.PP
\-A \fIalgorithm\fR
.RS 4
-Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5, or if MD5 was disabled at compile time, hmac\-sha256\&.
-.sp
-Note: Use of hmac\-md5 is no longer recommended, and the default value will be changed to hmac\-sha256 in a future release\&.
+Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
.RE
.PP
\-b \fIkeysize\fR
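Review bot: in the -A description, the replacement line drops the caution about hmac-md5 along with the old default, so hmac-md5 is now listed as an ordinary choice with nothing telling the reader it is discouraged. The release note in this same commit still says HMAC-MD5 is no longer recommended and triggers a warning. Consider keeping one sentence to that effect after the list of choices, so the man page agrees with the release note and with the tool's behaviour.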
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5, or
- if MD5 was disabled at compile time, hmac-sha256.
- </p>
- <p>
- Note: Use of hmac-md5 is no longer recommended, and the default
- value will be changed to hmac-sha256 in a future release.
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
dnssec-checkds \- DNSSEC delegation consistency checking tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-checkds\fR\ 'u
-\fBdnssec\-checkds\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
-\fBdnssec\-dsfromkey\fR [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] {zone}
+\fBdnssec\-checkds\fR [\fB\-d\ \fR\fB\fIdig\ path\fR\fR] [\fB\-D\ \fR\fB\fIdsfromkey\ path\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\ \fR\fB\fIfile\fR\fR] {zone}
.SH "DESCRIPTION"
.PP
\fBdnssec\-checkds\fR
Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone\*(Aqs parent\&.
.RE
.PP
+\-s \fIfile\fR
+.RS 4
+Specifies a prepared dsset file, such as would be generated by
+\fBdnssec\-signzone\fR, to use as a source for the DS RRset instead of querying the parent\&.
+.RE
+.PP
\-d \fIdig path\fR
.RS 4
Specifies a path to a
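Review bot: the new -s entry reuses the placeholder "file", which the synopsis already uses for -f, and it does not say how -s relates to -l. The text says the dsset file is used "instead of querying the parent", while the -l entry just above replaces the DS check with a DLV check in the lookaside domain, so a reader cannot tell whether the two options combine or exclude each other. A distinct placeholder for the dsset file and one sentence covering the -l case would settle both. The entry is also placed between -l and -d, while the synopsis in this commit now lists the options alphabetically.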
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-checkds</code>
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
- {zone}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-dsfromkey</code>
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
+ [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+ [<code class="option">-s <em class="replaceable"><code>file</code></em></code>]
{zone}
- </p></div>
+ </p></div>
</div>
<div class="refsection">
instead of checking for a DS record in the zone's parent.
</p>
</dd>
+<dt><span class="term">-s <em class="replaceable"><code>file</code></em></span></dt>
+<dd>
+ <p>
+ Specifies a prepared dsset file, such as would be generated
+ by <span class="command"><strong>dnssec-signzone</strong></span>, to use as a source for
+ the DS RRset instead of querying the parent.
+ </p>
+ </dd>
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
<dd>
<p>
server waits on an idle TCP connection before closing
it when the client is using the EDNS TCP keepalive
option. The default is 300 (30 seconds), the maximum
- is 1200 (two minutes), and the minimum is 1 (one tenth
+ is 65535 (about 1.8 hours), and the minimum is 1 (one tenth
of a second). Values above the maximum or below the minimum
will be adjusted with a logged warning.
This value may be greater than
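Review bot: the changed line raises the maximum from 1200 (two minutes) to 65535 (about 1.8 hours) without saying where the new bound comes from or when a value that large is appropriate. This paragraph describes how long the server keeps an idle TCP connection open, so the jump is operationally significant. A short sentence on the cost of very long timeouts, namely idle connections held open for up to 1.8 hours each, would help operators pick a value rather than treat the maximum as a safe setting.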
keepalive option. This informs a client of the
amount of time it may keep the session open.
The default is 300 (30 seconds), the maximum is
- 1200 (two minutes), and the minimum is 0, which
+ 65535 (about 1.8 hours), and the minimum is 0, which
signals that the clients must close TCP connections
immediately. Ordinarily this should be set to the
same value as <span class="command"><strong>tcp-keepalive-timeout</strong></span>.
<span class="command"><strong>dnssec-settime</strong></span>, etc. [RT #46149]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-checkds -s</strong></span> specifies a file from
+ which to read a DS set rather than querying the parent zone.
+ This can be used to check zone correctness prior to
+ publication. Thanks to Niall O'Reilly [RT #44667]
+ </p>
+ </li>
</ul></div>
</div>
<li class="listitem">
<p>
The use of HMAC-MD5 for RNDC keys is no longer recommended.
- For compatibility, this is still the default algorithm generated
- by <span class="command"><strong>rndc-confgen</strong></span>, but it will print a
- warning message. The default algorithm in
- <span class="command"><strong>rndc-confgen</strong></span> will be changed to HMAC-SHA256
- in a future release. [RT #42272]
+ The default algorithm generated by <span class="command"><strong>rndc-confgen</strong></span>,
+ is now HMAC-256, and a warning message will be printed if
+ HMAC-MD5 is used. [RT #42272]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>isc-hmac-fixup</strong></span> command, which was created
+ to address an interoperability problem in TSIG keys between
+ early versions of BIND and other DNS implmentations, is now
+ obsolete and has been removed. [RT #46411]
</p>
</li>
</ul></div>
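Review bot: the added rndc-confgen release note names the new default as "HMAC-256", which is not an algorithm name. The option text changed in this same commit calls it hmac-sha256, and the sentence being replaced said HMAC-SHA256, so this should read HMAC-SHA256. In the same sentence, the comma between the rndc-confgen command name and "is now" should be removed, and in the isc-hmac-fixup item "implmentations" should be "implementations".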
are not writable by the effective user ID. [RT #46077]
</p>
</li>
+<li class="listitem">
+ <p>
+ Initializing keys specified in a <span class="command"><strong>managed-keys</strong></span>
+ statement or by <span class="command"><strong>dnssec-validation auto;</strong></span> are
+ now tagged as "initializing", until they have been updated by a
+ key refresh query. If key maintenance fails to initialize,
+ this will be visible when running <span class="command"><strong>rndc secroots</strong></span>.
+ [RT #46267]
+ </p>
+ </li>
<li class="listitem">
<p>
Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
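Review bot: the added managed-keys item says a failed initialization "will be visible when running rndc secroots" but does not say what the operator should look for. Since the change introduces the "initializing" tag, state directly that a key still shown with that tag has not yet been updated by a key refresh query, if that is what the output shows. The first sentence also reads better without the comma before "until".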
queries. [RT #45847]
</p>
</li>
+<li class="listitem">
+ <p>
+ A new statistics counter has been added to track priming
+ queries. [RT #46313]
+ </p>
+ </li>
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-signzone -x</strong></span> flag and the
<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> — DNS lookup utility</span>
</dt>
<dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> — fixes HMAC keys generated by older versions of BIND</span>
-</dt>
-<dt>
<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> — DNS pipelined lookup utility</span>
</dt>
<dt>
-
</div>
<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> — DNS lookup utility</span>
</dt>
<dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> — fixes HMAC keys generated by older versions of BIND</span>
-</dt>
-<dt>
<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> — DNS pipelined lookup utility</span>
</dt>
<dt>
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-checkds</code>
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
- {zone}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-dsfromkey</code>
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
+ [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
+ [<code class="option">-s <em class="replaceable"><code>file</code></em></code>]
{zone}
- </p></div>
+ </p></div>
</div>
<div class="refsection">
instead of checking for a DS record in the zone's parent.
</p>
</dd>
+<dt><span class="term">-s <em class="replaceable"><code>file</code></em></span></dt>
+<dd>
+ <p>
+ Specifies a prepared dsset file, such as would be generated
+ by <span class="command"><strong>dnssec-signzone</strong></span>, to use as a source for
+ the DS RRset instead of querying the parent.
+ </p>
+ </dd>
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
<dd>
<p>
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
-<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
+<link rel="next" href="man.mdig.html" title="mdig">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<td width="20%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a>Â </td>
<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
+<td width="20%" align="right">Â <a accesskey="n" href="man.mdig.html">Next</a>
</td>
</tr>
</table>
<td width="40%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a>Â </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
+<td width="40%" align="right">Â <a accesskey="n" href="man.mdig.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">genrandom</span>Â </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">isc-hmac-fixup</span>
+<td width="40%" align="right" valign="top">Â <span class="application">mdig</span>
</td>
</tr>
</table>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
+<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">mdig</span></th></tr>
<tr>
<td width="20%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a>Â </td>
+<a accesskey="p" href="man.host.html">Prev</a>Â </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">Â <a accesskey="n" href="man.named-checkconf.html">Next</a>
</td>
</div>
<div class="refsection">
-<a name="id-1.14.22.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.21.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>mdig</strong></span>
is a multiple/pipelined query version of <span class="command"><strong>dig</strong></span>:
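Review bot: the anchor on this DESCRIPTION heading changes from id-1.14.22.7 to id-1.14.21.7 only because a man page earlier in the chapter was removed, and the same renumbering repeats for every later section in the commit. With position-derived anchor names, any existing deep link to one of these sections stops resolving after this change, and the real documentation edits are buried in generated churn. Consider giving the refsections explicit ids in the DocBook source, or keeping regenerated HTML out of the commit that carries the content change.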
</div>
<div class="refsection">
-<a name="id-1.14.22.8"></a><h2>ANYWHERE OPTIONS</h2>
+<a name="id-1.14.21.8"></a><h2>ANYWHERE OPTIONS</h2>
<p>
</div>
<div class="refsection">
-<a name="id-1.14.22.9"></a><h2>GLOBAL OPTIONS</h2>
+<a name="id-1.14.21.9"></a><h2>GLOBAL OPTIONS</h2>
<p>
</div>
<div class="refsection">
-<a name="id-1.14.22.10"></a><h2>LOCAL OPTIONS</h2>
+<a name="id-1.14.21.10"></a><h2>LOCAL OPTIONS</h2>
<p>
</div>
<div class="refsection">
-<a name="id-1.14.22.11"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.21.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a>Â </td>
+<a accesskey="p" href="man.host.html">Prev</a>Â </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right">Â <a accesskey="n" href="man.named-checkconf.html">Next</a>
</td>
</tr>
<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">isc-hmac-fixup</span>Â </td>
+<td width="40%" align="left" valign="top">host </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">Â <span class="application">named-checkconf</span>
</td>
</div>
<div class="refsection">
-<a name="id-1.14.23.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.22.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
</div>
<div class="refsection">
-<a name="id-1.14.23.8"></a><h2>OPTIONS</h2>
+<a name="id-1.14.22.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.23.9"></a><h2>RETURN VALUES</h2>
+<a name="id-1.14.22.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
returns an exit status of 1 if
</div>
<div class="refsection">
-<a name="id-1.14.23.10"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.22.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</div>
<div class="refsection">
-<a name="id-1.14.24.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.23.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
</div>
<div class="refsection">
-<a name="id-1.14.24.8"></a><h2>OPTIONS</h2>
+<a name="id-1.14.23.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
</div>
<div class="refsection">
-<a name="id-1.14.24.9"></a><h2>RETURN VALUES</h2>
+<a name="id-1.14.23.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
returns an exit status of 1 if
</div>
<div class="refsection">
-<a name="id-1.14.24.10"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.23.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</div>
<div class="refsection">
-<a name="id-1.14.25.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.24.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>named-journalprint</strong></span>
</div>
<div class="refsection">
-<a name="id-1.14.25.8"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.24.8"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
</div>
<div class="refsect1">
-<a name="id-1.14.26.6"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.25.6"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>named-nzd2nzf</strong></span> converts an NZD database to NZF
</div>
<div class="refsect1">
-<a name="id-1.14.26.7"></a><h2>ARGUMENTS</h2>
+<a name="id-1.14.25.7"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">filename</span></dt>
</div>
<div class="refsect1">
-<a name="id-1.14.26.8"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.25.8"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>
</div>
<div class="refsect1">
-<a name="id-1.14.26.9"></a><h2>AUTHOR</h2>
+<a name="id-1.14.25.9"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="refsection">
-<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.26.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-rrchecker</strong></span>
read a individual DNS resource record from standard input and checks if it
</div>
<div class="refsection">
-<a name="id-1.14.27.8"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.26.8"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 1034</em>,
</div>
<div class="refsection">
-<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2>
<p><code class="filename">named.conf</code> is the configuration file
for
</div>
<div class="refsection">
-<a name="id-1.14.28.8"></a><h2>ACL</h2>
+<a name="id-1.14.27.8"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.9"></a><h2>CONTROLS</h2>
+<a name="id-1.14.27.9"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.10"></a><h2>DLZ</h2>
+<a name="id-1.14.27.10"></a><h2>DLZ</h2>
<div class="literallayout"><p><br>
dlz <em class="replaceable"><code>string</code></em> {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.11"></a><h2>DYNDB</h2>
+<a name="id-1.14.27.11"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.12"></a><h2>KEY</h2>
+<a name="id-1.14.27.12"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.13"></a><h2>LOGGING</h2>
+<a name="id-1.14.27.13"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.14"></a><h2>MANAGED-KEYS</h2>
+<a name="id-1.14.27.14"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
</div>
<div class="refsection">
-<a name="id-1.14.28.15"></a><h2>MASTERS</h2>
+<a name="id-1.14.27.15"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.16"></a><h2>OPTIONS</h2>
+<a name="id-1.14.27.16"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.17"></a><h2>SERVER</h2>
+<a name="id-1.14.27.17"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.18"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.14.27.18"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.19"></a><h2>TRUSTED-KEYS</h2>
+<a name="id-1.14.27.19"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
</div>
<div class="refsection">
-<a name="id-1.14.28.20"></a><h2>VIEW</h2>
+<a name="id-1.14.27.20"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.21"></a><h2>ZONE</h2>
+<a name="id-1.14.27.21"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
</div>
<div class="refsection">
-<a name="id-1.14.28.22"></a><h2>FILES</h2>
+<a name="id-1.14.27.22"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.14.28.23"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.27.23"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
</div>
<div class="refsection">
-<a name="id-1.14.29.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named</strong></span>
is a Domain Name System (DNS) server,
</div>
<div class="refsection">
-<a name="id-1.14.29.8"></a><h2>OPTIONS</h2>
+<a name="id-1.14.28.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
</div>
<div class="refsection">
-<a name="id-1.14.29.9"></a><h2>SIGNALS</h2>
+<a name="id-1.14.28.9"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
</div>
<div class="refsection">
-<a name="id-1.14.29.10"></a><h2>CONFIGURATION</h2>
+<a name="id-1.14.28.10"></a><h2>CONFIGURATION</h2>
<p>
The <span class="command"><strong>named</strong></span> configuration file is too complex
</div>
<div class="refsection">
-<a name="id-1.14.29.11"></a><h2>FILES</h2>
+<a name="id-1.14.28.11"></a><h2>FILES</h2>
<div class="variablelist"><dl class="variablelist">
</div>
<div class="refsection">
-<a name="id-1.14.29.12"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.28.12"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
</div>
<div class="refsection">
-<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.29.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>nsec3hash</strong></span> generates an NSEC3 hash based on
</div>
<div class="refsection">
-<a name="id-1.14.30.8"></a><h2>ARGUMENTS</h2>
+<a name="id-1.14.29.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">salt</span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.30.9"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.29.9"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</div>
<div class="refsection">
-<a name="id-1.14.31.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>Nslookup</strong></span>
is a program to query Internet domain name servers. <span class="command"><strong>Nslookup</strong></span>
</div>
<div class="refsection">
-<a name="id-1.14.31.8"></a><h2>ARGUMENTS</h2>
+<a name="id-1.14.30.8"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</div>
<div class="refsection">
-<a name="id-1.14.31.9"></a><h2>INTERACTIVE COMMANDS</h2>
+<a name="id-1.14.30.9"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.31.10"></a><h2>RETURN VALUES</h2>
+<a name="id-1.14.30.10"></a><h2>RETURN VALUES</h2>
<p>
<span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
if any query failed, and 0 otherwise.
</div>
<div class="refsection">
-<a name="id-1.14.31.11"></a><h2>FILES</h2>
+<a name="id-1.14.30.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.14.31.12"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.30.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</div>
<div class="refsection">
-<a name="id-1.14.32.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.31.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
</div>
<div class="refsection">
-<a name="id-1.14.32.8"></a><h2>OPTIONS</h2>
+<a name="id-1.14.31.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
</div>
<div class="refsection">
-<a name="id-1.14.32.9"></a><h2>INPUT FORMAT</h2>
+<a name="id-1.14.31.9"></a><h2>INPUT FORMAT</h2>
<p><span class="command"><strong>nsupdate</strong></span>
reads input from
</div>
<div class="refsection">
-<a name="id-1.14.32.10"></a><h2>EXAMPLES</h2>
+<a name="id-1.14.31.10"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
</div>
<div class="refsection">
-<a name="id-1.14.32.11"></a><h2>FILES</h2>
+<a name="id-1.14.31.11"></a><h2>FILES</h2>
<div class="variablelist"><dl class="variablelist">
</div>
<div class="refsection">
-<a name="id-1.14.32.12"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.31.12"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
</div>
<div class="refsection">
-<a name="id-1.14.32.13"></a><h2>BUGS</h2>
+<a name="id-1.14.31.13"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
</div>
<div class="refsection">
-<a name="id-1.14.33.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.32.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-destroy</strong></span> destroys keys stored in a
</div>
<div class="refsection">
-<a name="id-1.14.33.8"></a><h2>ARGUMENTS</h2>
+<a name="id-1.14.32.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.33.9"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.32.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
</div>
<div class="refsection">
-<a name="id-1.14.34.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.33.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
</div>
<div class="refsection">
-<a name="id-1.14.34.8"></a><h2>ARGUMENTS</h2>
+<a name="id-1.14.33.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.34.9"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.33.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
</div>
<div class="refsection">
-<a name="id-1.14.35.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.34.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-list</strong></span>
</div>
<div class="refsection">
-<a name="id-1.14.35.8"></a><h2>ARGUMENTS</h2>
+<a name="id-1.14.34.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P</span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.35.9"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.34.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
</div>
<div class="refsection">
-<a name="id-1.14.36.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.35.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>pkcs11-tokens</strong></span>
</div>
<div class="refsection">
-<a name="id-1.14.36.8"></a><h2>ARGUMENTS</h2>
+<a name="id-1.14.35.8"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.36.9"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.35.9"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry">
</div>
<div class="refsection">
-<a name="id-1.14.37.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.36.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc-confgen</strong></span>
generates configuration files
</div>
<div class="refsection">
-<a name="id-1.14.37.8"></a><h2>OPTIONS</h2>
+<a name="id-1.14.36.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5, or
- if MD5 was disabled at compile time, hmac-sha256.
- </p>
- <p>
- Note: Use of hmac-md5 is no longer recommended, and the default
- value will be changed to hmac-sha256 in a future release.
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
</div>
<div class="refsection">
-<a name="id-1.14.37.9"></a><h2>EXAMPLES</h2>
+<a name="id-1.14.36.9"></a><h2>EXAMPLES</h2>
<p>
To allow <span class="command"><strong>rndc</strong></span> to be used with
</div>
<div class="refsection">
-<a name="id-1.14.37.10"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.36.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</div>
<div class="refsection">
-<a name="id-1.14.38.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.37.7"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
</div>
<div class="refsection">
-<a name="id-1.14.38.8"></a><h2>EXAMPLE</h2>
+<a name="id-1.14.37.8"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
</div>
<div class="refsection">
-<a name="id-1.14.38.9"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id-1.14.37.9"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
</div>
<div class="refsection">
-<a name="id-1.14.38.10"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.37.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</div>
<div class="refsection">
-<a name="id-1.14.39.7"></a><h2>DESCRIPTION</h2>
+<a name="id-1.14.38.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc</strong></span>
controls the operation of a name
</div>
<div class="refsection">
-<a name="id-1.14.39.8"></a><h2>OPTIONS</h2>
+<a name="id-1.14.38.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
</div>
<div class="refsection">
-<a name="id-1.14.39.9"></a><h2>COMMANDS</h2>
+<a name="id-1.14.38.9"></a><h2>COMMANDS</h2>
<p>
A list of commands supported by <span class="command"><strong>rndc</strong></span> can
</div>
<div class="refsection">
-<a name="id-1.14.39.10"></a><h2>LIMITATIONS</h2>
+<a name="id-1.14.38.10"></a><h2>LIMITATIONS</h2>
<p>
There is currently no way to provide the shared secret for a
</div>
<div class="refsection">
-<a name="id-1.14.39.11"></a><h2>SEE ALSO</h2>
+<a name="id-1.14.38.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc.conf</span>(5)
<span class="command"><strong>dnssec-settime</strong></span>, etc. [RT #46149]
</p>
</li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-checkds -s</strong></span> specifies a file from
+ which to read a DS set rather than querying the parent zone.
+ This can be used to check zone correctness prior to
+ publication. Thanks to Niall O'Reilly [RT #44667]
+ </p>
+ </li>
</ul></div>
</div>
<li class="listitem">
<p>
The use of HMAC-MD5 for RNDC keys is no longer recommended.
- For compatibility, this is still the default algorithm generated
- by <span class="command"><strong>rndc-confgen</strong></span>, but it will print a
- warning message. The default algorithm in
- <span class="command"><strong>rndc-confgen</strong></span> will be changed to HMAC-SHA256
- in a future release. [RT #42272]
+ The default algorithm generated by <span class="command"><strong>rndc-confgen</strong></span>,
+ is now HMAC-256, and a warning message will be printed if
+ HMAC-MD5 is used. [RT #42272]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>isc-hmac-fixup</strong></span> command, which was created
+ to address an interoperability problem in TSIG keys between
+ early versions of BIND and other DNS implmentations, is now
+ obsolete and has been removed. [RT #46411]
</p>
</li>
</ul></div>
are not writable by the effective user ID. [RT #46077]
</p>
</li>
+<li class="listitem">
+ <p>
+ Initializing keys specified in a <span class="command"><strong>managed-keys</strong></span>
+ statement or by <span class="command"><strong>dnssec-validation auto;</strong></span> are
+ now tagged as "initializing", until they have been updated by a
+ key refresh query. If key maintenance fails to initialize,
+ this will be visible when running <span class="command"><strong>rndc secroots</strong></span>.
+ [RT #46267]
+ </p>
+ </li>
<li class="listitem">
<p>
Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
queries. [RT #45847]
</p>
</li>
+<li class="listitem">
+ <p>
+ A new statistics counter has been added to track priming
+ queries. [RT #46313]
+ </p>
+ </li>
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-signzone -x</strong></span> flag and the