From: Tinderbox User
-
-
@@ -1080,7 +1080,7 @@ options {
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.
Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1142,7 +1142,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1205,7 +1205,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1246,12 +1246,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1273,7 +1273,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1288,27 +1288,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1323,14 +1323,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1352,7 +1352,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1363,7 +1363,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1460,7 +1460,7 @@ $ dnssec-signzone -S -K keys example.net<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1469,7 +1469,7 @@ $ dnssec-signzone -S -K keys example.net<
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
@@ -1502,7 +1502,7 @@ $ ./configure --enable-native-pkcs11 \
SoftHSMv2, the latest development version of SoftHSM, is available
from
@@ -1540,7 +1540,7 @@ $ /opt/pkcs11/usr/bin/softhsm-util --init-token
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1598,7 +1598,7 @@ $ /opt/pkcs11/usr/bin/softhsm-util --init-token
$ wget http://www.openssl.org/source/openssl-0.9.8zc.tar.gz
@@ -1631,7 +1631,7 @@ $ patch -p1 -d openssl-0.9.8zc \
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1673,7 +1673,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1702,7 +1702,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM (version 1) is a software library developed by the
OpenDNSSEC project
@@ -1777,7 +1777,7 @@ $ ./Configure linux-x86_64 -pthread \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1797,7 +1797,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1819,7 +1819,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1840,7 +1840,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1863,7 +1863,7 @@ $ ./configure --enable-threads \
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1984,7 +1984,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -2016,7 +2016,7 @@ $ dnssec-signzone -E '' -S example.net
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2103,7 +2103,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -2152,7 +2152,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 90aa8090586..1abc553c323 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -92,14 +92,14 @@
Statement Grammar
zone Statement Definition and Usage
-Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
@@ -8157,6 +8157,16 @@ zone zone_name [
+
+ The type keyword is required
+ for the zone configuration unless
+ it is an in-view configuration. Its
+ acceptable values include: delegation-only,
+ forward, hint,
+ master, redirect,
+ slave, static-stub,
+ and stub.
+
@@ -8474,7 +8484,7 @@ zone zone_name [
The zone's name may optionally be followed by a class. If
a class is not specified, class IN (for Internet),
@@ -8496,7 +8506,7 @@ zone zone_name [
- allow-notify
@@ -9427,7 +9437,7 @@ example.com. NS ns2.example.net.
When multiple views are in use, a zone may be
referenced by more than one of them. Often, the views
@@ -9489,7 +9499,7 @@ view external {
@@ -9502,7 +9512,7 @@ view external {
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -10650,7 +10660,7 @@ view external {
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -10853,7 +10863,7 @@ view external {
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -11108,7 +11118,7 @@ view external {
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -11169,7 +11179,7 @@ view external {
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -11184,7 +11194,7 @@ view external {
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@@ -11195,7 +11205,7 @@ view external {
Syntax: $ORIGIN
domain-name
@@ -11224,7 +11234,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
@@ -11260,7 +11270,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $TTL
default-ttl
@@ -11279,7 +11289,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $GENERATE
range
@@ -11722,7 +11732,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -12345,7 +12355,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -12499,7 +12509,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -12882,7 +12892,7 @@ HOST-127.EXAMPLE. MX 0 .
Socket I/O statistics counters are defined per socket
types, which are
@@ -13037,7 +13047,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available
in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 55973cd652c..d432b1da00e 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
Table of Contents
@@ -245,7 +245,7 @@ allow-query { !{ !10/8; any; }; key example; };
On UNIX servers, it is possible to run BIND
@@ -271,7 +271,7 @@ allow-query { !{ !10/8; any; }; key example; };
In order for a chroot environment
to
@@ -299,7 +299,7 @@ allow-query { !{ !10/8; any; }; key example; };
Prior to running the named daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 2e41da62e19..df5bfb2f176 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
The Internet Systems Consortium
(ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 7b5cba30975..062a20fe5ed 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -45,7 +45,7 @@
Table of Contents
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 44fc8415652..749e2c3d494 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -44,13 +44,7 @@
-
-
-