+ --- 9.7.0b1 released ---
+
2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.
- --- 9.7.0b1 released ---
-
2712. [func] New 'auto-dnssec' zone option allows zone signing
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
#define TRUSTED_KEYS "\
trusted-keys {\n\
- # NOTE: This key is current as of September 2009.\n\
+ # NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
#define MANAGED_KEYS "\
managed-keys {\n\
- # NOTE: This key is current as of September 2009.\n\
+ # NOTE: This key is current as of October 2009.\n\
# If it fails to initialize correctly, it may have expired;\n\
# see https://www.isc.org/solutions/dlv for a replacement.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.docbook,v 1.42 2009/10/10 01:47:59 each Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.43 2009/10/16 02:59:41 each Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
</literallayout>
</refsect1>
+ <refsect1>
+ <title>MANAGED-KEYS</title>
+ <literallayout>
+managed-keys {
+ <replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
+};
+</literallayout>
+ </refsect1>
+
<refsect1>
<title>CONTROLS</title>
<literallayout>
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+ dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
zone-statistics <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
+ auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
+ deny-answer-addresses {
+ <replaceable>address_match_list</replaceable>
+ } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
+ deny-answer-aliases {
+ <replaceable>namelist</replaceable>
+ } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
};
trusted-keys {
- <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
+ <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
+ <optional>...</optional>
};
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
- update-policy {
+ update-policy <replaceable>local</replaceable> | <replaceable> {
( grant | deny ) <replaceable>string</replaceable>
( name | subdomain | wildcard | self | selfsub | selfwild |
krb5-self | ms-self | krb5-subdomain | ms-subdomain |
- tcp-self | 6to4-self ) <replaceable>string</replaceable>
- <replaceable>rrtypelist</replaceable>; ...
- };
+ tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
+ <replaceable>rrtypelist</replaceable>;
+ <optional>...</optional>
+ }</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.40 2009/08/26 21:34:44 jreed Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.41 2009/10/16 02:59:41 each Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Aug 25, 2009</date>
<refsect1>
<title>DESCRIPTION</title>
<para><command>nsupdate</command>
- is used to submit Dynamic DNS Update requests as defined in RFC2136
+ is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
<para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
- in RFC2845 or the SIG(0) record described in RFC3535 and
- RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ in RFC 2845 or the SIG(0) record described in RFC 2535 and
+ RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
a shared secret that should only be known to
<command>nsupdate</command> and the name server. Currently,
the only supported encryption algorithm for TSIG is HMAC-MD5,
record in a zone served by the name server.
<command>nsupdate</command> does not read
<filename>/etc/named.conf</filename>.
- GSS-TSIG uses Kerberos credentials.
+ </para>
+ <para>
+ GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
+ is switched on with the <option>-g</option> flag. A
+ non-standards-compliant variant of GSS-TSIG used by Windows
+ 2000 can be switched on with the <option>-o</option> flag.
</para>
<para><command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> option
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
- long-standing rule in RFC1034 that a name must not exist as any other
+ long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
- (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+ (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
- <para><citerefentry>
- <refentrytitle>RFC2136</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC3007</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC2104</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC2845</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC1034</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC2535</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC2931</refentrytitle>
- </citerefentry>,
+ <para>
+ <citetitle>RFC 2136</citetitle>,
+ <citetitle>RFC 3007</citetitle>,
+ <citetitle>RFC 2104</citetitle>,
+ <citetitle>RFC 2845</citetitle>,
+ <citetitle>RFC 1034</citetitle>,
+ <citetitle>RFC 2535</citetitle>,
+ <citetitle>RFC 2931</citetitle>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
-
</refsect1>
+
<refsect1>
<title>BUGS</title>
<para>
managed-keys {
- # NOTE: This key is current as of September 2009.
+ # NOTE: This key is current as of October 2009.
# If it fails to initialize correctly, it may have expired;
# see https://www.isc.org/solutions/dlv for a replacement.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.436 2009/10/14 12:49:11 jreed Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.437 2009/10/16 02:59:41 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
validator with an alternate method to validate DNSKEY
records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest
- <command>dnssec-lookaside</command>, and the normal dnssec
+ <command>dnssec-lookaside</command>, and the normal DNSSEC
validation has left the key untrusted, the trust-anchor
- will be append to the key name and a DLV record will be
+ will be appended to the key name and a DLV record will be
looked up to see if it can validate the key. If the DLV
- record validates a DNSKEY (similarly to the way a DS record
- does) the DNSKEY RRset is deemed to be trusted.
+ record validates a DNSKEY (similarly to the way a DS
+ record does) the DNSKEY RRset is deemed to be trusted.
</para>
<para>
If <command>dnssec-lookaside</command> is set to
<userinput>auto</userinput>, then built-in default
- values for the domain and trust anchor will be
+ values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
</para>
- <para>
- NOTE: Since the built-in key may expire, it can be
- overridden without recompiling <command>named</command>
- by placing a new key in the file
- <filename>bind.keys</filename>.
+ <para>
+ The default DLV key is stored in the file
+ <filename>bind.keys</filename>, which
+ <command>named</command> loads at startup if
+ <command>dnssec-lookaside</command> is set to
+ <constant>auto</constant>. A copy of that file is
+ installed along with <acronym>BIND</acronym> 9, and is
+ current as of the release date. If the DLV key expires, a
+ new copy of <filename>bind.keys</filename> can be downloaded
+ from <ulink>https://www.isc.org/solutions/dlv</ulink>.
+ </para>
+ <para>
+ (To prevent problems if <filename>bind.keys</filename> is
+ not found, the current key is also compiled in to
+ <command>named</command>. Relying on this is not
+ recommended, however, as it requires <command>named</command>
+ to be recompiled with a new key when the DLV key expires.)
+ </para>
+ <para>
+ NOTE: Using <filename>bind.keys</filename> to store
+ locally-configured keys is possible, but not
+ recommended, as the file will be overwritten whenever
+ <acronym>BIND</acronym> 9 is re-installed or upgraded.
</para>
</listitem>
</varlistentry>
*/
/*
- * $Id: dnssec.c,v 1.104 2009/10/12 23:48:01 tbox Exp $
+ * $Id: dnssec.c,v 1.105 2009/10/16 02:59:41 each Exp $
*/
/*! \file */
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
- continue;
+ goto again;
/* Corrupted .key file? */
if (!dns_name_equal(origin, dst_key_name(pubkey)))
- continue;
+ goto again;
if (public) {
addkey(keylist, &pubkey, savekeys, mctx);
- continue;
+ goto again;
}
result = dst_key_fromfile(dst_key_name(pubkey),
directory, mctx, &privkey);
if (result == ISC_R_FILENOTFOUND) {
addkey(keylist, &pubkey, savekeys, mctx);
- continue;
+ goto again;
}
RETERR(result);
- if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
- /* We should never get here. */
- dst_key_free(&pubkey);
- dst_key_free(&privkey);
- continue;
- }
+ /* This should never happen. */
+ if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
+ goto again;
addkey(keylist, &privkey, savekeys, mctx);
-
- dst_key_free(&pubkey);
+ again:
+ if (pubkey != NULL)
+ dst_key_free(&pubkey);
+ if (privkey != NULL)
+ dst_key_free(&privkey);
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
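Review bot: The new `again:` cleanup is only safe if `addkey()` clears the pointer it takes ownership of, because `pubkey` and `privkey` are now unconditionally freed there whenever still non-NULL after the `addkey(keylist, &pubkey, ...)` and `addkey(keylist, &privkey, ...)` calls; if `addkey()` leaves the pointer set (the `savekeys` flag suggests it may not always keep the key), the key just placed on `keylist` is freed and later used. That contract is worth pinning at the label with `/* addkey() NULLs the pointer it takes ownership of; anything still set here was not added and must be freed. */`, or with an `INSIST(pubkey == NULL)` after each call if that really is the guarantee. Separately, `RETERR(result)` after `dst_key_fromfile()` leaves the loop with `pubkey` still allocated and bypasses `again:`, so unless the label RETERR jumps to frees it, an unreadable private-key file leaks the public key on every call. The enclosing function's start and end, including that error label and the initialization of `privkey` to NULL that this cleanup relies on, are outside this hunk.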