\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
-By default, responses are validated using built\-in DNSSEC trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&. Records returned by
+By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
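Review bot: the DESCRIPTION paragraph above still says delv sends "queries for DNSKEY, DS and DLV records to establish a chain of trust", but this hunk removes dlv.isc.org from the default trust anchors, so DLV queries are now only issued when +dlv=NAME is supplied; reword to "queries for DNSKEY and DS records (and, when +dlv is in use, DLV records)" so the first paragraph does not contradict the new default described two lines later.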
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
-9 and contains trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&.
+9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
-Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
-\fB+dlv=NAME\fR
-or
+Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
-options\&.
+options\&. DNSSEC Lookaside Validation can also be turned on by using the
+\fB+dlv=NAME\fR
+to specify the name of a zone containing DLV records\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
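Review bot: two grammar slips in the new -a text: "using the +root=NAME options" should be singular now that only one option is listed, and "+dlv=NAME to specify the name of a zone" is missing the word "option" after the flag. Suggested wording: "An alternate key name can be specified using the +root=NAME option. DNSSEC Lookaside Validation can also be turned on by using the +dlv=NAME option to specify the name of a zone containing DLV records." The HTML copy of this page carries the same text and needs the same fix in the DocBook source.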
.PP
\fB+[no]dlv[=DLV]\fR
.RS 4
-Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The default is to perform lookaside validation using a trust anchor of "dlv\&.isc\&.org", for which there is a built\-in key\&. If specifying a different name, then
+Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
\fB\-a\fR
-must be used to specify a file containing the DLV key\&.
+option must also be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR
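Review bot: the rewritten +[no]dlv paragraph drops the old "default is to perform lookaside validation using a trust anchor of dlv.isc.org" sentence but does not say what the new default is, so a reader cannot tell whether lookaside validation is on or off when +dlv is absent, nor what a bare +dlv (no =DLV) does now that there is no built-in key. Add one sentence consistent with the -a text above, e.g. "By default, lookaside validation is not performed; it is enabled only when a DLV zone name is given with +dlv=NAME and its key is supplied with -a."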
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
- anchors for the root zone (".") and for the ISC DNSSEC lookaside
- validation zone ("dlv.isc.org"). Records returned by
+ anchor for the root zone ("."). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
- trust anchors for the root zone (".") and for the ISC
- DNSSEC lookaside validation zone ("dlv.isc.org").
+ one or more trust anchors for the root zone (".").
</p>
<p>
- Keys that do not match the root or DLV trust-anchor
- names are ignored; these key names can be overridden
- using the <code class="option">+dlv=NAME</code> or
- <code class="option">+root=NAME</code> options.
+ Keys that do not match the root zone name are ignored.
+ An alternate key name can be specified using the
+ <code class="option">+root=NAME</code> options. DNSSEC Lookaside
+ Validation can also be turned on by using the
+ <code class="option">+dlv=NAME</code> to specify the name of a
+ zone containing DLV records.
</p>
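Review bot: same wording fix as in the man page version of this paragraph: "the +root=NAME options" should read "option", and "the +dlv=NAME to specify" needs "option" inserted after the flag.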
<p>
Note: When reading the trust anchor file,
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
- The default is to perform lookaside validation using
- a trust anchor of "dlv.isc.org", for which there is a
- built-in key. If specifying a different name, then
- <code class="option">-a</code> must be used to specify a file
- containing the DLV key.
+ The <code class="option">-a</code> option must also be used to specify
+ a file containing the DLV key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
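Review bot: as in the man page hunk, the new +[no]dlv text no longer states a default; add a sentence saying that lookaside validation is off unless +dlv=NAME is given together with -a, so that the option's behaviour without an argument is documented.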
.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.ad l
'\" t
.\" Title: dnssec-cds
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2017-10-02
.\" Manual: BIND9
.\" Source: ISC
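Review bot: the Generator line goes backwards from DocBook XSL Stylesheets v1.79.1 to v1.78.1 (here and in every other man page and HTML file in this patch), and the ".\"" comment line above gains a trailing space. The files were regenerated with an older stylesheet than the committed copies, which is also what produces the ".HP 11" to ".HP \w'...'u" rewrites and the indentation-only churn in the dnssec-cds HTML below. Regenerate with the stylesheet version already used in the tree, or pin it in the build, so the patch carries only the intended text changes and the DLV removal is reviewable on its own.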
.SH "NAME"
dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
.SH "SYNOPSIS"
-.HP 11
+.HP \w'\fBdnssec\-cds\fR\ 'u
\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
.SH "DESCRIPTION"
.PP
file, or with the
\fB\-T\fR
option, or using the
-\fBnsupdate\fR
-\fBttl\fR
+\fBnsupdate\fR\fBttl\fR
command\&.
.RE
.PP
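Review bot: joining the two lines into "\fBnsupdate\fR\fBttl\fR" removes the whitespace between the words, and troff only inserts a space at a line break, so the rendered man page now reads "nsupdatettl command". Keep a space inside the markup, e.g. "\fBnsupdate\fR \fBttl\fR", matching the HTML version of the same paragraph, which keeps "nsupdate" and "ttl" as separate words.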
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
- -
+ -
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-cds</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
-<div class="refnamediv">
+
+
+
+
+
+ <div class="refnamediv">
<h2>Name</h2>
-<p><span class="application">dnssec-cds</span> — change DS records for a child zone based on CDS/CDNSKEY</p>
+<p>
+ <span class="application">dnssec-cds</span>
+ — change DS records for a child zone based on CDS/CDNSKEY
+ </p>
</div>
-<div class="refsynopsisdiv">
+
+
+
+ <div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-cds</code> [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D</code>] {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>} {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>} [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {domain}</p></div>
-</div>
-<div class="refsection">
+ <div class="cmdsynopsis"><p>
+ <code class="command">dnssec-cds</code>
+ [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...]
+ [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
+ [<code class="option">-D</code>]
+ {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>}
+ {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>}
+ [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]]
+ [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
+ [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
+ [<code class="option">-u</code>]
+ [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
+ [<code class="option">-V</code>]
+ {domain}
+ </p></div>
+ </div>
+
+ <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p>
+
+ <p>
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred.
</p>
-<p>
+ <p>
Two input files are required. The
<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
option specifies a file containing the child's CDS and/or CDNSKEY
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
run of <span class="command"><strong>dnssec-cds</strong></span>.
</p>
-<p>
+ <p>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
modification time of the <code class="filename">dsset-</code> file, or
from the <code class="option">-s</code> option.
</p>
-<p>
+ <p>
To protect against breaking the delegation,
<span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</p>
-<p>
+ <p>
By default, replacement DS records are written to the standard
output; with the <code class="option">-i</code> option the input file is
overwritten in place. The replacement DS records will be the
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</p>
-<p>
+ <p>
Warning: Be careful not to delete the DS records
when <span class="command"><strong>dnssec-cds</strong></span> fails!
</p>
-<p>
+ <p>
Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
You can use the <code class="option">-u</code> and <code class="option">-i</code>
options together to maintain a <code class="filename">dsset-</code> file
as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
</p>
-</div>
-<div class="refsection">
+
+ </div>
+
+ <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+
+ <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
-<p>
+ <p>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</p>
-<p>
+ <p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</p>
-</dd>
+ </dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
+<dd>
+ <p>
Specifies the DNS class of the zones.
- </p></dd>
+ </p>
+ </dd>
<dt><span class="term">-D</span></dt>
-<dd><p>
+<dd>
+ <p>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
- </p></dd>
+ </p>
+ </dd>
<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
<dd>
-<p>
+ <p>
Location of the parent DS records.
The <em class="replaceable"><code>path</code></em> can be the name of a file
containing the DS records, or if it is a
a <code class="filename">dsset-</code> file for
the <em class="replaceable"><code>domain</code></em> inside the directory.
</p>
-<p>
+ <p>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <code class="filename">dsset-</code> file. This can be
adjusted with the <code class="option">-s</code> option.
</p>
-</dd>
+ </dd>
<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
<dd>
-<p>
+ <p>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</p>
-<p>
+ <p>
The EXAMPLES below describe how to generate this file.
</p>
-</dd>
+ </dd>
<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
<dd>
-<p>
+ <p>
Update the <code class="filename">dsset-</code> file in place,
instead of writing DS records to the standard output.
</p>
-<p>
+ <p>
There must be no space between the <code class="option">-i</code> and
the <em class="replaceable"><code>extension</code></em>. If you provide
no <em class="replaceable"><code>extension</code></em> then the
with the <em class="replaceable"><code>extension</code></em> appended to
its filename.
</p>
-<p>
+ <p>
To protect against replay attacks, the modification time
of the <code class="filename">dsset-</code> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</p>
-</dd>
+ </dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
-<p>
+ <p>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</p>
-<p>
+ <p>
If no <em class="replaceable"><code>start-time</code></em> is specified, the
modification time of the <code class="filename">dsset-</code> file
is used.
</p>
-</dd>
+ </dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
+<dd>
+ <p>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
- </p></dd>
+ </p>
+ </dd>
<dt><span class="term">-u</span></dt>
<dd>
-<p>
+ <p>
Write an <span class="command"><strong>nsupdate</strong></span> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</p>
-<p>
+ <p>
Note: The TTL of new records needs to be specified, either
in the original <code class="filename">dsset-</code> file, or with
the <code class="option">-T</code> option, or using
the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
command.
</p>
-</dd>
+ </dd>
<dt><span class="term">-V</span></dt>
-<dd><p>
+<dd>
+ <p>
Print version information.
- </p></dd>
+ </p>
+ </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+<dd>
+ <p>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
- </p></dd>
+ </p>
+ </dd>
<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
+<dd>
+ <p>
The name of the delegation point / child zone apex.
- </p></dd>
+ </p>
+ </dd>
</dl></div>
-</div>
-<div class="refsection">
+ </div>
+
+ <div class="refsection">
<a name="id-1.9"></a><h2>EXIT STATUS</h2>
-<p>
+
+ <p>
The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
non-zero if an error occurred.
</p>
-<p>
+ <p>
In the success case, the DS records might or might not need
to be changed.
</p>
-</div>
-<div class="refsection">
+
+ </div>
+
+ <div class="refsection">
<a name="id-1.10"></a><h2>EXAMPLES</h2>
-<p>
+
+ <p>
Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
that the delegations are up-to-date by running
<span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
</p>
-<p>
+ <p>
To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
you can invoke <span class="command"><strong>dig</strong></span> as in the script below. It's
okay if the <span class="command"><strong>dig</strong></span> fails since
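Review bot: the -u description still says "printing the new DS reords" (an unchanged context line in this hunk); since the whole paragraph is being re-indented anyway, fix the typo to "records" in the DocBook source so the correction lands in both the HTML and the man page.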
dnssec-cds -i -f /dev/stdin -d $f $d
done
</pre>
-<p>
+
+ <p>
When the parent zone is automatically signed by
<span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</pre>
-</div>
-<div class="refsection">
+ </div>
+
+ <div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
- <span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+
+ <p>
+ <span class="citerefentry">
+ <span class="refentrytitle">dig</span>(1)
+ </span>,
+ <span class="citerefentry">
+ <span class="refentrytitle">dnssec-settime</span>(8)
+ </span>,
+ <span class="citerefentry">
+ <span class="refentrytitle">dnssec-signzone</span>(8)
+ </span>,
+ <span class="citerefentry">
+ <span class="refentrytitle">nsupdate</span>(1)
+ </span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 7344</em>.
</p>
-</div>
+
+ </div>
+
</div></body>
</html>
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Manual: BIND9
.\" Source: ISC
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
-.HP 17
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
-.HP 17
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
-.HP 17
+.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
.SH "DESCRIPTION"
.PP
'\" t
.\" Title: dnssec-importkey
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.SH "NAME"
dnssec-importkey \- import DNSKEY records from external systems so they can be managed
.SH "SYNOPSIS"
-.HP 17
+.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
-.HP 17
+.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP
'\" t
.\" Title: dnssec-settime
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
.SH "NAME"
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
-.HP 15
+.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
-.\" Copyright (C) 2012-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.PP
\-l \fIdomain\fR
.RS 4
-Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone\*(Aqs parent\&. For example, to check for DLV records for "example\&.com" in ISC\*(Aqs DLV zone, use:
-\fBdnssec\-checkds \-l dlv\&.isc\&.org example\&.com\fR
+Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone\*(Aqs parent\&.
.RE
.PP
\-d \fIdig path\fR
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2012-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012-2017 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2012-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
<p>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
- For example, to check for DLV records for "example.com"
- in ISC's DLV zone, use:
- <span class="command"><strong>dnssec-checkds -l dlv.isc.org example.com</strong></span>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
maintain, and also requires the zone to be configured to allow dynamic DNS\&. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details\&.)
.RE
.PP
-\fBmanaged\-keys \fR\fB\fI(status | refresh | sync)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
-.RS 4
-When run with the "status" keyword, print the current status of the managed\-keys database for the specified view, or for all views if none is specified\&. When run with the "refresh" keyword, force an immediate refresh of all the managed\-keys in the specified view, or all views\&. When run with the "sync" keyword, force an immediate dump of the managed\-keys database to disk (in the file
+\fBmanaged\-keys \fR\fB\fI(status | refresh | sync | destroy)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+.RS 4
+Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+When run with the
+status
+keyword, prints the current status of the managed\-keys database\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+When run with the
+refresh
+keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed\-keys database if any new keys are found, without waiting the normal refresh interval\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+When run with the
+sync
+keyword, forces an immediate dump of the managed\-keys database to disk (in the file
managed\-keys\&.bind
-or (\fIviewname\fR\&.mkeys)\&.
+or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal file, so that the database\*(Aqs current contents can be inspected visually\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+When run with the
+destroy
+keyword, the managed\-keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
+.sp
+Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used\&. However, key maintenance operations will cease until
+\fBnamed\fR
+is restarted or reconfigured, and all existing key maintenance state will be deleted\&.
+.sp
+Running
+\fBrndc reconfig\fR
+or restarting
+\fBnamed\fR
+immediately after this command will cause key maintenance to be reinitialized from scratch, just as if the server were being started for the first time\&. This is primarily intended for testing, but it may also be used, for example, to jumpstart the acquisition of new keys in the event of a trust anchor rollover, or as a brute\-force repair for key maintenance problems\&.
+.RE
.RE
.PP
\fBmodzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR\fB\fIconfiguration\fR\fR\fB \fR
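Review bot: the new sync bullet keeps the unbalanced parenthesis from the old text, "(in the file managed-keys.bind or (viewname.mkeys)." opens two parentheses and closes one; suggest "(in the file managed-keys.bind or viewname.mkeys)." In the destroy bullet, "reinitialized from scratch, just as if the server were being started for the first time" should say what that start state is (the configured initial keys, i.e. managed-keys or the bind.keys file), because an operator using destroy as a rollover repair needs to check those initial keys are current before running it; otherwise the reconfig re-bootstraps from a stale anchor and validation fails rather than recovers.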
Reference Manual for more details.)
</p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- When run with the "status" keyword, print the current
- status of the managed-keys database for the specified
- view, or for all views if none is specified. When run
- with the "refresh" keyword, force an immediate refresh
- of all the managed-keys in the specified view, or all
- views. When run with the "sync" keyword, force an
- immediate dump of the managed-keys database to disk (in
- the file <code class="filename">managed-keys.bind</code> or
- (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
- </p>
+<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd>
+ <p>
+ Inspect and control the "managed-keys" database which
+ handles RFC 5011 DNSSEC trust anchor maintenance. If a view
+ is specified, these commands are applied to that view;
+ otherwise they are applied to all views.
+ </p>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">status</code> keyword, prints
+ the current status of the managed-keys database.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">refresh</code> keyword,
+ forces an immediate refresh query to be sent for all
+ the managed keys, updating the managed-keys database
+ if any new keys are found, without waiting the normal
+ refresh interval.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">sync</code> keyword, forces an
+ immediate dump of the managed-keys database to disk
+ (in the file <code class="filename">managed-keys.bind</code> or
+ (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
+ This synchronizes the database with its journal file, so
+ that the database's current contents can be inspected
+ visually.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">destroy</code> keyword, the
+ managed-keys database is shut down and deleted, and all key
+ maintenance is terminated. This command should be used only
+ with extreme caution.
+ </p>
+ <p>
+ Existing keys that are already trusted are not deleted
+ from memory; DNSSEC validation can continue after this
+ command is used. However, key maintenance operations will
+ cease until <span class="command"><strong>named</strong></span> is restarted or
+ reconfigured, and all existing key maintenance state
+ will be deleted.
+ </p>
+ <p>
+ Running <span class="command"><strong>rndc reconfig</strong></span> or restarting
+ <span class="command"><strong>named</strong></span> immediately after this command
+ will cause key maintenance to be reinitialized from scratch,
+ just as if the server were being started for the first time.
+ This is primarily intended for testing, but it may also be
+ used, for example, to jumpstart the acquisition of new keys
+ in the event of a trust anchor rollover, or as a
+ brute-force repair for key maintenance problems.
+ </p>
+ </li>
+</ul></div>
</dd>
<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
<p>
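Review bot: same unbalanced parenthesis in the HTML sync bullet, "(in the file managed-keys.bind or (viewname.mkeys)."; drop the second "(" so both filenames sit inside one pair.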
The pathname of a file to override the built-in trusted
keys provided by <span class="command"><strong>named</strong></span>.
- See the discussion of <span class="command"><strong>dnssec-lookaside</strong></span>
- and <span class="command"><strong>dnssec-validation</strong></span> for details.
- If not specified, the default is
+ See the discussion of <span class="command"><strong>dnssec-validation</strong></span>
+ for details. If not specified, the default is
<code class="filename">/etc/bind.keys</code>.
</p>
</dd>
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
</p>
- <p>
- If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
- <strong class="userinput"><code>auto</code></strong>, then built-in default
- values for the DLV domain and trust anchor will be
- used, along with a built-in key for validation.
- </p>
<p>
If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
is not used.
</p>
<p>
- The default DLV key is stored in the file
- <code class="filename">bind.keys</code>;
- <span class="command"><strong>named</strong></span> will load that key at
- startup if <span class="command"><strong>dnssec-lookaside</strong></span> is set to
- <code class="constant">auto</code>. A copy of the file is
- installed along with <acronym class="acronym">BIND</acronym> 9, and is
- current as of the release date. If the DLV key expires, a
- new copy of <code class="filename">bind.keys</code> can be downloaded
- from <a class="link" href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
- </p>
- <p>
- (To prevent problems if <code class="filename">bind.keys</code> is
- not found, the current key is also compiled in to
- <span class="command"><strong>named</strong></span>. Relying on this is not
- recommended, however, as it requires <span class="command"><strong>named</strong></span>
- to be recompiled with a new key when the DLV key expires.)
- </p>
- <p>
- NOTE: <span class="command"><strong>named</strong></span> only loads certain specific
- keys from <code class="filename">bind.keys</code>: those for the
- DLV zone and for the DNS root zone. The file cannot be
- used to store keys for other zones.
+ NOTE: The ISC-provided DLV service at
+ <code class="literal">dlv.isc.org</code>, has been shut down.
+ The <span class="command"><strong>dnssec-lookaside auto;</strong></span>
+ configuration option, which set <span class="command"><strong>named</strong></span>
+ up to use ISC DLV with minimal configuration, has
+ accordingly been removed.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt>
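Review bot: the added NOTE paragraph has a stray comma after the literal ("at dlv.isc.org, has been shut down"); drop it. Also, with the `auto` paragraph removed, the remaining "If dnssec-lookaside is set to no, then dnssec-lookaside is not used" is the only behaviour left documented here, yet the Feature Changes entry says only `auto` and dlv.isc.org are rejected as fatal errors, so an explicit domain/trust-anchor form is apparently still accepted: add a sentence stating what values remain valid and that the operator must supply the trust anchor for that zone themselves, otherwise the paragraph reads as if `no` were the only option.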
be accepted. The specified domain must be under a
<span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement, or
- <span class="command"><strong>dnssec-lookaside</strong></span> must be active.
+ <span class="command"><strong>dnssec-validation auto</strong></span> must be active.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
Causes <span class="command"><strong>named</strong></span> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via <span class="command"><strong>trusted-keys</strong></span>,
- <span class="command"><strong>managed-keys</strong></span>,
- <span class="command"><strong>dnssec-validation auto</strong></span>, or
- <span class="command"><strong>dnssec-lookaside auto</strong></span>.
+ <span class="command"><strong>managed-keys</strong></span>, or
+ <span class="command"><strong>dnssec-validation auto</strong></span>.
</p>
<p>
The query name used for these queries has the
Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> to be effective.
If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
- is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
- DNSSEC validation is enabled, and a default
- trust-anchor for the DNS root zone is used. If set to
- <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
- but a trust anchor must be manually configured using
- a <span class="command"><strong>trusted-keys</strong></span> or
- <span class="command"><strong>managed-keys</strong></span> statement. The default
+ is disabled.
+ </p>
+ <p>
+ If set to <strong class="userinput"><code>auto</code></strong>, DNSSEC validation
+ is enabled, and a default trust anchor for the DNS root
+ zone is used. If set to <strong class="userinput"><code>yes</code></strong>,
+ DNSSEC validation is enabled, but a trust anchor must be
+ manually configured using a <span class="command"><strong>trusted-keys</strong></span>
+ or <span class="command"><strong>managed-keys</strong></span> statement. The default
is <strong class="userinput"><code>yes</code></strong>.
</p>
+ <p>
+ The default root trust anchor is stored in the file
+ <code class="filename">bind.keys</code>.
+ <span class="command"><strong>named</strong></span> will load that key at
+ startup if <span class="command"><strong>dnssec-validation</strong></span> is
+ set to <code class="constant">auto</code>. A copy of the file is
+ installed along with BIND 9, and is current as of the
+ release date. If the root key expires, a new copy of
+ <code class="filename">bind.keys</code> can be downloaded
+ from <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
+ </p>
+ <p>
+ To prevent problems if <code class="filename">bind.keys</code> is
+ not found, the current trust anchor is also compiled in
+ to <span class="command"><strong>named</strong></span>. Relying on this is not
+ recommended, however, as it requires <span class="command"><strong>named</strong></span>
+ to be recompiled with a new key when the root key expires.)
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
+ <p>
+ <span class="command"><strong>named</strong></span> <span class="emphasis"><em>only</em></span>
+ loads the root key from <code class="filename">bind.keys</code>.
+ The file cannot be used to store keys for other zones.
+ The root key in <code class="filename">bind.keys</code> is ignored
+ if <span class="command"><strong>dnssec-validation auto</strong></span> is not in
+ use.
+ </p>
<p>
Whenever the resolver sends out queries to an
EDNS-compliant server, it always sets the DO bit
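Review bot: the second added paragraph ends with an unmatched ")" ("...when the root key expires.)"); the original text was wrapped in parentheses and the opening "(" was dropped in the rewrite but the closing one was kept, so either remove the ")" or restore the "(" before "To prevent problems". Two smaller points in the same hunk: "installed along with BIND 9" loses the `<acronym class="acronym">BIND</acronym>` markup that the surrounding sections (and the removed text) use, and "If the root key expires" would be more accurate as "If the root key is rolled", since the new paragraph is about RFC 5011 rollover rather than a fixed expiry.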
If the <span class="command"><strong>dnssec-validation</strong></span> option is
set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
will automatically initialize a managed key for the
- root zone. Similarly, if the <span class="command"><strong>dnssec-lookaside</strong></span>
- option is set to <strong class="userinput"><code>auto</code></strong>,
- <span class="command"><strong>named</strong></span> will automatically initialize
- a managed key for the zone <code class="literal">dlv.isc.org</code>.
- (Note: The ISC DLV service is expected to cease operation by
- the end of 2017.) In both cases, the key that is used to
- initialize the key maintenance process is built into
- <span class="command"><strong>named</strong></span>, and can be overridden from
- <span class="command"><strong>bindkeys-file</strong></span>.
+ root zone. The key that is used to initialize the key
+ maintenance process is stored in <code class="filename">bind.keys</code>;
+ the location of this file can be overridden with the
+ <span class="command"><strong>bindkeys-file</strong></span> option. As a fallback
+ in the event no <code class="filename">bind.keys</code> can be
+ found, the initializing key is also compiled directly
+ into <span class="command"><strong>named</strong></span>.
</p>
</div>
<strong class="userinput"><code>local</code></strong>. [RT #42585]
</p>
</li>
+<li class="listitem">
+ <p>
+ The new <span class="command"><strong>dnssec-cds</strong></span> command generates a new DS
+ set to place in a parent zone, based on the contents of a child
+ zone's validated CDS or CDNSKEY records. It can produce a
+ <code class="filename">dsset</code> file suitable for input to
+ <span class="command"><strong>dnssec-signzone</strong></span>, or a series of
+ <span class="command"><strong>nsupdate</strong></span> to update the parent zone via dynamic
+ DNS. Thanks to Tony Finch for the contribution. [RT #46090]
+ </p>
+ </li>
<li class="listitem">
<p>
<span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accepts
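Review bot: "or a series of nsupdate to update the parent zone" is missing a noun after the command name; suggest "or a series of nsupdate commands to update the parent zone via dynamic DNS".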
entropy source. [RT #31459] [RT #46047]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>rndc managed-keys destroy</strong></span> shuts down all
+ RFC 5011 DNSSEC trust anchor maintenance, and deletes any
+ existing managed keys database. If immediately followed by
+ <span class="command"><strong>rndc reconfig</strong></span>, this will reinitialize
+ key maintenance just as if the server was being started for
+ the first time.
+ </p>
+ <p>
+ This is intended for testing purposes, but can be used -- with
+ extreme caution -- as a brute-force repair for unrecoverable
+ problems with a managed keys database, to jumpstart the key
+ acquisition process if <code class="filename">bind.keys</code> is updated,
+ etc. [RT #32456]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-signzone -S</strong></span> can now add or remove
+ synchronization records (CDS and CDNSKEY) based on key metadata
+ set by the <span class="command"><strong>-Psync</strong></span> and <span class="command"><strong>-Dsync</strong></span>
+ options to <span class="command"><strong>dnssec-keygen</strong></span>,
+ <span class="command"><strong>dnssec-settime</strong></span>, etc. [RT #46149]
+ </p>
+ </li>
</ul></div>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The ISC DNSSEC Lookaside Validation (DLV) service has been shut
+ down; all DLV records in the dlv.isc.org zone have been removed.
+ References to the service have been removed from BIND documentation.
+ Lookaside validation is no longer used by default by
+ <span class="command"><strong>delv</strong></span>. The DLV key has been removed from
+ <code class="filename">bind.keys</code>. Setting
+ <span class="command"><strong>dnssec-lookaside</strong></span> set to
+ <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
+ anchor is now a fatal configuration error. [RT #46155]
+ </p>
+ </li>
<li class="listitem">
<p>
The lightweight resolver daemon and library (<span class="command"><strong>lwresd</strong></span>
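Review bot: the DLV entry in Feature Changes has a duplicated verb: "Setting dnssec-lookaside set to auto or to use dlv.isc.org as a trust anchor is now a fatal configuration error." Suggest "Setting dnssec-lookaside to auto, or configuring dlv.isc.org as a trust anchor, is now a fatal configuration error." In the rndc managed-keys destroy entry, it would help operators to state what is on disk after the command (the rndc.html hunk below says the database file is deleted while already-trusted keys stay in memory), since "deletes any existing managed keys database" alone reads as if validation stops.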
validator messages.
</p>
</li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
+ zones to load correctly could leave the system in an inconsistent
+ state; while generally harmless, this could lead to a crash later
+ when using <span class="command"><strong>rndc addzone</strong></span>. Reconfiguration changes
+ are now fully rolled back in the event of failure. [RT #45841]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Fixed a bug that was introduced in an earlier development
+ release which caused multi-packet AXFR and IXFR messages to fail
+ validation if not all packets contained TSIG records; this
+ caused interoperability problems with some other DNS
+ implementations. [RT #45509]
+ </p>
+ </li>
<li class="listitem">
<p>
Multiple <span class="command"><strong>cookie-secret</strong></span> clauses are now
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
- anchors for the root zone (".") and for the ISC DNSSEC lookaside
- validation zone ("dlv.isc.org"). Records returned by
+ anchor for the root zone ("."). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
- trust anchors for the root zone (".") and for the ISC
- DNSSEC lookaside validation zone ("dlv.isc.org").
+ one or more trust anchors for the root zone (".").
</p>
<p>
- Keys that do not match the root or DLV trust-anchor
- names are ignored; these key names can be overridden
- using the <code class="option">+dlv=NAME</code> or
- <code class="option">+root=NAME</code> options.
+ Keys that do not match the root zone name are ignored.
+ An alternate key name can be specified using the
+ <code class="option">+root=NAME</code> options. DNSSEC Lookaside
+ Validation can also be turned on by using the
+ <code class="option">+dlv=NAME</code> to specify the name of a
+ zone containing DLV records.
</p>
<p>
Note: When reading the trust anchor file,
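Review bot: "An alternate key name can be specified using the +root=NAME options" should be singular ("option") now that only one option is listed, and "by using the +dlv=NAME to specify" is missing "option" after the literal. More substantively, the new first sentence "Keys that do not match the root zone name are ignored" contradicts the +dlv text that follows it and the +[no]dlv description below, which requires -a to point at a file containing the DLV key: if non-root keys are always ignored, the DLV key could never be loaded. Suggest "Keys that do not match the root zone name (or the DLV zone name, if +dlv is in use) are ignored."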
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
- The default is to perform lookaside validation using
- a trust anchor of "dlv.isc.org", for which there is a
- built-in key. If specifying a different name, then
- <code class="option">-a</code> must be used to specify a file
- containing the DLV key.
+ The <code class="option">-a</code> option must also be used to specify
+ a file containing the DLV key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
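Review bot: the option synopsis still reads +[no]dlv[=DLV] with the zone name optional, but this hunk removes the default of "dlv.isc.org", so there is no longer anything for a bare +dlv to use. Either make the argument required in the synopsis (+[no]dlv=DLV) or add a sentence saying that +dlv without a name is an error (or is ignored, whichever the code now does).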
<p>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
- For example, to check for DLV records for "example.com"
- in ISC's DLV zone, use:
- <span class="command"><strong>dnssec-checkds -l dlv.isc.org example.com</strong></span>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
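Review bot: deleting the example leaves the -l option with no usage illustration at all. Rather than dropping it, replace the ISC zone name with a placeholder, e.g. "dnssec-checkds -l dlv.example example.com" (dlv.example standing in for whatever lookaside zone the operator actually runs), so readers still see how the lookaside domain and the checked name are ordered on the command line.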
Reference Manual for more details.)
</p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- When run with the "status" keyword, print the current
- status of the managed-keys database for the specified
- view, or for all views if none is specified. When run
- with the "refresh" keyword, force an immediate refresh
- of all the managed-keys in the specified view, or all
- views. When run with the "sync" keyword, force an
- immediate dump of the managed-keys database to disk (in
- the file <code class="filename">managed-keys.bind</code> or
- (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
- </p>
+<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd>
+ <p>
+ Inspect and control the "managed-keys" database which
+ handles RFC 5011 DNSSEC trust anchor maintenance. If a view
+ is specified, these commands are applied to that view;
+ otherwise they are applied to all views.
+ </p>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">status</code> keyword, prints
+ the current status of the managed-keys database.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">refresh</code> keyword,
+ forces an immediate refresh query to be sent for all
+ the managed keys, updating the managed-keys database
+ if any new keys are found, without waiting the normal
+ refresh interval.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">sync</code> keyword, forces an
+ immediate dump of the managed-keys database to disk
+ (in the file <code class="filename">managed-keys.bind</code> or
+ (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
+ This synchronizes the database with its journal file, so
+ that the database's current contents can be inspected
+ visually.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When run with the <code class="literal">destroy</code> keyword, the
+ managed-keys database is shut down and deleted, and all key
+ maintenance is terminated. This command should be used only
+ with extreme caution.
+ </p>
+ <p>
+ Existing keys that are already trusted are not deleted
+ from memory; DNSSEC validation can continue after this
+ command is used. However, key maintenance operations will
+ cease until <span class="command"><strong>named</strong></span> is restarted or
+ reconfigured, and all existing key maintenance state
+ will be deleted.
+ </p>
+ <p>
+ Running <span class="command"><strong>rndc reconfig</strong></span> or restarting
+ <span class="command"><strong>named</strong></span> immediately after this command
+ will cause key maintenance to be reinitialized from scratch,
+ just as if the server were being started for the first time.
+ This is primarily intended for testing, but it may also be
+ used, for example, to jumpstart the acquisition of new keys
+ in the event of a trust anchor rollover, or as a
+ brute-force repair for key maintenance problems.
+ </p>
+ </li>
+</ul></div>
</dd>
<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
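Review bot: the sync item carries over the unbalanced parenthesis from the old text: "(in the file managed-keys.bind or (viewname.mkeys)." has two opening parentheses and one closing; drop the "(" before the viewname.mkeys filename. Since this hunk is rewriting the whole entry anyway, that is the place to fix it. The destroy item is otherwise clear; one suggestion is to name the files that get removed (the same managed-keys.bind / viewname.mkeys files the sync item mentions) so the "deleted" in "shut down and deleted" is unambiguous for operators deciding whether to run it.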
<strong class="userinput"><code>local</code></strong>. [RT #42585]
</p>
</li>
+<li class="listitem">
+ <p>
+ The new <span class="command"><strong>dnssec-cds</strong></span> command generates a new DS
+ set to place in a parent zone, based on the contents of a child
+ zone's validated CDS or CDNSKEY records. It can produce a
+ <code class="filename">dsset</code> file suitable for input to
+ <span class="command"><strong>dnssec-signzone</strong></span>, or a series of
+ <span class="command"><strong>nsupdate</strong></span> to update the parent zone via dynamic
+ DNS. Thanks to Tony Finch for the contribution. [RT #46090]
+ </p>
+ </li>
<li class="listitem">
<p>
<span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accepts
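Review bot: this is the second copy of the dnssec-cds release note (the same text appears in the earlier release-notes hunk) and has the same missing noun; "a series of nsupdate to update" should be "a series of nsupdate commands to update" in both files.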
entropy source. [RT #31459] [RT #46047]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>rndc managed-keys destroy</strong></span> shuts down all
+ RFC 5011 DNSSEC trust anchor maintenance, and deletes any
+ existing managed keys database. If immediately followed by
+ <span class="command"><strong>rndc reconfig</strong></span>, this will reinitialize
+ key maintenance just as if the server was being started for
+ the first time.
+ </p>
+ <p>
+ This is intended for testing purposes, but can be used -- with
+ extreme caution -- as a brute-force repair for unrecoverable
+ problems with a managed keys database, to jumpstart the key
+ acquisition process if <code class="filename">bind.keys</code> is updated,
+ etc. [RT #32456]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-signzone -S</strong></span> can now add or remove
+ synchronization records (CDS and CDNSKEY) based on key metadata
+ set by the <span class="command"><strong>-Psync</strong></span> and <span class="command"><strong>-Dsync</strong></span>
+ options to <span class="command"><strong>dnssec-keygen</strong></span>,
+ <span class="command"><strong>dnssec-settime</strong></span>, etc. [RT #46149]
+ </p>
+ </li>
</ul></div>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The ISC DNSSEC Lookaside Validation (DLV) service has been shut
+ down; all DLV records in the dlv.isc.org zone have been removed.
+ References to the service have been removed from BIND documentation.
+ Lookaside validation is no longer used by default by
+ <span class="command"><strong>delv</strong></span>. The DLV key has been removed from
+ <code class="filename">bind.keys</code>. Setting
+ <span class="command"><strong>dnssec-lookaside</strong></span> set to
+ <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
+ anchor is now a fatal configuration error. [RT #46155]
+ </p>
+ </li>
<li class="listitem">
<p>
The lightweight resolver daemon and library (<span class="command"><strong>lwresd</strong></span>
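Review bot: same duplicated verb as in the earlier copy of this entry: "Setting dnssec-lookaside set to auto" should read "Setting dnssec-lookaside to auto"; apply the fix to both generated files so they do not drift apart.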
validator messages.
</p>
</li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
+ zones to load correctly could leave the system in an inconsistent
+ state; while generally harmless, this could lead to a crash later
+ when using <span class="command"><strong>rndc addzone</strong></span>. Reconfiguration changes
+ are now fully rolled back in the event of failure. [RT #45841]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Fixed a bug that was introduced in an earlier development
+ release which caused multi-packet AXFR and IXFR messages to fail
+ validation if not all packets contained TSIG records; this
+ caused interoperability problems with some other DNS
+ implementations. [RT #45509]
+ </p>
+ </li>
<li class="listitem">
<p>
Multiple <span class="command"><strong>cookie-secret</strong></span> clauses are now