Commit 1b9b8265 authored by Tinderbox User

prep 9.15.3

parent d6a94079
...@@ -53,7 +53,7 @@ is a tool for sending DNS queries and validating the results, using the same int ...@@ -53,7 +53,7 @@ is a tool for sending DNS queries and validating the results, using the same int
\fBnamed\fR\&. \fBnamed\fR\&.
.PP .PP
\fBdelv\fR \fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&. will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP .PP
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR \fBdelv\fR
...@@ -139,9 +139,7 @@ BIND ...@@ -139,9 +139,7 @@ BIND
.sp .sp
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR \fB+root=NAME\fR
options\&. DNSSEC Lookaside Validation can also be turned on by using the options\&.
\fB+dlv=NAME\fR
to specify the name of a zone containing DLV records\&.
.sp .sp
Note: When reading the trust anchor file, Note: When reading the trust anchor file,
\fBdelv\fR \fBdelv\fR
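Review bot: "options" in the new sentence "An alternate key name can be specified using the +root=NAME options." should be singular, since with the DLV clause removed +root=NAME is the only option it names. The HTML copy of this paragraph carries the same plural.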
...@@ -392,25 +390,16 @@ output\&. The default is to do so\&. Note that (unlike in ...@@ -392,25 +390,16 @@ output\&. The default is to do so\&. Note that (unlike in
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR \fB\-i\fR
or or
\fB+noroot\fR \fB+noroot\fR\&.
and
\fB+nodlv\fR\&.
.RE .RE
.PP .PP
\fB+[no]root[=ROOT]\fR \fB+[no]root[=ROOT]\fR
.RS 4 .RS 4
Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR \fB\-a\fR
must be used to specify a file containing the key\&. must be used to specify a file containing the key\&.
.RE .RE
.PP .PP
\fB+[no]dlv[=DLV]\fR
.RS 4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
\fB\-a\fR
option must also be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR \fB+[no]tcp\fR
.RS 4 .RS 4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&. Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
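Review bot: The +[no]dlv[=DLV] entry and the +nodlv mention are dropped here with nothing said about what delv does when an existing invocation still passes +dlv=NAME or +nodlv. That option selected the trust anchor used for validation, so the page or the release notes should state whether it is now rejected with an error or ignored; an operator reading only this page cannot tell whether a scripted validation check still behaves as written.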
......
...@@ -83,7 +83,7 @@ ...@@ -83,7 +83,7 @@
<span class="command"><strong>delv</strong></span> will send to a specified name server all <span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation. to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and behavior of a name server configured for DNSSEC validating and
...@@ -193,10 +193,7 @@ ...@@ -193,10 +193,7 @@
<p> <p>
Keys that do not match the root zone name are ignored. Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the An alternate key name can be specified using the
<code class="option">+root=NAME</code> options. DNSSEC Lookaside <code class="option">+root=NAME</code> options.
Validation can also be turned on by using the
<code class="option">+dlv=NAME</code> to specify the name of a
zone containing DLV records.
</p> </p>
<p> <p>
Note: When reading the trust anchor file, Note: When reading the trust anchor file,
...@@ -520,14 +517,13 @@ ...@@ -520,14 +517,13 @@
request DNSSEC records or whether to validate them. request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code> and <code class="option">-i</code> or <code class="option">+noroot</code>.
<code class="option">+nodlv</code>.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt> <dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd> <dd>
<p> <p>
Indicates whether to perform conventional (non-lookaside) Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is a trust anchor of "." (the root zone), for which there is
...@@ -536,15 +532,6 @@ ...@@ -536,15 +532,6 @@
containing the key. containing the key.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd>
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The <code class="option">-a</code> option must also be used to specify
a file containing the DLV key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt> <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd> <dd>
<p> <p>
......
...@@ -361,14 +361,20 @@ Display [do not display] the CLASS when printing the record\&. ...@@ -361,14 +361,20 @@ Display [do not display] the CLASS when printing the record\&.
.PP .PP
\fB+[no]cmd\fR \fB+[no]cmd\fR
.RS 4 .RS 4
Toggles the printing of the initial comment in the output identifying the version of Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR \fBdig\fR
and the query options that have been applied\&. This comment is printed by default\&. and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE .RE
.PP .PP
\fB+[no]comments\fR \fB+[no]comments\fR
.RS 4 .RS 4
Toggle the display of comment lines in the output\&. The default is to print comments\&. Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
.sp
Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
\fB+[no]cmd\fR,
\fB+[no]question\fR,
\fB+[no]stats\fR, and
\fB+[no]rrcomments\fR\&.
.RE .RE
.PP .PP
\fB+[no]cookie\fR\fB[=####]\fR \fB+[no]cookie\fR\fB[=####]\fR
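Review bot: In the new +[no]comments text, "the names of the response section" pairs a plural "names" with a single "section"; "the names of the response sections" is probably what is meant. The HTML copy has the same wording and should be changed with it.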
...@@ -566,12 +572,12 @@ would cause a 48\-byte query to be padded to 64 bytes\&. The default block size ...@@ -566,12 +572,12 @@ would cause a 48\-byte query to be padded to 64 bytes\&. The default block size
.PP .PP
\fB+[no]qr\fR \fB+[no]qr\fR
.RS 4 .RS 4
Print [do not print] the query as it is sent\&. By default, the query is not printed\&. Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE .RE
.PP .PP
\fB+[no]question\fR \fB+[no]question\fR
.RS 4 .RS 4
Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&. Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE .RE
.PP .PP
\fB+[no]raflag\fR \fB+[no]raflag\fR
...@@ -624,7 +630,7 @@ determines if the name will be treated as relative or not and hence whether a se ...@@ -624,7 +630,7 @@ determines if the name will be treated as relative or not and hence whether a se
.PP .PP
\fB+[no]short\fR \fB+[no]short\fR
.RS 4 .RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&. Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE .RE
.PP .PP
\fB+[no]showsearch\fR \fB+[no]showsearch\fR
...@@ -654,7 +660,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char ...@@ -654,7 +660,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char
.PP .PP
\fB+[no]stats\fR \fB+[no]stats\fR
.RS 4 .RS 4
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&. Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE .RE
.PP .PP
\fB+[no]subnet=addr[/prefix\-length]\fR \fB+[no]subnet=addr[/prefix\-length]\fR
......
...@@ -481,16 +481,28 @@ ...@@ -481,16 +481,28 @@
<dd> <dd>
<p> <p>
Toggles the printing of the initial comment in the Toggles the printing of the initial comment in the
output identifying the version of <span class="command"><strong>dig</strong></span> output, identifying the version of <span class="command"><strong>dig</strong></span>
and the query options that have been applied. This and the query options that have been applied. This option
comment is printed by default. always has global effect; it cannot be set globally
and then overridden on a per-lookup basis. The default
is to print this comment.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt> <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd> <dd>
<p> <p>
Toggle the display of comment lines in the output. Toggles the display of some comment lines in the output,
The default is to print comments. containing information about the packet header and
OPT pseudosection, and the names of the response
section. The default is to print these comments.
</p>
<p>
Other types of comments in the output are not affected by
this option, but can be controlled using other command
line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
<span class="command"><strong>+[no]question</strong></span>,
<span class="command"><strong>+[no]stats</strong></span>, and
<span class="command"><strong>+[no]rrcomments</strong></span>.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt> <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
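Review bot: In the added second paragraph the four option names (+[no]cmd, +[no]question, +[no]stats, +[no]rrcomments) are marked up as span class="command" with strong, while every option in the surrounding dt terms uses code class="option". Mark them up as options in the source so they render like the other option references on the page.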
...@@ -764,14 +776,14 @@ ...@@ -764,14 +776,14 @@
<dt><span class="term"><code class="option">+[no]qr</code></span></dt> <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
<dd> <dd>
<p> <p>
Print [do not print] the query as it is sent. By Toggles the display of the query message as it is sent.
default, the query is not printed. By default, the query is not printed.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+[no]question</code></span></dt> <dt><span class="term"><code class="option">+[no]question</code></span></dt>
<dd> <dd>
<p> <p>
Print [do not print] the question section of a query Toggles the display of the question section of a query
when an answer is returned. The default is to print when an answer is returned. The default is to print
the question section as a comment. the question section as a comment.
</p> </p>
...@@ -841,7 +853,9 @@ ...@@ -841,7 +853,9 @@
<dd> <dd>
<p> <p>
Provide a terse answer. The default is to print the Provide a terse answer. The default is to print the
answer in a verbose form. answer in a verbose form. This option always has global
effect; it cannot be set globally and then overridden on
a per-lookup basis.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt> <dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
...@@ -874,10 +888,9 @@ ...@@ -874,10 +888,9 @@
<dt><span class="term"><code class="option">+[no]stats</code></span></dt> <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
<dd> <dd>
<p> <p>
This query option toggles the printing of statistics: Toggles the printing of statistics: when the query was made,
when the query was made, the size of the reply and the size of the reply and so on. The default behavior is to
so on. The default behavior is to print the query print the query statistics as a comment after each lookup.
statistics.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt> <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
......
...@@ -50,11 +50,9 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool ...@@ -50,11 +50,9 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool
.PP .PP
The The
\fBdnssec\-dsfromkey\fR \fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the
\fB\-l\fR
option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
\fB\-C\fR \fB\-C\fR
it outputs CDS (Child DS) RRs\&. option\&.
.PP .PP
The input keys can be specified in a number of ways: The input keys can be specified in a number of ways:
.PP .PP
...@@ -119,9 +117,7 @@ zone file mode\&. ...@@ -119,9 +117,7 @@ zone file mode\&.
.PP .PP
\-C \-C
.RS 4 .RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with the Generate CDS records rather than DS records\&.
\fB\-l\fR
option for generating DLV records\&.
.RE .RE
.PP .PP
\-f \fIfile\fR \-f \fIfile\fR
...@@ -156,15 +152,6 @@ files in ...@@ -156,15 +152,6 @@ files in
\fBdirectory\fR\&. \fBdirectory\fR\&.
.RE .RE
.PP .PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fIdomain\fR
is appended to the name for each record in the set\&. This is mutually exclusive with the
\fB\-C\fR
option for generating CDS records\&.
.RE
.PP
\-s \-s
.RS 4 .RS 4
Keyset mode: Keyset mode:
...@@ -224,8 +211,6 @@ A keyfile error can give a "file not found" even if the file exists\&. ...@@ -224,8 +211,6 @@ A keyfile error can give a "file not found" even if the file exists\&.
BIND 9 Administrator Reference Manual, BIND 9 Administrator Reference Manual,
RFC 3658 RFC 3658
(DS RRs), (DS RRs),
RFC 4431
(DLV RRs),
RFC 4509 RFC 4509
(SHA\-256 for DS RRs), (SHA\-256 for DS RRs),
RFC 6605 RFC 6605
......
...@@ -97,10 +97,8 @@ ...@@ -97,10 +97,8 @@
<p> <p>
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
Signer) resource records (RRs) and other similarly-constructed RRs: Signer) resource records (RRs), or CDS (Child DS) RRs with the
with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside <code class="option">-C</code> option.
Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
DS) RRs.
</p> </p>
<p> <p>
...@@ -182,9 +180,7 @@ ...@@ -182,9 +180,7 @@
<dt><span class="term">-C</span></dt> <dt><span class="term">-C</span></dt>
<dd> <dd>
<p> <p>
Generate CDS records rather than DS records. This is mutually Generate CDS records rather than DS records.
exclusive with the <code class="option">-l</code> option for generating DLV
records.
</p> </p>
</dd> </dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt> <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
...@@ -219,16 +215,6 @@ ...@@ -219,16 +215,6 @@
<code class="option">directory</code>. <code class="option">directory</code>.
</p> </p>
</dd> </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set instead of a DS set. The specified
<em class="replaceable"><code>domain</code></em> is appended to the name for each
record in the set.
This is mutually exclusive with the <code class="option">-C</code> option
for generating CDS records.
</p>
</dd>
<dt><span class="term">-s</span></dt> <dt><span class="term">-s</span></dt>
<dd> <dd>
<p> <p>
...@@ -311,7 +297,6 @@ ...@@ -311,7 +297,6 @@
</span>, </span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em> (DS RRs), <em class="citetitle">RFC 3658</em> (DS RRs),
<em class="citetitle">RFC 4431</em> (DLV RRs),
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs), <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs), <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs). <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
......
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
dnssec-signzone \- DNSSEC zone signing tool dnssec-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBdnssec\-signzone\fR\ 'u .HP \w'\fBdnssec\-signzone\fR\ 'u
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...] \fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION" .SH "DESCRIPTION"
.PP .PP
\fBdnssec\-signzone\fR \fBdnssec\-signzone\fR
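Review bot: The new SYNOPSIS line gains [-q] but still lists [-l domain], while the -l domain entry is deleted from the option list in the next hunk of this file. Drop [-l domain] from the synopsis as well, otherwise the page advertises an option it no longer describes.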
...@@ -113,11 +113,6 @@ Key repository: Specify a directory to search for DNSSEC keys\&. If not specifie ...@@ -113,11 +113,6 @@ Key repository: Specify a directory to search for DNSSEC keys\&. If not specifie
Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&. Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
.RE .RE
.PP .PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
.RE
.PP
\-M \fImaxttl\fR \-M \fImaxttl\fR
.RS 4 .RS 4
Sets the maximum TTL for the signed zone\&. Any TTL higher than Sets the maximum TTL for the signed zone\&. Any TTL higher than
...@@ -296,6 +291,13 @@ forces ...@@ -296,6 +291,13 @@ forces
to remove signatures from keys that are no longer active\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.1 ("Pre\-Publish Key Rollover")\&. to remove signatures from keys that are no longer active\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.1 ("Pre\-Publish Key Rollover")\&.
.RE .RE
.PP .PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output\&. Without this option, when
\fBdnssec\-signzone\fR
is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information, and finally the filename containing the signed zone\&. With it, that output is suppressed, leaving only the filename\&.
.RE
.PP
\-R \-R
.RS 4 .RS 4
Remove signatures from keys that are no longer published\&. Remove signatures from keys that are no longer published\&.
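Review bot: The new -q entry says it "Suppresses unnecessary output" and leaves "only the filename", but it does not say whether error messages are still printed or how a failed run is reported in quiet mode. The dnssec-verify -q text in this same commit is explicit ("all non-error output is suppressed, and only the exit code will indicate success"); a sentence of that kind here would tell callers to check the exit status rather than the output.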
......
...@@ -55,6 +55,7 @@ ...@@ -55,6 +55,7 @@
[<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
[<code class="option">-P</code>] [<code class="option">-P</code>]
[<code class="option">-Q</code>] [<code class="option">-Q</code>]
[<code class="option">-q</code>]
[<code class="option">-R</code>] [<code class="option">-R</code>]
[<code class="option">-S</code>] [<code class="option">-S</code>]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
...@@ -173,13 +174,6 @@ ...@@ -173,13 +174,6 @@
key flags. This option may be specified multiple times. key flags. This option may be specified multiple times.
</p> </p>
</dd> </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt> <dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd> <dd>
<p> <p>
...@@ -429,6 +423,18 @@ ...@@ -429,6 +423,18 @@
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover"). RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</p> </p>
</dd> </dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses unnecessary output. Without this
option, when <span class="command"><strong>dnssec-signzone</strong></span> is run it
will print to standard output the number of keys in use,
the algorithms used to verify the zone was signed correctly
and other status information, and finally the filename
containing the signed zone. With it, that output is
suppressed, leaving only the filename.
</p>
</dd>
<dt><span class="term">-R</span></dt> <dt><span class="term">-R</span></dt>
<dd> <dd>
<p> <p>
......
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
dnssec-verify \- DNSSEC zone verification tool dnssec-verify \- DNSSEC zone verification tool
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBdnssec\-verify\fR\ 'u .HP \w'\fBdnssec\-verify\fR\ 'u
\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile} \fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-q\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
.SH "DESCRIPTION" .SH "DESCRIPTION"
.PP .PP
\fBdnssec\-verify\fR \fBdnssec\-verify\fR
...@@ -81,6 +81,13 @@ Sets the debugging level\&. ...@@ -81,6 +81,13 @@ Sets the debugging level\&.
Prints version information\&. Prints version information\&.
.RE .RE
.PP .PP
\-q
.RS 4
Quiet mode: Suppresses output\&. Without this option, when
\fBdnssec\-verify\fR
is run it will print to standard output the number of keys in use, the algorithms used to verify the zone was signed correctly and other status information\&. With it, all non\-error output is suppressed, and only the exit code will indicate success\&.
.RE
.PP
\-x \-x
.RS 4 .RS 4
Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the
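Review bot: "only the exit code will indicate success" in the new -q entry does not say which exit status means the zone verified. Since -q removes every other success signal, name the value here so that a script wrapping dnssec-verify -q tests the right condition.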
......
...@@ -37,6 +37,7 @@ ...@@ -37,6 +37,7 @@
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>] [<code class="option">-V</code>]
[<code class="option">-x</code>] [<code class="option">-x</code>]
...@@ -112,6 +113,17 @@ ...@@ -112,6 +113,17 @@
Prints version information. Prints version information.
</p> </p>
</dd> </dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode: Suppresses output. Without this option, when
<span class="command"><strong>dnssec-verify</strong></span> is run it will print to
standard output the number of keys in use, the algorithms
used to verify the zone was signed correctly and other
status information. With it, all non-error output is
suppressed, and only the exit code will indicate success.
</p>
</dd>
<dt><span class="term">-x</span></dt> <dt><span class="term">-x</span></dt>
<dd> <dd>
<p> <p>
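Review bot: The -q description is placed after -V and before -x in the option list, whereas the synopsis hunk above inserts [-q] between [-o origin] and [-v level]. Put the entry in the same position as in the synopsis so the two lists stay in step; the man page copy has the same placement.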
......