Commit 25e416fb authored by Tinderbox User's avatar Tinderbox User

prep 9.15.0

parent 07218e08
--- 9.15.0 released ---
5233. [bug] Negative trust anchors did not work with "forward only;"
to validating resolvers. [GL #997]
......
......@@ -88,3 +88,11 @@ Debian armhf documentation):
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
NetBSD 6 i386
The i386 build of NetBSD requires the libatomic library, available from
the gcc5-libs package. Because this library is in a non-standard path, its
location must be specified in the configure command line:
LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
......@@ -103,9 +103,7 @@ format-patch.
BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.14 and earlier releases. New features include:
* TBD
of changes from BIND 9.14 and earlier releases.
Building BIND
......
......@@ -120,10 +120,7 @@ including your patch as an attachment, preferably generated by
### <a name="features"/> BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.14 and earlier releases. New features
include:
* TBD
number of changes from BIND 9.14 and earlier releases.
### <a name="build"/> Building BIND
......
......@@ -450,6 +450,11 @@ clears the EDNS options to be sent\&.
Send an EDNS Expire option\&.
.RE
.PP
\fB+[no]expandaaaa\fR
.RS 4
When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
.RE
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
......
......@@ -598,6 +598,13 @@
Send an EDNS Expire option.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
<dd>
<p>
When printing AAAA record print all zero nibbles rather
than the default RFC 5952 preferred presentation format.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd>
<p>
......
......@@ -10,12 +10,12 @@
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Date: 2019-05-08
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......@@ -83,13 +83,13 @@ file, as generated by
\-1
.RS 4
An abbreviation for
\fB\-a SHA1\fR
\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR
\fB\-a SHA\-256\fR\&.
.RE
.PP
\-a \fIalgorithm\fR
......@@ -98,7 +98,7 @@ Specify a digest algorithm to use when converting DNSKEY records to DS records\&
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-A
......
......@@ -135,13 +135,15 @@
<dt><span class="term">-1</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA1</code>
An abbreviation for <code class="option">-a SHA-1</code>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-256</code>
An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
......@@ -157,6 +159,8 @@
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>
......
......@@ -39,7 +39,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
......@@ -58,6 +58,13 @@ may be preferable to direct use of
\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
......@@ -83,29 +90,15 @@ to generate TSIG keys\&.
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
\fB\-f KSK\fR) default to 2048 bits\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata\&. By default,
Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
\fBdnssec\-keygen\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
......@@ -150,11 +143,6 @@ Prints a short summary of the options and arguments to
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k
.RS 4
Deprecated in favor of \-T KEY\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
......@@ -164,9 +152,17 @@ none
is the same as leaving it unset\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
Sets the protocol value for the generated key, for use with
\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-q
......@@ -193,26 +189,24 @@ Specifies the strength value of the key\&. The strength is a number between 0 an
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
Specifying any TSIG algorithm (HMAC\-* or DH) with
\fB\-a\fR
forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key\&.
Indicates the use of the key, for use with
\fB\-T KEY\fR\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
\-v \fIlevel\fR
\-V
.RS 4
Sets the debugging level\&.
Prints version information\&.
.RE
.PP
\-V
\-v \fIlevel\fR
.RS 4
Prints version information\&.
Sets the debugging level\&.
.RE
.SH "TIMING OPTIONS"
.PP
......@@ -314,23 +308,24 @@ contains the private key\&.
.PP
The
\&.key
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
file contains a DNSKEY or KEY record\&. When a zone is being signed by
\fBnamed\fR
or
\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
\&.key
file can be inserted into a zone file manually or with a
\fB$INCLUDE\fR
statement\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.PP
Both
\&.key
and
\&.private
files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
To generate an ECDSAP256SHA256 key for the domain
\fBexample\&.com\fR, the following command would be issued:
To generate an ECDSAP256SHA256 zone\-signing key for the zone
\fBexample\&.com\fR, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR
\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
.PP
The command would print a string of the form:
.PP
......@@ -342,6 +337,10 @@ creates the files
Kexample\&.com\&.+013+26160\&.key
and
Kexample\&.com\&.+013+26160\&.private\&.
.PP
To generate a matching key\-signing key, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),
......
......@@ -33,11 +33,10 @@
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
......@@ -52,6 +51,7 @@
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
......@@ -62,7 +62,6 @@
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-z</code>]
{name}
</p></div>
</div>
......@@ -95,6 +94,16 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
......@@ -130,11 +139,9 @@
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
between 1024 and 4096 bits. Diffie Hellman keys must be between
128 and 4096 bits. Elliptic curve algorithms don't need this
parameter.
</p>
<p>
If the key size is not specified, some algorithms have
......@@ -144,36 +151,15 @@
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
Compatibility mode: generates an old-style key, without any
timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored with
the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include this
data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
......@@ -234,12 +220,6 @@
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Deprecated in favor of -T KEY.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
......@@ -253,13 +233,24 @@
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
Sets the protocol value for the generated key, for use
with <code class="option">-T KEY</code>. The protocol is a number between 0
and 255. The default is 3 (DNSSEC). Other possible values for
this argument are listed in RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-q</span></dt>
......@@ -306,32 +297,27 @@
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
<p>
Specifying any TSIG algorithm (HMAC-* or DH) with
<code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
Indicates the use of the key, for use with <code class="option">-T
KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the ability
to encrypt data.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Sets the debugging level.
Prints version information.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Prints version information.
Sets the debugging level.
</p>
</dd>
</dl></div>
......@@ -476,10 +462,12 @@
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
When a zone is being signed by <span class="command"><strong>named</strong></span>
or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
records are included automatically. In other cases,
the <code class="filename">.key</code> file can be inserted into a zone file
manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
......@@ -487,22 +475,17 @@
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric cryptography algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
To generate an ECDSAP256SHA256 key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
To generate an ECDSAP256SHA256 zone-signing key for the zone
<strong class="userinput"><code>example.com</code></strong>, issue the command:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
</p>
<p>
The command would print a string of the form:
......@@ -515,6 +498,12 @@
and
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
<p>
To generate a matching key-signing key, issue the command:
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
</p>
</div>
<div class="refsection">
......
......@@ -46,6 +46,15 @@ dnssec-checkds \- DNSSEC delegation consistency checking tool
verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS or DLV records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
If a
......
......@@ -55,8 +55,22 @@
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS or DLV records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
......
......@@ -49,7 +49,7 @@ and
\fBdnssec\-settime\fR\&.
.PP
DNSSEC policy can be read from a configuration file (default
/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a default policy used for all zones\&.
/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a "default" policy used for all zones\&.
.PP
When
\fBdnssec\-keymgr\fR
......@@ -181,7 +181,8 @@ would be used for zones that had unusually high security needs\&.
.sp -1
.IP \(bu 2.3
.\}
Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
\fIAlgorithm policies:\fR
(\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using
\fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&.
.RE
......@@ -194,59 +195,60 @@ Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&
.sp -1
.IP \(bu 2.3
.\}
Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
\fIZone policies:\fR
(\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a
\fBpolicy\fR
option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&.
option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&. If a zone does not have its own policy then the "default" policy applies\&.
.RE
.PP
Options that can be specified in policies:
.PP
\fBalgorithm\fR
\fBalgorithm\fR \fIname\fR;
.RS 4
The key algorithm\&. If no policy is defined, the default is RSASHA256\&.
.RE
.PP
\fBcoverage\fR
\fBcoverage\fR \fIduration\fR;
.RS 4
The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&.
.RE
.PP
\fBdirectory\fR
\fBdirectory\fR \fIpath\fR;
.RS 4
Specifies the directory in which keys should be stored\&.
.RE
.PP
\fBkey\-size\fR
\fBkey\-size\fR \fIkeytype\fR \fIsize\fR;
.RS 4
Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
Specifies the number of bits to use in creating keys\&. The keytype is either "zsk" or "ksk"\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
.RE
.PP
\fBkeyttl\fR
\fBkeyttl\fR \fIduration\fR;
.RS 4
The key TTL\&. If no policy is defined, the default is one hour\&.
.RE
.PP
\fBpost\-publish\fR
\fBpost\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long after inactivation a key should be deleted from the zone\&. Note: If
\fBroll\-period\fR
is not set, this value is ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
\fBpre\-publish\fR
\fBpre\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long before activation a key should be published\&. Note: If
\fBroll\-period\fR
is not set, this value is ignored\&. Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
\fBroll\-period\fR
\fBroll\-period\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How frequently keys should be rolled over\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not roll over by default\&.
How frequently keys should be rolled over\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSKs\&. KSKs do not roll over by default\&.
.RE
.PP
\fBstandby\fR
\fBstandby\fR \fIkeytype\fR \fInumber\fR;
.RS 4
Not yet implemented\&.
.RE
......
......@@ -57,11 +57,12 @@
</p>
<p>
DNSSEC policy can be read from a configuration file (default
<code class="filename">/etc/dnssec-policy.conf</code>), from which the key
parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
<code class="filename">/etc/dnssec-policy.conf</code>), from which the
key parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
per-zone basis, or to set a default policy used for all zones.
per-zone basis, or to set a "<code class="literal">default</code>" policy
used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
......@@ -210,7 +211,7 @@
</li>
<li class="listitem">
<p>
Algorithm policies:
<span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
......@@ -220,11 +221,13 @@
</li>
<li class="listitem">
<p>
Zone policies:
<span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
If a zone does not have its own policy then the
"<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
......@@ -232,81 +235,90 @@
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">