From: Tinderbox User Date: Thu, 16 Jan 2014 01:05:38 +0000 (+0000) Subject: regen master X-Git-Tag: v9.10.0a2~78 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=6ea2385360e9e2167e65f9286447da9eea189457;p=thirdparty%2Fbind9.git regen master --- diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index 0e1ea162488..7d6751b3052 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -67,7 +67,9 @@ Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used .PP \-E \fIengine\fR .RS 4 -Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pkcs11". +Specifies the cryptographic hardware to use. +.sp +When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11". .RE .PP \-l \fIlabel\fR diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index a8f9f81a1d5..7c25807f90e 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> + diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 21e923fe914..f6955ae689d 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,38 +70,29 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
-
-
PKCS #11 (Cryptoki) support
-
-
Prerequisites
-
Building BIND 9 with PKCS#11
-
PKCS #11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Validating Resolver
+
Authoritative Server
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -1070,7 +1061,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1096,7 +1087,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1132,7 +1123,7 @@ options {
 

While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.

-Fully automatic zone signing

+Fully automatic zone signing

To enable automatic signing, add the auto-dnssec option to the zone statement in named.conf. @@ -1188,7 +1179,7 @@ options { configuration. If this has not been done, the configuration will fail.

-Private-type records

+Private-type records

The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1229,12 +1220,12 @@ options {

-DNSKEY rollovers

+DNSKEY rollovers

As with insecure-to-secure conversions, rolling DNSSEC keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

-Dynamic DNS update method

+Dynamic DNS update method

To perform key rollovers via dynamic update, you need to add the K* files for the new keys so that named can find them. You can then add the new @@ -1256,7 +1247,7 @@ options { named will clean out any signatures generated by the old key after the update completes.

-Automatic key rollovers

+Automatic key rollovers

When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to @@ -1271,27 +1262,27 @@ options { completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE

Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3

To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC

To do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.

-Converting from secure to insecure

+Converting from secure to insecure

To convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using nsupdate. All signatures, NSEC or NSEC3 chains, @@ -1306,14 +1297,14 @@ options { allow instead (or it will re-sign).

-Periodic re-signing

+Periodic re-signing

In any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT

named only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT @@ -1335,7 +1326,7 @@ options { configuration files.

-Validating Resolver

+Validating Resolver

To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a managed-keys statement. Information about @@ -1346,7 +1337,7 @@ options {

-Authoritative Server

+Authoritative Server

To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the "active" @@ -1408,428 +1399,7 @@ $ dnssec-signzone -S -K keys example.net< keys with their original unrevoked key ID's.

-
-

-PKCS #11 (Cryptoki) support

-

PKCS #11 (Public Key Cryptography Standard #11) defines a - platform- independent API for the control of hardware security - modules (HSMs) and other cryptographic support devices.

-

BIND 9 is known to work with two HSMs: The Sun SCA 6000 - cryptographic acceleration board, tested under Solaris x86, and - the AEP Keyper network-attached key storage device, tested with - Debian Linux, Solaris x86 and Windows Server 2003.

-
-

-Prerequisites

-

See the HSM vendor documentation for information about - installing, initializing, testing and troubleshooting the - HSM.

-

BIND 9 uses OpenSSL for cryptography, but stock OpenSSL - does not yet fully support PKCS #11. However, a PKCS #11 engine - for OpenSSL is available from the OpenSolaris project. It has - been modified by ISC to work with with BIND 9, and to provide - new features such as PIN management and key by - reference.

-

The patched OpenSSL depends on a "PKCS #11 provider". - This is a shared library object, providing a low-level PKCS #11 - interface to the HSM hardware. It is dynamically loaded by - OpenSSL at runtime. The PKCS #11 provider comes from the HSM - vendor, and is specific to the HSM to be controlled.

-

There are two "flavors" of PKCS #11 support provided by - the patched OpenSSL, one of which must be chosen at - configuration time. The correct choice depends on the HSM - hardware:

-
    -
  • Use 'crypto-accelerator' with HSMs that have hardware - cryptographic acceleration features, such as the SCA 6000 - board. This causes OpenSSL to run all supported - cryptographic operations in the HSM.

  • -
  • Use 'sign-only' with HSMs that are designed to - function primarily as secure key storage devices, but lack - hardware acceleration. These devices are highly secure, but - are not necessarily any faster at cryptography than the - system CPU — often, they are slower. It is therefore - most efficient to use them only for those cryptographic - functions that require access to the secured private key, - such as zone signing, and to use the system CPU for all - other computationally-intensive operations. The AEP Keyper - is an example of such a device.

  • -
-

The modified OpenSSL code is included in the BIND 9 release, - in the form of a context diff against the latest verions of - OpenSSL. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are supported; there are - separate diffs for each version. In the examples to follow, - we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0 - and 1.0.1. -

-
-

Note

- The latest OpenSSL versions at the time of the BIND release - are 0.9.8y, 1.0.0k and 1.0.1e. - ISC will provide an updated patch as new versions of OpenSSL - are released. The version number in the following examples - is expected to change.
-

- Before building BIND 9 with PKCS #11 support, it will be - necessary to build OpenSSL with this patch in place and inform - it of the path to the HSM-specific PKCS #11 provider - library.

-

Obtain OpenSSL 0.9.8s:

-
-$ wget http://www.openssl.org/source/openssl-0.9.8s.tar.gz
-
-

Extract the tarball:

-
-$ tar zxf openssl-0.9.8s.tar.gz
-
-

Apply the patch from the BIND 9 release:

-
-$ patch -p1 -d openssl-0.9.8s \
-            < bind9/bin/pkcs11/openssl-0.9.8s-patch
-
-
-

Note

(Note that the patch file may not be compatible with the - "patch" utility on all operating systems. You may need to - install GNU patch.)
-

When building OpenSSL, place it in a non-standard - location so that it does not interfere with OpenSSL libraries - elsewhere on the system. In the following examples, we choose - to install into "/opt/pkcs11/usr". We will use this location - when we configure BIND 9.

-
-

-Building OpenSSL for the AEP Keyper on Linux

-

The AEP Keyper is a highly secure key storage device, - but does not provide hardware cryptographic acceleration. It - can carry out cryptographic operations, but it is probably - slower than your system's CPU. Therefore, we choose the - 'sign-only' flavor when building OpenSSL.

-

The Keyper-specific PKCS #11 provider library is - delivered with the Keyper software. In this example, we place - it /opt/pkcs11/usr/lib:

-
-$ cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so
-
-

This library is only available for Linux as a 32-bit - binary. If we are compiling on a 64-bit Linux system, it is - necessary to force a 32-bit build, by specifying -m32 in the - build options.

-

Finally, the Keyper library requires threads, so we - must specify -pthread.

-
-$ cd openssl-0.9.8s
-$ ./Configure linux-generic32 -m32 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr
-
-

After configuring, run "make" - and "make test". If "make - test" fails with "pthread_atfork() not found", you forgot to - add the -pthread above.

-
-
-

-Building OpenSSL for the SCA 6000 on Solaris

-

The SCA-6000 PKCS #11 provider is installed as a system - library, libpkcs11. It is a true crypto accelerator, up to 4 - times faster than any CPU, so the flavor shall be - 'crypto-accelerator'.

-

In this example, we are building on Solaris x86 on an - AMD64 system.

-
-$ cd openssl-0.9.8s
-$ ./Configure solaris64-x86_64-cc \
-            --pk11-libname=/usr/lib/64/libpkcs11.so \
-            --pk11-flavor=crypto-accelerator \
-            --prefix=/opt/pkcs11/usr
-
-

(For a 32-bit build, use "solaris-x86-cc" and - /usr/lib/libpkcs11.so.)

-

After configuring, run - make and - make test.

-
-
-

-Building OpenSSL for SoftHSM

-

SoftHSM is a software library provided by the OpenDNSSEC - project (http://www.opendnssec.org) which provides a PKCS#11 - interface to a virtual HSM, implemented in the form of encrypted - data on the local filesystem. It uses the Botan library for - encryption and SQLite3 for data storage. Though less secure - than a true HSM, it can provide more secure key storage than - traditional key files, and can allow you to experiment with - PKCS#11 when an HSM is not available.

-

The SoftHSM cryptographic store must be installed and - initialized before using it with OpenSSL, and the SOFTHSM_CONF - environment variable must always point to the SoftHSM configuration - file:

-
-$  cd softhsm-1.3.0 
-$  configure --prefix=/opt/pkcs11/usr 
-$  make 
-$  make install 
-$  export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf 
-$  echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF 
-$  /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm 
-
-

SoftHSM can perform all cryptographic operations, but - since it only uses your system CPU, there is no need to use it - for anything but signing. Therefore, we choose the 'sign-only' - flavor when building OpenSSL.

-
-$ cd openssl-0.9.8s
-$ ./Configure linux-x86_64 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr
-
-

After configuring, run "make" - and "make test".

-
-

Once you have built OpenSSL, run - "apps/openssl engine pkcs11" to confirm - that PKCS #11 support was compiled in correctly. The output - should be one of the following lines, depending on the flavor - selected:

-
-        (pkcs11) PKCS #11 engine support (sign only)
-
-

Or:

-
-        (pkcs11) PKCS #11 engine support (crypto accelerator)
-
-

Next, run - "apps/openssl engine pkcs11 -t". This will - attempt to initialize the PKCS #11 engine. If it is able to - do so successfully, it will report - “[ available ]”.

-

If the output is correct, run - "make install" which will install the - modified OpenSSL suite to - /opt/pkcs11/usr.

-
-
-

-Building BIND 9 with PKCS#11

-

When building BIND 9, the location of the custom-built - OpenSSL library must be specified via configure.

-
-

-Configuring BIND 9 for Linux with the AEP Keyper

-

To link with the PKCS #11 provider, threads must be - enabled in the BIND 9 build.

-

The PKCS #11 library for the AEP Keyper is currently - only available as a 32-bit binary. If we are building on a - 64-bit host, we must force a 32-bit build by adding "-m32" to - the CC options on the "configure" command line.

-
-$ cd ../bind9
-$ ./configure CC="gcc -m32" --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
-
-
-
-

-Configuring BIND 9 for Solaris with the SCA 6000

-

To link with the PKCS #11 provider, threads must be - enabled in the BIND 9 build.

-
-$ cd ../bind9
-$ ./configure CC="cc -xarch=amd64" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr \
-            --with-pkcs11=/usr/lib/64/libpkcs11.so
-
-

(For a 32-bit build, omit CC="cc -xarch=amd64".)

-

If configure complains about OpenSSL not working, you - may have a 32/64-bit architecture mismatch. Or, you may have - incorrectly specified the path to OpenSSL (it should be the - same as the --prefix argument to the OpenSSL - Configure).

-
-
-

-Configuring BIND 9 for SoftHSM

-
-$ cd ../bind9
-$ ./configure --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
-
-
-

After configuring, run - "make", - "make test" and - "make install".

-

(Note: If "make test" fails in the "pkcs11" system test, you may - have forgotten to set the SOFTHSM_CONF environment variable.)

-
-
-

-PKCS #11 Tools

-

BIND 9 includes a minimal set of tools to operate the - HSM, including - pkcs11-keygen to generate a new key pair - within the HSM, - pkcs11-list to list objects currently - available, and - pkcs11-destroy to remove objects.

-

In UNIX/Linux builds, these tools are built only if BIND - 9 is configured with the --with-pkcs11 option. (NOTE: If - --with-pkcs11 is set to "yes", rather than to the path of the - PKCS #11 provider, then the tools will be built but the - provider will be left undefined. Use the -m option or the - PKCS11_PROVIDER environment variable to specify the path to the - provider.)

-
-
-

-Using the HSM

-

First, we must set up the runtime environment so the - OpenSSL and PKCS #11 libraries can be loaded:

-
-$ export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
-
-

When operating an AEP Keyper, it is also necessary to - specify the location of the "machine" file, which stores - information about the Keyper for use by PKCS #11 provider - library. If the machine file is in - /opt/Keyper/PKCS11Provider/machine, - use:

-
-$ export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
-
-

These environment variables must be set whenever running - any tool that uses the HSM, including - pkcs11-keygen, - pkcs11-list, - pkcs11-destroy, - dnssec-keyfromlabel, - dnssec-signzone, - dnssec-keygen(which will use the HSM for - random number generation), and - named.

-

We can now create and use keys in the HSM. In this case, - we will create a 2048 bit key and give it the label - "sample-ksk":

-
-$ pkcs11-keygen -b 2048 -l sample-ksk
-
-

To confirm that the key exists:

-
-$ pkcs11-list
-Enter PIN:
-object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
-object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
-
-

Before using this key to sign a zone, we must create a - pair of BIND 9 key files. The "dnssec-keyfromlabel" utility - does this. In this case, we will be using the HSM key - "sample-ksk" as the key-signing key for "example.net":

-
-$ dnssec-keyfromlabel -l sample-ksk -f KSK example.net
-
-

The resulting K*.key and K*.private files can now be used - to sign the zone. Unlike normal K* files, which contain both - public and private key data, these files will contain only the - public key data, plus an identifier for the private key which - remains stored within the HSM. The HSM handles signing with the - private key.

-

If you wish to generate a second key in the HSM for use - as a zone-signing key, follow the same procedure above, using a - different keylabel, a smaller key size, and omitting "-f KSK" - from the dnssec-keyfromlabel arguments:

-
-$ pkcs11-keygen -b 1024 -l sample-zsk
-$ dnssec-keyfromlabel -l sample-zsk example.net
-
-

Alternatively, you may prefer to generate a conventional - on-disk key, using dnssec-keygen:

-
-$ dnssec-keygen example.net
-
-

This provides less security than an HSM key, but since - HSMs can be slow or cumbersome to use for security reasons, it - may be more efficient to reserve HSM keys for use in the less - frequent key-signing operation. The zone-signing key can be - rolled more frequently, if you wish, to compensate for a - reduction in key security.

-

Now you can sign the zone. (Note: If not using the -S - option to - dnssec-signzone, it will be necessary to add - the contents of both - K*.key files to the zone master file before - signing it.)

-
-$ dnssec-signzone -S example.net
-Enter PIN:
-Verifying the zone using the following algorithms:
-NSEC3RSASHA1.
-Zone signing complete:
-Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
-example.net.signed
-
-
-
-

-Specifying the engine on the command line

-

The OpenSSL engine can be specified in - named and all of the BIND - dnssec-* tools by using the "-E - <engine>" command line option. If BIND 9 is built with - the --with-pkcs11 option, this option defaults to "pkcs11". - Specifying the engine will generally not be necessary unless - for some reason you wish to use a different OpenSSL - engine.

-

If you wish to disable use of the "pkcs11" engine — - for troubleshooting purposes, or because the HSM is unavailable - — set the engine to the empty string. For example:

-
-$ dnssec-signzone -E '' -S example.net
-
-

This causes - dnssec-signzone to run as if it were compiled - without the --with-pkcs11 option.

-
-
-

-Running named with automatic zone re-signing

-

If you want - named to dynamically re-sign zones using HSM - keys, and/or to to sign new records inserted via nsupdate, then - named must have access to the HSM PIN. This can be accomplished - by placing the PIN into the openssl.cnf file (in the above - examples, - /opt/pkcs11/usr/ssl/openssl.cnf).

-

The location of the openssl.cnf file can be overridden by - setting the OPENSSL_CONF environment variable before running - named.

-

Sample openssl.cnf:

-
-        openssl_conf = openssl_def
-        [ openssl_def ]
-        engines = engine_section
-        [ engine_section ]
-        pkcs11 = pkcs11_section
-        [ pkcs11_section ]
-        PIN = <PLACE PIN HERE>
-
-

This will also allow the dnssec-* tools to access the HSM - without PIN entry. (The pkcs11-* tools access the HSM directly, - not via OpenSSL, so a PIN will still be required to use - them.)

-
-

Warning

-

Placing the HSM's PIN in a text file in - this manner may reduce the security advantage of using an - HSM. Be sure this is what you want to do before configuring - OpenSSL in this way.

-
-
-
-
+<xi:include></xi:include>

DLZ (Dynamically Loadable Zones)

@@ -1869,7 +1439,7 @@ $ dnssec-signzone -E '' -S example.net

-Configuring DLZ

+Configuring DLZ

A DLZ database is configured with a dlz statement in named.conf: @@ -1918,7 +1488,7 @@ $ dnssec-signzone -E '' -S example.net

-Sample DLZ Driver

+Sample DLZ Driver

For guidance in implementation of DLZ modules, the directory contrib/dlz/example contains a basic diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 5327a4471e1..d7a8d1f354e 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -78,28 +78,28 @@

server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -5481,15 +5481,37 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; and is equivalent to 4096.

prefetch
-

- Specifies the trigger ttl value (range [1..10]) - at which prefetch of the current query will be - made and optionally the minimum ttl value that will be - accepted for the records to be candidates for - prefetching. The defaults are 2 and 9 respectively. - Setting a trigger ttl value of 0 will disable - prefetching. A minimum delta of 6 is enforced. -

+
+

+ When a query is received for cached data which + is to expire shortly, named can + refresh the data from the authoritative server + immediately, ensuring that the cache always has an + answer available. +

+

+ The prefetch specifies the the + "trigger" TTL value at which prefetch of the current + query will take place: when a cache record with a + lower TTL value is encountered during query processing, + it will be refreshed. Valid trigger TTL values are 1 to + 10 seconds. Setting a trigger TTL to zero disables + prefetch. +

+

+ An optional second argument can be used + to set the smallest original + TTL value that will be accepted for a record to be + eligible for prefetching. The difference between + the trigger TTL and the eligibility TTL must be + at least 6 seconds. +

+

+ The default trigger and eligibility TTLs are + 2 and 9, + respectively. +

+
@@ -5830,7 +5852,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5953,7 +5975,7 @@ deny-answer-aliases { "example.net"; };

-Response Policy Zone (RPZ) Rewriting

+Response Policy Zone (RPZ) Rewriting

BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -6315,7 +6337,7 @@ example.com CNAME rpz-tcp-only.

-Response Rate Limiting

+Response Rate Limiting

Excessive almost identical UDP responses can be controlled by configuring a @@ -6744,7 +6766,7 @@ example.com CNAME rpz-tcp-only.

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -6860,7 +6882,7 @@ example.com CNAME rpz-tcp-only.

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -6900,7 +6922,7 @@ example.com CNAME rpz-tcp-only.

-managed-keys Statement Grammar

+managed-keys Statement Grammar
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7038,7 +7060,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 

-view Statement Definition and Usage

+view Statement Definition and Usage

The view statement is a powerful feature @@ -7358,10 +7380,10 @@ zone zone_name [

-zone Statement Definition and Usage

+zone Statement Definition and Usage

-Zone Types

+Zone Types
@@ -7679,7 +7701,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -7701,7 +7723,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -8615,7 +8637,7 @@ example.com. NS ns2.example.net.

-Multiple views

+Multiple views

When multiple views are in use, a zone may be referenced by more than one of them. Often, the views @@ -8662,7 +8684,7 @@ view external {

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -8675,7 +8697,7 @@ view external {

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -9412,7 +9434,7 @@ view external {

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -9615,7 +9637,7 @@ view external {

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -9871,7 +9893,7 @@ view external {

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -9932,7 +9954,7 @@ view external {

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -9947,7 +9969,7 @@ view external {

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -9958,7 +9980,7 @@ view external {

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -9987,7 +10009,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -10023,7 +10045,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -10042,7 +10064,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -10484,7 +10506,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
@@ -11080,7 +11102,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters
@@ -11234,7 +11256,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -11617,7 +11639,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -11772,7 +11794,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 74daec54392..d22587e6ab8 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -114,7 +114,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -140,7 +140,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -168,7 +168,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index cde9559527f..52e0d94ee18 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -45,18 +45,18 @@

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 0730ae532f4..b1023b02495 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,31 +45,31 @@

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -172,7 +172,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -260,17 +260,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -278,42 +278,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -322,19 +322,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -342,146 +342,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -497,47 +497,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -551,39 +551,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -604,14 +604,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

@@ -648,7 +648,7 @@

-Prerequisite

+Prerequisite

GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -657,7 +657,7 @@

-Compilation

+Compilation
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -672,7 +672,7 @@ $ make
 
 

-Installation

+Installation
 $ cd lib/export
 $ make install
@@ -694,7 +694,7 @@ $ make install
 
 

-Known Defects/Restrictions

+Known Defects/Restrictions
  • Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -734,7 +734,7 @@ $ make

-The dns.conf File

+The dns.conf File

The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -752,14 +752,14 @@ $ make

-Sample Applications

+Sample Applications

Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -823,7 +823,7 @@ $ make

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -864,7 +864,7 @@ $ make

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -905,7 +905,7 @@ $ make

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -922,7 +922,7 @@ $ make

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

It accepts a single update command as a command-line argument, sends an update request message to the @@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

It checks a set of domains to see the name servers of the domains behave @@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-Library References

+Library References

As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index ef958da5081..910ede8769f 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -113,38 +113,29 @@

DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
-
-
PKCS #11 (Cryptoki) support
-
-
Prerequisites
-
Building BIND 9 with PKCS#11
-
PKCS #11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Validating Resolver
+
Authoritative Server
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -192,28 +183,28 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -222,41 +213,41 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
I. Manual pages
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 52a9a0420a3..b4f1a72fe58 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index aa14bf4791e..b59df988e58 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -50,7 +50,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name | -z zone ] [-q] [name]

-

DESCRIPTION

+

DESCRIPTION

ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -77,7 +77,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -144,7 +144,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -152,7 +152,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 0aaf24fa0cb..88b7b6d0bc0 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -152,7 +152,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -256,7 +256,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -623,7 +623,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -669,7 +669,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -683,14 +683,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -698,7 +698,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index b32cff939da..65cd9f8ed1f 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

DESCRIPTION

+

DESCRIPTION

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -88,14 +88,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 3157a13f3b2..0d126327ee3 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

-

DESCRIPTION

+

DESCRIPTION

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@

-

OPTIONS

+

OPTIONS

-K directory

@@ -192,7 +192,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-checkds(8), dnssec-dsfromkey(8), @@ -201,7 +201,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index fcb9c674ec7..bd4a0942fad 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -51,14 +51,14 @@

dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-T TTL] [-f file] [-A] [-v level] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -135,7 +135,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -150,7 +150,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -164,13 +164,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -180,7 +180,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 6112450fefd..fc5de31ee47 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -63,7 +63,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -97,10 +97,19 @@ default.

-E engine
-

- Specifies the name of the crypto hardware (OpenSSL engine). - When compiled with PKCS#11 support it defaults to "pkcs11". -

+
+

+ Specifies the cryptographic hardware to use. +

+

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

+
-l label

Specifies the label of the key pair in the crypto hardware. @@ -192,7 +201,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -239,7 +248,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -278,7 +287,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -286,7 +295,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 0aa48549e27..d8f4c1abc63 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -151,12 +151,19 @@ the specified class. If not specified, class IN is used.

-E engine
-

- Uses a crypto hardware (OpenSSL engine) for random number - and, when supported, key generation. When compiled with PKCS#11 - support it defaults to pkcs11; the empty name resets it to - no engine. -

+
+

+ Specifies the cryptographic hardware to use, when applicable. +

+

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

+
-f flag

Set the specified flag in the flag field of the KEY/DNSKEY record. @@ -274,7 +281,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -345,7 +352,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -391,7 +398,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -412,7 +419,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -421,7 +428,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index b34e10b99ff..45358d0bf0f 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@

dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] [-R] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -78,10 +78,19 @@ Sets the debugging level.

-E engine
-

- Use the given OpenSSL engine. When compiled with PKCS#11 support - it defaults to pkcs11; the empty name resets it to no engine. -

+
+

+ Specifies the cryptographic hardware to use, when applicable. +

+

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

+
-f

Force overwrite: Causes dnssec-revoke to @@ -96,14 +105,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 3211b8b85d6..1e57e2685a7 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -76,7 +76,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -111,14 +111,23 @@ Sets the debugging level.

-E engine
-

- Use the given OpenSSL engine. When compiled with PKCS#11 support - it defaults to pkcs11; the empty name resets it to no engine. -

+
+

+ Specifies the cryptographic hardware to use, when applicable. +

+

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

+
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -197,7 +206,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -223,7 +232,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -231,7 +240,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 37afe2e3920..595f7754276 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -97,12 +97,21 @@ -O map, or serial number updating.

-E engine
-

- Uses a crypto hardware (OpenSSL engine) for the crypto operations - it supports, for instance signing with private keys from - a secure key store. When compiled with PKCS#11 support - it defaults to pkcs11; the empty name resets it to no engine. -

+
+

+ When applicable, specifies the hardware to use for + cryptographic operations, such as a secure key store used + for signing. +

+

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

+
-g

Generate DS records for child zones from @@ -481,7 +490,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -511,14 +520,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 019bf559471..e2bfd0f044d 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-x] [-z] {zonefile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,12 +58,26 @@

-

OPTIONS

+

OPTIONS

-c class

Specifies the DNS class of the zone.

+
-E engine
+
+

+ Specifies the cryptographic hardware to use, when applicable. +

+

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

+
-I input-format

The format of the input zone file. @@ -120,7 +134,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -128,7 +142,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 42a497aba82..3641b348526 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@

genrandom [-n number] {size} {filename}

-

DESCRIPTION

+

DESCRIPTION

genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@

-

ARGUMENTS

+

ARGUMENTS

-n number

@@ -77,14 +77,14 @@

-

SEE ALSO

+

SEE ALSO

rand(3), arc4random(3)

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 6812c3136f1..dfe0e7a9409 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 6f37c00ab65..8916a5fcb7c 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@

isc-hmac-fixup {algorithm} {secret}

-

DESCRIPTION

+

DESCRIPTION

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@

-

SECURITY CONSIDERATIONS

+

SECURITY CONSIDERATIONS

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 2104.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 7853d162cd8..c771748f5d4 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@

named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -119,21 +119,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index c91dd5b9ddb..f8a08308096 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -297,14 +297,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -312,7 +312,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index c01de103618..ca88b3fb383 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@

named-journalprint {journal}

-

DESCRIPTION

+

DESCRIPTION

named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), @@ -84,7 +84,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 14e9d320372..8a6c7b179a3 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -105,13 +105,21 @@ not examined.

-E engine-name
-

- Use a crypto hardware (OpenSSL engine) for the crypto operations - it supports, for instance re-signing with private keys from - a secure key store. When compiled with PKCS#11 support - engine-name - defaults to pkcs11, the empty name resets it to no engine. -

+
+

+ When applicable, specifies the hardware to use for + cryptographic operations, such as a secure key store used + for signing. +

+

+ When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". +

+
-f

Run the server in the foreground (i.e. do not daemonize). @@ -263,7 +271,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -284,7 +292,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -301,7 +309,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -314,7 +322,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -327,7 +335,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 542c8fed38f..7c327636c40 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@

nsec3hash {salt} {algorithm} {iterations} {domain}

-

DESCRIPTION

+

DESCRIPTION

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@

-

ARGUMENTS

+

ARGUMENTS

salt

@@ -80,14 +80,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 5155.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index c7ff2c85ccc..d75c93204c5 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -226,7 +226,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -514,7 +514,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -568,7 +568,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -591,7 +591,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -606,7 +606,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 2c8ccc0b64b..e3cf89eede7 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -180,7 +180,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -197,7 +197,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -205,7 +205,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 95411016a1b..783d6ab707a 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -220,7 +220,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -228,7 +228,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index efb803ba2b0..94031623b72 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -147,7 +147,7 @@

-

COMMANDS

+

COMMANDS

A list of commands supported by rndc can be seen by running rndc without arguments. @@ -523,7 +523,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -533,7 +533,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -543,7 +543,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml index 91018df4f14..9abf7f82ec2 100644 --- a/doc/arm/pkcs11.xml +++ b/doc/arm/pkcs11.xml @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>