up-to-date versions and release notes, see https://www.isc.org/ +download/. For information about supported platforms, see PLATFORMS. 
@@ -110,25 +111,30 @@ BIND 9.15 features BIND 9.15 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.14 and earlier releases. New features include: + * New "dnssec-policy" statement to configure a key and signing policy + for zones, enabling automatic key regeneration and rollover. + * New new network manager based on libuv. * Support for the new GeoIP2 geolocation API - * Improved DNSSEC key configuration using dnssec-keys + * Improved DNSSEC trust anchor configuration using dnssec-keys, + permitting configuration of trust anchors in DS as well as DNSKEY + format. * YAML output for dig, mdig, and delv. Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, -basic POSIX support, and a 64-bit integer type. Successful builds have -been observed on many versions of Linux and UNIX, including RHEL/CentOS, -Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, -NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and -OpenWRT. - -BIND requires a cryptography provider library such as OpenSSL or a -hardware service module supporting PKCS#11. On Linux, BIND requires the -libcap library to set process privileges, though this requirement can be -overridden by disabling capability support at compile time. See -Compile-time options below for details on other libraries that may be -required to support optional features. +basic POSIX support, and a 64-bit integer type. BIND also requires the +libuv asynchronous I/O library, and a cryptography provider library such +as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND +requires the libcap library to set process privileges, though this +requirement can be overridden by disabling capability support at compile +time. See Compile-time options below for details on other libraries that +may be required to support optional features. 
+ +Successful builds have been observed on many versions of Linux and UNIX, +including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, +Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, +HP-UX, and OpenWRT. BIND is also available for Windows Server 2008 and higher. See win32utils/ build.txt for details on building for Windows systems. diff --git a/README.md b/README.md index 1c925f990bd..14646569ff8 100644 --- a/README.md +++ b/README.md 
@@ -129,25 +129,29 @@ include: * New "dnssec-policy" statement to configure a key and signing policy for zones, enabling automatic key regeneration and rollover. -* A new network manager based on libuv. +* New new network manager based on libuv. * Support for the new GeoIP2 geolocation API -* Improved DNSSEC trust anchor configuration using `dnssec-keys` +* Improved DNSSEC trust anchor configuration using `dnssec-keys`, + permitting configuration of trust anchors in DS as well as + DNSKEY format. * YAML output for `dig`, `mdig`, and `delv`. ### Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, -basic POSIX support, and a 64-bit integer type. Successful builds have been -observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora, -Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD, -OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT. - -BIND requires a cryptography provider library such as OpenSSL or a -hardware service module supporting PKCS#11. On Linux, BIND requires -the `libcap` library to set process privileges, though this requirement -can be overridden by disabling capability support at compile time. -See [Compile-time options](#opts) below for details on other libraries -that may be required to support optional features. +basic POSIX support, and a 64-bit integer type. BIND also requires the +`libuv` asynchronous I/O library, and a cryptography provider library +such as OpenSSL or a hardware service module supporting PKCS#11. On +Linux, BIND requires the `libcap` library to set process privileges, +though this requirement can be overridden by disabling capability +support at compile time. See [Compile-time options](#opts) below +for details on other libraries that may be required to support +optional features. 
+ +Successful builds have been observed on many versions of Linux and +UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, +Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, +OpenIndiana, OmniOS CE, HP-UX, and OpenWRT. BIND is also available for Windows Server 2008 and higher. See `win32utils/build.txt` for details on building for Windows diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 0450efac890..0d6d3005566 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 
@@ -39,7 +39,7 @@ dnssec-keygen \- DNSSEC key generation tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-keygen\fR\ 'u -\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name} +\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name} .SH "DESCRIPTION" .PP 
\fBdnssec\-keygen\fR @@ -109,6 +109,11 @@ option suppresses them\&. Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&. .RE .PP +\-d \fIbits\fR +.RS 4 +Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&. +.RE +.PP \-E \fIengine\fR .RS 4 Specifies the cryptographic hardware to use, when applicable\&. @@ -142,6 +147,17 @@ Prints a short summary of the options and arguments to Sets the directory in which the key files are to be written\&. .RE .PP +\-k \fIpolicy\fR +.RS 4 +Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys, +\fBdnssec\-keygen\fR +will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&. +.sp +This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that +\fBdnssec\-keygen\fR +provides\&. +.RE +.PP \-L \fIttl\fR .RS 4 Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to @@ -151,6 +167,12 @@ none is the same as leaving it unset\&. .RE .PP +\-l \fIfile\fR +.RS 4 +Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with +\fB\-k\fR)\&. +.RE +.PP \-n \fInametype\fR .RS 4 Specifies the owner type of the key\&. The value of diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index bff3cf81490..76b82323827 100644 
--- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -41,6 +41,7 @@ [-c class] [-D date/offset] [-D sync date/offset] + [-d bits] [-E engine] [-f flag] [-G] @@ -49,8 +50,9 @@ [-I date/offset] [-i interval] [-K directory] - [-k] + [-k policy] [-L ttl] + [-l file] [-n nametype] [-P date/offset] [-P sync date/offset] @@ -59,6 +61,7 @@ [-R date/offset] [-S key] [-s strength] + [-T rrtype] [-t type] [-V] [-v level] @@ -168,6 +171,15 @@ the specified class. If not specified, class IN is used.

+
-d bits
+
+

+ Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, + RSASHA256 and RSASHA512 the key size must be in range 1024-4096. + DH size is between 128 and 4096. This option is ignored for + algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448. +

+
-E engine
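Review bot: In the new `-d bits` entry (hunk @@ -168,6 +171,15 @@), "NSEC3RSASA1" is a typo for NSEC3RSASHA1, and the description ("Key size in bits") is indistinguishable from the existing `-b keysize` option that stays in the synopsis; say how -d differs from -b, or the two entries will confuse readers. The same text is in the dnssec-keygen.8 hunk above, so the fix belongs in the source both are generated from. Separately, `[-T rrtype]` is added to the synopsis in the @@ -59,6 +61,7 @@ hunk, but no OPTIONS entry describing -T appears anywhere in this patch.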

@@ -218,6 +230,21 @@ Sets the directory in which the key files are to be written.

+
-k policy
+
+

+ Create keys for a specific dnssec-policy. If a policy uses + multiple keys, dnssec-keygen will generate + multiple keys. This will also create a ".state" file to keep + track of the key state. +

+

+ This option creates keys according to the dnssec-policy + configuration, hence it cannot be used together with many of + the other options that dnssec-keygen + provides. +

+
-L ttl
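Review bot: The `-k policy` text (hunk @@ -218,6 +230,21 @@) says the option "cannot be used together with many of the other options" without naming them; list the conflicting options (the key-parameter and timing options such as -a, -b, -f, -n, -P, -A look like the obvious candidates, but that is a guess from the synopsis) or point to the dnssec-policy statement they are taken from, so users know which settings named.conf now controls. The same wording is in the dnssec-keygen.8 hunk.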

@@ -231,6 +258,13 @@ or none is the same as leaving it unset.

+
-l file
+
+

+ Provide a configuration file that contains a dnssec-policy + statement (matching the policy set with -k). +

+
-n nametype
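Review bot: The `-l file` entry (hunk @@ -231,6 +258,13 @@) does not say what happens when -k is given without -l: state whether a default configuration file is read or whether -l is required alongside -k, and cross-reference -l from the -k entry so the pairing is discoverable.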

diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8 index cd04021f76f..d5bde8f8d0a 100644 --- a/bin/dnssec/dnssec-settime.8 +++ b/bin/dnssec/dnssec-settime.8 @@ -39,7 +39,7 @@ dnssec-settime \- set the key timing metadata for a DNSSEC key .SH "SYNOPSIS" .HP \w'\fBdnssec\-settime\fR\ 'u -\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile} +\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-s\fR] [\fB\-g\ \fR\fB\fIstate\fR\fR] [\fB\-d\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-z\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] {keyfile} .SH "DESCRIPTION" .PP \fBdnssec\-settime\fR 
@@ -59,7 +59,25 @@ simply prints the key timing metadata already stored in the key\&. .PP When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key and -Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&. +Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. +.PP +Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&. +.PP +When working with state files, it is possible to update the timing metadata in those files as well with +\fB\-s\fR\&. If this option is used you can also update key states with +\fB\-d\fR +(DS), +\fB\-k\fR +(DNSKEY), +\fB\-r\fR +(RRSIG of KSK), or +\fB\-z\fR +(RRSIG of ZSK)\&. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE\&. +.PP +You can also set the goal state of the key with +\fB\-g\fR\&. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published)\&. +.PP +It is NOT RECOMMENDED to manipulate state files manually except for testing purposes\&. .SH "OPTIONS" .PP \-f 
@@ -156,6 +174,39 @@ If the key is being set to be an explicit successor to another key, then the def .sp As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&. .RE +.SH "KEY STATE OPTIONS" +.PP +Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE\&. These should not be set manually except for testing purposes\&. +.PP +\-s +.RS 4 +When setting key timing data, also update the state file\&. +.RE +.PP +\-g +.RS 4 +Set the goal state for this key\&. Must be HIDDEN or OMNIPRESENT\&. +.RE +.PP +\-d +.RS 4 +Set the DS state for this key, and when it was last changed\&. +.RE +.PP +\-k +.RS 4 +Set the DNSKEY state for this key, and when it was last changed\&. +.RE +.PP +\-r +.RS 4 +Set the RRSIG (KSK) state for this key, and when it was last changed\&. +.RE +.PP +\-z +.RS 4 +Set the RRSIG (ZSK) state for this key, and when it was last changed\&. +.RE .SH "PRINTING OPTIONS" .PP \fBdnssec\-settime\fR diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html index 58122a3d3ab..4e88775c6ac 100644 --- a/bin/dnssec/dnssec-settime.html +++ b/bin/dnssec/dnssec-settime.html @@ -49,6 +49,12 @@ [-V] [-v level] [-E engine] + [-s] + [-g state] + [-d state date/offset] + [-k state date/offset] + [-r state date/offset] + [-z state date/offset] {keyfile}

@@ -74,11 +80,30 @@ When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated. +

+

Metadata fields are stored in the private file. A human-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).

+

+ When working with state files, it is possible to update the timing + metadata in those files as well with -s. If this + option is used you can also update key states with -d + (DS), -k (DNSKEY), -r (RRSIG of KSK), + or -z (RRSIG of ZSK). Allowed states are HIDDEN, + RUMOURED, OMNIPRESENT, and UNRETENTIVE. +

+

+ You can also set the goal state of the key with -g. + This should be either HIDDEN or OMNIPRESENT (representing whether the + key should be removed from the zone, or published). +

+

+ It is NOT RECOMMENDED to manipulate state files manually except for + testing purposes. +

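Review bot: The new state-file paragraph (hunk @@ -74,11 +80,30 @@) is ambiguous about whether -s is a prerequisite: "If this option is used you can also update key states with -d ..." reads as though -d/-k/-r/-z only take effect together with -s. State the dependency explicitly, and mention here that each of -d/-k/-r/-z takes a state plus a date/offset, as the synopsis hunk above shows, since the prose names only the state.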
@@ -262,7 +287,57 @@
-

PRINTING OPTIONS

+

KEY STATE OPTIONS

+ +

+ Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE. + These should not be set manually except for testing purposes. +

+ +
+
-s
+
+

+ When setting key timing data, also update the state file. +

+
+
-g
+
+

+ Set the goal state for this key. Must be HIDDEN or OMNIPRESENT. +

+
+
-d
+
+

+ Set the DS state for this key, and when it was last changed. +

+
+
-k
+
+

+ Set the DNSKEY state for this key, and when it was last changed. +

+
+
-r
+
+

+ Set the RRSIG (KSK) state for this key, and when it was last + changed. +

+
+
-z
+
+

+ Set the RRSIG (ZSK) state for this key, and when it was last + changed. +

+
+
+
+ +
+

PRINTING OPTIONS

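Review bot: In the KEY STATE OPTIONS list (hunk @@ -262,7 +287,57 @@) the entries are rendered as bare `-g`, `-d`, `-k`, `-r` and `-z`, while the synopsis shows `-g state` and `-d state date/offset` and so on; add the argument placeholders to each entry so the per-option text matches the synopsis, and say which date/offset syntax the "when it was last changed" value uses (presumably the same one as -P and -A). The dnssec-settime.8 hunk has the same omission.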
dnssec-settime can also be used to print the @@ -298,7 +373,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8) diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 510e2b5c0ae..45d30a8d7d2 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -10,12 +10,12 @@ .\" Title: named.conf .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2019-08-07 +.\" Date: 2019-08-12 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9" +.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -104,7 +104,8 @@ dlz \fIstring\fR { .\} .nf dnssec\-keys { \fIstring\fR ( static\-key | - initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR + initial\-key | static\-ds | initial\-ds ) + \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; .fi .if n \{\ @@ -170,9 +171,9 @@ Deprecated \- see DNSSEC\-KEYS\&. .\} .nf managed\-keys { \fIstring\fR ( static\-key - | initial\-key ) \fIinteger\fR - \fIinteger\fR \fIinteger\fR - \fIquoted_string\fR; \&.\&.\&. }; deprecated + | initial\-key | static\-ds | + initial\-ds ) \fIinteger\fR \fIinteger\fR + \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; deprecated .fi .if n \{\ .RE @@ -230,7 +231,7 @@ options { [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [ - in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. }; + in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. }; check\-dup\-records ( fail | warn | ignore ); check\-integrity \fIboolean\fR; check\-mx ( fail | warn | ignore ); 
@@ -312,18 +313,18 @@ options { fstrm\-set\-output\-notify\-threshold \fIinteger\fR; fstrm\-set\-output\-queue\-model ( mpsc | spsc ); fstrm\-set\-output\-queue\-size \fIinteger\fR; - fstrm\-set\-reopen\-interval \fIttlval\fR; + fstrm\-set\-reopen\-interval \fIduration\fR; geoip\-directory ( \fIquoted_string\fR | none ); glue\-cache \fIboolean\fR; heartbeat\-interval \fIinteger\fR; hostname ( \fIquoted_string\fR | none ); inline\-signing \fIboolean\fR; - interface\-interval \fIttlval\fR; + interface\-interval \fIduration\fR; ixfr\-from\-differences ( primary | master | secondary | slave | \fIboolean\fR ); keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. }; key\-directory \fIquoted_string\fR; - lame\-ttl \fIttlval\fR; + lame\-ttl \fIduration\fR; listen\-on [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] { \fIaddress_match_element\fR; \&.\&.\&. }; 
@@ -337,28 +338,28 @@ options { masterfile\-style ( full | relative ); match\-mapped\-addresses \fIboolean\fR; max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR ); - max\-cache\-ttl \fIttlval\fR; + max\-cache\-ttl \fIduration\fR; max\-clients\-per\-query \fIinteger\fR; max\-journal\-size ( default | unlimited | \fIsizeval\fR ); - max\-ncache\-ttl \fIttlval\fR; + max\-ncache\-ttl \fIduration\fR; max\-records \fIinteger\fR; max\-recursion\-depth \fIinteger\fR; max\-recursion\-queries \fIinteger\fR; max\-refresh\-time \fIinteger\fR; max\-retry\-time \fIinteger\fR; max\-rsa\-exponent\-size \fIinteger\fR; - max\-stale\-ttl \fIttlval\fR; + max\-stale\-ttl \fIduration\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; max\-transfer\-time\-in \fIinteger\fR; max\-transfer\-time\-out \fIinteger\fR; max\-udp\-size \fIinteger\fR; - max\-zone\-ttl ( unlimited | \fIttlval\fR ); + max\-zone\-ttl ( unlimited | \fIduration\fR ); memstatistics \fIboolean\fR; memstatistics\-file \fIquoted_string\fR; message\-compression \fIboolean\fR; - min\-cache\-ttl \fIttlval\fR; - min\-ncache\-ttl \fIttlval\fR; + min\-cache\-ttl \fIduration\fR; + min\-ncache\-ttl \fIduration\fR; min\-refresh\-time \fIinteger\fR; min\-retry\-time \fIinteger\fR; minimal\-any \fIboolean\fR; @@ -375,8 +376,8 @@ options { notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; notify\-to\-soa \fIboolean\fR; - nta\-lifetime \fIttlval\fR; - nta\-recheck \fIttlval\fR; + nta\-lifetime \fIduration\fR; + nta\-recheck \fIduration\fR; nxdomain\-redirect \fIstring\fR; pid\-file ( \fIquoted_string\fR | none ); port \fIinteger\fR; 
@@ -423,13 +424,13 @@ options { response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size \fIinteger\fR; response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log - \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval - \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op | + \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval + \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [ - break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ - min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [ + break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ + min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [ @@ -443,7 +444,7 @@ options { serial\-query\-rate \fIinteger\fR; serial\-update\-method ( date | increment | unixtime ); server\-id ( \fIquoted_string\fR | none | hostname ); - servfail\-ttl \fIttlval\fR; + servfail\-ttl \fIduration\fR; session\-keyalg \fIstring\fR; session\-keyfile ( \fIquoted_string\fR | none ); session\-keyname \fIstring\fR; @@ -454,7 +455,7 @@ options { sortlist { \fIaddress_match_element\fR; \&.\&.\&. }; stacksize ( default | unlimited | \fIsizeval\fR ); stale\-answer\-enable \fIboolean\fR; - stale\-answer\-ttl \fIttlval\fR; + stale\-answer\-ttl \fIduration\fR; startup\-notify\-rate \fIinteger\fR; statistics\-file \fIquoted_string\fR; synth\-from\-dnssec \fIboolean\fR; 
@@ -612,7 +613,7 @@ view \fIstring\fR [ \fIclass\fR ] { [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [ - in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. }; + in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. }; check\-dup\-records ( fail | warn | ignore ); check\-integrity \fIboolean\fR; check\-mx ( fail | warn | ignore ); @@ -655,8 +656,9 @@ view \fIstring\fR [ \fIclass\fR ] { dnssec\-accept\-expired \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-keys { \fIstring\fR ( static\-key | - initial\-key ) \fIinteger\fR \fIinteger\fR - \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; + initial\-key | static\-ds | initial\-ds + ) \fIinteger\fR \fIinteger\fR \fIinteger\fR + \fIquoted_string\fR; \&.\&.\&. }; dnssec\-loadkeys\-interval \fIinteger\fR; dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; @@ -690,10 +692,11 @@ view \fIstring\fR [ \fIclass\fR ] { secret \fIstring\fR; }; key\-directory \fIquoted_string\fR; - lame\-ttl \fIttlval\fR; + lame\-ttl \fIduration\fR; lmdb\-mapsize \fIsizeval\fR; managed\-keys { \fIstring\fR ( static\-key | initial\-key + | static\-ds | initial\-ds ) \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; deprecated 
@@ -703,25 +706,25 @@ view \fIstring\fR [ \fIclass\fR ] { match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. }; match\-recursive\-only \fIboolean\fR; max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR ); - max\-cache\-ttl \fIttlval\fR; + max\-cache\-ttl \fIduration\fR; max\-clients\-per\-query \fIinteger\fR; max\-journal\-size ( default | unlimited | \fIsizeval\fR ); - max\-ncache\-ttl \fIttlval\fR; + max\-ncache\-ttl \fIduration\fR; max\-records \fIinteger\fR; max\-recursion\-depth \fIinteger\fR; max\-recursion\-queries \fIinteger\fR; max\-refresh\-time \fIinteger\fR; max\-retry\-time \fIinteger\fR; - max\-stale\-ttl \fIttlval\fR; + max\-stale\-ttl \fIduration\fR; max\-transfer\-idle\-in \fIinteger\fR; max\-transfer\-idle\-out \fIinteger\fR; max\-transfer\-time\-in \fIinteger\fR; max\-transfer\-time\-out \fIinteger\fR; max\-udp\-size \fIinteger\fR; - max\-zone\-ttl ( unlimited | \fIttlval\fR ); + max\-zone\-ttl ( unlimited | \fIduration\fR ); message\-compression \fIboolean\fR; - min\-cache\-ttl \fIttlval\fR; - min\-ncache\-ttl \fIttlval\fR; + min\-cache\-ttl \fIduration\fR; + min\-ncache\-ttl \fIduration\fR; min\-refresh\-time \fIinteger\fR; min\-retry\-time \fIinteger\fR; minimal\-any \fIboolean\fR; @@ -737,8 +740,8 @@ view \fIstring\fR [ \fIclass\fR ] { notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; notify\-to\-soa \fIboolean\fR; - nta\-lifetime \fIttlval\fR; - nta\-recheck \fIttlval\fR; + nta\-lifetime \fIduration\fR; + nta\-recheck \fIduration\fR; nxdomain\-redirect \fIstring\fR; plugin ( query ) \fIstring\fR [ { \fIunspecified\-text\fR } ]; 
@@ -780,13 +783,13 @@ view \fIstring\fR [ \fIclass\fR ] { response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size \fIinteger\fR; response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log - \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval - \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op | + \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval + \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [ - break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ - min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [ + break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ + min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [ @@ -831,14 +834,14 @@ view \fIstring\fR [ \fIclass\fR ] { \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; transfers \fIinteger\fR; }; - servfail\-ttl \fIttlval\fR; + servfail\-ttl \fIduration\fR; sig\-signing\-nodes \fIinteger\fR; sig\-signing\-signatures \fIinteger\fR; sig\-signing\-type \fIinteger\fR; sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ]; sortlist { \fIaddress_match_element\fR; \&.\&.\&. }; stale\-answer\-enable \fIboolean\fR; - stale\-answer\-ttl \fIttlval\fR; + stale\-answer\-ttl \fIduration\fR; synth\-from\-dnssec \fIboolean\fR; transfer\-format ( many\-answers | one\-answer ); transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ 
@@ -890,6 +893,7 @@ view \fIstring\fR [ \fIclass\fR ] { dnskey\-sig\-validity \fIinteger\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-policy \fIstring\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); file \fIquoted_string\fR; @@ -915,7 +919,7 @@ view \fIstring\fR [ \fIclass\fR ] { max\-transfer\-idle\-out \fIinteger\fR; max\-transfer\-time\-in \fIinteger\fR; max\-transfer\-time\-out \fIinteger\fR; - max\-zone\-ttl ( unlimited | \fIttlval\fR ); + max\-zone\-ttl ( unlimited | \fIduration\fR ); min\-refresh\-time \fIinteger\fR; min\-retry\-time \fIinteger\fR; multi\-master \fIboolean\fR; @@ -996,6 +1000,7 @@ zone \fIstring\fR [ \fIclass\fR ] { dnskey\-sig\-validity \fIinteger\fR; dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-loadkeys\-interval \fIinteger\fR; + dnssec\-policy \fIstring\fR; dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); file \fIquoted_string\fR; @@ -1020,7 +1025,7 @@ zone \fIstring\fR [ \fIclass\fR ] { max\-transfer\-idle\-out \fIinteger\fR; max\-transfer\-time\-in \fIinteger\fR; max\-transfer\-time\-out \fIinteger\fR; - max\-zone\-ttl ( unlimited | \fIttlval\fR ); + max\-zone\-ttl ( unlimited | \fIduration\fR ); min\-refresh\-time \fIinteger\fR; min\-retry\-time \fIinteger\fR; multi\-master \fIboolean\fR; 
@@ -1062,6 +1067,30 @@ zone \fIstring\fR [ \fIclass\fR ] { .if n \{\ .RE .\} +.SH "DNSSEC-POLICY" +.sp +.if n \{\ +.RS 4 +.\} +.nf +dnssec\-policy \fIstring\fR { + dnskey\-ttl \fIttlval\fR; + keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. }; + parent\-ds\-ttl \fIduration\fR; + parent\-propagation\-delay \fIduration\fR; + parent\-registration\-delay \fIduration\fR; + publish\-safety \fIduration\fR; + retire\-safety \fIduration\fR; + signatures\-refresh \fIduration\fR; + signatures\-validity \fIduration\fR; + signatures\-validity\-dnskey \fIduration\fR; + zone\-max\-ttl \fIduration\fR; + zone\-propagation\-delay \fIduration\fR; +}; +.fi +.if n \{\ +.RE +.\} .SH "FILES" .PP /etc/named\&.conf diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index a34d5b0e063..c23c10a5448 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -95,7 +95,8 @@ dlz

DNSSEC-KEYS


dnssec-keys { string ( static-key |
-    initial-key ) integer integer integer
+    initial-key | static-ds | initial-ds )
+    integer integer integer
    quoted_string; ... };
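Review bot: the synopsis gives `static-ds` and `initial-ds` the same `integer integer integer quoted_string` shape as `static-key`/`initial-key`, but the fields mean different things: for the DS forms they are key tag, algorithm and digest type followed by a hex digest (as in the ARM example `example.com. static-ds 54135 5 2 "8EF9..."` later in this patch), for the key forms flags, protocol and algorithm followed by a base64 key (`257 3 5 "AwEAA..."`). A synopsis cannot express that, so the `dnssec-keys` description in named.conf.5 and named.conf.html should spell out both field layouts; the same applies to the deprecated `managed-keys` entry below.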

@@ -144,9 +145,9 @@ logging

Deprecated - see DNSSEC-KEYS.


managed-keys { string ( static-key
-    | initial-key ) integer
-    integer integer
-    quoted_string; ... }; deprecated
+    | initial-key | static-ds |
+    initial-ds ) integer integer
+    integer quoted_string; ... }; deprecated

@@ -196,7 +197,7 @@ options     [ dscp integer ] { ( masters | ipv4_address [ port
    integer ] | ipv6_address [ port integer ] ) [ key
    string ]; ... } ] [ zone-directory quoted_string ] [
-     in-memory boolean ] [ min-update-interval ttlval ]; ... };
+     in-memory boolean ] [ min-update-interval duration ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity boolean;
check-mx ( fail | warn | ignore );
@@ -278,18 +279,18 @@ options fstrm-set-output-notify-threshold integer;
fstrm-set-output-queue-model ( mpsc | spsc );
fstrm-set-output-queue-size integer;
- fstrm-set-reopen-interval ttlval;
+ fstrm-set-reopen-interval duration;
geoip-directory ( quoted_string | none );
glue-cache boolean;
heartbeat-interval integer;
hostname ( quoted_string | none );
inline-signing boolean;
- interface-interval ttlval;
+ interface-interval duration;
ixfr-from-differences ( primary | master | secondary | slave |
    boolean );
keep-response-order { address_match_element; ... };
key-directory quoted_string;
- lame-ttl ttlval;
+ lame-ttl duration;
listen-on [ port integer ] [ dscp
    integer ] {
    address_match_element; ... };
@@ -303,28 +304,28 @@ options masterfile-style ( full | relative );
match-mapped-addresses boolean;
max-cache-size ( default | unlimited | sizeval | percentage );
- max-cache-ttl ttlval;
+ max-cache-ttl duration;
max-clients-per-query integer;
max-journal-size ( default | unlimited | sizeval );
- max-ncache-ttl ttlval;
+ max-ncache-ttl duration;
max-records integer;
max-recursion-depth integer;
max-recursion-queries integer;
max-refresh-time integer;
max-retry-time integer;
max-rsa-exponent-size integer;
- max-stale-ttl ttlval;
+ max-stale-ttl duration;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-udp-size integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
memstatistics boolean;
memstatistics-file quoted_string;
message-compression boolean;
- min-cache-ttl ttlval;
- min-ncache-ttl ttlval;
+ min-cache-ttl duration;
+ min-ncache-ttl duration;
min-refresh-time integer;
min-retry-time integer;
minimal-any boolean;
@@ -341,8 +342,8 @@ options notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
    [ dscp integer ];
notify-to-soa boolean;
- nta-lifetime ttlval;
- nta-recheck ttlval;
+ nta-lifetime duration;
+ nta-recheck duration;
nxdomain-redirect string;
pid-file ( quoted_string | none );
port integer;
@@ -389,13 +390,13 @@ options response-padding { address_match_element; ... } block-size
    integer;
response-policy { zone string [ add-soa boolean ] [ log
-     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
-     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
+     boolean ] [ max-policy-ttl duration ] [ min-update-interval
+     duration ] [ policy ( cname | disabled | drop | given | no-op |
    nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
    recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ]; ... } [ add-soa boolean ] [
-     break-dnssec boolean ] [ max-policy-ttl ttlval ] [
-     min-update-interval ttlval ] [ min-ns-dots integer ] [
+     break-dnssec boolean ] [ max-policy-ttl duration ] [
+     min-update-interval duration ] [ min-ns-dots integer ] [
    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
    [ recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ] [ dnsrps-enable boolean ] [
@@ -409,7 +410,7 @@ options serial-query-rate integer;
serial-update-method ( date | increment | unixtime );
server-id ( quoted_string | none | hostname );
- servfail-ttl ttlval;
+ servfail-ttl duration;
session-keyalg string;
session-keyfile ( quoted_string | none );
session-keyname string;
@@ -420,7 +421,7 @@ options sortlist { address_match_element; ... };
stacksize ( default | unlimited | sizeval );
stale-answer-enable boolean;
- stale-answer-ttl ttlval;
+ stale-answer-ttl duration;
startup-notify-rate integer;
statistics-file quoted_string;
synth-from-dnssec boolean;
@@ -557,7 +558,7 @@ view     [ dscp integer ] { ( masters | ipv4_address [ port
    integer ] | ipv6_address [ port integer ] ) [ key
    string ]; ... } ] [ zone-directory quoted_string ] [
-     in-memory boolean ] [ min-update-interval ttlval ]; ... };
+     in-memory boolean ] [ min-update-interval duration ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity boolean;
check-mx ( fail | warn | ignore );
@@ -600,8 +601,9 @@ view dnssec-accept-expired boolean;
dnssec-dnskey-kskonly boolean;
dnssec-keys { string ( static-key |
-     initial-key ) integer integer
-     integer quoted_string; ... };
+     initial-key | static-ds | initial-ds
+     ) integer integer integer
+     quoted_string; ... };
dnssec-loadkeys-interval integer;
dnssec-must-be-secure string boolean;
dnssec-secure-to-insecure boolean;
@@ -635,10 +637,11 @@ view secret string;
};
key-directory quoted_string;
- lame-ttl ttlval;
+ lame-ttl duration;
lmdb-mapsize sizeval;
managed-keys { string (
    static-key | initial-key
+     | static-ds | initial-ds
    ) integer integer
    integer
    quoted_string; ... }; deprecated
@@ -648,25 +651,25 @@ view match-destinations { address_match_element; ... };
match-recursive-only boolean;
max-cache-size ( default | unlimited | sizeval | percentage );
- max-cache-ttl ttlval;
+ max-cache-ttl duration;
max-clients-per-query integer;
max-journal-size ( default | unlimited | sizeval );
- max-ncache-ttl ttlval;
+ max-ncache-ttl duration;
max-records integer;
max-recursion-depth integer;
max-recursion-queries integer;
max-refresh-time integer;
max-retry-time integer;
- max-stale-ttl ttlval;
+ max-stale-ttl duration;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-udp-size integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
message-compression boolean;
- min-cache-ttl ttlval;
- min-ncache-ttl ttlval;
+ min-cache-ttl duration;
+ min-ncache-ttl duration;
min-refresh-time integer;
min-retry-time integer;
minimal-any boolean;
@@ -682,8 +685,8 @@ view notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
    [ dscp integer ];
notify-to-soa boolean;
- nta-lifetime ttlval;
- nta-recheck ttlval;
+ nta-lifetime duration;
+ nta-recheck duration;
nxdomain-redirect string;
plugin ( query ) string [ {
    unspecified-text } ];
@@ -725,13 +728,13 @@ view response-padding { address_match_element; ... } block-size
    integer;
response-policy { zone string [ add-soa boolean ] [ log
-     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
-     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
+     boolean ] [ max-policy-ttl duration ] [ min-update-interval
+     duration ] [ policy ( cname | disabled | drop | given | no-op |
    nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
    recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ]; ... } [ add-soa boolean ] [
-     break-dnssec boolean ] [ max-policy-ttl ttlval ] [
-     min-update-interval ttlval ] [ min-ns-dots integer ] [
+     break-dnssec boolean ] [ max-policy-ttl duration ] [
+     min-update-interval duration ] [ min-ns-dots integer ] [
    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
    [ recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ] [ dnsrps-enable boolean ] [
@@ -776,14 +779,14 @@ view     integer | * ) ] [ dscp integer ];
transfers integer;
};
- servfail-ttl ttlval;
+ servfail-ttl duration;
sig-signing-nodes integer;
sig-signing-signatures integer;
sig-signing-type integer;
sig-validity-interval integer [ integer ];
sortlist { address_match_element; ... };
stale-answer-enable boolean;
- stale-answer-ttl ttlval;
+ stale-answer-ttl duration;
synth-from-dnssec boolean;
transfer-format ( many-answers | one-answer );
transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
@@ -835,6 +838,7 @@ view dnskey-sig-validity integer;
dnssec-dnskey-kskonly boolean;
dnssec-loadkeys-interval integer;
+ dnssec-policy string;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
file quoted_string;
@@ -860,7 +864,7 @@ view max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
min-refresh-time integer;
min-retry-time integer;
multi-master boolean;
@@ -937,6 +941,7 @@ zone dnskey-sig-validity integer;
dnssec-dnskey-kskonly boolean;
dnssec-loadkeys-interval integer;
+ dnssec-policy string;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
file quoted_string;
@@ -961,7 +966,7 @@ zone max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
min-refresh-time integer;
min-retry-time integer;
multi-master boolean;
@@ -1003,14 +1008,35 @@ zone
-

FILES

+

DNSSEC-POLICY

+ +


+dnssec-policy string {
+ dnskey-ttl ttlval;
+ keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
+ parent-ds-ttl duration;
+ parent-propagation-delay duration;
+ parent-registration-delay duration;
+ publish-safety duration;
+ retire-safety duration;
+ signatures-refresh duration;
+ signatures-validity duration;
+ signatures-validity-dnskey duration;
+ zone-max-ttl duration;
+ zone-propagation-delay duration;
+};
+

+
+ +
+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

ddns-confgen(8) diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index ec6636234cb..18020ea2ece 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -276,7 +276,8 @@ See also Fetch all DNSSEC keys for the given zone from the key directory\&. If they are within their publication period, merge them into the zone\*(Aqs DNSKEY RRset\&. Unlike \fBrndc sign\fR, however, the zone is not immediately re\-signed by the new keys, but is allowed to incrementally re\-sign over time\&. .sp -This command requires that the +This command requires that the zone is configured with a +\fBdnssec\-policy\fR, or that the \fBauto\-dnssec\fR zone option be set to maintain, and also requires the zone to be configured to allow dynamic DNS\&. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details\&.) @@ -566,7 +567,8 @@ Fetch all DNSSEC keys for the given zone from the key directory (see the \fBkey\-directory\fR option in the BIND 9 Administrator Reference Manual)\&. If they are within their publication period, merge them into the zone\*(Aqs DNSKEY RRset\&. If the DNSKEY RRset is changed, then the zone is automatically re\-signed with the new key set\&. .sp -This command requires that the +This command requires that the zone is configured with a +\fBdnssec\-policy\fR, or that the \fBauto\-dnssec\fR zone option be set to allow @@ -702,7 +704,7 @@ in each view\&. The list includes both statically configured keys and dynamic TK .PP \fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR .RS 4 -Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. +Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. The cache is flushed when validation is turned on or off to avoid using data that might differ between states\&. .RE .PP \fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR 
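Review bot: in the new DNSSEC-POLICY synopsis (both named.conf.5 and named.conf.html) `dnskey-ttl ttlval;` is the only remaining use of `ttlval`; every other TTL-valued option this commit touches (`max-zone-ttl`, `servfail-ttl`, `stale-answer-ttl`, `max-cache-ttl`, `nta-lifetime`, ...) is renamed to `duration`, and the sibling `zone-max-ttl duration;` a few lines further down in the same block already uses the new name. Change it to `dnskey-ttl duration;` or say why it differs from the rest of the block.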
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index c95d016a3f7..762b283bfee 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -366,7 +366,8 @@ allowed to incrementally re-sign over time.

- This command requires that the + This command requires that the zone is configured with a + dnssec-policy, or that the auto-dnssec zone option be set to maintain, and also requires the zone to be configured to @@ -721,7 +722,8 @@ re-signed with the new key set.

- This command requires that the + This command requires that the zone is configured with a + dnssec-policy, or that the auto-dnssec zone option be set to allow or maintain, @@ -914,6 +916,8 @@

Enable, disable, or check the current status of DNSSEC validation. By default, validation is enabled. + The cache is flushed when validation is turned on or off + to avoid using data that might differ between states.

zonestatus zone [class [view]]
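Review bot: "requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set" mixes indicative and subjunctive within one sentence; "requires that the zone be configured with a dnssec-policy, or that the auto-dnssec zone option be set" reads consistently, and the wording occurs twice (loadkeys and sign) in both rndc.8 and rndc.html. For the added "The cache is flushed when validation is turned on or off" sentence: the synopsis is `validation ( on | off | status ) [view ...]`, so state whether only the caches of the named views are flushed or every view's cache, since that determines the impact of toggling validation on a busy resolver.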
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 4e0cfcb2e24..89df6f81143 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index dcfea3d629e..aec6e1eb12d 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index c7e0e55f416..9e345d91ee8 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 7454502d31e..76919256087 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -61,18 +61,18 @@
DNSSEC, Dynamic Zones, and Automatic Signing
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
@@ -1060,13 +1060,14 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; The keys specified in dnssec-keys copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust. Keys configured - with the keyword static-key are loaded directly + with the keyword static-key or + static-ds are loaded directly into the table of trust anchors, and can only be changed by altering the configuration. Keys configured with - initial-key are used to initialize - RFC 5011 trust anchor maintenance, and will be kept up to - date automatically after the first time named - runs. + initial-key or initial-ds + are used to initialize RFC 5011 trust anchor maintenance, and + will be kept up to date automatically after the first time + named runs.
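Review bot: with `static-ds` and `initial-ds` now accepted, the unchanged lead-in "The keys specified in dnssec-keys copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust" is no longer accurate (a DS entry is a digest of a key, not a copy of a DNSKEY RR) and is also missing its verb; suggest "The entries in dnssec-keys are copies of DNSKEY RRs, or DS digests of them, for zones that form the first link in the cryptographic chain of trust."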

@@ -1106,17 +1107,7 @@ dnssec-keys { 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ dgxbcDTClU0CRBdiieyLMNzXG3"; /* Key for our organization's forward zone */ - example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6 - 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z - GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb - 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL - kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O - g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S - TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq - FxmAVZP20igTixin/1LcrgX/KMEGd/biuv - F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm - /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o - 1OTQ09A0="; + example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D" /* Key for our reverse zone. */ 2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc @@ -1195,33 +1186,53 @@ options { Converting from insecure to secure -
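Review bot: the replacement trust-anchor example `example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"` drops the trailing semicolon that the removed `static-key` entry ended with (`...1OTQ09A0=";`), so the example `dnssec-keys` block no longer parses as printed; add `;` after the closing quote. The comment above it, `/* Key for our organization's forward zone */`, now labels a DS digest rather than a key and could say "DS for our organization's forward zone".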

Changing a zone from insecure to secure can be done in two - ways: using a dynamic DNS update, or the - auto-dnssec zone option.

-

For either method, you need to configure - named so that it can see the - K* files which contain the public and private - parts of the keys that will be used to sign the zone. These files - will have been generated by - dnssec-keygen. You can do this by placing them - in the key-directory, as specified in - named.conf:

-
+  

+ Changing a zone from insecure to secure can be done in three + ways: using a dynamic DNS update, use the + auto-dnssec zone option, or set a DNSSEC + policy for the zone with dnssec-policy. +

+

+ For either method, you need to configure + named so that it can see the + K* files which contain the public and private + parts of the keys that will be used to sign the zone. These files + will have been generated by + dnssec-keygen (or created when needed by + named if dnssec-policy is + used). Keys should be placed in the key-directory, as specified in + named.conf:

+
 	zone example.net {
 		type master;
 		update-policy local;
 		file "dynamic/example.net/example.net";
 		key-directory "dynamic/example.net";
 	};
-
-

If one KSK and one ZSK DNSKEY key have been generated, this - configuration will cause all records in the zone to be signed - with the ZSK, and the DNSKEY RRset to be signed with the KSK as - well. An NSEC chain will be generated as part of the initial - signing process.

+
+

+ If one KSK and one ZSK DNSKEY key have been generated, this + configuration will cause all records in the zone to be signed + with the ZSK, and the DNSKEY RRset to be signed with the KSK as + well. An NSEC chain will be generated as part of the initial + signing process. +

+

+ With dnssec-policy you specify what keys should + be KSK and/or ZSK. If you want a key to sign all records with a key + you will need to specify a CSK: +

+
+	dnssec-policy csk {
+		keys {
+			csk key-directory lifetime P5Y algorithm 13;
+		};
+	};
+  
+

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

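Review bot: "can be done in three ways: using a dynamic DNS update, use the auto-dnssec zone option, or set a DNSSEC policy for the zone" is not parallel, and the following paragraph still opens "For either method" although there are now three; suggest "three ways: a dynamic DNS update, the auto-dnssec zone option, or a dnssec-policy for the zone" and "For any of these methods". "If you want a key to sign all records with a key you will need to specify a CSK" repeats "a key"; "If you want a single key to sign all records, specify a CSK" is clearer. The `dnssec-policy csk { ... }` example is never attached to anything: the `zone example.net { ... }` block above it has no `dnssec-policy "csk";` line, so the reader cannot see how a policy is applied; add that line to the zone example (the zone grammar in this commit adds `dnssec-policy string;`).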
@@ -1232,16 +1243,20 @@ options { > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= > send -

While the update request will complete almost immediately, - the zone will not be completely signed until - named has had time to walk the zone and - generate the NSEC and RRSIG records. The NSEC record at the apex - will be added last, to signal that there is a complete NSEC - chain.

-

If you wish to sign using NSEC3 instead of NSEC, you should - add an NSEC3PARAM record to the initial update request. If you - wish the NSEC3 chain to have the OPTOUT bit set, set it in the - flags field of the NSEC3PARAM record.

+

+ While the update request will complete almost immediately, + the zone will not be completely signed until + named has had time to walk the zone and + generate the NSEC and RRSIG records. The NSEC record at the apex + will be added last, to signal that there is a complete NSEC + chain. +

+

+ If you wish to sign using NSEC3 instead of NSEC, you should + add an NSEC3PARAM record to the initial update request. If you + wish the NSEC3 chain to have the OPTOUT bit set, set it in the + flags field of the NSEC3PARAM record. +

 	% nsupdate
 	> ttl 3600
@@ -1250,94 +1265,117 @@ options {
 	> update add example.net NSEC3PARAM 1 1 100 1234567890
 	> send
 
-

Again, this update request will complete almost - immediately; however, the record won't show up until - named has had a chance to build/remove the - relevant chain. A private type record will be created to record - the state of the operation (see below for more details), and will - be removed once the operation completes.

-

While the initial signing and NSEC/NSEC3 chain generation - is happening, other updates are possible as well.

+

+ Again, this update request will complete almost + immediately; however, the record won't show up until + named has had a chance to build/remove the + relevant chain. A private type record will be created to record + the state of the operation (see below for more details), and will + be removed once the operation completes. +

+

+ While the initial signing and NSEC/NSEC3 chain generation + is happening, other updates are possible as well. +

+

-Fully automatic zone signing

+Fully automatic zone signing
-

To enable automatic signing, add the - auto-dnssec option to the zone statement in - named.conf. - auto-dnssec has two possible arguments: - allow or - maintain.

-

With - auto-dnssec allow, - named can search the key directory for keys - matching the zone, insert them into the zone, and use them to - sign the zone. It will do so only when it receives an - rndc sign <zonename>.

- - auto-dnssec maintain includes the above - functionality, but will also automatically adjust the zone's - DNSKEY records on schedule according to the keys' timing metadata. - (See dnssec-keygen(8) and - dnssec-settime(8) for more information.) + To enable automatic signing, you can set a + dnssec-policy, or add the + auto-dnssec option to the zone statement in + named.conf. + auto-dnssec has two possible arguments: + allow or + maintain. +

+

+ With auto-dnssec allow, + named can search the key directory for keys + matching the zone, insert them into the zone, and use them to + sign the zone. It will do so only when it receives an + rndc sign <zonename>. +

+

+ + auto-dnssec maintain includes the above + functionality, but will also automatically adjust the zone's + DNSKEY records on schedule according to the keys' timing metadata. + (See dnssec-keygen(8) and + dnssec-settime(8) for more information.) +

+

+ dnssec-policy is like + auto-dnssec maintain, but will also automatically + create new keys when necessary. Also any configuration related + to DNSSEC signing is retrieved from the policy (ignoring existing + DNSSEC named.conf options). +

+

+ named will periodically search the key directory + for keys matching the zone, and if the keys' metadata indicates + that any change should be made the zone, such as adding, removing, + or revoking a key, then that action will be carried out. By default, + the key directory is checked for changes every 60 minutes; this period + can be adjusted with the dnssec-loadkeys-interval, up + to a maximum of 24 hours. The rndc loadkeys forces + named to check for key updates immediately.

- named will periodically search the key directory - for keys matching the zone, and if the keys' metadata indicates - that any change should be made the zone, such as adding, removing, - or revoking a key, then that action will be carried out. By default, - the key directory is checked for changes every 60 minutes; this period - can be adjusted with the dnssec-loadkeys-interval, up - to a maximum of 24 hours. The rndc loadkeys forces - named to check for key updates immediately. + If keys are present in the key directory the first time the zone + is loaded, the zone will be signed immediately, without waiting for an + rndc sign or rndc loadkeys + command. (Those commands can still be used when there are unscheduled + key changes, however.)

- If keys are present in the key directory the first time the zone - is loaded, the zone will be signed immediately, without waiting for an - rndc sign or rndc loadkeys - command. (Those commands can still be used when there are unscheduled - key changes, however.) + When new keys are added to a zone, the TTL is set to match that + of any existing DNSKEY RRset. If there is no existing DNSKEY RRset, + then the TTL will be set to the TTL specified when the key was + created (using the dnssec-keygen -L option), if + any, or to the SOA TTL.

- When new keys are added to a zone, the TTL is set to match that - of any existing DNSKEY RRset. If there is no existing DNSKEY RRset, - then the TTL will be set to the TTL specified when the key was - created (using the dnssec-keygen -L option), if - any, or to the SOA TTL. + If you wish the zone to be signed using NSEC3 instead of NSEC, + submit an NSEC3PARAM record via dynamic update prior to the + scheduled publication and activation of the keys. If you wish the + NSEC3 chain to have the OPTOUT bit set, set it in the flags field + of the NSEC3PARAM record. The NSEC3PARAM record will not appear in + the zone immediately, but it will be stored for later reference. When + the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM + record will appear in the zone.

- If you wish the zone to be signed using NSEC3 instead of NSEC, - submit an NSEC3PARAM record via dynamic update prior to the - scheduled publication and activation of the keys. If you wish the - NSEC3 chain to have the OPTOUT bit set, set it in the flags field - of the NSEC3PARAM record. The NSEC3PARAM record will not appear in - the zone immediately, but it will be stored for later reference. When - the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM - record will appear in the zone. + Using the + auto-dnssec option requires the zone to be + configured to allow dynamic updates, by adding an + allow-update or + update-policy statement to the zone + configuration. If this has not been done, the configuration will + fail.

-

Using the - auto-dnssec option requires the zone to be - configured to allow dynamic updates, by adding an - allow-update or - update-policy statement to the zone - configuration. If this has not been done, the configuration will - fail.

+

-Private-type records

+Private-type records
-

The state of the signing process is signaled by - private-type records (with a default type value of 65534). When - signing is complete, these records will have a nonzero value for - the final octet (for those records which have a nonzero initial - octet).

-

The private type record format: If the first octet is - non-zero then the record indicates that the zone needs to be - signed with the key matching the record, or that all signatures - that match the record should be removed.

+

+ The state of the signing process is signaled by + private-type records (with a default type value of 65534). When + signing is complete, these records will have a nonzero value for + the final octet (for those records which have a nonzero initial + octet). +

+

+ The private type record format: If the first octet is + non-zero then the record indicates that the zone needs to be + signed with the key matching the record, or that all signatures + that match the record should be removed. +


@@ -1349,14 +1387,18 @@ options {

-

Only records flagged as "complete" can be removed via - dynamic update. Attempts to remove other private type records - will be silently ignored.

-

If the first octet is zero (this is a reserved algorithm - number that should never appear in a DNSKEY record) then the - record indicates changes to the NSEC3 chains are in progress. The - rest of the record contains an NSEC3PARAM record. The flag field - tells what operation to perform based on the flag bits.

+

+ Only records flagged as "complete" can be removed via + dynamic update. Attempts to remove other private type records + will be silently ignored. +

+

+ If the first octet is zero (this is a reserved algorithm + number that should never appear in a DNSKEY record) then the + record indicates changes to the NSEC3 chains are in progress. The + rest of the record contains an NSEC3PARAM record. The flag field + tells what operation to perform based on the flag bits. +


@@ -1370,127 +1412,160 @@ options {

-DNSKEY rollovers

+DNSKEY rollovers
-

As with insecure-to-secure conversions, rolling DNSSEC - keys can be done in two ways: using a dynamic DNS update, or the - auto-dnssec zone option.

+

+ As with insecure-to-secure conversions, rolling DNSSEC + keys can be done in two ways: using a dynamic DNS update, or the + auto-dnssec zone option. +

+

-Dynamic DNS update method

+Dynamic DNS update method
-

To perform key rollovers via dynamic update, you need to add - the K* files for the new keys so that - named can find them. You can then add the new - DNSKEY RRs via dynamic update. - named will then cause the zone to be signed - with the new keys. When the signing is complete the private type - records will be updated so that the last octet is non - zero.

-

If this is for a KSK you need to inform the parent and any - trust anchor repositories of the new KSK.

-

You should then wait for the maximum TTL in the zone before - removing the old DNSKEY. If it is a KSK that is being updated, - you also need to wait for the DS RRset in the parent to be - updated and its TTL to expire. This ensures that all clients will - be able to verify at least one signature when you remove the old - DNSKEY.

-

The old DNSKEY can be removed via UPDATE. Take care to - specify the correct key. - named will clean out any signatures generated - by the old key after the update completes.

+

+ To perform key rollovers via dynamic update, you need to add + the K* files for the new keys so that + named can find them. You can then add the new + DNSKEY RRs via dynamic update. + named will then cause the zone to be signed + with the new keys. When the signing is complete the private type + records will be updated so that the last octet is non + zero. +

+

+ If this is for a KSK you need to inform the parent and any + trust anchor repositories of the new KSK. +

+

+ You should then wait for the maximum TTL in the zone before + removing the old DNSKEY. If it is a KSK that is being updated, + you also need to wait for the DS RRset in the parent to be + updated and its TTL to expire. This ensures that all clients will + be able to verify at least one signature when you remove the old + DNSKEY. +

+

+ The old DNSKEY can be removed via UPDATE. Take care to + specify the correct key. + named will clean out any signatures generated + by the old key after the update completes. +

+

-Automatic key rollovers

+Automatic key rollovers
-

When a new key reaches its activation date (as set by - dnssec-keygen or dnssec-settime), - if the auto-dnssec zone option is set to - maintain, named will - automatically carry out the key rollover. If the key's algorithm - has not previously been used to sign the zone, then the zone will - be fully signed as quickly as possible. However, if the new key - is replacing an existing key of the same algorithm, then the - zone will be re-signed incrementally, with signatures from the - old key being replaced with signatures from the new key as their - signature validity periods expire. By default, this rollover - completes in 30 days, after which it will be safe to remove the - old key from the DNSKEY RRset.

+

+ When a new key reaches its activation date (as set by + dnssec-keygen or dnssec-settime), + if the auto-dnssec zone option is set to + maintain, named will + automatically carry out the key rollover. If the key's algorithm + has not previously been used to sign the zone, then the zone will + be fully signed as quickly as possible. However, if the new key + is replacing an existing key of the same algorithm, then the + zone will be re-signed incrementally, with signatures from the + old key being replaced with signatures from the new key as their + signature validity periods expire. By default, this rollover + completes in 30 days, after which it will be safe to remove the + old key from the DNSKEY RRset. +

+

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE
-

Add the new NSEC3PARAM record via dynamic update. When the - new NSEC3 chain has been generated, the NSEC3PARAM flag field - will be zero. At this point you can remove the old NSEC3PARAM - record. The old chain will be removed after the update request - completes.

+

+ Add the new NSEC3PARAM record via dynamic update. When the + new NSEC3 chain has been generated, the NSEC3PARAM flag field + will be zero. At this point you can remove the old NSEC3PARAM + record. The old chain will be removed after the update request + completes. +

+

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3
-

To do this, you just need to add an NSEC3PARAM record. When - the conversion is complete, the NSEC chain will have been removed - and the NSEC3PARAM record will have a zero flag field. The NSEC3 - chain will be generated before the NSEC chain is - destroyed.

+

+ To do this, you just need to add an NSEC3PARAM record. When + the conversion is complete, the NSEC chain will have been removed + and the NSEC3PARAM record will have a zero flag field. The NSEC3 + chain will be generated before the NSEC chain is + destroyed. +

+

+ NSEC3 is not supported yet with dnssec-policy. +

+

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC
-

To do this, use nsupdate to - remove all NSEC3PARAM records with a zero flag - field. The NSEC chain will be generated before the NSEC3 chain is - removed.

+

+ To do this, use nsupdate to + remove all NSEC3PARAM records with a zero flag + field. The NSEC chain will be generated before the NSEC3 chain is + removed. +

+

-Converting from secure to insecure

+Converting from secure to insecure
-

To convert a signed zone to unsigned using dynamic DNS, - delete all the DNSKEY records from the zone apex using - nsupdate. All signatures, NSEC or NSEC3 chains, - and associated NSEC3PARAM records will be removed automatically. - This will take place after the update request completes.

-

This requires the - dnssec-secure-to-insecure option to be set to - yes in - named.conf.

-

In addition, if the auto-dnssec maintain - zone statement is used, it should be removed or changed to - allow instead (or it will re-sign). +

+ To convert a signed zone to unsigned using dynamic DNS, + delete all the DNSKEY records from the zone apex using + nsupdate. All signatures, NSEC or NSEC3 chains, + and associated NSEC3PARAM records will be removed automatically. + This will take place after the update request completes.

+

This requires the + dnssec-secure-to-insecure option to be set to + yes in + named.conf.

+

In addition, if the auto-dnssec maintain + zone statement is used, it should be removed or changed to + allow instead (or it will re-sign).

+

-Periodic re-signing

+Periodic re-signing
-

In any secure zone which supports dynamic updates, named - will periodically re-sign RRsets which have not been re-signed as - a result of some update action. The signature lifetimes will be - adjusted so as to spread the re-sign load over time rather than - all at once.

+

+ In any secure zone which supports dynamic updates, named + will periodically re-sign RRsets which have not been re-signed as + a result of some update action. The signature lifetimes will be + adjusted so as to spread the re-sign load over time rather than + all at once. +

+

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT

- named only supports creating new NSEC3 chains - where all the NSEC3 records in the zone have the same OPTOUT - state. - named supports UPDATES to zones where the NSEC3 - records in the chain have mixed OPTOUT state. - named does not support changing the OPTOUT - state of an individual NSEC3 record, the entire chain needs to be - changed if the OPTOUT state of an individual NSEC3 needs to be - changed.

+ named only supports creating new NSEC3 chains + where all the NSEC3 records in the zone have the same OPTOUT + state. + named supports UPDATES to zones where the NSEC3 + records in the chain have mixed OPTOUT state. + named does not support changing the OPTOUT + state of an individual NSEC3 record, the entire chain needs to be + changed if the OPTOUT state of an individual NSEC3 needs to be + changed. +
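Review bot: the new caveat "NSEC3 is not supported yet with dnssec-policy." is added only under "Converting from NSEC to NSEC3", where an operator setting up dnssec-policy will not look for it; the same sentence belongs in the dnssec-policy Statement Definition and Usage section (next to the keys or zone-max-ttl clauses) so the restriction is visible where the policy is defined. Two wording fixes in the re-indented text: "the last octet is non zero" should be "non-zero", and the last paragraph of "NSEC3 and OPTOUT" is a comma splice ("...state of an individual NSEC3 record, the entire chain needs to be changed..."); split it with a semicolon or "so".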

@@ -1512,8 +1587,8 @@ options {

To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a dnssec-keys statement and the - initial-key keyword. Information about - this can be found in + initial-key or initial-ds + keyword. Information about this can be found in the section called “dnssec-keys Statement Definition and Usage”.

@@ -2840,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 8b41f1cbafd..e87c1a72760 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -70,6 +70,9 @@
dnssec-keys Statement Grammar
dnssec-keys Statement Definition and Usage
+
dnssec-policy Statement Grammar
+
dnssec-policy Statement Definition + and Usage
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
@@ -806,6 +809,17 @@ + +

dnssec-policy

+ + +

+ describes a DNSSEC key and signing policy for zones. + See the section called “dnssec-policy Statement Grammar” for details. +

+ + +

include
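Review bot: the new dnssec-policy entry sends readers to "dnssec-policy Statement Grammar" for details, but that section is only the syntax skeleton; the meaning of each clause, the key-file location and the zone attachment are described in "dnssec-policy Statement Definition and Usage", which this patch also adds. Point the cross-reference at the Definition and Usage section (or at both).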

@@ -889,11 +903,14 @@

- defines DNSSEC keys: if used with the - initial-key keyword, - keys are kept up to date using RFC 5011 - trust anchor maintenance, and if used with - static-key, keys are permanent. + defines DNSSEC trust anchors: if used with + the initial-key or + initial-ds keyword, + trust anchors are kept up to date using RFC + 5011 trust anchor maintenance, and if used with + static-key or + static-ds, trust anchors + are permanent.

@@ -2418,7 +2435,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ dscp integer ] { ( masters | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ]; ... } ] [ zone-directory quoted_string ] [ - in-memory boolean ] [ min-update-interval ttlval ]; ... }; + in-memory boolean ] [ min-update-interval duration ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity boolean; check-mx ( fail | warn | ignore ); @@ -2500,18 +2517,18 @@ badresp:1,adberr:0,findfail:0,valfail:0] fstrm-set-output-notify-threshold integer; fstrm-set-output-queue-model ( mpsc | spsc ); fstrm-set-output-queue-size integer; - fstrm-set-reopen-interval ttlval; + fstrm-set-reopen-interval duration; geoip-directory ( quoted_string | none ); glue-cache boolean; heartbeat-interval integer; hostname ( quoted_string | none ); inline-signing boolean; - interface-interval ttlval; + interface-interval duration; ixfr-from-differences ( primary | master | secondary | slave | boolean ); keep-response-order { address_match_element; ... }; key-directory quoted_string; - lame-ttl ttlval; + lame-ttl duration; listen-on [ port integer ] [ dscp integer ] { address_match_element; ... }; 
@@ -2525,28 +2542,28 @@ badresp:1,adberr:0,findfail:0,valfail:0] masterfile-style ( full | relative ); match-mapped-addresses boolean; max-cache-size ( default | unlimited | sizeval | percentage ); - max-cache-ttl ttlval; + max-cache-ttl duration; max-clients-per-query integer; max-journal-size ( default | unlimited | sizeval ); - max-ncache-ttl ttlval; + max-ncache-ttl duration; max-records integer; max-recursion-depth integer; max-recursion-queries integer; max-refresh-time integer; max-retry-time integer; max-rsa-exponent-size integer; - max-stale-ttl ttlval; + max-stale-ttl duration; max-transfer-idle-in integer; max-transfer-idle-out integer; max-transfer-time-in integer; max-transfer-time-out integer; max-udp-size integer; - max-zone-ttl ( unlimited | ttlval ); + max-zone-ttl ( unlimited | duration ); memstatistics boolean; memstatistics-file quoted_string; message-compression boolean; - min-cache-ttl ttlval; - min-ncache-ttl ttlval; + min-cache-ttl duration; + min-ncache-ttl duration; min-refresh-time integer; min-retry-time integer; minimal-any boolean; @@ -2563,8 +2580,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; notify-to-soa boolean; - nta-lifetime ttlval; - nta-recheck ttlval; + nta-lifetime duration; + nta-recheck duration; nxdomain-redirect string; pid-file ( quoted_string | none ); port integer; 
@@ -2611,13 +2628,13 @@ badresp:1,adberr:0,findfail:0,valfail:0] response-padding { address_match_element; ... } block-size integer; response-policy { zone string [ add-soa boolean ] [ log - boolean ] [ max-policy-ttl ttlval ] [ min-update-interval - ttlval ] [ policy ( cname | disabled | drop | given | no-op | + boolean ] [ max-policy-ttl duration ] [ min-update-interval + duration ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ recursive-only boolean ] [ nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [ add-soa boolean ] [ - break-dnssec boolean ] [ max-policy-ttl ttlval ] [ - min-update-interval ttlval ] [ min-ns-dots integer ] [ + break-dnssec boolean ] [ max-policy-ttl duration ] [ + min-update-interval duration ] [ min-ns-dots integer ] [ nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ] [ recursive-only boolean ] [ nsip-enable boolean ] [ nsdname-enable boolean ] [ dnsrps-enable boolean ] [ @@ -2631,7 +2648,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] serial-query-rate integer; serial-update-method ( date | increment | unixtime ); server-id ( quoted_string | none | hostname ); - servfail-ttl ttlval; + servfail-ttl duration; session-keyalg string; session-keyfile ( quoted_string | none ); session-keyname string; @@ -2642,7 +2659,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] sortlist { address_match_element; ... }; stacksize ( default | unlimited | sizeval ); stale-answer-enable boolean; - stale-answer-ttl ttlval; + stale-answer-ttl duration; startup-notify-rate integer; statistics-file quoted_string; synth-from-dnssec boolean; @@ -3068,7 +3085,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]

Specifies the directory in which to store the files that track managed DNSSEC keys (i.e., those configured using - the initial-key keyword in a + the initial-key or + initial-ds keywords in a dnssec-keys statement). By default, this is the working directory. The directory must be writable by the effective @@ -3211,7 +3229,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] the first time; if unsuccessful, the server will will terminate, under the assumption that another server is already running. If not specified, the default is - /var/run/named/named.lock. + none.
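Review bot: changing the lock-file default from /var/run/named/named.lock to none is a behaviour change, not a documentation fix: a default installation will no longer refuse to start a second named against the same working directory. It should be listed under Feature Changes in the 9.15.6 release notes added in this patch (which currently mention only synth-from-dnssec and the validation refactor) and in CHANGES. While here, the preceding context sentence reads "the server will will terminate" (doubled "will"), and it now describes behaviour that only happens when lock-file is set explicitly, so qualify it accordingly.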

Specifying lock-file none disables the @@ -3788,15 +3806,21 @@ options {

automatic-interface-scan

- If yes and supported by the OS, - automatically rescan network interfaces when the interface - addresses are added or removed. The default is - yes. + If yes and supported by the operating + system, automatically rescan network interfaces when the + interface addresses are added or removed. The default is + yes. This configuration option does + not affect time based interface-interval + option, and it is recommended to set the time based + interface-interval to 0 when the operator + confirms that automatic interface scanning is supported by the + operating system.

- Currently the OS needs to support routing sockets for - automatic-interface-scan to be - supported. + The automatic-interface-scan implementation + uses routing sockets for the network interface discovery, + and therefore the operating system has to support the routing + sockets for this feature to work.

allow-new-zones
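Review bot: in the new automatic-interface-scan text, "does not affect time based interface-interval option" needs an article and a hyphen ("does not affect the time-based interface-interval option", and "set the time-based interface-interval to 0"). More importantly, the paragraph tells operators to set interface-interval to 0 once they "confirm" that automatic scanning is supported, but not how to confirm it; the next paragraph gives the actual criterion (routing-socket support in the operating system), so either merge the two or state what to check (for example a log message at startup, if named emits one) so the recommendation is actionable.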
@@ -4305,6 +4329,17 @@ options { response to a UDP request from a cookie aware client. BADCOOKIE is sent if there is a bad or no existent server cookie. + The default is no. +

+

+ Set this to yes to test that DNS + COOKIE clients correctly handle BADCOOKIE or if you are + getting a lot of forged DNS requests with DNS COOKIES + present. Setting this to yes will + result in reduced amplification effect in a reflection + attack, as the BADCOOKIE response will be smaller than + a full response, while also requiring a legitimate client + to follow up with a second query with the new, valid, cookie.

answer-cookie
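Review bot: the new require-server-cookie paragraph should make explicit that the amplification reduction it describes only applies to cookie-aware clients (the BADCOOKIE response replaces a full answer only when a COOKIE option is present), so operators do not expect it to help against requests without cookies; those are governed by nocookie-udp-size, described below. Also fix the context sentence "a bad or no existent server cookie" to "a bad or missing server cookie".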
@@ -4347,6 +4382,7 @@ options { do not send a correct COOKIE option may be limited to receiving smaller responses via the nocookie-udp-size option. + The default is yes.

stale-answer-enable
@@ -4959,7 +4995,9 @@ options {

Synthesize answers from cached NSEC, NSEC3 and other RRsets that have been proved to be correct - using DNSSEC. The default is yes. + using DNSSEC. The default is no, + but it will become yes again + in the future releases.
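Review bot: "in the future releases" should be "in a future release". The synth-from-dnssec paragraph should also say why the default flipped to no, as the release note in this patch does (a significant performance impact on recursive service), so an operator who turns it back on knows the trade-off they are accepting.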

Note: @@ -6469,10 +6507,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when - the configuration file is loaded. After the scan, the - server will - begin listening for queries on any newly discovered - interfaces (provided they are allowed by the + the configuration file is loaded, or when + automatic-interface-scan is enabled + and supported by the operating system. After the scan, the + server will begin listening for queries on any newly + discovered interfaces (provided they are allowed by the listen-on configuration), and will stop listening on interfaces that have gone away. For convenience, TTL-style time unit suffixes may be @@ -6511,7 +6550,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; The first element (which may be an IP address, an IP prefix, an ACL name or a nested address_match_list) of each top level list is checked against the source address of - the query until a match is found. + the query until a match is found. When the addresses in the + first element overlap, the first rule to match gets selected.

Once the source address of the query has been matched, if the @@ -6823,6 +6863,20 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; rndc serve-stale on.

+
resolver-nonbackoff-tries
+
+

+ Specifies how many retries occur before exponential + backoff kicks in. The default is 3. +

+
+
resolver-retry-interval
+
+

+ The base retry interval in milliseconds. + The default is 800. +

+
sig-validity-interval
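Review bot: resolver-nonbackoff-tries and resolver-retry-interval are new options but do not appear under New Features in the 9.15.6 release notes added in this patch (which list only the libuv network code, dnssec-policy and the DS-format trust anchors); add an entry there and a CHANGES line, and confirm both names are present in the options grammar. The two paragraphs should also say what the count and interval apply to (retries of a query to an individual upstream server, presumably) and warn that lowering them increases the outbound query rate towards slow or unresponsive servers, so that they are not tuned blindly.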

@@ -8798,7 +8852,8 @@ example.com CNAME rpz-tcp-only. dnssec-keys Statement Grammar

 dnssec-keys { string ( static-key |
-    initial-key ) integer integer integer
+    initial-key | static-ds | initial-ds )
+    integer integer integer
     quoted_string; ... };
 
@@ -8812,12 +8867,12 @@ example.com CNAME rpz-tcp-only. trust anchors. DNSSEC is described in the section called “DNSSEC”.

- A trust anchor is defined when the public key for - a non-authoritative zone is known, but cannot be securely - obtained through DNS, either because it is the DNS root zone - or because its parent zone is unsigned. Once a key has been - configured as a trust anchor, it is treated as if it had - been validated and proven secure. + A trust anchor is defined when the public key or public key + digest for a non-authoritative zone is known, but cannot be + securely obtained through DNS, either because it is the DNS + root zone or because its parent zone is unsigned. Once a key + or digest has been configured as a trust anchor, it is treated + as if it had been validated and proven secure.

The resolver attempts DNSSEC validation on all DNS data @@ -8829,19 +8884,9 @@ example.com CNAME rpz-tcp-only.

All keys listed in dnssec-keys, and their corresponding zones, are deemed to exist regardless - of what parent zones say. Only keys configured as trust anchors + of what parent zones say. Only keys configured as trust anchors are used to validate the DNSKEY RRset for the corresponding - name. The parent's DS RRset will not be used. -

-

- The dnssec-keys statement can contain - multiple key entries, each consisting of the key's - domain name, followed by the static-key or - initial-key keyword, then the key's flags, - protocol, algorithm, and the Base64 representation of the key - data. Spaces, tabs, newlines and carriage returns are ignored - in the key data, so the configuration may be split up into - multiple lines. + name. The parent's DS RRset will not be used.

dnssec-keys may be set at the top level @@ -8851,11 +8896,33 @@ example.com CNAME rpz-tcp-only. defined in a view are only used within that view.

- dnssec-keys entries can be configured with - two keywords: static-key or - initial-key. Keys configured with - static-key are immutable, - while keys configured with initial-key + The dnssec-keys statement can contain + multiple trust anchor entries, each consisting of a + domain name, followed by an "anchor type" keyword indicating + the trust anchor's format, followed by the key or digest data. +

+

+ If the anchor type is static-key or + initial-key, then it is followed with the + key's flags, protocol, algorithm, and the Base64 representation + of the public key data. This is identical to the text + representation of a DNSKEY record. Spaces, tabs, newlines and + carriage returns are ignored in the key data, so the + configuration may be split up into multiple lines. +

+

+ If the anchor type is static-ds or + initial-ds, then it is followed with the + key tag, algorithm, digest type, and the hexidecimal + representation of the key digest. This is identical to the + text representation of a DS record. Spaces, tabs, newlines + and carriage returns are ignored. +

+
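Review bot: "hexidecimal representation of the key digest" should be "hexadecimal", and "it is followed with the key's flags" / "it is followed with the key tag" should be "followed by" in both new paragraphs. Consider also stating that the key tag and algorithm in a static-ds or initial-ds entry must match the DNSKEY that named fetches, since a mismatch is the most likely operator error with DS-format anchors.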

+ Trust anchors configured with the + static-key or static-ds + anchor types are immutable, while keys configured with + initial-key or initial-ds can be kept up to date automatically, without intervention from the resolver operator. (static-key keys are identical to keys configured using the deprecated @@ -8865,45 +8932,55 @@ example.com CNAME rpz-tcp-only. Suppose, for example, that a zone's key-signing key was compromised, and the zone owner had to revoke and replace the key. A resolver which had the original key - configured as a static-key would be - unable to validate this zone any longer; it would - reply with a SERVFAIL response code. This would - continue until the resolver operator had updated the - dnssec-keys statement with the new key. + configured using static-key or + static-ds would be unable to validate + this zone any longer; it would reply with a SERVFAIL response + code. This would continue until the resolver operator had + updated the dnssec-keys statement with + the new key.

If, however, the trust anchor had been configured with - initial-key instead, then the - zone owner could add a "stand-by" key to their zone in advance. - named would store the stand-by key, and - when the original key was revoked, named - would be able to transition smoothly to the new key. It would - also recognize that the old key had been revoked, and cease - using that key to validate answers, minimizing the damage that - the compromised key could do. This is the process used to - keep the ICANN root DNSSEC key up to date. -

-

- Whereas static-key - keys continue to be trusted until they are removed from + initial-key or initial-ds + instead, then the zone owner could add a "stand-by" key to + their zone in advance. named would store + the stand-by key, and when the original key was revoked, + named would be able to transition smoothly + to the new key. It would also recognize that the old key had + been revoked, and cease using that key to validate answers, + minimizing the damage that the compromised key could do. + This is the process used to keep the ICANN root DNSSEC key + up to date. +

+

+ Whereas static-key and + static-ds trust anchors continue + to be trusted until they are removed from named.conf, an - initial-key is only trusted - once: for as long as it + initial-key or initial-ds + is only trusted once: for as long as it takes to load the managed key database and start the RFC 5011 key maintenance process.

+

+ It is not possible to mix static with initial trust anchors + for the same domain name. It is also not possible to mix + key with ds trust anchors. +

The first time named runs with an - initial-key configured in - named.conf, it fetches the + initial-key or initial-ds + configured in named.conf, it fetches the DNSKEY RRset directly from the zone apex, and validates it - using the key specified in dnssec-keys. - If the DNSKEY RRset is validly signed, then it is - used as the basis for a new managed keys database. + using the trust anchor specified in dnssec-keys. + If the DNSKEY RRset is validly signed by a key matching + the trust anchor, then it is used as the basis for a new + managed keys database.
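Review bot: the new paragraph "It is not possible to mix static with initial trust anchors for the same domain name. It is also not possible to mix key with ds trust anchors." drops "for the same domain name" from the second sentence, so it reads as if a configuration may not contain DNSKEY-format and DS-format anchors at all; the release note in this same patch states the restriction per domain name. Align the wording, and say what named does when the restriction is violated (rejects the configuration at load, or ignores one of the anchors) so operators can predict the failure mode.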

From that point on, whenever named runs, it - sees the initial-key listed in + sees the initial-key or + initial-ds listed in dnssec-keys, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The @@ -8914,13 +8991,13 @@ example.com CNAME rpz-tcp-only.

The next time named runs after an - initial-key has been - removed from the + initial-key or initial-ds + trust anchor has been removed from the dnssec-keys statement (or changed to - a static-key), the corresponding - zone will be removed from the managed keys database, - and RFC 5011 key maintenance will no longer be used for that - domain. + a static-key or static-ds), + the corresponding keys will be removed from the managed keys + database, and RFC 5011 key maintenance will no longer be used + for that domain.

In the current implementation, the managed keys database @@ -8965,12 +9042,216 @@ example.com CNAME rpz-tcp-only.

+dnssec-policy Statement Grammar

+
+dnssec-policy string {
+    dnskey-ttl ttlval;
+    keys { ( csk | ksk | zsk ) key-directory duration integer [ integer ] ; ... };
+    parent-ds-ttl duration;
+    parent-propagation-delay duration;
+    parent-registration-delay duration;
+    publish-safety duration;
+    retire-safety duration;
+    signatures-refresh duration;
+    signatures-validity duration;
+    signatures-validity-dnskey duration;
+    zone-max-ttl duration;
+    zone-propagation-delay duration;
+};
+
+
+ +
+

+dnssec-policy Statement Definition + and Usage

+ +

+ The dnssec-policy statement defines a key and + signing policy (KASP) for zones. +

+

+ KASP is used to determine how one or more zones need to be signed + with DNSSEC. For example, how often RRSIG records need to be + refreshed, or what cryptographic algorithms to use. +

+

+ You can configure multiple policies. To attach a policy to a zone + simply add dnssec-policy "policy_name" + option to the zone statement with a matching + policy name. +

+ +
+
dnskey-ttl
+
+

+ The TTL of the DNSKEY resource records. + Default is 3600 seconds. +

+
+
keys
+
+

+ A list of keys to use. Each line represents one key. Here is + an example (for illustration purposes only) of some possible + keys in a dnssec-policy: +

+ +
keys {
+    ksk key-directory lifetime P5Y algorithm 8 2048;
+    zsk key-directory lifetime P30D algorithm 8;
+    csk key-directory lifetime P6MT12H3M15S algorithm 13;
+};
+
+ +

+ This example lists three keys. The first token determines + what RRsets the key will sign. If set to + ksk the key will sign the DNSKEY, CDS, + and CDNSKEY RRsets, if set to zsk the + key will sign the other RRsets, and if set to + csk the key will sign all RRsets. +

+

+ The following part determines where the key will be stored. + Currently keys can only be stored in the configured + key-directory. +

+

+ The third token tells how long the key may be used. In the + example the first key has a lifetime of 5 years, the second + key may be used for 30 days and the third key has a rather + peculiar lifetime of 6 months, 12 hours, 3 minutes and 15 + seconds. +

+

+ The last token(s) are the key's algorithm and algorithm + length. The length may be omitted as shown in the + example for the second and third key. +

+
+
publish-safety
+
+

+ A margin that is added to the publish interval in key + timing equations to give some extra time to cover + unforeseen events. Default is PT5M + (5 minutes). +

+
+
retire-safety
+
+

+ A margin that is added to the retire interval in key + timing equations to give some extra time to cover + unforeseen events. Default is PT5M + (5 minutes). +

+
+
signatures-refresh
+
+

+ This determines when a RRSIG record needs to be + refreshed. The signatures is renewed when the time until + the expiration time is closer than + signatures-refresh. + signatures-resign interval. Default + is P5D (5 days), meaning a signature + that will expire in 5 days or sooner will be refreshed. +

+
+
signatures-validity
+
+

+ The validity period of an RRSIG record (minus the + inception offset and jitter). Default is + P2W (2 weeks). +

+
+
signatures-validity-dnskey
+
+

+ Like signatures-validity but for + DNSKEY records. Default is P2W (2 + weeks). +

+
+
zone-max-ttl
+
+

+ Like max-zone-ttl, specifies the + maximum permissible TTL value in seconds. When loading a + zone file using a masterfile-format or + text or raw, + any record encountered with a TTL higher than + zone-max-ttl will be capped to the + maximum permissible TTL value. +

+

+ This is needed in DNSSEC-maintained zones because when + rolling to a new DNSKEY, the old key needs to remain + available until RRSIG records have expired from caches. + The zone-max-ttl option guarantees that + the largest TTL in the zone will be no higher than the + set value. +

+

+ (NOTE: Because map-format files + load directly into memory, this option cannot be + used with them.) +

+

+ The default value is PT24H (24 hours). + A zone-max-ttl of zero is treated as if + the default value is in use. +

+
+
zone-propagation-delay
+
+

+ The expected propagation delay from when a zone is + updated and when the new version of the zone is served by + all its name servers. Default is + PT5M (5 minutes). +

+
+
parent-ds-ttl
+
+

+ The TTL of the DS RRset that the parent uses. Default is + PT1H (1 hour). +

+
+
parent-propagation-delay
+
+

+ The expected propagation delay from when the parent zone + is updated and when the new version of the parent zone is + served by all its name servers. Default is + PT1H (1 hour). +

+
+
parent-registration-delay
+
+

+ The expected registration delay from when a DS RRset + change is requested and when the DS RRset has been + updated in the parent zone. Default is + P1D (1 day). +

+
+
+
+ +
+

managed-keys Statement Grammar

 managed-keys { string ( static-key
-    | initial-key ) integer
-    integer integer
-    quoted_string; ... }; deprecated
+    | initial-key | static-ds |
+    initial-ds ) integer integer
+    integer quoted_string; ... }; deprecated
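Review bot: the keys grammar and the keys example disagree: the grammar line reads "keys { ( csk | ksk | zsk ) key-directory duration integer [ integer ] ; ... };" while the example uses "ksk key-directory lifetime P5Y algorithm 8 2048;", i.e. with explicit lifetime and algorithm keywords that the grammar does not show; one of the two must be corrected. Other inconsistencies in the same hunk: dnskey-ttl is the only clause typed "ttlval" and documented "in seconds" (default 3600) while every other clause is a "duration" with ISO 8601 defaults such as PT5M and P2W; the signatures-refresh paragraph contains a stray fragment ("closer than signatures-refresh. signatures-resign interval.") referring to a signatures-resign option that is not in the grammar, and "The signatures is renewed" should be "A signature is renewed"; zone-max-ttl says "maximum permissible TTL value in seconds" but its default is PT24H, and "using a masterfile-format or text or raw" should read "masterfile-format of text or raw". Finally, this section is where the "NSEC3 is not supported yet with dnssec-policy" caveat added elsewhere in this patch should also appear.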
 
@@ -9180,6 +9461,7 @@ view "external" { dnskey-sig-validity integer; dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; + dnssec-policy string; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); file quoted_string; @@ -9195,7 +9477,7 @@ view "external" { max-records integer; max-transfer-idle-out integer; max-transfer-time-out integer; - max-zone-ttl ( unlimited | ttlval ); + max-zone-ttl ( unlimited | duration ); notify ( explicit | master-only | boolean ); notify-delay integer; notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ dscp integer ]; @@ -9231,6 +9513,7 @@ view "external" { dnskey-sig-validity integer; dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; + dnssec-policy string; dnssec-update-mode ( maintain | no-resign ); file quoted_string; forward ( first | only ); @@ -9386,7 +9669,7 @@ view "external" { masterfile-style ( full | relative ); masters [ port integer ] [ dscp integer ] { ( masters | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ]; ... }; max-records integer; - max-zone-ttl ( unlimited | ttlval ); + max-zone-ttl ( unlimited | duration ); zone-statistics ( full | terse | none | boolean ); }; @@ -10052,6 +10335,14 @@ view "external" { Usage”.

+
dnssec-policy
+
+

+ The key and signing policy for this zone. Set to + "default" if you want to make use + of the default policy. +

+
dnssec-update-mode
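Review bot: the zone-level dnssec-policy text says 'Set to "default" if you want to make use of the default policy' but nothing in the dnssec-policy section added by this patch says what the default policy contains (key types, algorithm, lifetimes) or what happens when the option is absent; document both. The grammar also places dnssec-policy next to dnssec-update-mode and the existing auto-dnssec maintain / inline-signing mechanisms without saying whether they may be combined or which takes precedence; state the rule (or that named rejects the combination) so operators do not end up with two signers maintaining one zone.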

@@ -14897,6 +15188,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 18673c4048f..fea99a3a916 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 50d1cf31f36..090d34a1c52 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index f1445852faf..cab45fea048 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,17 +36,19 @@

-Release Notes for BIND Version 9.15.5

+Release Notes for BIND Version 9.15.6

@@ -119,362 +121,559 @@ Download

The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. + https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

+

-Security Fixes

-
    -
  • -

    - The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. This flaw is disclosed in - CVE-2018-5743. [GL #615] -

    -
  • -
  • -

    - In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] -

    -
  • -
  • -

    - A race condition could trigger an assertion failure when - a large number of incoming packets were being rejected. - This flaw is disclosed in CVE-2019-6471. [GL #942] -

    -
  • -
  • -

    - named could crash with an assertion failure - if a forwarder returned a referral, rather than resolving the - query, when QNAME minimization was enabled. This flaw is - disclosed in CVE-2019-6476. [GL #1051] -

    -
  • -
  • -

    - A flaw in DNSSEC verification when transferring mirror zones - could allow data to be incorrectly marked valid. This flaw - is disclosed in CVE-2019-6475. [GL #1252] -

    -
  • +Notes for BIND 9.15.6
+ +
+

+New Features

+
    +
  • +

    + A new asynchronous network communications system based on + libuv is now used by named + for listening for incoming requests and responding to them. + This change will make it easier to improve performance and + implement new protocol layers (for example, DNS over TLS) in + the future. [GL #29] +

    +
  • +
  • +

    + The new dnssec-policy option allows the + configuration key and signing policy (KASP) for zones. This + option enables named to generate new keys + as needed and automatically roll both ZSK and KSK keys. + (Note that the syntax for this statement differs from the DNSSEC + policy used by dnssec-keymgr.) [GL #1134] +

    +
  • +
  • +

    + Two new keywords have been added to the + dnssec-keys statement: + initial-ds and static-ds. + These allow the use of trust anchors in DS format instead of + DNSKEY format. DS format allows trust anchors to be configured + for keys that have not yet been published; this is the format + used by IANA when announcing future root keys. +

    +

    + As with the initial-key and + static-key keywords, initial-ds + configures a dynamic trust anchor to be maintained via RFC 5011, and + static-ds configures a permanent trust anchor. +

    +

    + (Note: Currently, DNSKEY-format and DS-format trust anchors + cannot both be used for the same domain name.) [GL #6] [GL #622] +

    +
  • +
+
+ +
+

+Feature Changes

+
    +
  • +

    + NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default + because it was found to have a significant performance impact on the + recursive service. The NSEC Aggressive Cache will be enable by default + in the future releases. [GL #1265] +

    +
  • +
  • +

    + The DNSSEC validation code has been refactored for clarity and to + reduce code duplication. [GL #622] +

    +
+
+ +
+

+Security Fixes

+
  • +

    + Too many simultaneous pipelined TCP queries could cause + resource overuse. We now prevent this by enforcing a limit + on the number of simultaneous requests per active connection. + This flaw`is disclosed in CVE-2019-6477. [GL #1264] +

    +
+
+

-New Features

-
    -
  • -

    - Added a new command line option to dig: - +[no]unexpected. By default, dig - won't accept a reply from a source other than the one to which - it sent the query. Add the +unexpected argument - to enable it to process replies from unexpected sources. -

    -
  • -
  • -

    - The GeoIP2 API from MaxMind is now supported. Geolocation support - will be compiled in by default if the libmaxminddb - library is found at compile time, but can be turned off by using - configure --disable-geoip. -

    -

    - The default path to the GeoIP2 databases will be set based - on the location of the libmaxminddb library; - for example, if it is in /usr/local/lib, - then the default path will be - /usr/local/share/GeoIP. - This value can be overridden in named.conf - using the geoip-directory option. -

    -

    - Some geoip ACL settings that were available with - legacy GeoIP, including searches for netspeed, - org, and three-letter ISO country codes, will - no longer work when using GeoIP2. Supported GeoIP2 database - types are country, city, - domain, isp, and - as. All of these databases support both IPv4 - and IPv6 lookups. [GL #182] [GL #1112] -

    -
  • -
  • -

    - In order to clarify the configuration of DNSSEC keys, - the trusted-keys and - managed-keys statements have been - deprecated, and the new dnssec-keys - statement should now be used for both types of key. -

    -

    - When used with the keyword initial-key, - dnssec-keys has the same behavior as - managed-keys, i.e., it configures - a trust anchor that is to be maintained via RFC 5011. -

    -

    - When used with the new keyword static-key, it - has the same behavior as trusted-keys, - configuring a permanent trust anchor that will not automatically - be updated. (This usage is not recommended for the root key.) - [GL #6] -

    -
  • -
  • -

    - The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] -

    -
  • -
  • -

    - Two new metrics have been added to the - statistics-channel to report DNSSEC - signing operations. For each key in each zone, the - dnssec-sign counter indicates the total - number of signatures named has generated - using that key since server startup, and the - dnssec-refresh counter indicates how - many of those signatures were refreshed during zone - maintenance, as opposed to having been generated - as a result of a zone update. [GL #513] -

    -
  • -
  • -

    +Notes for BIND 9.15.5

+ +
+

+Security Fixes

+
    +
  • +

    + named could crash with an assertion failure + if a forwarder returned a referral, rather than resolving the + query, when QNAME minimization was enabled. This flaw is + disclosed in CVE-2019-6476. [GL #1051] +

    +
  • +
  • +

    + A flaw in DNSSEC verification when transferring mirror zones + could allow data to be incorrectly marked valid. This flaw + is disclosed in CVE-2019-6475. [GL #1252] +

    +
  • +
+
+ + +
+

+Notes for BIND 9.15.4

+ +
+

+New Features

+
    +
  • +

    + Added a new command line option to dig: + +[no]unexpected. By default, dig + won't accept a reply from a source other than the one to which + it sent the query. Add the +unexpected argument + to enable it to process replies from unexpected sources. +

    +
  • +
  • +

    + dig, mdig and + delv can all now take a +yaml + option to print output in a a detailed YAML format. [RT #1145] +

    +
  • +
+
+ +
+

+Bug Fixes

+
  • +

    + When a response-policy zone expires, ensure + that its policies are removed from the RPZ summary database. + [GL #1146] +

    +
+
+ +
+
+

+Notes for BIND 9.15.3

+ +
+

+New Features

+
  • +

    Statistics channel groups are now toggleable. [GL #1030] -

    -
  • -
  • -

    - dig, mdig and - delv can all now take a +yaml - option to print output in a a detailed YAML format. [RT #1145] -

    -
  • +

    +
+
+ +
+

+Removed Features

+
  • +

    + DNSSEC Lookaside Validation (DLV) is now obsolete. + The dnssec-lookaside option has been + marked as deprecated; when used in named.conf, + it will generate a warning but will otherwise be ignored. + All code enabling the use of lookaside validation has been removed + from the validator, delv, and the DNSSEC tools. + [GL #7] +

    +
+
+ +
+

+Feature Changes

+
    +
  • +

    + A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This change doesn't have any operational impact + in most common scenarios. [GL #605] +

    +

    + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +

    +
  • +
  • +

    + The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. +

    +
  • +
  • +

    + DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +

    +
  • +
+
+ +
+

+Bug Fixes

+
    +
  • +

    + Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +

    +
  • +
  • +

    + Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +

    +
  • +
  • +

    + named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +

    +
  • +
  • +

    + named-checkconf now correctly reports a missing + dnstap-output option when + dnstap is set. [GL #1136] +

    +
  • +
  • +

    + Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +

    +
  • +
  • +

    + dig now correctly expands the IPv6 address + when run with +expandaaaa +short. [GL #1152] +

    +
+
+

-Removed Features

-
    -
  • -

    - The dnssec-enable option has been obsoleted and - no longer has any effect. DNSSEC responses are always enabled - if signatures and other DNSSEC data are present. [GL #866] -

    -
  • -
  • -

    - The cleaning-interval option has been - removed. [GL !1731] -

    -
  • -
  • -

    - DNSSEC Lookaside Validation (DLV) is now obsolete. - The dnssec-lookaside option has been - marked as deprecated; when used in named.conf, - it will generate a warning but will otherwise be ignored. - All code enabling the use of lookaside validation has been removed - from the validator, delv, and the DNSSEC tools. - [GL #7] -

    -
  • +Notes for BIND 9.15.2
+ +
+

+New Features

+
    +
  • +

    + The GeoIP2 API from MaxMind is now supported. Geolocation support + will be compiled in by default if the libmaxminddb + library is found at compile time, but can be turned off by using + configure --disable-geoip. +

    +

    + The default path to the GeoIP2 databases will be set based + on the location of the libmaxminddb library; + for example, if it is in /usr/local/lib, + then the default path will be + /usr/local/share/GeoIP. + This value can be overridden in named.conf + using the geoip-directory option. +

    +

    + Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of these databases support both IPv4 + and IPv6 lookups. [GL #182] [GL #1112] +

    +
  • +
  • +

    + Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +

    +
  • +
+
+ +
+

+Bug Fixes

+
    +
  • +

    + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +

    +
  • +
  • +

    + ./configure no longer sets + --sysconfdir to /etc or + --localstatedir to /var + when --prefix is not specified and the + aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of $prefix/etc and + $prefix/var are respected. +

    +
  • +
  • +

    + Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +

    +
+
+

-Feature Changes

-
    -
  • -

    - named will now log a warning if - a static key is configured for the root zone. [GL #6] -

    -
  • -
  • -

    - When static and managed DNSSEC keys were both configured for the - same name, or when a static key was used to - configure a trust anchor for the root zone and - dnssec-validation was set to the default - value of auto, automatic RFC 5011 key - rollovers would be disabled. This combination of settings was - never intended to work, but there was no check for it in the - parser. This has been corrected, and it is now a fatal - configuration error. [GL #868] -

    -
  • -
  • -

    - DS and CDS records are now generated with SHA-256 digests - only, instead of both SHA-1 and SHA-256. This affects the - default output of dnssec-dsfromkey, the - dsset files generated by - dnssec-signzone, the DS records added to - a zone by dnssec-signzone based on - keyset files, the CDS records added to - a zone by named and - dnssec-signzone based on "sync" timing - parameters in key files, and the checks performed by - dnssec-checkds. -

    -
  • -
  • -

    - JSON-C is now the only supported library for enabling JSON - support for BIND statistics. The configure - option has been renamed from --with-libjson - to --with-json-c. Use - PKG_CONFIG_PATH to specify a custom path to - the json-c library as the new - configure option does not take the library - installation path as an optional argument. -

    -
  • -
  • -

    - A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and - made default. Old non-default HMAC-SHA based DNS Cookie algorithms - have been removed, and only the default AES algorithm is being kept - for legacy reasons. This change doesn't have any operational impact - in most common scenarios. [GL #605] -

    -

    - If you are running multiple DNS Servers (different versions of BIND 9 - or DNS server from multiple vendors) responding from the same IP - address (anycast or load-balancing scenarios), you'll have to make - sure that all the servers are configured with the same DNS Cookie - algorithm and same Server Secret for the best performance. -

    -
  • -
  • -

    - The information from the dnssec-signzone and - dnssec-verify commands is now printed to standard - output. The standard error output is only used to print warnings and - errors, and in case the user requests the signed zone to be printed to - standard output with -f - option. A new - configuration option -q has been added to silence - all output on standard output except for the name of the signed zone. -

    -
  • -
  • -

    - DS records included in DNS referral messages can now be validated - and cached immediately, reducing the number of queries needed for - a DNSSEC validation. [GL #964] -

    -
  • +Notes for BIND 9.15.1
+ +
+

+Security Fixes

+
  • +

    + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942] +

    +
+
+ +
+

+New Features

+
  • +

    + In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. +

    +

    + When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. +

    +

    + When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] +

    +
+
+ +
+

+Removed Features

+
  • +

    + The cleaning-interval option has been + removed. [GL !1731] +

    +
+
+ +
+

+Feature Changes

+
    +
  • +

    + named will now log a warning if + a static key is configured for the root zone. [GL #6] +

    +
  • +
  • +

    + JSON-C is now the only supported library for enabling JSON + support for BIND statistics. The configure + option has been renamed from --with-libjson + to --with-json-c. Use + PKG_CONFIG_PATH to specify a custom path to + the json-c library as the new + configure option does not take the library + installation path as an optional argument. +

    +
+
+

-Bug Fixes

-
    -
  • -

    - The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] -

    -
  • -
  • -

    - When qname-minimization was set to - relaxed, some improperly configured domains - would fail to resolve, but would have succeeded when minimization - was disabled. named will now fall back to normal - resolution in such cases, and also uses type A rather than NS for - minimal queries in order to reduce the likelihood of encountering - the problem. [GL #1055] -

    -
  • -
  • -

    - ./configure no longer sets - --sysconfdir to /etc or - --localstatedir to /var - when --prefix is not specified and the - aforementioned options are not specified explicitly. Instead, - Autoconf's defaults of $prefix/etc and - $prefix/var are respected. -

    -
  • -
  • -

    - Glue address records were not being returned in responses - to root priming queries; this has been corrected. [GL #1092] -

    -
  • -
  • -

    - Interaction between DNS64 and RPZ No Data rule (CNAME *.) could - cause unexpected results; this has been fixed. [GL #1106] -

    -
  • -
  • -

    - named-checkconf now checks DNS64 prefixes - to ensure bits 64-71 are zero. [GL #1159] -

    -
  • -
  • -

    - named-checkconf now correctly reports a missing - dnstap-output option when - dnstap is set. [GL #1136] -

    -
  • -
  • -

    - Handle ETIMEDOUT error on connect() with a non-blocking - socket. [GL #1133] -

    -
  • -
  • -

    - Cache database statistics counters could report invalid values - when stale answers were enabled, because of a bug in counter - maintenance when cache data becomes stale. The statistics counters - have been corrected to report the number of RRsets for each - RR type that are active, stale but still potentially served, - or stale and marked for deletion. [GL #602] -

    -
  • -
  • -

    - dig now correctly expands the IPv6 address - when run with +expandaaaa +short. [GL #1152] -

    -
  • -
  • -

    - When a response-policy zone expires, ensure - that its policies are removed from the RPZ summary database. - [GL #1146] -

    -
  • +Notes for BIND 9.15.0
+ +
+

+Security Fixes

+
    +
  • +

    + In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880] +

    +
  • +
  • +

    + The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] +

    +
  • +
+
+ +
+

+New Features

+
  • +

    + The new add-soa option specifies whether + or not the response-policy zone's SOA record + should be included in the additional section of RPZ responses. + [GL #865] +

    +
+
+ +
+

+Removed Features

+
  • +

    + The dnssec-enable option has been obsoleted and + no longer has any effect. DNSSEC responses are always enabled + if signatures and other DNSSEC data are present. [GL #866] +

    +
+
+ +
+

+Feature Changes

+
    +
  • +

    + When static and managed DNSSEC keys were both configured for the + same name, or when a static key was used to + configure a trust anchor for the root zone and + dnssec-validation was set to the default + value of auto, automatic RFC 5011 key + rollovers would be disabled. This combination of settings was + never intended to work, but there was no check for it in the + parser. This has been corrected, and it is now a fatal + configuration error. [GL #868] +

    +
  • +
  • +

    + DS and CDS records are now generated with SHA-256 digests + only, instead of both SHA-1 and SHA-256. This affects the + default output of dnssec-dsfromkey, the + dsset files generated by + dnssec-signzone, the DS records added to + a zone by dnssec-signzone based on + keyset files, the CDS records added to + a zone by named and + dnssec-signzone based on "sync" timing + parameters in key files, and the checks performed by + dnssec-checkds. +

    +
+
+ +
+

+Bug Fixes

+
  • +

    + The allow-update and + allow-update-forwarding options were + inadvertently treated as configuration errors when used at the + options or view level. + This has now been corrected. + [GL #913] +

    +
+
+ +

License
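Review bot: the added 9.15.6 Security Fixes entry for CVE-2019-6477 has a stray backtick ("This flaw`is disclosed"); it should read "This flaw is disclosed". Three further wording slips in the added release-note text: in the 9.15.6 Feature Changes, "will be enable by default in the future releases" should be "will be enabled by default in future releases"; in the 9.15.6 New Features, "allows the configuration key and signing policy (KASP) for zones" is missing a word and should be "allows the configuration of a key and signing policy (KASP) for zones"; and the +yaml entry moved into the 9.15.4 section still carries the doubled article "in a a detailed YAML format". Since the CVE-2019-6477 entry only says that a limit on simultaneous requests per connection is now enforced, consider naming the limit (or the option that tunes it) so operators can verify it on their servers.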

@@ -511,7 +710,7 @@ For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See - https://www.isc.org/downloads/software-support-policy/ + https://kb.isc.org/docs/aa-00896 for details of ISC's software support policy.

@@ -522,7 +721,7 @@ Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at - http://www.isc.org/donate/. + https://www.isc.org/donate/.

@@ -545,6 +744,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 251aae8d6fd..a3eb5fbe941 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 392fc0ac866..b99f9b41056 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index d8fbfe3a295..fa313f9df2e 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -176,7 +176,8 @@ $ make named.conf, except that all managed-keys entries will be treated as if they were configured with the static-key - keyword, even if they are configured with initial-key. + or static-ds keywords, even if they are configured + with initial-key or iniital-ds. (See the section called “managed-keys Statement Grammar” for syntax details.)

@@ -537,6 +538,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index a48773dc954..00867fe2743 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 44dbe57b0fd..0a511638872 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.15.5

+

BIND Version 9.15.6


@@ -109,18 +109,18 @@
DNSSEC, Dynamic Zones, and Automatic Signing
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
@@ -195,6 +195,9 @@
dnssec-keys Statement Grammar
dnssec-keys Statement Definition and Usage
+
dnssec-policy Statement Grammar
+
dnssec-policy Statement Definition + and Usage
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
@@ -245,17 +248,19 @@
A. Release Notes
-
Release Notes for BIND Version 9.15.5
+
Release Notes for BIND Version 9.15.6
Introduction
Note on Version Numbering
Supported Platforms
Download
-
Security Fixes
-
New Features
-
Removed Features
-
Feature Changes
-
Bug Fixes
+
Notes for BIND 9.15.6
+
Notes for BIND 9.15.5
+
Notes for BIND 9.15.4
+
Notes for BIND 9.15.3
+
Notes for BIND 9.15.2
+
Notes for BIND 9.15.1
+
Notes for BIND 9.15.0
License
End of Life
Thank You
@@ -443,6 +448,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index d713cc2da85..af7bbf175f5 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index b338b4c0278..5519e36137a 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 1566d0a24d4..7a3ce8d33ad 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 14bb9db815d..c282c413160 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -621,6 +621,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 7dd4d0853e8..f244b24c481 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 13576db90d1..6fb7a96c7b9 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 7b918884077..fdf37a853b0 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -156,6 +156,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 718c2c6bd59..f22748ac177 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 183cc725918..3cb1b5ba200 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -341,6 +341,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index a1651b4a428..9d8c3125f92 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 4071867a8ed..9ba381b7b5a 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 88124727e8a..48737e16122 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -59,6 +59,7 @@ [-c class] [-D date/offset] [-D sync date/offset] + [-d bits] [-E engine] [-f flag] [-G] @@ -67,8 +68,9 @@ [-I date/offset] [-i interval] [-K directory] - [-k] + [-k policy] [-L ttl] + [-l file] [-n nametype] [-P date/offset] [-P sync date/offset] @@ -77,6 +79,7 @@ [-R date/offset] [-S key] [-s strength] + [-T rrtype] [-t type] [-V] [-v level] @@ -186,6 +189,15 @@ the specified class. If not specified, class IN is used.

+
-d bits
+
+

+ Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, + RSASHA256 and RSASHA512 the key size must be in range 1024-4096. + DH size is between 128 and 4096. This option is ignored for + algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448. +

+
-E engine
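Review bot: typo in the added -d description: "NSEC3RSASA1" should be "NSEC3RSASHA1". The entry gives the accepted ranges for the RSA algorithms and for DH but does not say what key size is used when -d is omitted for those algorithms (or whether -d is then required); add the default so the reader can tell whether omitting it is safe.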

@@ -236,6 +248,21 @@ Sets the directory in which the key files are to be written.

+
-k policy
+
+

+ Create keys for a specific dnssec-policy. If a policy uses + multiple keys, dnssec-keygen will generate + multiple keys. This will also create a ".state" file to keep + track of the key state. +

+

+ This option creates keys according to the dnssec-policy + configuration, hence it cannot be used together with many of + the other options that dnssec-keygen + provides. +

+
-L ttl
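Review bot: the synopsis hunk above changes "[-k]" to "[-k policy]", turning a bare flag into an option that takes an argument, so any script still passing the old bare -k will now have its next argument consumed as a policy name; call this out as a compatibility change in the option text or in the release notes. In the -k policy description, "cannot be used together with many of the other options" is too vague for a man page: list the options that are rejected when combined with -k, or say that dnssec-keygen exits with an error when they are given together. Also say where the ".state" file is written (presumably alongside the key files, honouring -K) and how it is named, since the reader cannot otherwise locate it.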

@@ -249,6 +276,13 @@ or none is the same as leaving it unset.

+
-l file
+
+

+ Provide a configuration file that contains a dnssec-policy + statement (matching the policy set with -k). +

+
-n nametype
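Review bot: the -l description does not say what happens when -k is given without -l (is a default configuration file such as named.conf read, or is -l required?), nor what dnssec-keygen does when the file contains no dnssec-policy statement matching the name given with -k; state both, since the -k entry above depends on this file for the whole key set it generates.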

@@ -555,6 +589,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 391ef72af0f..2192952465c 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 8174fd8903e..38836fafb58 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 66979faeeac..caef6c99812 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -67,6 +67,12 @@ [-V] [-v level] [-E engine] + [-s] + [-g state] + [-d state date/offset] + [-k state date/offset] + [-r state date/offset] + [-z state date/offset] {keyfile}

@@ -92,11 +98,30 @@ When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated. +

+

Metadata fields are stored in the private file. A human-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).

+

+ When working with state files, it is possible to update the timing + metadata in those files as well with -s. If this + option is used you can also update key states with -d + (DS), -k (DNSKEY), -r (RRSIG of KSK), + or -z (RRSIG of ZSK). Allowed states are HIDDEN, + RUMOURED, OMNIPRESENT, and UNRETENTIVE. +

+

+ You can also set the goal state of the key with -g. + This should be either HIDDEN or OMNIPRESENT (representing whether the + key should be removed from the zone, or published). +

+

+ It is NOT RECOMMENDED to manipulate state files manually except for + testing purposes. +
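Review bot: the added paragraph says the -d/-k/-r/-z state options are available "if this option [-s] is used", but it does not say whether they are ignored or rejected when -s is absent, and the KEY STATE OPTIONS entries added later in this patch do not mention -s at all; state the dependency explicitly in one place (for example, that -d/-k/-r/-z require, or imply, -s). The sentence listing them could also note that each takes a state and a date/offset, as the synopsis hunk above shows, rather than only listing the permitted state names.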

@@ -280,7 +305,57 @@
-

PRINTING OPTIONS

+

KEY STATE OPTIONS

+ +

+ Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE. + These should not be set manually except for testing purposes. +

+ +
+
-s
+
+

+ When setting key timing data, also update the state file. +

+
+
-g
+
+

+ Set the goal state for this key. Must be HIDDEN or OMNIPRESENT. +

+
+
-d
+
+

+ Set the DS state for this key, and when it was last changed. +

+
+
-k
+
+

+ Set the DNSKEY state for this key, and when it was last changed. +

+
+
-r
+
+

+ Set the RRSIG (KSK) state for this key, and when it was last + changed. +

+
+
-z
+
+

+ Set the RRSIG (ZSK) state for this key, and when it was last + changed. +

+
+
+
+ +
+

PRINTING OPTIONS
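Review bot: the -g, -d, -k, -r and -z entries in KEY STATE OPTIONS omit their arguments, while the synopsis shows "-g state" and "-d state date/offset" (likewise for -k, -r and -z); the option names in the list should carry the same argument text, and the descriptions should say that the date/offset is the time the state was last changed and uses the same date/offset format as the timing options. The -s entry says "also update the state file", but nothing in this section says what the state file is or where it lives; a one-line pointer to the ".state" file that dnssec-keygen -k creates next to the key files (as described elsewhere in this patch) would help.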

dnssec-settime can also be used to print the @@ -316,7 +391,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8) @@ -349,6 +424,6 @@

-

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index baedb13a367..f19ba5640f1 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -707,6 +707,6 @@ db.example.com.signed -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 8cbd293f1bc..f27179a2545 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -214,6 +214,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index a8496e25b38..3f112ad45a7 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 62e7c6c37c7..b2b95d3c7db 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index c7d07101695..2a4a962a289 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 15af64a9a1d..b0d39dcc515 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -610,6 +610,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 6b1dbe4f47e..862d9868262 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -214,6 +214,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2b1dfc82fee..87566d92622 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 088a9fbda24..58bfe42a0d8 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 977b700f29c..179e23bedeb 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 0abbbc6d6ff..3d8af355736 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 1269c37303c..01fdefd45a0 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -113,7 +113,8 @@ dlz

DNSSEC-KEYS


dnssec-keys { string ( static-key |
-    initial-key ) integer integer integer
+    initial-key | static-ds | initial-ds )
+    integer integer integer
    quoted_string; ... };
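Review bot: the grammar gives static-ds and initial-ds exactly the same shape as the key forms, "integer integer integer quoted_string", but the fields differ (a DS carries key tag, algorithm and digest type followed by the digest, while a DNSKEY carries flags, protocol and algorithm followed by the public key), and nothing in this hunk, nor in the deprecated managed-keys grammar that receives the same change below, says which interpretation goes with which keyword. Suggest a sentence after the grammar, or in the DNSSEC-KEYS description this entry points to, naming the three integers for each form, so that a trust anchor copied from an IANA DS announcement is not mis-read as a flags/protocol/algorithm triple.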

@@ -162,9 +163,9 @@ logging

Deprecated - see DNSSEC-KEYS.


managed-keys { string ( static-key
-    | initial-key ) integer
-    integer integer
-    quoted_string; ... }; deprecated
+    | initial-key | static-ds |
+    initial-ds ) integer integer
+    integer quoted_string; ... }; deprecated

@@ -214,7 +215,7 @@ options     [ dscp integer ] { ( masters | ipv4_address [ port
    integer ] | ipv6_address [ port integer ] ) [ key
    string ]; ... } ] [ zone-directory quoted_string ] [
-     in-memory boolean ] [ min-update-interval ttlval ]; ... };
+     in-memory boolean ] [ min-update-interval duration ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity boolean;
check-mx ( fail | warn | ignore );
@@ -296,18 +297,18 @@ options fstrm-set-output-notify-threshold integer;
fstrm-set-output-queue-model ( mpsc | spsc );
fstrm-set-output-queue-size integer;
- fstrm-set-reopen-interval ttlval;
+ fstrm-set-reopen-interval duration;
geoip-directory ( quoted_string | none );
glue-cache boolean;
heartbeat-interval integer;
hostname ( quoted_string | none );
inline-signing boolean;
- interface-interval ttlval;
+ interface-interval duration;
ixfr-from-differences ( primary | master | secondary | slave |
    boolean );
keep-response-order { address_match_element; ... };
key-directory quoted_string;
- lame-ttl ttlval;
+ lame-ttl duration;
listen-on [ port integer ] [ dscp
    integer ] {
    address_match_element; ... };
@@ -321,28 +322,28 @@ options masterfile-style ( full | relative );
match-mapped-addresses boolean;
max-cache-size ( default | unlimited | sizeval | percentage );
- max-cache-ttl ttlval;
+ max-cache-ttl duration;
max-clients-per-query integer;
max-journal-size ( default | unlimited | sizeval );
- max-ncache-ttl ttlval;
+ max-ncache-ttl duration;
max-records integer;
max-recursion-depth integer;
max-recursion-queries integer;
max-refresh-time integer;
max-retry-time integer;
max-rsa-exponent-size integer;
- max-stale-ttl ttlval;
+ max-stale-ttl duration;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-udp-size integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
memstatistics boolean;
memstatistics-file quoted_string;
message-compression boolean;
- min-cache-ttl ttlval;
- min-ncache-ttl ttlval;
+ min-cache-ttl duration;
+ min-ncache-ttl duration;
min-refresh-time integer;
min-retry-time integer;
minimal-any boolean;
@@ -359,8 +360,8 @@ options notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
    [ dscp integer ];
notify-to-soa boolean;
- nta-lifetime ttlval;
- nta-recheck ttlval;
+ nta-lifetime duration;
+ nta-recheck duration;
nxdomain-redirect string;
pid-file ( quoted_string | none );
port integer;
@@ -407,13 +408,13 @@ options response-padding { address_match_element; ... } block-size
    integer;
response-policy { zone string [ add-soa boolean ] [ log
-     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
-     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
+     boolean ] [ max-policy-ttl duration ] [ min-update-interval
+     duration ] [ policy ( cname | disabled | drop | given | no-op |
    nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
    recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ]; ... } [ add-soa boolean ] [
-     break-dnssec boolean ] [ max-policy-ttl ttlval ] [
-     min-update-interval ttlval ] [ min-ns-dots integer ] [
+     break-dnssec boolean ] [ max-policy-ttl duration ] [
+     min-update-interval duration ] [ min-ns-dots integer ] [
    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
    [ recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ] [ dnsrps-enable boolean ] [
@@ -427,7 +428,7 @@ options serial-query-rate integer;
serial-update-method ( date | increment | unixtime );
server-id ( quoted_string | none | hostname );
- servfail-ttl ttlval;
+ servfail-ttl duration;
session-keyalg string;
session-keyfile ( quoted_string | none );
session-keyname string;
@@ -438,7 +439,7 @@ options sortlist { address_match_element; ... };
stacksize ( default | unlimited | sizeval );
stale-answer-enable boolean;
- stale-answer-ttl ttlval;
+ stale-answer-ttl duration;
startup-notify-rate integer;
statistics-file quoted_string;
synth-from-dnssec boolean;
@@ -575,7 +576,7 @@ view     [ dscp integer ] { ( masters | ipv4_address [ port
    integer ] | ipv6_address [ port integer ] ) [ key
    string ]; ... } ] [ zone-directory quoted_string ] [
-     in-memory boolean ] [ min-update-interval ttlval ]; ... };
+     in-memory boolean ] [ min-update-interval duration ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity boolean;
check-mx ( fail | warn | ignore );
@@ -618,8 +619,9 @@ view dnssec-accept-expired boolean;
dnssec-dnskey-kskonly boolean;
dnssec-keys { string ( static-key |
-     initial-key ) integer integer
-     integer quoted_string; ... };
+     initial-key | static-ds | initial-ds
+     ) integer integer integer
+     quoted_string; ... };
dnssec-loadkeys-interval integer;
dnssec-must-be-secure string boolean;
dnssec-secure-to-insecure boolean;
@@ -653,10 +655,11 @@ view secret string;
};
key-directory quoted_string;
- lame-ttl ttlval;
+ lame-ttl duration;
lmdb-mapsize sizeval;
managed-keys { string (
    static-key | initial-key
+     | static-ds | initial-ds
    ) integer integer
    integer
    quoted_string; ... }; deprecated
@@ -666,25 +669,25 @@ view match-destinations { address_match_element; ... };
match-recursive-only boolean;
max-cache-size ( default | unlimited | sizeval | percentage );
- max-cache-ttl ttlval;
+ max-cache-ttl duration;
max-clients-per-query integer;
max-journal-size ( default | unlimited | sizeval );
- max-ncache-ttl ttlval;
+ max-ncache-ttl duration;
max-records integer;
max-recursion-depth integer;
max-recursion-queries integer;
max-refresh-time integer;
max-retry-time integer;
- max-stale-ttl ttlval;
+ max-stale-ttl duration;
max-transfer-idle-in integer;
max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-udp-size integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
message-compression boolean;
- min-cache-ttl ttlval;
- min-ncache-ttl ttlval;
+ min-cache-ttl duration;
+ min-ncache-ttl duration;
min-refresh-time integer;
min-retry-time integer;
minimal-any boolean;
@@ -700,8 +703,8 @@ view notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
    [ dscp integer ];
notify-to-soa boolean;
- nta-lifetime ttlval;
- nta-recheck ttlval;
+ nta-lifetime duration;
+ nta-recheck duration;
nxdomain-redirect string;
plugin ( query ) string [ {
    unspecified-text } ];
@@ -743,13 +746,13 @@ view response-padding { address_match_element; ... } block-size
    integer;
response-policy { zone string [ add-soa boolean ] [ log
-     boolean ] [ max-policy-ttl ttlval ] [ min-update-interval
-     ttlval ] [ policy ( cname | disabled | drop | given | no-op |
+     boolean ] [ max-policy-ttl duration ] [ min-update-interval
+     duration ] [ policy ( cname | disabled | drop | given | no-op |
    nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
    recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ]; ... } [ add-soa boolean ] [
-     break-dnssec boolean ] [ max-policy-ttl ttlval ] [
-     min-update-interval ttlval ] [ min-ns-dots integer ] [
+     break-dnssec boolean ] [ max-policy-ttl duration ] [
+     min-update-interval duration ] [ min-ns-dots integer ] [
    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
    [ recursive-only boolean ] [ nsip-enable boolean ] [
    nsdname-enable boolean ] [ dnsrps-enable boolean ] [
@@ -794,14 +797,14 @@ view     integer | * ) ] [ dscp integer ];
transfers integer;
};
- servfail-ttl ttlval;
+ servfail-ttl duration;
sig-signing-nodes integer;
sig-signing-signatures integer;
sig-signing-type integer;
sig-validity-interval integer [ integer ];
sortlist { address_match_element; ... };
stale-answer-enable boolean;
- stale-answer-ttl ttlval;
+ stale-answer-ttl duration;
synth-from-dnssec boolean;
transfer-format ( many-answers | one-answer );
transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
@@ -853,6 +856,7 @@ view dnskey-sig-validity integer;
dnssec-dnskey-kskonly boolean;
dnssec-loadkeys-interval integer;
+ dnssec-policy string;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
file quoted_string;
@@ -878,7 +882,7 @@ view max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
min-refresh-time integer;
min-retry-time integer;
multi-master boolean;
@@ -955,6 +959,7 @@ zone dnskey-sig-validity integer;
dnssec-dnskey-kskonly boolean;
dnssec-loadkeys-interval integer;
+ dnssec-policy string;
dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
file quoted_string;
@@ -979,7 +984,7 @@ zone max-transfer-idle-out integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
- max-zone-ttl ( unlimited | ttlval );
+ max-zone-ttl ( unlimited | duration );
min-refresh-time integer;
min-retry-time integer;
multi-master boolean;
@@ -1021,14 +1026,35 @@ zone
-

FILES

+

DNSSEC-POLICY

+ +


+dnssec-policy string {
+ dnskey-ttl ttlval;
+ keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
+ parent-ds-ttl duration;
+ parent-propagation-delay duration;
+ parent-registration-delay duration;
+ publish-safety duration;
+ retire-safety duration;
+ signatures-refresh duration;
+ signatures-validity duration;
+ signatures-validity-dnskey duration;
+ zone-max-ttl duration;
+ zone-propagation-delay duration;
+};
+

+
+ +
+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

ddns-confgen(8) @@ -1069,6 +1095,6 @@ zone

-

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)
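Review bot: in the DNSSEC-POLICY hunk of this file, dnskey-ttl is declared as "ttlval" while every other time-valued option in this patch, including the rest of that block, is rendered as "duration"; the corresponding dnskey-ttl line in doc/misc/options is rewritten further down in this same commit, so this HTML grammar looks like it was generated from an older source. The keys clause also reads "key-directory lifetime duration" here but "( key-directory )" with parentheses in doc/misc/options and options.active. Suggest regenerating man.named.conf.html from the same grammar source as the doc/misc files before tagging, so the three renderings agree.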

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index c2ff92224d0..ba891658bea 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index dc35fe16860..cb55a7ca50c 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index ebe13859dbd..72fffc2468d 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 6c7ae79b8bd..8b7cf8f348f 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 4fa7f31d18f..3ad081cc08a 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index 53b984aa314..f2c02960717 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 2a93a18b886..0dfe6abb74e 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 115f7270da7..3669753d23c 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 448ba701321..37f663ed3e7 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 563ffc87a0c..d9166b6a7fc 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 5f3fc68fe08..59ef50a938e 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -382,7 +382,8 @@ allowed to incrementally re-sign over time.

- This command requires that the + This command requires that the zone is configured with a + dnssec-policy, or that the auto-dnssec zone option be set to maintain, and also requires the zone to be configured to @@ -737,7 +738,8 @@ re-signed with the new key set.

- This command requires that the + This command requires that the zone is configured with a + dnssec-policy, or that the auto-dnssec zone option be set to allow or maintain, @@ -930,6 +932,8 @@

Enable, disable, or check the current status of DNSSEC validation. By default, validation is enabled. + The cache is flushed when validation is turned on or off + to avoid using data that might differ between states.

zonestatus zone [class [view]]
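Review bot: both of the new sentences in the loadkeys and sign entries mix moods: "requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set to maintain". Use the subjunctive in both halves ("requires that the zone be configured with a dnssec-policy, or that the auto-dnssec zone option be set to ..."). In the validation entry, the added cache-flush sentence is the right thing to document, but it would help operators to say the consequence outright: toggling validation on a busy resolver empties the cache, so expect a burst of upstream queries and slower answers until it refills.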
@@ -1017,6 +1021,6 @@ -

BIND 9.15.5 (Development Release)

+

BIND 9.15.6 (Development Release)

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 6f90126c7d3..456e64b1ebd 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.15.5

+Release Notes for BIND Version 9.15.6

@@ -114,19 +114,61 @@ policy used by dnssec-keymgr.) [GL #1134]

+
  • +

    + Two new keywords have been added to the + dnssec-keys statement: + initial-ds and static-ds. + These allow the use of trust anchors in DS format instead of + DNSKEY format. DS format allows trust anchors to be configured + for keys that have not yet been published; this is the format + used by IANA when announcing future root keys. +

    +

    + As with the initial-key and + static-key keywords, initial-ds + configures a dynamic trust anchor to be maintained via RFC 5011, and + static-ds configures a permanent trust anchor. +

    +

    + (Note: Currently, DNSKEY-format and DS-format trust anchors + cannot both be used for the same domain name.) [GL #6] [GL #622] +

    +
  • Feature Changes

    -
    • +
        +
      • NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default because it was found to have a significant performance impact on the recursive service. The NSEC Aggressive Cache will be enable by default in the future releases. [GL #1265]

        +
      • +
      • +

        + The DNSSEC validation code has been refactored for clarity and to + reduce code duplication. [GL #622] +

        +
      • +
      +
    + +
    +

    +Security Fixes

    +
    • +

      + Too many simultaneous pipelined TCP queries could cause + resource overuse. We now prevent this by enforcing a limit + on the number of simultaneous requests per active connection. + This flaw`is disclosed in CVE-2019-6477. [GL #1264] +
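Review bot: the CVE-2019-6477 entry contains a stray backtick, "This flaw`is disclosed", and the same typo is reproduced in doc/arm/notes.txt later in this commit; fix it in the DocBook source so that both the HTML and the text rendering regenerate cleanly rather than patching the two outputs separately. While in this region, the unchanged context line "will be enable by default in the future releases" in the synth-from-dnssec note should read "will be enabled by default in future releases".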

    diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index c94930c039e..29d78a170bf 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 195add133c8..4c61f7ee63e 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.15.5 +Release Notes for BIND Version 9.15.6 Introduction @@ -64,6 +64,19 @@ New Features that the syntax for this statement differs from the DNSSEC policy used by dnssec-keymgr.) [GL #1134] + * Two new keywords have been added to the dnssec-keys statement: + initial-ds and static-ds. These allow the use of trust anchors in DS + format instead of DNSKEY format. DS format allows trust anchors to be + configured for keys that have not yet been published; this is the + format used by IANA when announcing future root keys. + + As with the initial-key and static-key keywords, initial-ds configures + a dynamic trust anchor to be maintained via RFC 5011, and static-ds + configures a permanent trust anchor. + + (Note: Currently, DNSKEY-format and DS-format trust anchors cannot + both be used for the same domain name.) [GL #6] [GL #622] + Feature Changes * NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default @@ -71,6 +84,16 @@ Feature Changes recursive service. The NSEC Aggressive Cache will be enable by default in the future releases. [GL #1265] + * The DNSSEC validation code has been refactored for clarity and to + reduce code duplication. [GL #622] + +Security Fixes + + * Too many simultaneous pipelined TCP queries could cause resource + overuse. We now prevent this by enforcing a limit on the number of + simultaneous requests per active connection. This flaw`is disclosed in + CVE-2019-6477. [GL #1264] + Notes for BIND 9.15.5 Security Fixes diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt index 694d84eb69f..335306f210f 100644 --- a/doc/misc/master.zoneopt +++ b/doc/misc/master.zoneopt 
@@ -39,7 +39,7 @@ zone [ ] { max-records ; max-transfer-idle-out ; max-transfer-time-out ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); notify ( explicit | master-only | ); notify-delay ; notify-source ( | * ) [ port ( | * ) ] [ dscp ]; diff --git a/doc/misc/options b/doc/misc/options index 38881ac0c9d..e5f44ea0359 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -27,19 +27,19 @@ dnssec-keys { ( static-key | ; ... }; // may occur multiple times dnssec-policy { - dnskey-ttl ; - keys { ( csk | ksk | zsk ) key-directory lifetime algorithm - [ ]; ... }; - parent-ds-ttl ; - parent-propagation-delay ; - parent-registration-delay ; + dnskey-ttl ; + keys { ( csk | ksk | zsk ) ( key-directory ) lifetime + algorithm [ ]; ... }; + parent-ds-ttl ; + parent-propagation-delay ; + parent-registration-delay ; publish-safety ; retire-safety ; signatures-refresh ; signatures-validity ; signatures-validity-dnskey ; zone-max-ttl ; - zone-propagation-delay ; + zone-propagation-delay ; }; // may occur multiple times dyndb { @@ -116,7 +116,7 @@ options { [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... } ] [ zone-directory ] [ - in-memory ] [ min-update-interval ]; ... }; + in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); @@ -167,6 +167,7 @@ options { trust-anchor | auto | no ); // obsolete, may occur multiple times dnssec-must-be-secure ; // may occur multiple times + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); 
@@ -209,8 +210,8 @@ options { fstrm-set-output-notify-threshold ; // not configured fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured - fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + fstrm-set-reopen-interval ; // not configured + geoip-directory ( | none ); // not configured geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // ancient @@ -219,19 +220,19 @@ options { host-statistics-max ; // ancient hostname ( | none ); inline-signing ; - interface-interval ; + interface-interval ; ixfr-from-differences ( primary | master | secondary | slave | ); keep-response-order { ; ... }; key-directory ; - lame-ttl ; + lame-ttl ; listen-on [ port ] [ dscp ] { ; ... }; // may occur multiple times listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); maintain-ixfr-base ; // ancient managed-keys-directory ; @@ -240,29 +241,29 @@ options { match-mapped-addresses ; max-acache-size ( unlimited | ); // obsolete max-cache-size ( default | unlimited | | ); - max-cache-ttl ; + max-cache-ttl ; max-clients-per-query ; max-ixfr-log-size ( default | unlimited | ); // ancient max-journal-size ( default | unlimited | ); - max-ncache-ttl ; + max-ncache-ttl ; max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; max-retry-time ; max-rsa-exponent-size ; - max-stale-ttl ; + max-stale-ttl ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; max-udp-size ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); memstatistics ; memstatistics-file ; message-compression ; - min-cache-ttl ; - min-ncache-ttl ; + min-cache-ttl ; + min-ncache-ttl ; min-refresh-time ; min-retry-time ; min-roots ; // ancient 
@@ -284,8 +285,8 @@ options { [ dscp ]; notify-to-soa ; nsec3-test-zone ; // test only - nta-lifetime ; - nta-recheck ; + nta-lifetime ; + nta-recheck ; nxdomain-redirect ; pid-file ( | none ); port ; @@ -335,13 +336,13 @@ options { response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log - ] [ max-policy-ttl ] [ min-update-interval - ] [ policy ( cname | disabled | drop | given | no-op | - nodata | nxdomain | passthru | tcp-only ) ] [ + ] [ max-policy-ttl ] [ min-update-interval + ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... } [ add-soa ] [ - break-dnssec ] [ max-policy-ttl ] [ - min-update-interval ] [ min-ns-dots ] [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ @@ -357,7 +358,7 @@ options { serial-query-rate ; serial-update-method ( date | increment | unixtime ); server-id ( | none | hostname ); - servfail-ttl ; + servfail-ttl ; session-keyalg ; session-keyfile ( | none ); session-keyname ; @@ -369,7 +370,7 @@ options { sortlist { ; ... }; stacksize ( default | unlimited | ); stale-answer-enable ; - stale-answer-ttl ; + stale-answer-ttl ; startup-notify-rate ; statistics-file ; statistics-interval ; // ancient @@ -494,7 +495,7 @@ view [ ] { [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... } ] [ zone-directory ] [ - in-memory ] [ min-update-interval ]; ... }; + in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); @@ -547,6 +548,7 @@ view [ ] { trust-anchor | auto | no ); // obsolete, may occur multiple times dnssec-must-be-secure ; // may occur multiple times + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); 
@@ -582,8 +584,8 @@ view [ ] { secret ; }; // may occur multiple times key-directory ; - lame-ttl ; - lmdb-mapsize ; + lame-ttl ; + lmdb-mapsize ; // non-operational maintain-ixfr-base ; // ancient managed-keys { ( static-key | initial-key @@ -598,26 +600,26 @@ view [ ] { match-recursive-only ; max-acache-size ( unlimited | ); // obsolete max-cache-size ( default | unlimited | | ); - max-cache-ttl ; + max-cache-ttl ; max-clients-per-query ; max-ixfr-log-size ( default | unlimited | ); // ancient max-journal-size ( default | unlimited | ); - max-ncache-ttl ; + max-ncache-ttl ; max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; max-retry-time ; - max-stale-ttl ; + max-stale-ttl ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; max-udp-size ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); message-compression ; - min-cache-ttl ; - min-ncache-ttl ; + min-cache-ttl ; + min-ncache-ttl ; min-refresh-time ; min-retry-time ; min-roots ; // ancient @@ -636,8 +638,8 @@ view [ ] { [ dscp ]; notify-to-soa ; nsec3-test-zone ; // test only - nta-lifetime ; - nta-recheck ; + nta-lifetime ; + nta-recheck ; nxdomain-redirect ; plugin ( query ) [ { } ]; // may occur multiple times 
@@ -682,13 +684,13 @@ view [ ] { response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log - ] [ max-policy-ttl ] [ min-update-interval - ] [ policy ( cname | disabled | drop | given | no-op | - nodata | nxdomain | passthru | tcp-only ) ] [ + ] [ max-policy-ttl ] [ min-update-interval + ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... } [ add-soa ] [ - break-dnssec ] [ max-policy-ttl ] [ - min-update-interval ] [ min-ns-dots ] [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ @@ -736,14 +738,14 @@ view [ ] { | * ) ] [ dscp ]; transfers ; }; // may occur multiple times - servfail-ttl ; + servfail-ttl ; sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; sortlist { ; ... }; stale-answer-enable ; - stale-answer-ttl ; + stale-answer-ttl ; suppress-initial-notify ; // not yet implemented synth-from-dnssec ; topology { ; ... }; // ancient @@ -798,6 +800,7 @@ view [ ] { dnskey-sig-validity ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); file ; @@ -828,7 +831,7 @@ view [ ] { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); min-refresh-time ; min-retry-time ; multi-master ; @@ -903,6 +906,7 @@ zone [ ] { dnskey-sig-validity ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); file ; 
@@ -931,7 +935,7 @@ zone [ ] { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); min-refresh-time ; min-retry-time ; multi-master ; diff --git a/doc/misc/options.active b/doc/misc/options.active index e4123c69c5b..0e687277398 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -26,6 +26,22 @@ dnssec-keys { ( static-key | ; ... }; // may occur multiple times +dnssec-policy { + dnskey-ttl ; + keys { ( csk | ksk | zsk ) ( key-directory ) lifetime + algorithm [ ]; ... }; + parent-ds-ttl ; + parent-propagation-delay ; + parent-registration-delay ; + publish-safety ; + retire-safety ; + signatures-refresh ; + signatures-validity ; + signatures-validity-dnskey ; + zone-max-ttl ; + zone-propagation-delay ; +}; // may occur multiple times + dyndb { }; // may occur multiple times @@ -93,7 +109,7 @@ options { [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... } ] [ zone-directory ] [ - in-memory ] [ min-update-interval ]; ... }; + in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); @@ -138,6 +154,7 @@ options { dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); 
@@ -175,53 +192,53 @@ options { fstrm-set-output-notify-threshold ; // not configured fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured - fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + fstrm-set-reopen-interval ; // not configured + geoip-directory ( | none ); // not configured glue-cache ; heartbeat-interval ; hostname ( | none ); inline-signing ; - interface-interval ; + interface-interval ; ixfr-from-differences ( primary | master | secondary | slave | ); keep-response-order { ; ... }; key-directory ; - lame-ttl ; + lame-ttl ; listen-on [ port ] [ dscp ] { ; ... }; // may occur multiple times listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); managed-keys-directory ; masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); match-mapped-addresses ; max-cache-size ( default | unlimited | | ); - max-cache-ttl ; + max-cache-ttl ; max-clients-per-query ; max-journal-size ( default | unlimited | ); - max-ncache-ttl ; + max-ncache-ttl ; max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; max-retry-time ; max-rsa-exponent-size ; - max-stale-ttl ; + max-stale-ttl ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; max-udp-size ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); memstatistics ; memstatistics-file ; message-compression ; - min-cache-ttl ; - min-ncache-ttl ; + min-cache-ttl ; + min-ncache-ttl ; min-refresh-time ; min-retry-time ; minimal-any ; @@ -238,8 +255,8 @@ options { notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; - nta-lifetime ; - nta-recheck ; + nta-lifetime ; + nta-recheck ; nxdomain-redirect ; pid-file ( | none ); port ; 
@@ -286,13 +303,13 @@ options { response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log - ] [ max-policy-ttl ] [ min-update-interval - ] [ policy ( cname | disabled | drop | given | no-op | - nodata | nxdomain | passthru | tcp-only ) ] [ + ] [ max-policy-ttl ] [ min-update-interval + ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... } [ add-soa ] [ - break-dnssec ] [ max-policy-ttl ] [ - min-update-interval ] [ min-ns-dots ] [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ @@ -306,7 +323,7 @@ options { serial-query-rate ; serial-update-method ( date | increment | unixtime ); server-id ( | none | hostname ); - servfail-ttl ; + servfail-ttl ; session-keyalg ; session-keyfile ( | none ); session-keyname ; @@ -317,7 +334,7 @@ options { sortlist { ; ... }; stacksize ( default | unlimited | ); stale-answer-enable ; - stale-answer-ttl ; + stale-answer-ttl ; startup-notify-rate ; statistics-file ; synth-from-dnssec ; @@ -428,7 +445,7 @@ view [ ] { [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... } ] [ zone-directory ] [ - in-memory ] [ min-update-interval ]; ... }; + in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); @@ -476,6 +493,7 @@ view [ ] { ; ... }; // may occur multiple times dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); 
@@ -507,8 +525,8 @@ view [ ] { secret ; }; // may occur multiple times key-directory ; - lame-ttl ; - lmdb-mapsize ; + lame-ttl ; + lmdb-mapsize ; // non-operational managed-keys { ( static-key | initial-key | static-ds | initial-ds @@ -521,25 +539,25 @@ view [ ] { match-destinations { ; ... }; match-recursive-only ; max-cache-size ( default | unlimited | | ); - max-cache-ttl ; + max-cache-ttl ; max-clients-per-query ; max-journal-size ( default | unlimited | ); - max-ncache-ttl ; + max-ncache-ttl ; max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; max-retry-time ; - max-stale-ttl ; + max-stale-ttl ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; max-udp-size ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); message-compression ; - min-cache-ttl ; - min-ncache-ttl ; + min-cache-ttl ; + min-ncache-ttl ; min-refresh-time ; min-retry-time ; minimal-any ; @@ -555,8 +573,8 @@ view [ ] { notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; - nta-lifetime ; - nta-recheck ; + nta-lifetime ; + nta-recheck ; nxdomain-redirect ; plugin ( query ) [ { } ]; // may occur multiple times @@ -598,13 +616,13 @@ view [ ] { response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log - ] [ max-policy-ttl ] [ min-update-interval - ] [ policy ( cname | disabled | drop | given | no-op | - nodata | nxdomain | passthru | tcp-only ) ] [ + ] [ max-policy-ttl ] [ min-update-interval + ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... } [ add-soa ] [ - break-dnssec ] [ max-policy-ttl ] [ - min-update-interval ] [ min-ns-dots ] [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ 
@@ -649,14 +667,14 @@ view [ ] { | * ) ] [ dscp ]; transfers ; }; // may occur multiple times - servfail-ttl ; + servfail-ttl ; sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; sortlist { ; ... }; stale-answer-enable ; - stale-answer-ttl ; + stale-answer-ttl ; synth-from-dnssec ; transfer-format ( many-answers | one-answer ); transfer-source ( | * ) [ port ( | * ) ] [ @@ -708,6 +726,7 @@ view [ ] { dnskey-sig-validity ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); file ; @@ -733,7 +752,7 @@ view [ ] { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); min-refresh-time ; min-retry-time ; multi-master ; @@ -805,6 +824,7 @@ zone [ ] { dnskey-sig-validity ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; + dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); file ; @@ -829,7 +849,7 @@ zone [ ] { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); min-refresh-time ; min-retry-time ; multi-master ; diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt index a127de9bbf8..2a755de9d84 100644 --- a/doc/misc/redirect.zoneopt +++ b/doc/misc/redirect.zoneopt @@ -8,6 +8,6 @@ zone [ ] { masterfile-style ( full | relative ); masters [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; max-records ; - max-zone-ttl ( unlimited | ); + max-zone-ttl ( unlimited | ); zone-statistics ( full | terse | none | ); }; diff --git a/lib/bind9/api b/lib/bind9/api index c72183594a2..c65b577dfa4 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -11,5 +11,5 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 LIBINTERFACE = 1501 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 
diff --git a/lib/dns/api b/lib/dns/api index faf692f58da..289644a9e50 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1504 +LIBINTERFACE = 1505 LIBREVISION = 0 -LIBAGE = 1 +LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index ceb49d16753..4a2e46bdbb8 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1503 +LIBINTERFACE = 1504 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index c65b577dfa4..effc9e71d2c 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1501 -LIBREVISION = 1 +LIBINTERFACE = 1502 +LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index c65b577dfa4..effc9e71d2c 100644 --- a/lib/ns/api +++ b/lib/ns/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1501 -LIBREVISION = 1 +LIBINTERFACE = 1502 +LIBREVISION = 0 LIBAGE = 0 diff --git a/version b/version index f125284d8a5..5ecff75a8da 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Development Release)" MAJORVER=9 MINORVER=15 -PATCHVER=5 +PATCHVER=6 RELEASETYPE= RELEASEVER= EXTENSIONS=
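Review bot: In the doc/misc/options, doc/misc/options.active, doc/misc/redirect.zoneopt and the view/zone hunks, every `-`/`+` pair for the TTL-style options (`max-zone-ttl ( unlimited | );`, `lame-ttl ;`, `max-cache-ttl ;`, `min-ncache-ttl ;`, `nta-lifetime ;`, `servfail-ttl ;`, `stale-answer-ttl ;`, the `min-update-interval ]` lines and the `max-policy-ttl` lines of `response-policy`) reads as an identical removed and re-added line in this rendering, which means the token that actually changed (the argument type, which sits inside angle brackets in these generated grammar files) was stripped when the page was rendered. The change itself cannot be reviewed from these hunks; please say in the commit message which argument type these options moved to, since "prep 9.15.6" does not explain a grammar change that touches every duration-valued option.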
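Review bot: In the doc/misc/options.active hunks, the regenerated file now carries `geoip-directory ( | none ); // not configured` and `lmdb-mapsize ; // non-operational` (in both `options` and `view`), annotations that only describe the optional-feature set of the build that produced the file, not the grammar. Regenerate options.active from a build with GeoIP and LMDB enabled (or document why these markers are expected), otherwise the committed reference flips annotations from release to release depending on the packager's configure flags.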
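Review bot: In the doc/misc/options.active hunk that adds the top-level `dnssec-policy { ... };` block and the `dnssec-policy ;` statement under `options`, `view` and `zone`, the new statement is placed consistently between `dnssec-must-be-secure` / `dnssec-loadkeys-interval` and `dnssec-secure-to-insecure`, which matches the alphabetical ordering of the surrounding lines; the `keys { ( csk | ksk | zsk ) ( key-directory ) lifetime algorithm [ ]; ... };` entry, however, is the one place where the hunk is unreadable here because its argument types were stripped with the angle brackets. Since this file is generated, confirm it was regenerated from the same tree rather than hand-edited, so the `keys` grammar shown matches what named actually parses.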
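Review bot: In the lib/dns/api hunk, `LIBINTERFACE` goes 1504 to 1505 while `LIBAGE` goes 1 to 0, which under the libtool current/revision/age convention declares the new libdns incompatible with interface 1504 (age 0 means no earlier interface is still supported). If the 9.15.6 libdns changes only add symbols, the age should be incremented (to 2) rather than reset; if an ABI break is intended, say so in the commit message. By contrast the lib/isc/api hunk (1503 to 1504, age unchanged at 0) and the lib/isccfg/api and lib/ns/api hunks (1501 to 1502 with `LIBREVISION` reset to 0) follow the convention for a new interface, and lib/bind9/api's `LIBREVISION` 0 to 1 is a plain revision bump, so only libdns needs confirming.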