with cached copies of the old DNSKEY RRset. The :option:`-Q` option forces
:program:`dnssec-signzone` to remove signatures from keys that are no longer
active. This enables ZSK rollover using the procedure described in
- :rfc:`6781#4.1.1.1` ("Pre-Publish Key Rollover").
+ :rfc:`6781#section-4.1.1.1` ("Pre-Publish Zone Signing Key Rollover").
.. option:: -q
This option is similar to :option:`-Q`, except it forces
:program:`dnssec-signzone` to remove signatures from keys that are no longer
published. This enables ZSK rollover using the procedure described in
- :rfc:`6781#4.1.1.2` ("Double Signature Zone Signing Key
+ :rfc:`6781#section-4.1.1.2` ("Double Signature Zone Signing Key
Rollover").
.. option:: -S
To support the HTTP statistics channel, the server must be linked with
at least one of the following libraries: ``libxml2``
-(http://xmlsoft.org) or ``json-c`` (https://github.com/json-c/json-c).
-If these are installed at a nonstandard location, then:
+(https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home) or ``json-c``
+(https://github.com/json-c/json-c). If these are installed at a
+nonstandard location, then:
- for ``libxml2``, specify the prefix using ``--with-libxml2=/prefix``,
- for ``json-c``, adjust ``PKG_CONFIG_PATH``.
For DNSTAP packet logging, ``libfstrm``
(https://github.com/farsightsec/fstrm) and ``libprotobuf-c``
-(https://developers.google.com/protocol-buffers) must be installed, and
+(https://protobuf.dev) must be installed, and
BIND must be configured with ``--enable-dnstap``.
To support internationalized domain names in :iscman:`dig`, ``libidn2``
Building on macOS assumes that the “Command Tools for Xcode” are
installed. These can be downloaded from
-https://developer.apple.com/download/more/ or, if Xcode is already
+https://developer.apple.com/xcode/resources/ or, if Xcode is already
installed, simply run ``xcode-select --install``. (Note that an Apple ID
may be required to access the download page.)
.. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/
.. _Internet Engineering Task Force: https://www.ietf.org/about/
-.. _Request for Comments: https://www.ietf.org/standards/rfcs/
+.. _Request for Comments: https://www.ietf.org/process/rfcs/
Some of these RFCs, though DNS-related, are not concerned with implementing
software.
cultures treat as unlucky. The 512-byte UDP data limit
is no longer a limiting factor and all root servers now support both IPv4 and IPv6. In addition, almost all the
root servers use **anycast**, with well over
-300 instances of the root servers now providing service worldwide (see further information at https://www.root-servers.org).
+300 instances of the root servers now providing service worldwide (see further information at https://root-servers.org).
The root servers are the starting point for all **name resolution** within the DNS.
Name Resolution
^^^^^^^^^^^^^^^^^^
SoftHSMv2, the latest development version of SoftHSM, is available from
-https://github.com/opendnssec/SoftHSMv2. It is a software library
+https://github.com/softhsm/SoftHSMv2. It is a software library
developed by the OpenDNSSEC project (https://www.opendnssec.org) which
provides a PKCS#11 interface to a virtual HSM, implemented in the form
of an SQLite3 database on the local filesystem. It provides less security
https://github.com/farsightsec/fstrm) to send event payloads which
are encoded using Protocol Buffers (``libprotobuf-c``, a mechanism
for serializing structured data developed by Google, Inc.; see
- https://developers.google.com/protocol-buffers/).
+ https://protobuf.dev).
To enable :any:`dnstap` at compile time, the ``fstrm`` and
``protobuf-c`` libraries must be available, and BIND must be
Cipher list which defines allowed ciphers, such as
``HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384``. The string must be
formed according to the rules specified in the OpenSSL documentation
- (see https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
+ (see https://docs.openssl.org/1.1.1/man1/ciphers/
for details).
.. namedconf:statement:: prefer-server-ciphers
The ``*`` at the beginning of these CNAME target names is special, and it
causes the original query name to be prepended to the CNAME target. So if a
user tries to visit the Conficker command and control domain
-http://racaldftn.com.ai/ (which was a valid Conficker command and control
+racaldftn.com.ai (which was a valid Conficker command and control
domain name on 19-October-2011), the RPZ-configured recursive name server
will send back this answer:
want their users' DNS queries to be rerouted unexpectedly. However,
Mozilla provides a mechanism to disable the DoH-by-default setting:
if the Mozilla-owned domain `use-application-dns.net
-<https://use-application-dns.net>`_ returns an NXDOMAIN response code, Firefox
-will not use DoH.
+<https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet>`_
+returns an NXDOMAIN response code, Firefox will not use DoH.
To accomplish this using RPZ:
Such workarounds cause unnecessary resolution delays, increase code
complexity, and prevent deployment of new DNS features. In February
2019, all major DNS software vendors removed these
-workarounds; see https://dnsflagday.net/2019 for further details. This change
+workarounds; see https://www.dnsflagday.net/2019/ for further details. This change
was implemented in BIND as of release 9.14.0.
As a result, some domains may be non-resolvable without manual
requesting all ``.gov`` subdomains to be DNSSEC-signed by December
2009. This explains why ``.gov`` is the most-deployed DNSSEC domain
currently, with `around 90% of subdomains
- signed. <https://fedv6-deployment.antd.nist.gov/cgi-bin/generate-gov>`__
+ signed. <https://usgv6-deploymon.nist.gov/cgi-bin/generate-gov>`__
.. _how_does_dnssec_change_my_job:
subsequently published as :rfc:`7583`.
Icons made by `Freepik <https://www.freepik.com/>`__ and
-`SimpleIcon <https://www.simpleicon.com/>`__ from
+`SimpleIcon <https://simpleicon.com/>`__ from
`Flaticon <https://www.flaticon.com/>`__, licensed under `Creative Commons BY
3.0 <https://creativecommons.org/licenses/by/3.0/>`__.
server for DNS resolution; then use one of these web-based tests to
confirm that it is in fact validating DNS responses.
-- `Internet.nl <https://en.conn.internet.nl/connection/>`__
+- `Internet.nl <http://conn.internet.nl/connection/>`__
- `DNSSEC or Not (VeriSign) <https://www.dnssec-or-not.com/>`__
projects / thirdparty / bind9.git / commitdiff
