- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.8.18.7 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.8.18.8 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- chroot to <filename>directory</filename> so that
+ Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
<term>-z</term>
<listitem>
<para>
- Perform a check load the master zonefiles found in
- <filename>named.conf</filename>.
+ Perform a test load of all master zones found in
+ <filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.docbook,v 1.11.18.17 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.11.18.18 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
<term>-i <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
- Perform post load zone integrity checks. Possible modes are
+ Perform post-load zone integrity checks. Possible modes are
<command>"full"</command> (default),
<command>"full-sibling"</command>,
<command>"local"</command>,
<para>
Mode <command>"full"</command> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
- hostnames). It also checks that glue addresses records
+ hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <command>"local"</command> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
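Review bot: the "full" mode sentence that this hunk touches still has a number-agreement slip in its unchanged context: "checks that delegation NS records refer to A or AAAA record" should read "refer to A or AAAA records". Worth fixing alongside the "glue address records" correction, since it is the same sentence.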
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- chroot to <filename>directory</filename> so that
+ Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.docbook,v 1.17.18.17 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.17.18.18 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.dig">
<refentryinfo>
arguments, it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line arguments
and options is printed when the <option>-h</option> option is given.
- Unlike earlier versions, the BIND9 implementation of
+ Unlike earlier versions, the BIND 9 implementation of
<command>dig</command> allows multiple lookups to be issued
from the
command line.
in batch mode by reading a list of lookup requests to process from the
file <parameter>filename</parameter>. The file contains a
number of
- queries, one per line. Each entry in the file should be organised in
+ queries, one per line. Each entry in the file should be organized in
the same way they would be presented as queries to
<command>dig</command> using the command-line interface.
</para>
The <option>-t</option> option sets the query type to
<parameter>type</parameter>. It can be any valid query type
which is
- supported in BIND9. The default query type "A", unless the
+ supported in BIND 9. The default query type "A", unless the
<option>-x</option> option is supplied to indicate a reverse lookup.
A zone transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required,
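Review bot: the line rewritten for the "BIND 9" spelling is missing its verb: "The default query type "A", unless the -x option is supplied" should be "The default query type is "A", unless the -x option is supplied". Since the hunk already replaces that line, add the "is" here rather than in a follow-up.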
<para>
The <option>-q</option> option sets the query name to
- <parameter>name</parameter>. This useful do distingish the
+ <parameter>name</parameter>. This useful do distinguish the
<parameter>name</parameter> from other arguments.
</para>
<para>
- Reverse lookups - mapping addresses to names - are simplified by the
+ Reverse lookups — mapping addresses to names — are simplified by the
<option>-x</option> option. <parameter>addr</parameter> is
an IPv4
address in dotted-decimal notation, or a colon-delimited IPv6 address.
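Review bot: the spelling correction in the -q paragraph leaves the sentence ungrammatical: "This useful do distinguish the name from other arguments" should read "This is useful to distinguish the name from other arguments". Separately, the -x paragraph replaces the ASCII hyphens with literal em dash characters; DocBook source needs the file's declared encoding to cover them (or the &mdash; entity), so confirm the man-page build renders them correctly, otherwise keep the plain hyphens.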
<listitem>
<para>
Use [do not use] TCP when querying name servers. The default
- behaviour is to use UDP unless an AXFR or IXFR query is
+ behavior is to use UDP unless an AXFR or IXFR query is
requested, in
which case a TCP connection is used.
</para>
This query option toggles the printing of statistics: when the
query
was made, the size of the reply and so on. The default
- behaviour is
+ behavior is
to print the query statistics.
</para>
</listitem>
<para>
Sets the timeout for a query to
- <parameter>T</parameter> seconds. The default time
- out is 5 seconds.
+ <parameter>T</parameter> seconds. The default
+ timeout is 5 seconds.
An attempt to set <parameter>T</parameter> to less
than 1 will result
in a query timeout of 1 second being applied.
default is
to not try the next server which is the reverse of normal stub
resolver
- behaviour.
+ behavior.
</para>
</listitem>
</varlistentry>
<term><option>+[no]topdown</option></term>
<listitem>
<para>
- When chasing DNSSEC signature chains perform a top down
+ When chasing DNSSEC signature chains perform a top-down
validation.
Requires dig be compiled with -DDIG_SIGCHASE.
</para>
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: host.docbook,v 1.5.18.10 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.host">
<refentryinfo>
attempt to resolve <parameter>name</parameter>. The
<option>-r</option> option enables <command>host</command>
to mimic
- the behaviour of a name server by making non-recursive queries and
+ the behavior of a name server by making non-recursive queries and
expecting to receive answers to those queries that are usually
referrals to other name servers.
</para>
<para>
The <option>-t</option> option is used to select the query type.
- <parameter>type</parameter> can be any recognised query
+ <parameter>type</parameter> can be any recognized query
type: CNAME,
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<command>host</command> automatically selects an appropriate
The <option>-s</option> option tells <command>host</command>
<emphasis>not</emphasis> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
- reverse of normal stub resolver behaviour.
+ reverse of normal stub resolver behavior.
</para>
<para>
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.docbook,v 1.4.2.10 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: nslookup.docbook,v 1.4.2.11 2007/05/09 01:38:19 marka Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
<replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
- Turn debugging mode on. A lot more information is
- printed about the packet sent to the server and the
- resulting answer.
+ Turn on or off the display of the full response packet and
+ any intermediate response packets when searching.
</para>
<para>
(Default = nodebug; abbreviation = <optional>no</optional>deb)
<replaceable><optional>no</optional></replaceable>d2</constant></term>
<listitem>
<para>
- Turn debugging mode on. A lot more information is
- printed about the packet sent to the server and the
- resulting answer.
+ Turn debugging mode on or off. This displays more about
+ about what nslookup is doing.
</para>
<para>
(Default = nod2)
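Review bot: the new d2 description has a doubled word: "This displays more about about what nslookup is doing". Drop one "about"; the sentence could also be tightened to "This displays more detail about what nslookup is doing".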
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.7.18.9 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.7.18.10 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
<title>DESCRIPTION</title>
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
- and RFC <TBA\>. It can also generate keys for use with
+ and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
</para>
</refsect1>
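Review bot: replacing the RFC <TBA\> placeholder with RFC 4034 (and dropping the stray backslash) is the right direction, but RFC 2535 is obsoleted by RFC 4033, 4034 and 4035 as a set, so "as defined in RFC 2535 and RFC 4034" reads oddly. Suggest "as defined in RFC 4033, RFC 4034 and RFC 4035", optionally mentioning RFC 2535 as the earlier specification.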
</listitem>
</itemizedlist>
<para><command>dnssec-keygen</command>
- creates two file, with names based
+ creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
statement).
</para>
<para>
- The <filename>.private</filename> file contains algorithm
- specific
+ The <filename>.private</filename> file contains
+ algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
<para>
Both <filename>.key</filename> and <filename>.private</filename>
- files are generated for symmetric encryption algorithm such as
+ files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</para>
</refsect1>
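Review bot: the plural fix leaves a technical inaccuracy in the same sentence: HMAC-MD5 is a keyed message authentication code, not an encryption algorithm, so "symmetric encryption algorithms such as HMAC-MD5" should be "symmetric algorithms such as HMAC-MD5" (or "symmetric key algorithms"). The rest of the sentence, that the public and private key are equivalent for such keys, is fine.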
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename>
and
- <filename>Kexample.com.+003+26160.private</filename>
+ <filename>Kexample.com.+003+26160.private</filename>.
</para>
</refsect1>
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.10.18.15 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.10.18.16 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to
the
- input file.
+ input filename.
</para>
</listitem>
</varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
- When a previously signed zone is passed as input, records
+ When a previously-signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
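Review bot: the hyphen added in "previously-signed zone" is not needed; compounds formed from an -ly adverb are written open, so the original "previously signed zone" was correct. The unchanged context in this hunk also has "If a RRSIG record expires", which should be "If an RRSIG record expires".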
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
- a previously signed zone is passed as input to the signer,
- all expired signatures has to be regenerated at about the
+ a previously-signed zone is passed as input to the signer,
+ all expired signatures have to be regenerated at about the
same time. The <option>jitter</option> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
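Review bot: "have to be regenerated" is the right agreement fix, but the lead-in of the same paragraph still reads "all RRSIG records issued at the time of signing expires simultaneously"; change "expires" to "expire" while the paragraph is open. As elsewhere, "previously-signed" should stay unhyphenated ("previously signed").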
<term>key</term>
<listitem>
<para>
- The keys used to sign the zone. If no keys are specified, the
- default all zone keys that have private key files in the
- current directory.
+ Specify which keys should be used to sign the zone. If
+ no keys are specified, then the zone will be examined
+ for DNSKEY records at the zone apex. If these are found and
+ there are matching private keys, in the current directory,
+ then these will be used for signing.
</para>
</listitem>
</varlistentry>
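Review bot: the new key description has stray commas that break the conditional clause: "If these are found and there are matching private keys, in the current directory, then these will be used for signing" should read "If these are found and there are matching private keys in the current directory, they will be used for signing".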
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
- zone with the DSA key generated in the <command>dnssec-keygen</command>
- man page. The zone's keys must be in the zone. If there are
- <filename>keyset</filename> files associated with child
- zones,
- they must be in the current directory.
- <userinput>example.com</userinput>, the following command would be
- issued:
- </para>
- <para><userinput>dnssec-signzone -o example.com db.example.com
- Kexample.com.+003+26160</userinput>
- </para>
- <para>
- The command would print a string of the form:
+ zone with the DSA key generated by <command>dnssec-keygen</command>
+ (Kexample.com.+003+17247). The zone's keys must be in the master
+ file (<filename>db.example.com</filename>). This invocation looks
+ for <filename>keyset</filename> files, in the current directory,
+ so that DS records can be generated from them (<command>-g</command>).
</para>
+<programlisting>% dnssec-signzone -g -o example.com db.example.com \
+Kexample.com.+003+17247
+db.example.com.signed
+%</programlisting>
<para>
- In this example, <command>dnssec-signzone</command> creates
+ In the above example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This
- file
- should be referenced in a zone statement in a
+ file should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
+ <para>
+ This example re-signs a previously signed zone with default parameters.
+ The private keys are assumed to be in the current directory.
+ </para>
+<programlisting>% cp db.example.com.signed db.example.com
+% dnssec-signzone -o example.com db.example.com
+db.example.com.signed
+%</programlisting>
</refsect1>
<refsect1>
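Review bot: the key identifier used in the new EXAMPLE prose and programlisting (Kexample.com.+003+17247) does not match the one the dnssec-keygen man page in this same patch says its example creates (Kexample.com.+003+26160), so a reader following the two pages in sequence will be told to sign with a key file that was never generated; pick one key tag and use it on both pages. In the second example, "cp db.example.com.signed db.example.com" overwrites the unsigned master file with the signed copy; either say so in the prose or use a distinct filename, since the original unsigned source is what you need to re-sign from scratch.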
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.docbook,v 1.7.18.5 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.7.18.6 2007/05/09 01:38:19 marka Exp $ -->
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
- <para><function>chroot()</function>
+ <para>Chroot
to <replaceable class="parameter">directory</replaceable> after
processing the command line arguments, but before
reading the configuration file.
This option should be used in conjunction with the
<option>-u</option> option, as chrooting a process
running as root doesn't enhance security on most
- systems; the way <function>chroot()</function> is
+ systems; the way <function>chroot(2)</function> is
defined allows a process with root privileges to
escape a chroot jail.
</para>
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
- <para><function>setuid()</function>
+ <para>Setuid
to <replaceable class="parameter">user</replaceable> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.docbook,v 1.1.2.25 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.1.2.26 2007/05/09 01:38:19 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
<citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
- <citerefentry>
- <refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle>
- </citerefentry>.
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.docbook,v 1.7.18.8 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: named.docbook,v 1.7.18.9 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>June 30, 2000</date>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
- <para><function>chroot()</function>
+ <para>Chroot
to <replaceable class="parameter">directory</replaceable> after
processing the command line arguments, but before
reading the configuration file.
This option should be used in conjunction with the
<option>-u</option> option, as chrooting a process
running as root doesn't enhance security on most
- systems; the way <function>chroot()</function> is
+ systems; the way <function>chroot(2)</function> is
defined allows a process with root privileges to
escape a chroot jail.
</para>
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
- <para><function>setuid()</function>
+ <para>Setuid
to <replaceable class="parameter">user</replaceable> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
<para>
On Linux, <command>named</command> uses the kernel's
capability mechanism to drop all root privileges
- except the ability to <function>bind()</function> to
+ except the ability to <function>bind(2)</function> to
a
privileged port and set process resource limits.
Unfortunately, this means that the <option>-u</option>
run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
later, since previous kernels did not allow privileges
- to be retained after <function>setuid()</function>.
+ to be retained after <function>setuid(2)</function>.
</para>
</note>
</listitem>
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.18.18.8 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.18.18.9 2007/05/09 01:38:19 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Jun 30, 2000</date>
Once other algorithms are defined for TSIG, applications will need to
ensure they select the appropriate algorithm as well as the key when
authenticating each other.
- For instance suitable
+ For instance, suitable
<type>key</type>
and
<type>server</type>
This may be preferable when a batch of update requests is made.
</para>
<para>
- The <option>-t</option> option sets the maximum time a update request
+ The <option>-t</option> option sets the maximum time an update request
can
take before it is aborted. The default is 300 seconds. Zero can be
used
<para>
The <option>-u</option> option sets the UDP retry interval. The default
is
- 3 seconds. If zero the interval will be computed from the timeout
+ 3 seconds. If zero, the interval will be computed from the timeout
interval
and number of UDP retries.
</para>
<para>
The <option>-r</option> option sets the number of UDP retries. The
default is
- 3. If zero only one update request will be made.
+ 3. If zero, only one update request will be made.
</para>
</refsect1>
<listitem>
<para>
Specify the default class.
- If no <parameter>class</parameter> is specified the
+ If no <parameter>class</parameter> is specified, the
default class is
<parameter>IN</parameter>.
</para>
</term>
<listitem>
<para>
- Specifies that all updates are to be TSIG signed using the
+ Specifies that all updates are to be TSIG-signed using the
<parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
The <command>key</command> command
overrides any key specified on the command line via
Any A records for
<type>oldhost.example.com</type>
are deleted.
- and an A record for
+ And an A record for
<type>newhost.example.com</type>
- it IP address 172.16.1.1 is added.
- The newly-added record has a 1 day TTL (86400 seconds)
+ with IP address 172.16.1.1 is added.
+ The newly-added record has a 1 day TTL (86400 seconds).
<programlisting>
# nsupdate
> prereq nxdomain nickname.example.com
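Review bot: the rewritten example prose now starts a sentence with "And": "Any A records for oldhost.example.com are deleted. And an A record for newhost.example.com with IP address 172.16.1.1 is added." Join the two instead: "Any A records for oldhost.example.com are deleted, and an A record for newhost.example.com with IP address 172.16.1.1 is added." The final sentence reads better as "a 1-day TTL (86400 seconds)".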
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.5.18.10 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.rndc.conf">
<refentryinfo>
<date>June 30, 2000</date>
key testkey {
algorithm hmac-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
- }
+ };
</programlisting>
</para>
A complete <filename>rndc.conf</filename> file, including
the
randomly generated key, will be written to the standard
- output. Commented out <option>key</option> and
+ output. Commented-out <option>key</option> and
<option>controls</option> statements for
<filename>named.conf</filename> are also printed.
</para>
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.docbook,v 1.8.18.8 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.8.18.9 2007/05/09 01:38:19 marka Exp $ -->
<refentry id="man.rndc">
<refentryinfo>
<date>June 30, 2000</date>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>
+ </citerefentry>,
<citerefentry>
<refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,