From: Evan Hunt Date: Sat, 1 Mar 2014 05:29:19 +0000 (-0800) Subject: [master] improved doc for "rndc signing -list" X-Git-Tag: v9.10.0b2~75 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=3ef4b7383ab4310df48ee5143e361ab1cfa3c8e8;p=thirdparty%2Fbind9.git [master] improved doc for "rndc signing -list" 3769. [doc] Improved documentation of "rndc signing -list". [RT #30652] --- diff --git a/CHANGES b/CHANGES index 0249275da8e..f1fff7c4cdc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3769. [doc] Improved documentation of "rndc signing -list". + [RT #30652] + 3768. [bug] "dnssec-checkds" was missing the SHA-384 digest algorithm. [RT #34000] diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook index 7b967586e72..b8ec9ad5822 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -672,8 +672,8 @@ signing ( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) ) zone class view - List, edit, or remove the DNSSEC signing state for - the specified zone. The status of ongoing DNSSEC + List, edit, or remove the DNSSEC signing state records + for the specified zone. The status of ongoing DNSSEC operations (such as signing or generating NSEC3 chains) is stored in the zone in the form of DNS resource records of type diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index c44a9aded89..d5f8bcf6f8f 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5704,34 +5704,34 @@ options { - max-zone-ttl - - - Specifies a maximum permissible TTL value. - When loading a zone file using a - of - text or raw, - any record encountered with a TTL higher than - will cause the zone to - be rejected. - - - This is useful in DNSSEC-signed zones because when - rolling to a new DNSKEY, the old key needs to remain - available until RRSIG records have expired from - caches. The option guarantees - that the largest TTL in the zone will be no higher - the set value. - - - (NOTE: Because map-format files - load directly into memory, this option cannot be - used with them.) - - - - - + max-zone-ttl + + + Specifies a maximum permissible TTL value. + When loading a zone file using a + of + text or raw, + any record encountered with a TTL higher than + will cause the zone to + be rejected. + + + This is useful in DNSSEC-signed zones because when + rolling to a new DNSKEY, the old key needs to remain + available until RRSIG records have expired from + caches. The option guarantees + that the largest TTL in the zone will be no higher + the set value. + + + (NOTE: Because map-format files + load directly into memory, this option cannot be + used with them.) + + + + + zone-statistics @@ -6273,17 +6273,17 @@ options { If yes, then a SIT (Source Identity Token) EDNS option is sent along with the query. If the - resolver has previously talked to the server, the SIT - returned in the previous transaction is sent. This - is used by the server to determine whether the resolver - has talked to it before. A resolver sending the correct - SIT is assumed not to be an off-path attacker sending a - spoofed-source query; the query is therefore unlikely to - be part of a reflection/amplification attack, so resolvers - sending a correct SIT option are not subject to response - rate limiting (RRL). Resolvers which do not send a correct - SIT option may be limited to receiving smaller responses - via the nosit-udp-size option. + resolver has previously talked to the server, the SIT + returned in the previous transaction is sent. This + is used by the server to determine whether the resolver + has talked to it before. A resolver sending the correct + SIT is assumed not to be an off-path attacker sending a + spoofed-source query; the query is therefore unlikely to + be part of a reflection/amplification attack, so resolvers + sending a correct SIT option are not subject to response + rate limiting (RRL). Resolvers which do not send a correct + SIT option may be limited to receiving smaller responses + via the nosit-udp-size option. @@ -7271,53 +7271,53 @@ options { no-case-compress - Specifies a list of addresses which require responses - to use case-insensitive compression. This ACL can be - used when named needs to work with - clients that do not comply with the requirement in RFC - 1034 to use case-insensitive name comparisons when - checking for matching domain names. - - - If left undefined, the ACL defaults to - none: case-insensitive compression - will be used for all clients. If the ACL is defined and - matches a client, then case will be ignored when - compressing domain names in DNS responses sent to that - client. - - - This can result in slightly smaller responses: if - a response contains the names "example.com" and - "example.COM", case-insensitive compression would treat - the second one as a duplicate. It also ensures - that the case of the query name exactly matches the - case of the owner names of returned records, rather - than matching the case of the records entered in - the zone file. This allows responses to exactly - match the query, which is required by some clients - due to incorrect use of case-sensitive comparisions. - - - Case-insensitive compression is always - used in AXFR and IXFR responses, regardless of whether - the client matches this ACL. - - - There are circusmstances in which named - will not preserve the case of owner names of records: - if a zone file defines records of different types with - the same name, but the capitalization of the name is - different (e.g., "www.example.com/A" and - "WWW.EXAMPLE.COM/AAAA"), then all resposnes for that - name will use the first version - of the name that was used in the zone file. This - limitation may be addressed in a future release. However, - domain names specified in the rdata of resource records - (i.e., records of type NS, MX, CNAME, etc) will always - have their case preserved unless the client matches this - ACL. - + Specifies a list of addresses which require responses + to use case-insensitive compression. This ACL can be + used when named needs to work with + clients that do not comply with the requirement in RFC + 1034 to use case-insensitive name comparisons when + checking for matching domain names. + + + If left undefined, the ACL defaults to + none: case-insensitive compression + will be used for all clients. If the ACL is defined and + matches a client, then case will be ignored when + compressing domain names in DNS responses sent to that + client. + + + This can result in slightly smaller responses: if + a response contains the names "example.com" and + "example.COM", case-insensitive compression would treat + the second one as a duplicate. It also ensures + that the case of the query name exactly matches the + case of the owner names of returned records, rather + than matching the case of the records entered in + the zone file. This allows responses to exactly + match the query, which is required by some clients + due to incorrect use of case-sensitive comparisions. + + + Case-insensitive compression is always + used in AXFR and IXFR responses, regardless of whether + the client matches this ACL. + + + There are circusmstances in which named + will not preserve the case of owner names of records: + if a zone file defines records of different types with + the same name, but the capitalization of the name is + different (e.g., "www.example.com/A" and + "WWW.EXAMPLE.COM/AAAA"), then all resposnes for that + name will use the first version + of the name that was used in the zone file. This + limitation may be addressed in a future release. However, + domain names specified in the rdata of resource records + (i.e., records of type NS, MX, CNAME, etc) will always + have their case preserved unless the client matches this + ACL. + @@ -8675,7 +8675,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Specify a private RDATA type to be used when generating - key signing records. The default is + signing state records. The default is 65534. @@ -8683,13 +8683,20 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; in a future version once there is a standard type. - These records can be removed from the zone once named - has completed signing the zone with the matching key - using nsupdate or - rndc signing -clear. - rndc signing -clear is the only supported - way to remove these records from - inline-signing zones. + Signing state records are used to internally by + named to track the current state of + a zone-signing process, i.e., whether it is still active + or has been completed. The records can be inspected + using the command + rndc signing -list zone. + Once named has finished signing + a zone with a particular key, the signing state + record associated with that key can be removed from + the zone by running + rndc signing -clear keyid/algorithm zone. + To clear all of the completed signing state + records for a zone, use + rndc signing -clear all zone. @@ -9847,9 +9854,9 @@ deny-answer-aliases { "example.net"; }; DNSSEC requests (DO=1) unless break-dnssec yes is in use, because the response would depend on whether or not RRSIG records were found during resolution. - Using this option can cause error responses such as SERVFAIL to - appear to be rewritten, since no recursion is being done to - discover problems at the authoritative server. + Using this option can cause error responses such as SERVFAIL to + appear to be rewritten, since no recursion is being done to + discover problems at the authoritative server.