Commit 26cde05d authored by Tinderbox User's avatar Tinderbox User

regen master

parent ddcf6c7d
......@@ -55,7 +55,7 @@ is a tool for sending DNS queries and validating the results, using the same int
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&. Records returned by
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
......@@ -135,13 +135,13 @@ will perform a lookup for an A record\&.
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&.
9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
\fB+dlv=NAME\fR
or
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&.
options\&. DNSSEC Lookaside Validation can also be turned on by using the
\fB+dlv=NAME\fR
to specify the name of a zone containing DLV records\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
......@@ -404,9 +404,9 @@ must be used to specify a file containing the key\&.
.PP
\fB+[no]dlv[=DLV]\fR
.RS 4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The default is to perform lookaside validation using a trust anchor of "dlv\&.isc\&.org", for which there is a built\-in key\&. If specifying a different name, then
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
\fB\-a\fR
must be used to specify a file containing the DLV key\&.
option must also be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR
......
......@@ -91,8 +91,7 @@
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
anchor for the root zone ("."). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
......@@ -189,14 +188,15 @@
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
one or more trust anchors for the root zone (".").
</p>
<p>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <code class="option">+dlv=NAME</code> or
<code class="option">+root=NAME</code> options.
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<code class="option">+root=NAME</code> options. DNSSEC Lookaside
Validation can also be turned on by using the
<code class="option">+dlv=NAME</code> to specify the name of a
zone containing DLV records.
</p>
<p>
Note: When reading the trust anchor file,
......@@ -538,11 +538,8 @@
<p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<code class="option">-a</code> must be used to specify a file
containing the DLV key.
The <code class="option">-a</code> option must also be used to specify
a file containing the DLV key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
......
.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
......@@ -8,8 +8,8 @@
.ad l
'\" t
.\" Title: dnssec-cds
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2017-10-02
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,7 +38,7 @@
.SH "NAME"
dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
.SH "SYNOPSIS"
.HP 11
.HP \w'\fBdnssec\-cds\fR\ 'u
\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
.SH "DESCRIPTION"
.PP
......@@ -191,8 +191,7 @@ dsset\-
file, or with the
\fB\-T\fR
option, or using the
\fBnsupdate\fR
\fBttl\fR
\fBnsupdate\fR\fBttl\fR
command\&.
.RE
.PP
......
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
......@@ -10,27 +10,54 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-cds</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-cds</span> &#8212; change DS records for a child zone based on CDS/CDNSKEY</p>
<p>
<span class="application">dnssec-cds</span>
&#8212; change DS records for a child zone based on CDS/CDNSKEY
</p>
</div>
<div class="refsynopsisdiv">
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-cds</code> [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D</code>] {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>} {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>} [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {domain}</p></div>
</div>
<div class="refsection">
<div class="cmdsynopsis"><p>
<code class="command">dnssec-cds</code>
[<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D</code>]
{<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>}
{<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>}
[<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]]
[<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-u</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
{domain}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred.
</p>
<p>
<p>
Two input files are required. The
<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
option specifies a file containing the child's CDS and/or CDNSKEY
......@@ -43,20 +70,20 @@
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
run of <span class="command"><strong>dnssec-cds</strong></span>.
</p>
<p>
<p>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
modification time of the <code class="filename">dsset-</code> file, or
from the <code class="option">-s</code> option.
</p>
<p>
<p>
To protect against breaking the delegation,
<span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</p>
<p>
<p>
By default, replacement DS records are written to the standard
output; with the <code class="option">-i</code> option the input file is
overwritten in place. The replacement DS records will be the
......@@ -64,49 +91,56 @@
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</p>
<p>
<p>
Warning: Be careful not to delete the DS records
when <span class="command"><strong>dnssec-cds</strong></span> fails!
</p>
<p>
<p>
Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
You can use the <code class="option">-u</code> and <code class="option">-i</code>
options together to maintain a <code class="filename">dsset-</code> file
as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
<p>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</p>
<p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the DNS class of the zones.
</p></dd>
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd><p>
<dd>
<p>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
</p></dd>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
<dd>
<p>
<p>
Location of the parent DS records.
The <em class="replaceable"><code>path</code></em> can be the name of a file
containing the DS records, or if it is a
......@@ -114,31 +148,31 @@
a <code class="filename">dsset-</code> file for
the <em class="replaceable"><code>domain</code></em> inside the directory.
</p>
<p>
<p>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <code class="filename">dsset-</code> file. This can be
adjusted with the <code class="option">-s</code> option.
</p>
</dd>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
<dd>
<p>
<p>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</p>
<p>
<p>
The EXAMPLES below describe how to generate this file.
</p>
</dd>
</dd>
<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
<dd>
<p>
<p>
Update the <code class="filename">dsset-</code> file in place,
instead of writing DS records to the standard output.
</p>
<p>
<p>
There must be no space between the <code class="option">-i</code> and
the <em class="replaceable"><code>extension</code></em>. If you provide
no <em class="replaceable"><code>extension</code></em> then the
......@@ -148,17 +182,17 @@
with the <em class="replaceable"><code>extension</code></em> appended to
its filename.
</p>
<p>
<p>
To protect against replay attacks, the modification time
of the <code class="filename">dsset-</code> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</p>
</dd>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
<p>
<p>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
......@@ -168,69 +202,82 @@
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</p>
<p>
<p>
If no <em class="replaceable"><code>start-time</code></em> is specified, the
modification time of the <code class="filename">dsset-</code> file
is used.
</p>
</dd>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
</p></dd>
</p>
</dd>
<dt><span class="term">-u</span></dt>
<dd>
<p>
<p>
Write an <span class="command"><strong>nsupdate</strong></span> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</p>
<p>
<p>
Note: The TTL of new records needs to be specified, either
in the original <code class="filename">dsset-</code> file, or with
the <code class="option">-T</code> option, or using
the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
command.
</p>
</dd>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
<dd>
<p>
Print version information.
</p></dd>
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
<dd>
<p>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
</p></dd>
</p>
</dd>
<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
<dd>
<p>
The name of the delegation point / child zone apex.
</p></dd>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXIT STATUS</h2>
<p>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
non-zero if an error occurred.
</p>
<p>
<p>
In the success case, the DS records might or might not need
to be changed.
</p>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>EXAMPLES</h2>
<p>
<p>
Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
that the delegations are up-to-date by running
<span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
</p>
<p>
<p>
To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
you can invoke <span class="command"><strong>dig</strong></span> as in the script below. It's
okay if the <span class="command"><strong>dig</strong></span> fails since
......@@ -243,7 +290,8 @@ do
dnssec-cds -i -f /dev/stdin -d $f $d
done
</pre>
<p>
<p>
When the parent zone is automatically signed by
<span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
......@@ -256,17 +304,29 @@ dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</pre>
</div>
<div class="refsection">
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<p>
<span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-settime</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 7344</em>.
</p>
</div>
</div>
</div></body>
</html>
......@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,11 +38,11 @@
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP 17
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
.HP 17
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.HP 17
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
.SH "DESCRIPTION"
.PP
......
......@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-importkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,9 +38,9 @@
.SH "NAME"
dnssec-importkey \- import DNSKEY records from external systems so they can be managed
.SH "SYNOPSIS"
.HP 17
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
.HP 17
.HP \w'\fBdnssec\-importkey\fR\ 'u
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP
......
......@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,7 +38,7 @@
.SH "NAME"
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP 15
.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
......
.\" Copyright (C) 2012-2016 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2012-2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -57,8 +57,7 @@ is specified, then the zone is read from that file to find the DNSKEY records\&.
.PP
\-l \fIdomain\fR
.RS 4
Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone\*(Aqs parent\&. For example, to check for DLV records for "example\&.com" in ISC\*(Aqs DLV zone, use:
\fBdnssec\-checkds \-l dlv\&.isc\&.org example\&.com\fR
Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone\*(Aqs parent\&.
.RE
.PP
\-d \fIdig path\fR
......@@ -84,5 +83,5 @@ binary\&. Used for testing\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2012-2016 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2012-2017 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2012-2016 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2012-2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -77,9 +77,6 @@
<p>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com"
in ISC's DLV zone, use:
<span class="command"><strong>dnssec-checkds -l dlv.isc.org example.com</strong></span>
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
......
......@@ -282,11 +282,73 @@ zone option be set to
maintain, and also requires the zone to be configured to allow dynamic DNS\&. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details\&.)
.RE
.PP
\fBmanaged\-keys \fR\fB\fI(status | refresh | sync)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
When run with the "status" keyword, print the current status of the managed\-keys database for the specified view, or for all views if none is specified\&. When run with the "refresh" keyword, force an immediate refresh of all the managed\-keys in the specified view, or all views\&. When run with the "sync" keyword, force an immediate dump of the managed\-keys database to disk (in the file
\fBmanaged\-keys \fR\fB\fI(status | refresh | sync | destroy)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When run with the
status
keyword, prints the current status of the managed\-keys database\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When run with the
refresh
keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed\-keys database if any new keys are found, without waiting the normal refresh interval\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When run with the
sync
keyword, forces an immediate dump of the managed\-keys database to disk (in the file
managed\-keys\&.bind
or (\fIviewname\fR\&.mkeys)\&.
or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal file, so that the database\*(Aqs current contents can be inspected visually\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When run with the
destroy
keyword, the managed\-keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
.sp