Merge branch 'prep-release' into security-master

CHANGES

+	--- 9.15.6 released ---
+
 5319.	[func]		Trust anchors can now be configured using DS
 			format to represent a key digest, by using the
 			new "initial-ds" or "static-ds" keywords in

PLATFORMS

@@ -4,10 +4,11 @@ Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
 system with a C11-compliant C compiler, BSD-style sockets with
-RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
-cryptography library. Atomic operations support from the compiler is
-needed, either in the form of builtin operations, C11 atomics or the
-Interlocked family of functions on Windows.
+RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
+asynchronous I/O library, and the OpenSSL cryptography library. Atomic
+operations support from the compiler is needed, either in the form of
+builtin operations, C11 atomics, or the Interlocked family of functions on
+Windows.
 
 BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x).
 For some of the older systems listed below, you will have to install

PLATFORMS.md

@@ -12,10 +12,10 @@
 
 In general, this version of BIND will build and run on any POSIX-compliant
 system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
-IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
-Atomic operations support from the compiler is needed, either in the form of
-builtin operations, C11 atomics or the Interlocked family of functions on
-Windows.
+IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
+and the OpenSSL cryptography library.  Atomic operations support from the
+compiler is needed, either in the form of builtin operations, C11 atomics,
+or the `Interlocked` family of functions on Windows.
 
 BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x).  For
 some of the older systems listed below, you will have to install updated libuv

README

@@ -48,7 +48,8 @@ the file HISTORY.
 For a detailed list of changes made throughout the history of BIND 9, see
 the file CHANGES. See below for details on the CHANGES file format.
 
-For up-to-date versions and release notes, see https://www.isc.org/download/.
+For up-to-date versions and release notes, see https://www.isc.org/
+download/.
 
 For information about supported platforms, see PLATFORMS.
 
@@ -110,25 +111,30 @@ BIND 9.15 features
 BIND 9.15 is the newest development branch of BIND 9. It includes a number
 of changes from BIND 9.14 and earlier releases. New features include:
 
+  * New "dnssec-policy" statement to configure a key and signing policy
+    for zones, enabling automatic key regeneration and rollover.
+  * New new network manager based on libuv.
   * Support for the new GeoIP2 geolocation API
-  * Improved DNSSEC key configuration using dnssec-keys
+  * Improved DNSSEC trust anchor configuration using dnssec-keys,
+    permitting configuration of trust anchors in DS as well as DNSKEY
+    format.
   * YAML output for dig, mdig, and delv.
 
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. Successful builds have
-been observed on many versions of Linux and UNIX, including RHEL/CentOS,
-Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
-NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
-OpenWRT.
-
-BIND requires a cryptography provider library such as OpenSSL or a
-hardware service module supporting PKCS#11. On Linux, BIND requires the
-libcap library to set process privileges, though this requirement can be
-overridden by disabling capability support at compile time. See
-Compile-time options below for details on other libraries that may be
-required to support optional features.
+basic POSIX support, and a 64-bit integer type. BIND also requires the
+libuv asynchronous I/O library, and a cryptography provider library such
+as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
+requires the libcap library to set process privileges, though this
+requirement can be overridden by disabling capability support at compile
+time. See Compile-time options below for details on other libraries that
+may be required to support optional features.
+
+Successful builds have been observed on many versions of Linux and UNIX,
+including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
+Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
+HP-UX, and OpenWRT.
 
 BIND is also available for Windows Server 2008 and higher. See win32utils/
 build.txt for details on building for Windows systems.

README.md

@@ -129,25 +129,29 @@ include:
 
 * New "dnssec-policy" statement to configure a key and signing policy
   for zones, enabling automatic key regeneration and rollover.
-* A new network manager based on libuv.
+* New new network manager based on libuv.
 * Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using `dnssec-keys`
+* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
+  permitting configuration of trust anchors in DS as well as
+  DNSKEY format.
 * YAML output for `dig`, `mdig`, and `delv`.
 
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
-basic POSIX support, and a 64-bit integer type. Successful builds have been
-observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
-Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
-OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
-
-BIND requires a cryptography provider library such as OpenSSL or a
-hardware service module supporting PKCS#11. On Linux, BIND requires
-the `libcap` library to set process privileges, though this requirement
-can be overridden by disabling capability support at compile time.
-See [Compile-time options](#opts) below for details on other libraries
-that may be required to support optional features.
+basic POSIX support, and a 64-bit integer type.  BIND also requires the
+`libuv` asynchronous I/O library, and a cryptography provider library
+such as OpenSSL or a hardware service module supporting PKCS#11. On
+Linux, BIND requires the `libcap` library to set process privileges,
+though this requirement can be overridden by disabling capability
+support at compile time. See [Compile-time options](#opts) below
+for details on other libraries that may be required to support
+optional features.
+
+Successful builds have been observed on many versions of Linux and
+UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
+Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
+OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
 
 BIND is also available for Windows Server 2008 and higher.  See
 `win32utils/build.txt` for details on building for Windows

bin/dnssec/dnssec-keygen.8

@@ -39,7 +39,7 @@
 dnssec-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -109,6 +109,11 @@ option suppresses them\&.
 Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
 .RE
 .PP
+\-d \fIbits\fR
+.RS 4
+Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&.
+.RE
+.PP
 \-E \fIengine\fR
 .RS 4
 Specifies the cryptographic hardware to use, when applicable\&.
@@ -142,6 +147,17 @@ Prints a short summary of the options and arguments to
 Sets the directory in which the key files are to be written\&.
 .RE
 .PP
+\-k \fIpolicy\fR
+.RS 4
+Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys,
+\fBdnssec\-keygen\fR
+will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&.
+.sp
+This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that
+\fBdnssec\-keygen\fR
+provides\&.
+.RE
+.PP
 \-L \fIttl\fR
 .RS 4
 Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
@@ -151,6 +167,12 @@ none
 is the same as leaving it unset\&.
 .RE
 .PP
+\-l \fIfile\fR
+.RS 4
+Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with
+\fB\-k\fR)\&.
+.RE
+.PP
 \-n \fInametype\fR
 .RS 4
 Specifies the owner type of the key\&. The value of

bin/dnssec/dnssec-keygen.html

@@ -41,6 +41,7 @@
        [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
        [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
        [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
        [<code class="option">-G</code>]
@@ -49,8 +50,9 @@
        [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
        [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-k</code>]
+       [<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
        [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
        [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
@@ -59,6 +61,7 @@
        [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
        [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
+       [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
@@ -168,6 +171,15 @@
 	    the specified class.  If not specified, class IN is used.
 	  </p>
 	</dd>
+<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
+<dd>
+	  <p>
+	    Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
+	    RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
+	    DH size is between 128 and 4096. This option is ignored for
+	    algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
+	  </p>
+	</dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
 	  <p>
@@ -218,6 +230,21 @@
 	    Sets the directory in which the key files are to be written.
 	  </p>
 	</dd>
+<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
+<dd>
+	  <p>
+	    Create keys for a specific dnssec-policy.  If a policy uses
+	    multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
+	    multiple keys.  This will also create a ".state" file to keep
+	    track of the key state.
+	  </p>
+	  <p>
+	    This option creates keys according to the dnssec-policy
+	    configuration, hence it cannot be used together with many of
+	    the other options that <span class="command"><strong>dnssec-keygen</strong></span>
+	    provides.
+	  </p>
+	</dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd>
 	  <p>
@@ -231,6 +258,13 @@
 	    or <code class="literal">none</code> is the same as leaving it unset.
 	  </p>
 	</dd>
+<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
+<dd>
+	  <p>
+	    Provide a configuration file that contains a dnssec-policy
+	    statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
+	  </p>
+	</dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 <dd>
 	  <p>

bin/dnssec/dnssec-settime.8

@@ -39,7 +39,7 @@
 dnssec-settime \- set the key timing metadata for a DNSSEC key
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-settime\fR\ 'u
-\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-s\fR] [\fB\-g\ \fR\fB\fIstate\fR\fR] [\fB\-d\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-z\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-settime\fR
@@ -59,7 +59,25 @@ simply prints the key timing metadata already stored in the key\&.
 .PP
 When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key
 and
-Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
+Knnnn\&.+aaa+iiiii\&.private) are regenerated\&.
+.PP
+Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
+.PP
+When working with state files, it is possible to update the timing metadata in those files as well with
+\fB\-s\fR\&. If this option is used you can also update key states with
+\fB\-d\fR
+(DS),
+\fB\-k\fR
+(DNSKEY),
+\fB\-r\fR
+(RRSIG of KSK), or
+\fB\-z\fR
+(RRSIG of ZSK)\&. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE\&.
+.PP
+You can also set the goal state of the key with
+\fB\-g\fR\&. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published)\&.
+.PP
+It is NOT RECOMMENDED to manipulate state files manually except for testing purposes\&.
 .SH "OPTIONS"
 .PP
 \-f
@@ -156,6 +174,39 @@ If the key is being set to be an explicit successor to another key, then the def
 .sp
 As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
 .RE
+.SH "KEY STATE OPTIONS"
+.PP
+Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE\&. These should not be set manually except for testing purposes\&.
+.PP
+\-s
+.RS 4
+When setting key timing data, also update the state file\&.
+.RE
+.PP
+\-g
+.RS 4
+Set the goal state for this key\&. Must be HIDDEN or OMNIPRESENT\&.
+.RE
+.PP
+\-d
+.RS 4
+Set the DS state for this key, and when it was last changed\&.
+.RE
+.PP
+\-k
+.RS 4
+Set the DNSKEY state for this key, and when it was last changed\&.
+.RE
+.PP
+\-r
+.RS 4
+Set the RRSIG (KSK) state for this key, and when it was last changed\&.
+.RE
+.PP
+\-z
+.RS 4
+Set the RRSIG (ZSK) state for this key, and when it was last changed\&.
+.RE
 .SH "PRINTING OPTIONS"
 .PP
 \fBdnssec\-settime\fR

bin/dnssec/dnssec-settime.html

@@ -49,6 +49,12 @@
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
        [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
+       [<code class="option">-s</code>]
+       [<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
+       [<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
        {keyfile}
     </p></div>
   </div>
@@ -74,11 +80,30 @@
       When key metadata fields are changed, both files of a key
       pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
       <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
+    </p>
+    <p>
       Metadata fields are stored in the private file.  A human-readable
       description of the metadata is also placed in comments in the key
       file.  The private file's permissions are always set to be
       inaccessible to anyone other than the owner (mode 0600).
     </p>
+    <p>
+      When working with state files, it is possible to update the timing
+      metadata in those files as well with <code class="option">-s</code>.  If this
+      option is used you can also update key states with <code class="option">-d</code>
+      (DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
+      or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
+      RUMOURED, OMNIPRESENT, and UNRETENTIVE.
+    </p>
+    <p>
+      You can also set the goal state of the key with <code class="option">-g</code>.
+      This should be either HIDDEN or OMNIPRESENT (representing whether the
+      key should be removed from the zone, or published).
+    </p>
+    <p>
+      It is NOT RECOMMENDED to manipulate state files manually except for
+      testing purposes.
+    </p>
   </div>
 
   <div class="refsection">
@@ -262,7 +287,57 @@
   </div>
 
   <div class="refsection">
-<a name="id-1.10"></a><h2>PRINTING OPTIONS</h2>
+<a name="id-1.10"></a><h2>KEY STATE OPTIONS</h2>
+
+    <p>
+      Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
+      These should not be set manually except for testing purposes.
+    </p>
+
+    <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-s</span></dt>
+<dd>
+          <p>
+	    When setting key timing data, also update the state file.
+          </p>
+        </dd>
+<dt><span class="term">-g</span></dt>
+<dd>
+          <p>
+	    Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
+          </p>
+        </dd>
+<dt><span class="term">-d</span></dt>
+<dd>
+          <p>
+	    Set the DS state for this key, and when it was last changed.
+          </p>
+        </dd>
+<dt><span class="term">-k</span></dt>
+<dd>
+          <p>
+	    Set the DNSKEY state for this key, and when it was last changed.
+          </p>
+        </dd>
+<dt><span class="term">-r</span></dt>
+<dd>
+          <p>
+	    Set the RRSIG (KSK) state for this key, and when it was last
+	    changed.
+          </p>
+        </dd>
+<dt><span class="term">-z</span></dt>
+<dd>
+          <p>
+	    Set the RRSIG (ZSK) state for this key, and when it was last
+	    changed.
+          </p>
+        </dd>
+</dl></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.11"></a><h2>PRINTING OPTIONS</h2>
 
     <p>
       <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
@@ -298,7 +373,7 @@
   </div>
 
   <div class="refsection">
-<a name="id-1.11"></a><h2>SEE ALSO</h2>
+<a name="id-1.12"></a><h2>SEE ALSO</h2>
 
     <p><span class="citerefentry">
         <span class="refentrytitle">dnssec-keygen</span>(8)

bin/named/named.conf.5

@@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-08-07
+.\"      Date: 2019-08-12
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -104,7 +104,8 @@ dlz \fIstring\fR {
 .\}
 .nf
 dnssec\-keys { \fIstring\fR ( static\-key |
-    initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+    initial\-key | static\-ds | initial\-ds )
+    \fIinteger\fR \fIinteger\fR \fIinteger\fR
     \fIquoted_string\fR; \&.\&.\&. };
 .fi
 .if n \{\
@@ -170,9 +171,9 @@ Deprecated \- see DNSSEC\-KEYS\&.
 .\}
 .nf
 managed\-keys { \fIstring\fR ( static\-key
-    | initial\-key ) \fIinteger\fR
-    \fIinteger\fR \fIinteger\fR
-    \fIquoted_string\fR; \&.\&.\&. }; deprecated
+    | initial\-key | static\-ds |
+    initial\-ds ) \fIinteger\fR \fIinteger\fR
+    \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; deprecated
 .fi
 .if n \{\
 .RE
@@ -230,7 +231,7 @@ options {
 	    [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
 	    \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
 	    \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
-	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
+	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
 	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity \fIboolean\fR;
 	check\-mx ( fail | warn | ignore );
@@ -312,18 +313,18 @@ options {
 	fstrm\-set\-output\-notify\-threshold \fIinteger\fR;
 	fstrm\-set\-output\-queue\-model ( mpsc | spsc );
 	fstrm\-set\-output\-queue\-size \fIinteger\fR;
-	fstrm\-set\-reopen\-interval \fIttlval\fR;
+	fstrm\-set\-reopen\-interval \fIduration\fR;
 	geoip\-directory ( \fIquoted_string\fR | none );
 	glue\-cache \fIboolean\fR;
 	heartbeat\-interval \fIinteger\fR;
 	hostname ( \fIquoted_string\fR | none );
 	inline\-signing \fIboolean\fR;
-	interface\-interval \fIttlval\fR;
+	interface\-interval \fIduration\fR;
 	ixfr\-from\-differences ( primary | master | secondary | slave |
 	    \fIboolean\fR );
 	keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
 	key\-directory \fIquoted_string\fR;
-	lame\-ttl \fIttlval\fR;
+	lame\-ttl \fIduration\fR;
 	listen\-on [ port \fIinteger\fR ] [ dscp
 	    \fIinteger\fR ] {
 	    \fIaddress_match_element\fR; \&.\&.\&. };
@@ -337,28 +338,28 @@ options {
 	masterfile\-style ( full | relative );
 	match\-mapped\-addresses \fIboolean\fR;
 	max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
-	max\-cache\-ttl \fIttlval\fR;
+	max\-cache\-ttl \fIduration\fR;
 	max\-clients\-per\-query \fIinteger\fR;
 	max\-journal\-size ( default | unlimited | \fIsizeval\fR );
-	max\-ncache\-ttl \fIttlval\fR;
+	max\-ncache\-ttl \fIduration\fR;
 	max\-records \fIinteger\fR;
 	max\-recursion\-depth \fIinteger\fR;
 	max\-recursion\-queries \fIinteger\fR;
 	max\-refresh\-time \fIinteger\fR;
 	max\-retry\-time \fIinteger\fR;
 	max\-rsa\-exponent\-size \fIinteger\fR;
-	max\-stale\-ttl \fIttlval\fR;
+	max\-stale\-ttl \fIduration\fR;
 	max\-transfer\-idle\-in \fIinteger\fR;
 	max\-transfer\-idle\-out \fIinteger\fR;
 	max\-transfer\-time\-in \fIinteger\fR;
 	max\-transfer\-time\-out \fIinteger\fR;
 	max\-udp\-size \fIinteger\fR;
-	max\-zone\-ttl ( unlimited | \fIttlval\fR );
+	max\-zone\-ttl ( unlimited | \fIduration\fR );
 	memstatistics \fIboolean\fR;
 	memstatistics\-file \fIquoted_string\fR;
 	message\-compression \fIboolean\fR;
-	min\-cache\-ttl \fIttlval\fR;
-	min\-ncache\-ttl \fIttlval\fR;
+	min\-cache\-ttl \fIduration\fR;
+	min\-ncache\-ttl \fIduration\fR;
 	min\-refresh\-time \fIinteger\fR;
 	min\-retry\-time \fIinteger\fR;
 	minimal\-any \fIboolean\fR;
@@ -375,8 +376,8 @@ options {
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
 	    [ dscp \fIinteger\fR ];
 	notify\-to\-soa \fIboolean\fR;
-	nta\-lifetime \fIttlval\fR;
-	nta\-recheck \fIttlval\fR;
+	nta\-lifetime \fIduration\fR;
+	nta\-recheck \fIduration\fR;
 	nxdomain\-redirect \fIstring\fR;
 	pid\-file ( \fIquoted_string\fR | none );
 	port \fIinteger\fR;
@@ -423,13 +424,13 @@ options {
 	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
 	    \fIinteger\fR;
 	response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
-	    \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
-	    \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
+	    \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
+	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
 	    nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
 	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
-	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
-	    min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
+	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
+	    min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [
 	    nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
 	    [ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [
@@ -443,7 +444,7 @@ options {
 	serial\-query\-rate \fIinteger\fR;
 	serial\-update\-method ( date | increment | unixtime );
 	server\-id ( \fIquoted_string\fR | none | hostname );
-	servfail\-ttl \fIttlval\fR;
+	servfail\-ttl \fIduration\fR;
 	session\-keyalg \fIstring\fR;
 	session\-keyfile ( \fIquoted_string\fR | none );
 	session\-keyname \fIstring\fR;
@@ -454,7 +455,7 @@ options {
 	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
 	stacksize ( default | unlimited | \fIsizeval\fR );
 	stale\-answer\-enable \fIboolean\fR;
-	stale\-answer\-ttl \fIttlval\fR;
+	stale\-answer\-ttl \fIduration\fR;
 	startup\-notify\-rate \fIinteger\fR;
 	statistics\-file \fIquoted_string\fR;
 	synth\-from\-dnssec \fIboolean\fR;
@@ -612,7 +613,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	    [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
 	    \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
 	    \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
-	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
+	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
 	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity \fIboolean\fR;
 	check\-mx ( fail | warn | ignore );
@@ -655,8 +656,9 @@ view \fIstring\fR [ \fIclass\fR ] {
 	dnssec\-accept\-expired \fIboolean\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-keys { \fIstring\fR ( static\-key |
-	    initial\-key ) \fIinteger\fR \fIinteger\fR
-	    \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+	    initial\-key | static\-ds | initial\-ds
+	    ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+	    \fIquoted_string\fR; \&.\&.\&. };