</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2665947">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610729">Native PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611356">OpenSSL-based PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638329">PKCS#11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638365">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638788">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638836">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666014">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610728">Native PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611352">OpenSSL-based PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638464">PKCS#11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638500">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638854">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638902">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638900">Configuring DLZ</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610848">Sample DLZ Driver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638967">Configuring DLZ</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610846">Sample DLZ Driver</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571523">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
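Review bot: every change in this table-of-contents hunk (the sect2 entries under "PKCS#11 (Cryptoki) support" and "DLZ (Dynamically Loadable Zones)"), and the same pattern in the chapter 12 TOC and in the DESCRIPTION / SEE ALSO / AUTHOR anchors of the manual pages further down, is a rewrite of an auto-generated `id26…` anchor, which means every deep link into the ARM breaks on each regeneration and the diff is dominated by noise that hides the real documentation changes. The two sect1 entries here already use stable explicit ids (`#pkcs11` and `#dlz-info`); give the sect2/sect3 headings and the manual-page sections explicit ids in the same style so the next rebuild produces no anchor-only churn and external references to, for example, the Native PKCS#11 or PIN-handling text keep resolving.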
been tested with Debian Linux, Solaris x86 and Windows Server 2003;
the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
cryptographic acceleration board, tested with Solaris x86. In
- addition, BIND can be used with SoftHSM, a software-based HSM
- simulator produced by the OpenDNSSEC project.
+ addition, BIND can be used with all current versions of SoftHSM,
+ a software-based HSM simulator library produced by the OpenDNSSEC
+ project.
</p>
<p>
PKCS#11 makes use of a "provider library": a dynamically loadable
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2665947"></a>Prerequisites</h3></div></div></div>
+<a name="id2666014"></a>Prerequisites</h3></div></div></div>
<p>
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610729"></a>Native PKCS#11</h3></div></div></div>
+<a name="id2610728"></a>Native PKCS#11</h3></div></div></div>
<p>
Native PKCS#11 mode will only work with an HSM capable of carrying
out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
need. The HSM's provider library must have a complete implementation
of the PKCS#11 API, so that all these functions are accessible. As of
- this writing, only the Thales nShield HSM and the latest development
- version of SoftHSM can be used in this fashion. For other HSM's,
- including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM,
- use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of
- supporting native PKCS#11, it is expected that OpenSSL-based
- PKCS#11 will eventually be deprecated.)
+ this writing, only the Thales nShield HSM and SoftHSMv2 can be used
+ in this fashion. For other HSMs, including the AEP Keyper, Sun SCA
+ 6000 and older versions of SoftHSM, use OpenSSL-based PKCS#11.
+ (Note: Eventually, when more HSMs become capable of supporting
+ native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
+ be deprecated.)
</p>
<p>
To build BIND with native PKCS#11, configure as follows:
<span><strong class="command">dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
the <span><strong class="command">pkcs11-*</strong></span> tools.)
</p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2611286"></a>Building SoftHSMv2</h4></div></div></div>
+<p>
+ SoftHSMv2, the latest development version of SoftHSM, is available
+ from
+ <a href="https://github.com/opendnssec/SoftHSMv2" target="_top">
+ https://github.com/opendnssec/SoftHSMv2
+ </a>.
+ It is a software library developed by the OpenDNSSEC project
+ (<a href="http://www.opendnssec.org" target="_top">
+ http://www.opendnssec.org
+ </a>)
+ which provides a PKCS#11 interface to a virtual HSM, implemented in
+ the form of a SQLite3 database on the local filesystem. It provides
+ less security than a true HSM, but it allows you to experiment with
+ native PKCS#11 when an HSM is not available. SoftHSMv2 can be
+ configured to use either OpenSSL or the Botan library to perform
+ cryptographic functions, but when using it for native PKCS#11 in
+ BIND, OpenSSL is required.
+ </p>
+<p>
+ By default, the SoftHSMv2 configuration file is
+ <em class="replaceable"><code>prefix</code></em>/etc/softhsm2.conf (where
+ <em class="replaceable"><code>prefix</code></em> is configured at compile time).
+ This location can be overridden by the SOFTHSM2_CONF environment
+ variable. The SoftHSMv2 cryptographic store must be installed and
+ initialized before using it with BIND.
+ </p>
+<pre class="screen">
+$ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
+$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
+$ <strong class="userinput"><code> make </code></strong>
+$ <strong class="userinput"><code> make install </code></strong>
+$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
+ </pre>
+</div>
</div>
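Review bot: the `--enable-gost` flag in the new "Building SoftHSMv2" configure line is explained nowhere in the surrounding text, which only says the OpenSSL backend is required for native PKCS#11; either add a sentence saying why GOST is wanted or drop it from the recipe, because readers copy these lines verbatim and should not end up with an algorithm enabled that the rest of the chapter never uses. Two smaller points on the same hunk: the token-initialization line (`softhsm-util --init-token 0 --slot 0 --label softhsmv2`) is a near copy of the SoftHSM version 1 line later in the chapter (`softhsm --init-token 0 --slot 0 --label softhsm`), so please confirm the v2 utility name and argument syntax against the release being described, and state that initialization is where the SO PIN and user PIN are set, since the PIN-handling text at the end of the section depends on that value; and the opening sentence calls SoftHSMv2 "the latest development version of SoftHSM" while the Native PKCS#11 paragraph just above lists SoftHSMv2 as a supported product alongside the Thales nShield, so pick one description and use it in both places.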
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2611356"></a>OpenSSL-based PKCS#11</h3></div></div></div>
+<a name="id2611352"></a>OpenSSL-based PKCS#11</h3></div></div></div>
<p>
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p>
- Use 'crypto-accelerator' with HSMs that have hardware
- cryptographic acceleration features, such as the SCA 6000
- board. This causes OpenSSL to run all supported
- cryptographic operations in the HSM.
- </p></li>
+ Use 'crypto-accelerator' with HSMs that have hardware
+ cryptographic acceleration features, such as the SCA 6000
+ board. This causes OpenSSL to run all supported
+ cryptographic operations in the HSM.
+ </p></li>
<li><p>
- Use 'sign-only' with HSMs that are designed to
- function primarily as secure key storage devices, but lack
- hardware acceleration. These devices are highly secure, but
- are not necessarily any faster at cryptography than the
- system CPU — often, they are slower. It is therefore
- most efficient to use them only for those cryptographic
- functions that require access to the secured private key,
- such as zone signing, and to use the system CPU for all
- other computationally-intensive operations. The AEP Keyper
- is an example of such a device.
- </p></li>
+ Use 'sign-only' with HSMs that are designed to
+ function primarily as secure key storage devices, but lack
+ hardware acceleration. These devices are highly secure, but
+ are not necessarily any faster at cryptography than the
+ system CPU — often, they are slower. It is therefore
+ most efficient to use them only for those cryptographic
+ functions that require access to the secured private key,
+ such as zone signing, and to use the system CPU for all
+ other computationally-intensive operations. The AEP Keyper
+ is an example of such a device.
+ </p></li>
</ul></div>
<p>
The modified OpenSSL code is included in the BIND 9 release,
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
- The latest OpenSSL versions as of this writing (January 2014)
- are 0.9.8y, 1.0.0l, and 1.0.1f.
+ The latest OpenSSL versions as of this writing (January 2015)
+ are 0.9.8zc, 1.0.0o, and 1.0.1j.
ISC will provide updated patches as new versions of OpenSSL
are released. The version number in the following examples
is expected to change.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2611394"></a>Patching OpenSSL</h4></div></div></div>
+<a name="id2611389"></a>Patching OpenSSL</h4></div></div></div>
<pre class="screen">
-$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8y.tar.gz</a></code></strong>
+$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
</pre>
<p>Extract the tarball:</p>
<pre class="screen">
-$ <strong class="userinput"><code>tar zxf openssl-0.9.8y.tar.gz</code></strong>
+$ <strong class="userinput"><code>tar zxf openssl-0.9.8zc.tar.gz</code></strong>
</pre>
<p>Apply the patch from the BIND 9 release:</p>
<pre class="screen">
-$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8y \
- < bind9/bin/pkcs11/openssl-0.9.8y-patch</code></strong>
+$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
+ < bind9/bin/pkcs11/openssl-0.9.8zc-patch</code></strong>
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
- Note that the patch file may not be compatible with the
- "patch" utility on all operating systems. You may need to
- install GNU patch.
+ Note that the patch file may not be compatible with the
+ "patch" utility on all operating systems. You may need to
+ install GNU patch.
</div>
<p>
- When building OpenSSL, place it in a non-standard
- location so that it does not interfere with OpenSSL libraries
- elsewhere on the system. In the following examples, we choose
- to install into "/opt/pkcs11/usr". We will use this location
- when we configure BIND 9.
+ When building OpenSSL, place it in a non-standard
+ location so that it does not interfere with OpenSSL libraries
+ elsewhere on the system. In the following examples, we choose
+ to install into "/opt/pkcs11/usr". We will use this location
+ when we configure BIND 9.
</p>
<p>
- Later, when building BIND 9, the location of the custom-built
- OpenSSL library will need to be specified via configure.
+ Later, when building BIND 9, the location of the custom-built
+ OpenSSL library will need to be specified via configure.
</p>
</div>
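Review bot: the "Patching OpenSSL" steps fetch `openssl-0.9.8zc.tar.gz` over plain `http://` and go straight to `tar zxf` and `patch` with no integrity check, and the result is the cryptographic library that named and the dnssec-* tools will load; add a step that verifies the tarball against the signature or checksum published alongside it before extracting (and fetch over https), since a tampered download at this point silently undermines every key operation the HSM setup is meant to protect. Also, the note now reads "as of this writing (January 2015)" with 0.9.8zc, 1.0.0o and 1.0.1j; please re-check those numbers against the OpenSSL releases current at publication time, because the sentence promises they are the latest and the following sentence tells readers to expect patches for newer versions. The remaining changes in this region (the GNU patch note and the two paragraphs about installing under /opt/pkcs11/usr) are indentation-only and would be easier to review as a separate whitespace commit.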
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2611521"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
+<a name="id2611721"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
<p>
- The AEP Keyper is a highly secure key storage device,
- but does not provide hardware cryptographic acceleration. It
- can carry out cryptographic operations, but it is probably
- slower than your system's CPU. Therefore, we choose the
- 'sign-only' flavor when building OpenSSL.
+ The AEP Keyper is a highly secure key storage device,
+ but does not provide hardware cryptographic acceleration. It
+ can carry out cryptographic operations, but it is probably
+ slower than your system's CPU. Therefore, we choose the
+ 'sign-only' flavor when building OpenSSL.
</p>
<p>
- The Keyper-specific PKCS#11 provider library is
- delivered with the Keyper software. In this example, we place
- it /opt/pkcs11/usr/lib:
+ The Keyper-specific PKCS#11 provider library is
+ delivered with the Keyper software. In this example, we place
+ it /opt/pkcs11/usr/lib:
</p>
<pre class="screen">
$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
</pre>
<p>
- This library is only available for Linux as a 32-bit
- binary. If we are compiling on a 64-bit Linux system, it is
- necessary to force a 32-bit build, by specifying -m32 in the
- build options.
+ This library is only available for Linux as a 32-bit
+ binary. If we are compiling on a 64-bit Linux system, it is
+ necessary to force a 32-bit build, by specifying -m32 in the
+ build options.
</p>
<p>
- Finally, the Keyper library requires threads, so we
- must specify -pthread.
+ Finally, the Keyper library requires threads, so we
+ must specify -pthread.
</p>
<pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
+$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
$ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
- --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
- --pk11-flavor=sign-only \
- --prefix=/opt/pkcs11/usr</code></strong>
+ --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+ --pk11-flavor=sign-only \
+ --prefix=/opt/pkcs11/usr</code></strong>
</pre>
<p>
- After configuring, run "<span><strong class="command">make</strong></span>"
- and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
- test</strong></span>" fails with "pthread_atfork() not found", you forgot to
- add the -pthread above.
+ After configuring, run "<span><strong class="command">make</strong></span>"
+ and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
+ test</strong></span>" fails with "pthread_atfork() not found", you forgot to
+ add the -pthread above.
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2611728"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
+<a name="id2611790"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
<p>
- The SCA-6000 PKCS#11 provider is installed as a system
- library, libpkcs11. It is a true crypto accelerator, up to 4
- times faster than any CPU, so the flavor shall be
- 'crypto-accelerator'.
+ The SCA-6000 PKCS#11 provider is installed as a system
+ library, libpkcs11. It is a true crypto accelerator, up to 4
+ times faster than any CPU, so the flavor shall be
+ 'crypto-accelerator'.
</p>
<p>
- In this example, we are building on Solaris x86 on an
- AMD64 system.
+ In this example, we are building on Solaris x86 on an
+ AMD64 system.
</p>
<pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
+$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
- --pk11-libname=/usr/lib/64/libpkcs11.so \
- --pk11-flavor=crypto-accelerator \
- --prefix=/opt/pkcs11/usr</code></strong>
+ --pk11-libname=/usr/lib/64/libpkcs11.so \
+ --pk11-flavor=crypto-accelerator \
+ --prefix=/opt/pkcs11/usr</code></strong>
</pre>
<p>
- (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
+ (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
</p>
<p>
- After configuring, run
- <span><strong class="command">make</strong></span> and
- <span><strong class="command">make test</strong></span>.
+ After configuring, run
+ <span><strong class="command">make</strong></span> and
+ <span><strong class="command">make test</strong></span>.
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2611778"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
-<p>
- SoftHSM is a software library provided by the OpenDNSSEC
- project (http://www.opendnssec.org) which provides a PKCS#11
- interface to a virtual HSM, implemented in the form of encrypted
- data on the local filesystem. SoftHSM can be configured to use
- either OpenSSL or the Botan library for encryption, and SQLite3
- for data storage. Though less secure than a true HSM, it can
- provide more secure key storage than traditional key files,
- and can allow you to experiment with PKCS#11 when an HSM is
- not available.
- </p>
-<p>
- The SoftHSM cryptographic store must be installed and
- initialized before using it with OpenSSL, and the SOFTHSM_CONF
- environment variable must always point to the SoftHSM configuration
- file:
+<a name="id2638122"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
+<p>
+ SoftHSM (version 1) is a software library developed by the
+ OpenDNSSEC project
+ (<a href="http://www.opendnssec.org" target="_top">
+ http://www.opendnssec.org
+ </a>)
+ which provides a
+ PKCS#11 interface to a virtual HSM, implemented in the form of
+ a SQLite3 database on the local filesystem. SoftHSM uses
+ the Botan library to perform cryptographic functions. Though
+ less secure than a true HSM, it can allow you to experiment
+ with PKCS#11 when an HSM is not available.
+ </p>
+<p>
+ The SoftHSM cryptographic store must be installed and
+ initialized before using it with OpenSSL, and the SOFTHSM_CONF
+ environment variable must always point to the SoftHSM configuration
+ file:
</p>
<pre class="screen">
-$ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong>
+$ <strong class="userinput"><code> cd softhsm-1.3.7 </code></strong>
$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
$ <strong class="userinput"><code> make </code></strong>
$ <strong class="userinput"><code> make install </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
</pre>
<p>
- SoftHSM can perform all cryptographic operations, but
- since it only uses your system CPU, there is no advantage to using
- it for anything but signing. Therefore, we choose the 'sign-only'
- flavor when building OpenSSL.
+ SoftHSM can perform all cryptographic operations, but
+ since it only uses your system CPU, there is no advantage to using
+ it for anything but signing. Therefore, we choose the 'sign-only'
+ flavor when building OpenSSL.
</p>
<pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8y</code></strong>
+$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
$ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
- --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
- --pk11-flavor=sign-only \
- --prefix=/opt/pkcs11/usr</code></strong>
+ --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
+ --pk11-flavor=sign-only \
+ --prefix=/opt/pkcs11/usr</code></strong>
</pre>
<p>
- After configuring, run "<span><strong class="command">make</strong></span>"
- and "<span><strong class="command">make test</strong></span>".
+ After configuring, run "<span><strong class="command">make</strong></span>"
+ and "<span><strong class="command">make test</strong></span>".
</p>
</div>
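Review bot: the rewritten "Building OpenSSL for SoftHSM" paragraph replaces "encrypted data on the local filesystem" with "a SQLite3 database on the local filesystem" and drops the old claim that SoftHSM "can provide more secure key storage than traditional key files", and the new SoftHSMv2 section earlier uses the same SQLite3 wording; readers will take this as the statement of where their private keys live and what protects them, so say explicitly whether the on-disk store is encrypted and by what (a PIN-derived key, filesystem permissions, or nothing) instead of leaving that to be inferred from removed text. The new sentence also states flatly that SoftHSM "uses the Botan library", whereas the removed text said OpenSSL or Botan; if the OpenSSL backend is no longer supported for version 1 that is the right change, otherwise restore the choice. Finally, most of this paragraph duplicates the SoftHSMv2 description word for word, so a one-line cross-reference would keep the two from drifting apart, and the `configure --prefix=/opt/pkcs11/usr` invocation here (and in the v2 recipe) should be written `./configure` to match the OpenSSL `./Configure` steps around it.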
<p>
selected:
</p>
<pre class="screen">
- (pkcs11) PKCS #11 engine support (sign only)
+ (pkcs11) PKCS #11 engine support (sign only)
</pre>
<p>Or:</p>
<pre class="screen">
- (pkcs11) PKCS #11 engine support (crypto accelerator)
+ (pkcs11) PKCS #11 engine support (crypto accelerator)
</pre>
<p>
Next, run
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2638212"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
+<a name="id2638278"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<p>
- To link with the PKCS#11 provider, threads must be
- enabled in the BIND 9 build.
+ To link with the PKCS#11 provider, threads must be
+ enabled in the BIND 9 build.
</p>
<p>
- The PKCS#11 library for the AEP Keyper is currently
- only available as a 32-bit binary. If we are building on a
- 64-bit host, we must force a 32-bit build by adding "-m32" to
- the CC options on the "configure" command line.
+ The PKCS#11 library for the AEP Keyper is currently
+ only available as a 32-bit binary. If we are building on a
+ 64-bit host, we must force a 32-bit build by adding "-m32" to
+ the CC options on the "configure" command line.
</p>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
- --with-openssl=/opt/pkcs11/usr \
- --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2638244"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
+<a name="id2638310"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
<p>
- To link with the PKCS#11 provider, threads must be
- enabled in the BIND 9 build.
+ To link with the PKCS#11 provider, threads must be
+ enabled in the BIND 9 build.
</p>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
- --with-openssl=/opt/pkcs11/usr \
- --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
</pre>
<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
<p>
- If configure complains about OpenSSL not working, you
- may have a 32/64-bit architecture mismatch. Or, you may have
- incorrectly specified the path to OpenSSL (it should be the
- same as the --prefix argument to the OpenSSL
- Configure).
+ If configure complains about OpenSSL not working, you
+ may have a 32/64-bit architecture mismatch. Or, you may have
+ incorrectly specified the path to OpenSSL (it should be the
+ same as the --prefix argument to the OpenSSL
+ Configure).
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2638280"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
+<a name="id2638346"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure --enable-threads \
- --with-openssl=/opt/pkcs11/usr \
- --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
</pre>
</div>
<p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2638329"></a>PKCS#11 Tools</h3></div></div></div>
+<a name="id2638464"></a>PKCS#11 Tools</h3></div></div></div>
<p>
BIND 9 includes a minimal set of tools to operate the
HSM, including
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2638365"></a>Using the HSM</h3></div></div></div>
+<a name="id2638500"></a>Using the HSM</h3></div></div></div>
<p>
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2638788"></a>Specifying the engine on the command line</h3></div></div></div>
+<a name="id2638854"></a>Specifying the engine on the command line</h3></div></div></div>
<p>
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in <span><strong class="command">named</strong></span> and all of
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2638836"></a>Running named with automatic zone re-signing</h3></div></div></div>
+<a name="id2638902"></a>Running named with automatic zone re-signing</h3></div></div></div>
<p>
If you want <span><strong class="command">named</strong></span> to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
</p>
<p>Sample openssl.cnf:</p>
<pre class="programlisting">
- openssl_conf = openssl_def
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
+ openssl_conf = openssl_def
+ [ openssl_def ]
+ engines = engine_section
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+ [ pkcs11_section ]
+ PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
</pre>
<p>
This will also allow the dnssec-* tools to access the HSM
<p>
In native PKCS#11 mode, the PIN can be provided in a file specified
as an attribute of the key's label. For example, if a key had the label
- <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin"</code></strong>,
+ <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
then the PIN would be read from the file
<code class="filename">/etc/hsmpin</code>.
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
- Placing the HSM's PIN in a text file in this manner may reduce the
- security advantage of using an HSM. Be sure this is what you want to
- do before configuring the system in this way.
+ Placing the HSM's PIN in a text file in this manner may reduce the
+ security advantage of using an HSM. Be sure this is what you want to
+ do before configuring the system in this way.
</p>
</div>
</div>
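Review bot: the warning at the end of "Running named with automatic zone re-signing" says only that putting the PIN in a text file "may reduce the security advantage of using an HSM"; it should spell out the consequence and the minimum hardening, because the two examples above it (the `PIN =` line in the sample openssl.cnf and `pin-source=/etc/hsmpin` in the key label) are exactly what readers will deploy. Concretely: anyone who can read the PIN file or openssl.cnf and reach the HSM can sign with the zone keys, so the file must be owned by and readable only by the account named runs as and must not sit in a world-readable configuration directory; and, as the sentence "This will also allow the dnssec-* tools to access the HSM" implies, every account that can run those tools with this configuration gains the same signing capability, which is worth stating. The removal of the stray trailing `"` from `pkcs11:object=local-zsk;pin-source=/etc/hsmpin` is correct; the old text would have been copied into a malformed label.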
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2638900"></a>Configuring DLZ</h3></div></div></div>
+<a name="id2638967"></a>Configuring DLZ</h3></div></div></div>
<p>
A DLZ database is configured with a <span><strong class="command">dlz</strong></span>
statement in <code class="filename">named.conf</code>:
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610848"></a>Sample DLZ Driver</h3></div></div></div>
+<a name="id2610846"></a>Sample DLZ Driver</h3></div></div></div>
<p>
For guidance in implementation of DLZ modules, the directory
<code class="filename">contrib/dlz/example</code> contains a basic
initial packet sizes used in BIND 9.10 and higher when
contacting authoritative servers for the first time.
</p></li>
+<li><p>
+ Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view. [RT #38310]
+ </p></li>
</ul></div>
</div>
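Review bot: the new release-notes entry "Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310]" does not say what the effective behaviour was before the fix (transfers of the built-in empty zones refused, or permitted to any client) or which releases are affected, and operators reading the notes need exactly that to decide whether they were serving AXFR of those zones to clients the configured ACL was meant to exclude; add one sentence giving the pre-fix behaviour and the affected versions, and if the fallback was permissive, list the entry among the security-relevant fixes rather than general bug fixes.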
<div class="sect2" lang="en">
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2665947">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610729">Native PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611356">OpenSSL-based PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638329">PKCS#11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638365">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638788">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638836">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2666014">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610728">Native PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611352">OpenSSL-based PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638464">PKCS#11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638500">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638854">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638902">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638900">Configuring DLZ</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610848">Sample DLZ Driver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2638967">Configuring DLZ</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610846">Sample DLZ Driver</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571523">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612168">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612178">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612202">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612438">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612515">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612541">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613787">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612242">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612251">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612276">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612375">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612452">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612478">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2613793">Library References</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2623264"></a><h2>DESCRIPTION</h2>
+<a name="id2621562"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2623278"></a><h2>SEE ALSO</h2>
+<a name="id2663971"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665481"></a><h2>AUTHOR</h2>
+<a name="id2663985"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2662788"></a><h2>DESCRIPTION</h2>
+<a name="id2662179"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">tsig-keygen</strong></span> and <span><strong class="command">ddns-confgen</strong></span>
are invocation methods for a utility that generates keys for use
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2662891"></a><h2>OPTIONS</h2>
+<a name="id2663306"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2664473"></a><h2>SEE ALSO</h2>
+<a name="id2667960"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2664512"></a><h2>AUTHOR</h2>
+<a name="id2667998"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616061"></a><h2>DESCRIPTION</h2>
+<a name="id2616067"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">delv</strong></span>
(Domain Entity Lookup & Validation) is a tool for sending
DNS queries and validating the results, using the same internal
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2616134"></a><h2>SIMPLE USAGE</h2>
+<a name="id2616276"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">delv</strong></span> looks like:
</p>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2616402"></a><h2>OPTIONS</h2>
+<a name="id2616680"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2671428"></a><h2>QUERY OPTIONS</h2>
+<a name="id2671638"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">delv</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2672012"></a><h2>FILES</h2>
+<a name="id2672086"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsect1" lang="en">
-<a name="id2672032"></a><h2>SEE ALSO</h2>
+<a name="id2672105"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">RFC4034</em>,
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2614323"></a><h2>DESCRIPTION</h2>
+<a name="id2614192"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614562"></a><h2>SIMPLE USAGE</h2>
+<a name="id2614294"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614688"></a><h2>OPTIONS</h2>
+<a name="id2614625"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2666243"></a><h2>QUERY OPTIONS</h2>
+<a name="id2666248"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667488"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2667629"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667709"></a><h2>IDN SUPPORT</h2>
+<a name="id2667715"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667738"></a><h2>FILES</h2>
+<a name="id2667744"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667760"></a><h2>SEE ALSO</h2>
+<a name="id2667765"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667797"></a><h2>BUGS</h2>
+<a name="id2667802"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616882"></a><h2>DESCRIPTION</h2>
+<a name="id2617160"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-checkds</strong></span>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2616896"></a><h2>OPTIONS</h2>
+<a name="id2617174"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616998"></a><h2>SEE ALSO</h2>
+<a name="id2617276"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2617305"></a><h2>AUTHOR</h2>
+<a name="id2617310"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2617516"></a><h2>DESCRIPTION</h2>
+<a name="id2617522"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-coverage</strong></span>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2617543"></a><h2>OPTIONS</h2>
+<a name="id2617548"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2617921"></a><h2>SEE ALSO</h2>
+<a name="id2618336"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2617964"></a><h2>AUTHOR</h2>
+<a name="id2618379"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2618561"></a><h2>DESCRIPTION</h2>
+<a name="id2619044"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2619052"></a><h2>OPTIONS</h2>
+<a name="id2619058"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2619315"></a><h2>EXAMPLE</h2>
+<a name="id2619457"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
</div>
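<div class="refsect1" lang="en"><p>The EXAMPLE above builds a DS record from a key file with <code class="command">dnssec-dsfromkey</code>. The added Python below (not BIND's code) shows what that computation is: the key tag of RFC 4034 Appendix B over the DNSKEY RDATA, and the DS digest of RFC 4034 section 5.1.4 (SHA-1) or RFC 4509 (SHA-256) over the canonical, lowercased wire form of the owner name followed by the DNSKEY RDATA. The DNSKEY record used as input is constructed here: its public-key bytes are not a real key, they only have the shape of an RSA key.</p>

```python
"""Derive a DS record from a DNSKEY record, as dnssec-dsfromkey does.
RFC 4034 section 5.1.4 and Appendix B; RFC 4509 for SHA-256.
Added example, not BIND source code."""
import base64
import hashlib
import struct

# DS digest type numbers -> hash constructors
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminating zero-length label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, the form used
    for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Split 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def ds_from_dnskey(line, digest_type=2):
    """Return the DS RR in presentation format for one DNSKEY RR.
    The digest covers owner name (canonical wire form) || DNSKEY RDATA."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3 (RFC 4034 section 2.1.2)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm,
                                     digest_type, digest)


# Constructed sample input: these public-key bytes are NOT a real RSA key,
# they only mimic the layout (exponent length, exponent 65537, modulus).
SAMPLE_PUBKEY = bytes([3, 1, 0, 1]) + bytes(range(1, 33))
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 %s" % (
    base64.b64encode(SAMPLE_PUBKEY).decode("ascii"))

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY, digest_type=1))
    print(ds_from_dnskey(SAMPLE_DNSKEY, digest_type=2))
```

<p>Two details matter operationally: the owner name is lowercased before hashing, so a DS computed from a mixed-case zone file line still matches what validators compute; and the key tag is not unique, so a DS is matched on tag, algorithm and digest together, never on the tag alone.</p></div>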
<div class="refsect1" lang="en">
-<a name="id2619419"></a><h2>FILES</h2>
+<a name="id2619493"></a><h2>FILES</h2>
<p>
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2620485"></a><h2>CAVEAT</h2>
+<a name="id2619534"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2620494"></a><h2>SEE ALSO</h2>
+<a name="id2619544"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2620534"></a><h2>AUTHOR</h2>
+<a name="id2619584"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2619606"></a><h2>DESCRIPTION</h2>
+<a name="id2619748"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-importkey</strong></span>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2619634"></a><h2>OPTIONS</h2>
+<a name="id2619776"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2619771"></a><h2>TIMING OPTIONS</h2>
+<a name="id2620050"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2619886"></a><h2>FILES</h2>
+<a name="id2620097"></a><h2>FILES</h2>
<p>
A keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2619912"></a><h2>SEE ALSO</h2>
+<a name="id2620122"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2619945"></a><h2>AUTHOR</h2>
+<a name="id2620155"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2620960"></a><h2>DESCRIPTION</h2>
+<a name="id2620965"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
generates a pair of key files that reference a key object stored
in a cryptographic hardware security module (HSM). The private key
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2620985"></a><h2>OPTIONS</h2>
+<a name="id2620990"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2672380"></a><h2>TIMING OPTIONS</h2>
+<a name="id2672249"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2672502"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2672371"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2672664"></a><h2>SEE ALSO</h2>
+<a name="id2672465"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2672701"></a><h2>AUTHOR</h2>
+<a name="id2672502"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2621934"></a><h2>DESCRIPTION</h2>
+<a name="id2622827"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2621955"></a><h2>OPTIONS</h2>
+<a name="id2622848"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2675204"></a><h2>TIMING OPTIONS</h2>
+<a name="id2673025"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2675325"></a><h2>GENERATED KEYS</h2>
+<a name="id2673214"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2675501"></a><h2>EXAMPLE</h2>
+<a name="id2673390"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2675626"></a><h2>SEE ALSO</h2>
+<a name="id2673447"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2675657"></a><h2>AUTHOR</h2>
+<a name="id2673478"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2622391"></a><h2>DESCRIPTION</h2>
+<a name="id2624649"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2622405"></a><h2>OPTIONS</h2>
+<a name="id2624663"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2622816"></a><h2>SEE ALSO</h2>
+<a name="id2632583"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2622840"></a><h2>AUTHOR</h2>
+<a name="id2632608"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2632440"></a><h2>DESCRIPTION</h2>
+<a name="id2632718"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2632567"></a><h2>OPTIONS</h2>
+<a name="id2632845"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2635982"></a><h2>TIMING OPTIONS</h2>
+<a name="id2634281"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2636121"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2636058"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2636406"></a><h2>SEE ALSO</h2>
+<a name="id2636138"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2636439"></a><h2>AUTHOR</h2>
+<a name="id2636171"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
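<div class="refsect1" lang="en"><p>The TIMING OPTIONS sections of <code class="command">dnssec-importkey</code>, <code class="command">dnssec-keyfromlabel</code>, <code class="command">dnssec-keygen</code> and <code class="command">dnssec-settime</code> above share one argument syntax, and <code class="command">dnssec-coverage</code> checks the metadata those tools write for future lapses. The added Python below (not BIND source) parses that syntax, using the suffixes the tools document (y as 365 days, mo as 30 days, w, d, h, mi, a bare number as seconds, and <code>none</code> to unset a field), then runs a simplified lapse check over a constructed ZSK rollover. The three rules it applies are this example's reading of the tool's stated purpose, not a transcription of its checks; the key names in the demo are made up.</p>

```python
"""Timing arguments accepted by the BIND dnssec-* tools, and a simplified
version of the lapse check dnssec-coverage performs. Added example, not
BIND source; times are epoch seconds and absolute dates are read as UTC."""
import re
from datetime import datetime, timezone

# Offset suffixes as documented for dnssec-keygen/dnssec-settime:
# years are 365 days, months 30 days, no suffix means seconds.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")


def parse_time_arg(arg, now):
    """Turn one -P/-A/-R/-I/-D value into epoch seconds (None for 'none').
    `now` is the reference time that +/- offsets are applied to."""
    if arg == "none":
        return None
    m = OFFSET_RE.match(arg)
    if m:
        sign, count, suffix = m.groups()
        delta = int(count) * SUFFIX_SECONDS[suffix or ""]
        return now + delta if sign == "+" else now - delta
    if re.fullmatch(r"\d{8}", arg):
        dt = datetime.strptime(arg, "%Y%m%d")
    elif re.fullmatch(r"\d{14}", arg):
        dt = datetime.strptime(arg, "%Y%m%d%H%M%S")
    else:
        raise ValueError("unrecognised date/offset: %r" % arg)
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def active_at(keys, t):
    """True if some key has Activate <= t < Inactive (unset Inactive = forever)."""
    return any(k["activate"] is not None and k["activate"] <= t
               and (k["inactive"] is None or t < k["inactive"]) for k in keys)


def check_coverage(keys, start, end, dnskey_ttl, max_ttl):
    """Return a list of problems for one key set (all ZSKs or all KSKs).
    Keys are dicts: name, publish, activate, inactive, delete (epoch or None).
    Rules (this example's model of the tool's purpose, not its source):
      - some key is active at every instant in [start, end);
      - a key is published at least dnskey_ttl before it activates, so the
        DNSKEY has propagated before signatures made with it appear;
      - a key is deleted no sooner than max_ttl after it goes inactive, so
        cached signatures can still be validated."""
    problems = []
    for k in keys:
        if (k["publish"] is not None and k["activate"] is not None
                and k["activate"] - k["publish"] < dnskey_ttl):
            problems.append("%s: published less than DNSKEY TTL before activation" % k["name"])
        if (k["inactive"] is not None and k["delete"] is not None
                and k["delete"] - k["inactive"] < max_ttl):
            problems.append("%s: deleted less than max TTL after going inactive" % k["name"])
    # Coverage only changes at activation/inactivation instants, so testing
    # the window start and each such instant inside the window is sufficient.
    points = {start}
    for k in keys:
        for field in ("activate", "inactive"):
            if k[field] is not None and start <= k[field] < end:
                points.add(k[field])
    for t in sorted(points):
        if not active_at(keys, t):
            problems.append("gap: no active key at %d" % t)
    return problems


def demo(now=1700000000):
    """Constructed ZSK rollover: K1 hands over to K2 with pre-publication.
    The key names are made up and follow the Knnnn.+aaa+iiiii pattern."""
    def d(arg):
        return parse_time_arg(arg, now)
    keys = [
        {"name": "Kexample.com.+008+11111", "publish": d("-60d"),
         "activate": d("-30d"), "inactive": d("+30d"), "delete": d("+45d")},
        {"name": "Kexample.com.+008+22222", "publish": d("+20d"),
         "activate": d("+30d"), "inactive": d("+90d"), "delete": None},
    ]
    return check_coverage(keys, now, d("+60d"), dnskey_ttl=86400, max_ttl=7 * 86400)
```

<p>Shortening K2's pre-publication to less than the DNSKEY TTL, or moving its activation past K1's inactivation, makes <code>demo()</code> report the corresponding problem; the real tool reads the metadata from the <code class="filename">.key</code> files in the key directory instead of taking it inline.</p></div>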
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] 
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2641454"></a><h2>DESCRIPTION</h2>
+<a name="id2642893"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2641474"></a><h2>OPTIONS</h2>
+<a name="id2642913"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2678222"></a><h2>EXAMPLE</h2>
+<a name="id2674883"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2678301"></a><h2>SEE ALSO</h2>
+<a name="id2675030"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2678397"></a><h2>AUTHOR</h2>
+<a name="id2675058"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2635206"></a><h2>DESCRIPTION</h2>
+<a name="id2643062"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2635220"></a><h2>OPTIONS</h2>
+<a name="id2643076"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2636496"></a><h2>SEE ALSO</h2>
+<a name="id2643259"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2636521"></a><h2>AUTHOR</h2>
+<a name="id2643421"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2623321"></a><h2>DESCRIPTION</h2>
+<a name="id2621620"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">genrandom</strong></span>
generates a file or a set of files containing a specified quantity
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2623336"></a><h2>ARGUMENTS</h2>
+<a name="id2621635"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2667907"></a><h2>SEE ALSO</h2>
+<a name="id2664635"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667933"></a><h2>AUTHOR</h2>
+<a name="id2664662"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2614900"></a><h2>DESCRIPTION</h2>
+<a name="id2614905"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2615768"></a><h2>IDN SUPPORT</h2>
+<a name="id2615705"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2615797"></a><h2>FILES</h2>
+<a name="id2615734"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2615811"></a><h2>SEE ALSO</h2>
+<a name="id2615748"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2623753"></a><h2>DESCRIPTION</h2>
+<a name="id2621984"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668018"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2668296"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668034"></a><h2>SEE ALSO</h2>
+<a name="id2668312"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668051"></a><h2>AUTHOR</h2>
+<a name="id2668329"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2642969"></a><h2>DESCRIPTION</h2>
+<a name="id2643521"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2643040"></a><h2>OPTIONS</h2>
+<a name="id2643591"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2643468"></a><h2>RETURN VALUES</h2>
+<a name="id2643815"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2643482"></a><h2>SEE ALSO</h2>
+<a name="id2643829"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2643512"></a><h2>AUTHOR</h2>
+<a name="id2643859"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} (unknown)</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2679473"></a><h2>DESCRIPTION</h2>
+<a name="id2676065"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2679523"></a><h2>OPTIONS</h2>
+<a name="id2676115"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2680561"></a><h2>RETURN VALUES</h2>
+<a name="id2677153"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2680574"></a><h2>SEE ALSO</h2>
+<a name="id2677166"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2680608"></a><h2>AUTHOR</h2>
+<a name="id2677200"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2620402"></a><h2>DESCRIPTION</h2>
+<a name="id2618632"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2646389"></a><h2>SEE ALSO</h2>
+<a name="id2652060"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2646420"></a><h2>AUTHOR</h2>
+<a name="id2652091"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named-rrchecker</code> [<code class="option">-h</code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-u</code>] [<code class="option">-C</code>] [<code class="option">-T</code>] [<code class="option">-P</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2651603"></a><h2>DESCRIPTION</h2>
+<a name="id2618772"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-rrchecker</strong></span>
read a individual DNS resource record from standard input and checks if it
is syntactically correct.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2651659"></a><h2>SEE ALSO</h2>
+<a name="id2652416"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-D <em class="replaceable"><code>string</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2645859"></a><h2>DESCRIPTION</h2>
+<a name="id2645932"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2645890"></a><h2>OPTIONS</h2>
+<a name="id2645963"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2683233"></a><h2>SIGNALS</h2>
+<a name="id2677367"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2683283"></a><h2>CONFIGURATION</h2>
+<a name="id2677417"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2683332"></a><h2>FILES</h2>
+<a name="id2677466"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2683376"></a><h2>SEE ALSO</h2>
+<a name="id2677510"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2683446"></a><h2>AUTHOR</h2>
+<a name="id2677580"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2668846"></a><h2>DESCRIPTION</h2>
+<a name="id2668715"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668861"></a><h2>ARGUMENTS</h2>
+<a name="id2668730"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">salt</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2668923"></a><h2>SEE ALSO</h2>
+<a name="id2668792"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5155</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668940"></a><h2>AUTHOR</h2>
+<a name="id2668809"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2653249"></a><h2>DESCRIPTION</h2>
+<a name="id2653800"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2683645"></a><h2>INPUT FORMAT</h2>
+<a name="id2679486"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2684766"></a><h2>EXAMPLES</h2>
+<a name="id2680676"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2684817"></a><h2>FILES</h2>
+<a name="id2680726"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2684900"></a><h2>SEE ALSO</h2>
+<a name="id2680809"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2684957"></a><h2>BUGS</h2>
+<a name="id2680867"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2661470"></a><h2>DESCRIPTION</h2>
+<a name="id2660861"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661537"></a><h2>OPTIONS</h2>
+<a name="id2660928"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2665353"></a><h2>EXAMPLES</h2>
+<a name="id2664949"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665410"></a><h2>SEE ALSO</h2>
+<a name="id2665005"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665448"></a><h2>AUTHOR</h2>
+<a name="id2665044"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2622705"></a><h2>DESCRIPTION</h2>
+<a name="id2621140"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2659058"></a><h2>EXAMPLE</h2>
+<a name="id2660087"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661159"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2660345"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661185"></a><h2>SEE ALSO</h2>
+<a name="id2660371"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661223"></a><h2>AUTHOR</h2>
+<a name="id2660409"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2656265"></a><h2>DESCRIPTION</h2>
+<a name="id2654700"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2656315"></a><h2>OPTIONS</h2>
+<a name="id2654750"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2661589"></a><h2>COMMANDS</h2>
+<a name="id2660980"></a><h2>COMMANDS</h2>
<p>
A list of commands supported by <span><strong class="command">rndc</strong></span> can
be seen by running <span><strong class="command">rndc</strong></span> without arguments.
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2687625"></a><h2>LIMITATIONS</h2>
+<a name="id2684422"></a><h2>LIMITATIONS</h2>
<p>
There is currently no way to provide the shared secret for a
<code class="option">key_id</code> without using the configuration file.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2687643"></a><h2>SEE ALSO</h2>
+<a name="id2684440"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2687699"></a><h2>AUTHOR</h2>
+<a name="id2684496"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
initial packet sizes used in BIND 9.10 and higher when
contacting authoritative servers for the first time.
</p></li>
+<li><p>
+ Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view. [RT #38310]
+ </p></li>
</ul></div>
</div>
<div class="sect2" lang="en">
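Review bot: the new release-note item ("Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310]") states the defect but not its operational effect, which is the part operators reading release notes need in order to decide whether they were affected. Suggest adding a clause saying what the non-inherited ACL meant for transfer requests against the built-in empty zones before the fix, and that the zones now honour the options/view `allow-transfer` setting.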