- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.369 2008/09/25 05:49:26 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.370 2008/09/25 06:08:49 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
</para>
<para>
- Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: RRSIG and NSEC records affected by updates are automatically
- regenerated by the server using an online zone key.
- Update authorization is based
- on transaction signatures and an explicit server policy.
+ Updating of secure zones (zones using DNSSEC) follows RFC
+ 3007: RRSIG, NSEC and NSEC3 records affected by updates are
+ automatically regenerated by the server using an online
+ zone key. Update authorization is based on transaction
+ signatures and an explicit server policy.
</para>
<sect2 id="journal">
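Review bot: the rewrap at "follows RFC" / "3007" splits the RFC number from its label across a line break; keep "RFC 3007" on one line so it reads and greps as a single reference, as "RFC 5155" does in the NSEC3 rows later in this patch. Since the paragraph now commits the server to regenerating NSEC3 records as well, the sentence about "an online zone key" carries more weight: a short pointer to where the key-protection caveat lives (the private key must be readable by the running server, so it is exposed on that host) would help readers of this section, since nothing here says so.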
<sect2>
<title>Signing the Zone</title>
- <para>
- The <command>dnssec-signzone</command> program is used
- to
- sign a zone.
- </para>
+ <para>
+ The <command>dnssec-signzone</command> program is used
+ to sign a zone.
+ </para>
- <para>
- Any <filename>keyset</filename> files corresponding
- to secure subzones should be present. The zone signer will
- generate <literal>NSEC</literal> and <literal>RRSIG</literal>
- records for the zone, as well as <literal>DS</literal>
- for
- the child zones if <literal>'-d'</literal> is specified.
- If <literal>'-d'</literal> is not specified, then
- DS RRsets for
- the secure child zones need to be added manually.
- </para>
+ <para>
+ Any <filename>keyset</filename> files corresponding to
+ secure subzones should be present. The zone signer will
+ generate <literal>NSEC</literal>, <literal>NSEC3</literal>
+ and <literal>RRSIG</literal> records for the zone, as
+ well as <literal>DS</literal> for the child zones if
+ <literal>'-g'</literal> is specified. If <literal>'-g'</literal>
+ is not specified, then DS RRsets for the secure child
+ zones need to be added manually.
+ </para>
<para>
The following command signs the zone, assuming it is in a
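Review bot: "generate NSEC, NSEC3 and RRSIG records" reads as if the signer emits both NSEC and NSEC3 for one zone; a zone carries one or the other, so "NSEC or NSEC3 records, as appropriate, and RRSIG records" would be accurate. The option letter changes from '-d' to '-g' in the same paragraph, which is a user-facing change: please confirm it matches the current dnssec-signzone usage and that the signing command shown in the following paragraph ("The following command signs the zone ...") does not still rely on '-d' for DS generation. As a markup point, the straight quotes inside <literal>'-g'</literal> end up in the rendered output; DocBook's <option>-g</option> would be the idiomatic choice.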
specify a fully-qualified domain name.
</para>
- <para>
- If no types are explicitly specified, this rule matches all
- types except
- RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
- "ANY" (ANY matches all types except NSEC, which can never be
- updated).
- Note that when an attempt is made to delete all records
- associated with a
- name, the rules are checked for each existing record type.
- </para>
+ <para>
+ If no types are explicitly specified, this rule matches
+ all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
+ may be specified by name, including "ANY" (ANY matches
+ all types except NSEC and NSEC3, which can never be
+ updated). Note that when an attempt is made to delete
+ all records associated with a name, the rules are
+ checked for each existing record type.
+ </para>
</sect3>
</sect2>
</sect1>
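Review bot: NSEC3 joins RRSIG, NS, SOA and NSEC in the set of types that "can never be updated", but NSEC3PARAM, which this same patch documents as the record that tells the server which NSEC3 chains are in use, is not mentioned in either list. With the text as written, a grant for "ANY" would appear to cover NSEC3PARAM, which changes the zone's denial-of-existence chain. Please state explicitly whether NSEC3PARAM is excluded like NSEC3, or is deliberately updatable and subject to the policy like any other type, so administrators writing update-policy rules know which it is.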
</para>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NSEC3
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Used in DNSSECbis to securely indicate that
+ RRs with an owner name in a certain name
+ interval do not exist in a zone and indicate
+ what RR types are present for an existing
+ name. NSEC3 differs from NSEC in that it
+ prevents zone enumeration but is more
+ computationally expensive on both the server
+ and the client than NSEC. Described in RFC
+ 5155.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NSEC3PARAM
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Used in DNSSECbis to tell the authoritative
+ server which NSEC3 chains are available to use.
+ Described in RFC 5155.
+ </para>
+ </entry>
+ </row>
<row rowsep="0">
<entry colname="1">
<para>
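Review bot: "prevents zone enumeration" in the NSEC3 row overstates the protection. NSEC3 hashes the owner names, but the hashed chain is still served to anyone who asks and can be attacked offline with a dictionary, so "makes zone enumeration substantially harder" is the claim RFC 5155 actually supports. The cost statement ("more computationally expensive on both the server and the client") is fine but would be more useful with the reason, namely the per-name hashing. In the NSEC3PARAM row, "which NSEC3 chains are available to use" is vague; it would read more precisely as the record that carries the hash algorithm, flags, iteration count and salt the server uses for its NSEC3 chain(s).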