Commit 3853b3cf authored by Evan Hunt

update documentation

- change references to trusted-keys to dnssec-keys with static-key
- rebuild doc/misc/options and other generated grammar doc
- add a "see MANAGED-KEYS" note when building named.conf.docbook
parent d07053c8
...@@ -218,14 +218,17 @@ ...@@ -218,14 +218,17 @@
</para> </para>
<para> <para>
Note: When reading the trust anchor file, Note: When reading the trust anchor file,
<command>delv</command> treats <option>managed-keys</option> <command>delv</command> treats <option>dnssec-keys</option>
statements and <option>trusted-keys</option> statements <option>initial-key</option> and <option>static-key</option>
identically. That is, for a managed key, it is the entries identically. That is, even if a key is configured
<emphasis>initial</emphasis> key that is trusted; RFC 5011 with <command>initial-key</command>, indicating that it is
key management is not supported. <command>delv</command> meant to be used only as an initializing key for RFC 5011
will not consult the managed-keys database maintained by key maintenance, it is still treated by <command>delv</command>
<command>named</command>. This means that if either of the as if it had been configured as a <command>static-key</command>.
keys in <filename>/etc/bind.keys</filename> is revoked <command>delv</command> does not consult the managed keys
database maintained by <command>named</command>. This means
that if either of the keys in
<filename>/etc/bind.keys</filename> is revoked
and rolled over, it will be necessary to update and rolled over, it will be necessary to update
<filename>/etc/bind.keys</filename> to use DNSSEC <filename>/etc/bind.keys</filename> to use DNSSEC
validation in <command>delv</command>. validation in <command>delv</command>.
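Review bot: the rewritten delv note names only `dnssec-keys`, but the rest of this change keeps `managed-keys` as a synonym and `trusted-keys` as deprecated-but-accepted, and an existing `/etc/bind.keys` may still use either name; state explicitly whether delv reads all three statement forms from the trust anchor file, for example "treats `dnssec-keys`, `managed-keys` and `trusted-keys` statements, and `initial-key` and `static-key` entries, identically". The sentence beginning "That is, even if a key is configured with `initial-key`" would also read more easily split at "it is still treated by delv".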
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf"> <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info> <info>
<date>2018-12-07</date> <date>2019-05-10</date>
</info> </info>
<refentryinfo> <refentryinfo>
<corpname>ISC</corpname> <corpname>ISC</corpname>
...@@ -80,14 +80,12 @@ ...@@ -80,14 +80,12 @@
</refsection> </refsection>
<refsection><info><title>ACL</title></info> <refsection><info><title>ACL</title></info>
<literallayout class="normal"> <literallayout class="normal">
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... }; acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>CONTROLS</title></info> <refsection><info><title>CONTROLS</title></info>
<literallayout class="normal"> <literallayout class="normal">
controls { controls {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
...@@ -104,7 +102,6 @@ controls { ...@@ -104,7 +102,6 @@ controls {
</refsection> </refsection>
<refsection><info><title>DLZ</title></info> <refsection><info><title>DLZ</title></info>
<literallayout class="normal"> <literallayout class="normal">
dlz <replaceable>string</replaceable> { dlz <replaceable>string</replaceable> {
database <replaceable>string</replaceable>; database <replaceable>string</replaceable>;
...@@ -113,8 +110,15 @@ dlz <replaceable>string</replaceable> { ...@@ -113,8 +110,15 @@ dlz <replaceable>string</replaceable> {
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>DYNDB</title></info> <refsection><info><title>DNSSEC-KEYS</title></info>
<literallayout class="normal">
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal"> <literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> { dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
<replaceable>unspecified-text</replaceable> }; <replaceable>unspecified-text</replaceable> };
...@@ -122,7 +126,6 @@ dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> ...@@ -122,7 +126,6 @@ dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable>
</refsection> </refsection>
<refsection><info><title>KEY</title></info> <refsection><info><title>KEY</title></info>
<literallayout class="normal"> <literallayout class="normal">
key <replaceable>string</replaceable> { key <replaceable>string</replaceable> {
algorithm <replaceable>string</replaceable>; algorithm <replaceable>string</replaceable>;
...@@ -132,7 +135,6 @@ key <replaceable>string</replaceable> { ...@@ -132,7 +135,6 @@ key <replaceable>string</replaceable> {
</refsection> </refsection>
<refsection><info><title>LOGGING</title></info> <refsection><info><title>LOGGING</title></info>
<literallayout class="normal"> <literallayout class="normal">
logging { logging {
category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... }; category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
...@@ -154,15 +156,15 @@ logging { ...@@ -154,15 +156,15 @@ logging {
<refsection><info><title>MANAGED-KEYS</title></info> <refsection><info><title>MANAGED-KEYS</title></info>
<para>See DNSSEC-KEYS.</para>
<literallayout class="normal"> <literallayout class="normal">
managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable> <replaceable>integer</replaceable> managed-keys { <replaceable>string</replaceable> ( static-key |
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>MASTERS</title></info> <refsection><info><title>MASTERS</title></info>
<literallayout class="normal"> <literallayout class="normal">
masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceable> ] [ dscp masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceable> ] [ dscp
<replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
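Review bot: the added line under MANAGED-KEYS reads `<para>See DNSSEC-KEYS.</para>`, while the commit message says `add a "see MANAGED-KEYS" note`. The diff has it the right way round (the old statement name points at the new one), so the commit message should be corrected to match before merge.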
...@@ -172,7 +174,6 @@ masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceab ...@@ -172,7 +174,6 @@ masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceab
</refsection> </refsection>
<refsection><info><title>OPTIONS</title></info> <refsection><info><title>OPTIONS</title></info>
<literallayout class="normal"> <literallayout class="normal">
options { options {
allow-new-zones <replaceable>boolean</replaceable>; allow-new-zones <replaceable>boolean</replaceable>;
...@@ -251,7 +252,6 @@ options { ...@@ -251,7 +252,6 @@ options {
dnsrps-options { <replaceable>unspecified-text</replaceable> }; dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>; dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>; dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>; dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no ); <replaceable>string</replaceable> | auto | no );
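Review bot: this hunk drops `dnssec-enable <replaceable>boolean</replaceable>;` from the `options` grammar (the `view` grammar further down loses the same line), and none of the three bullet points in the commit message mentions it. If the option was removed from the parser in an earlier commit and this is only the regenerated output, a line in the commit message saying so would help; otherwise the removal deserves its own change with its own documentation.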
...@@ -403,11 +403,12 @@ options { ...@@ -403,11 +403,12 @@ options {
resolver-retry-interval <replaceable>integer</replaceable>; resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>; <replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname | <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
disabled | drop | given | no-op | nodata | nxdomain | passthru <replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [ nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ] nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
...@@ -474,7 +475,6 @@ options { ...@@ -474,7 +475,6 @@ options {
</refsection> </refsection>
<refsection><info><title>PLUGIN</title></info> <refsection><info><title>PLUGIN</title></info>
<literallayout class="normal"> <literallayout class="normal">
plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-text</replaceable> plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-text</replaceable>
} ]; } ];
...@@ -482,7 +482,6 @@ plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified- ...@@ -482,7 +482,6 @@ plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-
</refsection> </refsection>
<refsection><info><title>SERVER</title></info> <refsection><info><title>SERVER</title></info>
<literallayout class="normal"> <literallayout class="normal">
server <replaceable>netprefix</replaceable> { server <replaceable>netprefix</replaceable> {
bogus <replaceable>boolean</replaceable>; bogus <replaceable>boolean</replaceable>;
...@@ -520,7 +519,6 @@ server <replaceable>netprefix</replaceable> { ...@@ -520,7 +519,6 @@ server <replaceable>netprefix</replaceable> {
</refsection> </refsection>
<refsection><info><title>STATISTICS-CHANNELS</title></info> <refsection><info><title>STATISTICS-CHANNELS</title></info>
<literallayout class="normal"> <literallayout class="normal">
statistics-channels { statistics-channels {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
...@@ -532,15 +530,15 @@ statistics-channels { ...@@ -532,15 +530,15 @@ statistics-channels {
</refsection> </refsection>
<refsection><info><title>TRUSTED-KEYS</title></info> <refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal"> <literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>VIEW</title></info> <refsection><info><title>VIEW</title></info>
<literallayout class="normal"> <literallayout class="normal">
view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
allow-new-zones <replaceable>boolean</replaceable>; allow-new-zones <replaceable>boolean</replaceable>;
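Review bot: the regenerated TRUSTED-KEYS grammar now ends with `<replaceable>quoted_string</replaceable>; ... };, deprecated`, that is, the literal text ", deprecated" is emitted after the closing `};` inside the literallayout; the `trusted-keys` line in the VIEW grammar below carries the same tail. This looks like the generator printing the deprecated flag inline. The `<para>Deprecated - see DNSSEC-KEYS.</para>` added just above already says it, so the generator should omit the suffix or render it as a trailing comment, the way `// experimental` is used for `trust-anchor-telemetry`.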
...@@ -612,7 +610,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -612,7 +610,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnsrps-options { <replaceable>unspecified-text</replaceable> }; dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>; dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>; dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-enable <replaceable>boolean</replaceable>; dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>; dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no ); <replaceable>string</replaceable> | auto | no );
...@@ -650,9 +650,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -650,9 +650,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
key-directory <replaceable>quoted_string</replaceable>; key-directory <replaceable>quoted_string</replaceable>;
lame-ttl <replaceable>ttlval</replaceable>; lame-ttl <replaceable>ttlval</replaceable>;
lmdb-mapsize <replaceable>sizeval</replaceable>; lmdb-mapsize <replaceable>sizeval</replaceable>;
managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable> managed-keys { <replaceable>string</replaceable> ( static-key |
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
masterfile-format ( map | raw | text ); masterfile-format ( map | raw | text );
masterfile-style ( full | relative ); masterfile-style ( full | relative );
match-clients { <replaceable>address_match_element</replaceable>; ... }; match-clients { <replaceable>address_match_element</replaceable>; ... };
...@@ -735,11 +735,12 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -735,11 +735,12 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
resolver-retry-interval <replaceable>integer</replaceable>; resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>; <replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname | <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
disabled | drop | given | no-op | nodata | nxdomain | passthru <replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [ nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ] nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
...@@ -801,9 +802,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -801,9 +802,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ]; ] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable> trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; <replaceable>integer</replaceable> <replaceable>integer</replaceable>
... }; <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
try-tcp-refresh <replaceable>boolean</replaceable>; try-tcp-refresh <replaceable>boolean</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>; update-check-ksk <replaceable>boolean</replaceable>;
use-alt-transfer-source <replaceable>boolean</replaceable>; use-alt-transfer-source <replaceable>boolean</replaceable>;
...@@ -915,7 +917,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -915,7 +917,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
</refsection> </refsection>
<refsection><info><title>ZONE</title></info> <refsection><info><title>ZONE</title></info>
<literallayout class="normal"> <literallayout class="normal">
zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
allow-notify { <replaceable>address_match_element</replaceable>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... };
......
...@@ -458,7 +458,7 @@ ...@@ -458,7 +458,7 @@
<term><userinput>managed-keys <replaceable>(status | refresh | sync | destroy)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term> <term><userinput>managed-keys <replaceable>(status | refresh | sync | destroy)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem> <listitem>
<para> <para>
Inspect and control the "managed-keys" database which Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view; is specified, these commands are applied to that view;
otherwise they are applied to all views. otherwise they are applied to all views.
...@@ -467,14 +467,14 @@ ...@@ -467,14 +467,14 @@
<listitem> <listitem>
<para> <para>
When run with the <literal>status</literal> keyword, prints When run with the <literal>status</literal> keyword, prints
the current status of the managed-keys database. the current status of the managed keys database.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
When run with the <literal>refresh</literal> keyword, When run with the <literal>refresh</literal> keyword,
forces an immediate refresh query to be sent for all forces an immediate refresh query to be sent for all
the managed keys, updating the managed-keys database the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal if any new keys are found, without waiting the normal
refresh interval. refresh interval.
</para> </para>
...@@ -482,7 +482,7 @@ ...@@ -482,7 +482,7 @@
<listitem> <listitem>
<para> <para>
When run with the <literal>sync</literal> keyword, forces an When run with the <literal>sync</literal> keyword, forces an
immediate dump of the managed-keys database to disk immediate dump of the managed keys database to disk
(in the file <filename>managed-keys.bind</filename> or (in the file <filename>managed-keys.bind</filename> or
(<filename><replaceable>viewname</replaceable>.mkeys</filename>). (<filename><replaceable>viewname</replaceable>.mkeys</filename>).
This synchronizes the database with its journal file, so This synchronizes the database with its journal file, so
...@@ -493,7 +493,7 @@ ...@@ -493,7 +493,7 @@
<listitem> <listitem>
<para> <para>
When run with the <literal>destroy</literal> keyword, the When run with the <literal>destroy</literal> keyword, the
managed-keys database is shut down and deleted, and all key managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only maintenance is terminated. This command should be used only
with extreme caution. with extreme caution.
</para> </para>
...@@ -772,9 +772,10 @@ ...@@ -772,9 +772,10 @@
<listitem> <listitem>
<para> <para>
Dump the security roots (i.e., trust anchors Dump the security roots (i.e., trust anchors
configured via <command>trusted-keys</command>, configured via <command>dnssec-keys</command> statements,
<command>managed-keys</command>, or or the synonymous <command>managed-keys</command> or
<command>dnssec-validation auto</command>) and negative trust the deprecated <command>trusted-keys</command> statements, or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or they are configured as trusted keys, managed keys, or
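Review bot: the trailing context "Security roots will indicate whether they are configured as trusted keys, managed keys, or ..." still uses the old vocabulary right after the rewritten sentence introduces `dnssec-keys` with `static-key`/`initial-key`. If the `rndc secroots` output really still labels anchors "trusted"/"managed", keep the wording but present it as quoted output; otherwise update this sentence in the same change so the two agree.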
......
...@@ -259,8 +259,8 @@ key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; }; ...@@ -259,8 +259,8 @@ key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };
view "test-view" in { view "test-view" in {
key "viewkey" { algorithm "xxx" ; secret "eXl5" ; }; key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
also-notify { 10.2.2.3; }; also-notify { 10.2.2.3; };
trusted-keys { managed-keys {
foo.com. 4 3 2 "abdefghijklmnopqrstuvwxyz"; foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz";
}; };
sig-validity-interval 45; sig-validity-interval 45;
max-cache-size 100000; max-cache-size 100000;
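Review bot: the updated test configuration uses the keyword `static` (`foo.com. static 4 3 2 ...` here, and `"." static 257 255 1 ...` in the next hunk), while every grammar hunk in this change and the ARM example spell it `static-key`. Either `static` is an accepted abbreviation, in which case the generated grammar `( static-key | initial-key )` should list it, or these inputs will fail to parse and should read `static-key`.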
...@@ -342,8 +342,8 @@ zone "." { ...@@ -342,8 +342,8 @@ zone "." {
// pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; // pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
}; };
trusted-keys { managed-keys {
"." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; "." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
}; };
......
...@@ -2087,7 +2087,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; ...@@ -2087,7 +2087,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
zone key of another zone above this one in the DNS tree. zone key of another zone above this one in the DNS tree.
</para> </para>
<section xml:id="dnssec_keys"><info><title>Generating Keys</title></info> <section xml:id="generating_dnssec_keys"><info><title>Generating Keys</title></info>
<para> <para>
The <command>dnssec-keygen</command> program is used to The <command>dnssec-keygen</command> program is used to
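Review bot: renaming the section id from `dnssec_keys` to `generating_dnssec_keys` will break any `<xref linkend="dnssec_keys"/>` elsewhere in the ARM and any external links to the generated HTML anchor, and this diff shows no corresponding xref updates. Please confirm that a search for the old id comes back empty, or update the references in the same commit.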
...@@ -2212,8 +2212,9 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; ...@@ -2212,8 +2212,9 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<userinput>yes</userinput>, DNSSEC validation will only occur <userinput>yes</userinput>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename> in <filename>named.conf</filename>
using a <command>trusted-keys</command> or using a <command>dnssec-keys</command> statement (or the
<command>managed-keys</command> statement. synonymous <command>managed-keys</command> or the deprecated
<command>trusted-keys</command> statements).
</para> </para>
<para> <para>
When <command>dnssec-validation</command> is set to When <command>dnssec-validation</command> is set to
...@@ -2226,23 +2227,20 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; ...@@ -2226,23 +2227,20 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para> </para>
<para> <para>
<command>trusted-keys</command> are copies of DNSKEY RRs The keys specified in <command>dnssec-keys</command>
for zones that are used to form the first link in the copies of DNSKEY RRs for zones that are used to form the
cryptographic chain of trust. All keys listed in first link in the cryptographic chain of trust. Keys configured
<command>trusted-keys</command> (and corresponding zones) with the keyword <command>static-key</command> are loaded directly
are deemed to exist and only the listed keys will be used into the table of trust anchors, and can only be changed by
to validated the DNSKEY RRset that they are from. altering the configuration. Keys configured with
<command>initial-key</command> are used to initialize
RFC 5011 trust anchor maintenance, and will be kept up to
date automatically after the first time <command>named</command>
runs.
</para> </para>
<para> <para>
<command>managed-keys</command> are trusted keys which are <command>dnssec-keys</command> is described in more detail
automatically kept up to date via RFC 5011 trust anchor
maintenance.
</para>
<para>
<command>trusted-keys</command> and
<command>managed-keys</command> are described in more detail
later in this document. later in this document.
</para> </para>
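Review bot: the new paragraph is missing its verb: "The keys specified in <command>dnssec-keys</command> copies of DNSKEY RRs" should read "The keys specified in <command>dnssec-keys</command> are copies of DNSKEY RRs". Separately, the removed text stated that for trusted keys "only the listed keys will be used to validate the DNSKEY RRset"; if that property still holds for `static-key` entries, it is worth keeping a sentence to that effect, since it is what distinguishes a static anchor from an RFC 5011 initial key.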
...@@ -2265,7 +2263,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; ...@@ -2265,7 +2263,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para> </para>
<programlisting> <programlisting>
managed-keys { dnssec-keys {
/* Root Key */ /* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
...@@ -2277,11 +2275,8 @@ managed-keys { ...@@ -2277,11 +2275,8 @@ managed-keys {
66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3"; dgxbcDTClU0CRBdiieyLMNzXG3";
};
trusted-keys {
/* Key for our organization's forward zone */ /* Key for our organization's forward zone */
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6 example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
...@@ -2294,7 +2289,7 @@ trusted-keys { ...@@ -2294,7 +2289,7 @@ trusted-keys {
1OTQ09A0="; 1OTQ09A0=";
/* Key for our reverse zone. */ /* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc 2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
xOdNax071L18QqZnQQQAVVr+i xOdNax071L18QqZnQQQAVVr+i
LhGTnNGp3HoWQLUIzKrJVZ3zg LhGTnNGp3HoWQLUIzKrJVZ3zg
gy3WwNT6kZo6c0tszYqbtvchm gy3WwNT6kZo6c0tszYqbtvchm
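Review bot: while this example block is being rewritten, the context line `2.0.192.IN-ADDRPA.NET. static-key 257 3 5 ...` carries a pre-existing typo in the owner name; the reverse zone for 192.0.2.0/24 is `2.0.192.in-addr.arpa.`, so the example should be corrected in the same pass rather than propagated with the new keyword.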
...@@ -3205,11 +3200,17 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. ...@@ -3205,11 +3200,17 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</row> </row>
<row rowsep="0"> <row rowsep="0">
<entry colname="1"> <entry colname="1">
<para><command>trusted-keys</command></para> <para><command>dnssec-keys</command></para>
</entry> </entry>
<entry colname="2"> <entry colname="2">
<para> <para>
defines trusted DNSSEC keys. defines DNSSEC keys: if used with the
<command>initial-key</command> keyword,
keys are kept up to date using RFC 5011
trust anchor maintenance, and if used with
<command>static-key</command>, keys are permanent.
Identical to <command>managed-keys</command>,
but has been added for improved clarity.
</para> </para>
</entry> </entry>
</row> </row>
...@@ -3219,8 +3220,22 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. ...@@ -3219,8 +3220,22 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</entry> </entry>
<entry colname="2"> <entry colname="2">
<para> <para>
lists DNSSEC keys to be kept up to date is identical to <command>dnssec-keys</command>,
using RFC 5011 trust anchor maintenance. and is retained for backward compatibility.
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para><command>trusted-keys</command></para>
</entry>
<entry colname="2">
<para>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
of <command>dnssec-keys</command> with
the <command>static-key</command> keyword,
and may be removed in a future release.
</para> </para>
</entry> </entry>
</row> </row>
...@@ -4595,10 +4610,12 @@ badresp:1,adberr:0,findfail:0,valfail:0] ...@@ -4595,10 +4610,12 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<listitem> <listitem>
<para> <para>
Specifies the directory in which to store the files that Specifies the directory in which to store the files that
track managed DNSSEC keys. By default, this is the working track managed DNSSEC keys (i.e., those configured using
directory. The directory <emphasis>must</emphasis> the <command>initial-key</command> keyword in a
be writable by the effective user ID of the <command>dnssec-keys</command> statement). By default,
<command>named</command> process. this is the working directory. The directory
<emphasis>must</emphasis> be writable by the effective
user ID of the <command>named</command> process.
</para> </para>
<para> <para>
If <command>named</command> is not configured to use views, If <command>named</command> is not configured to use views,
...@@ -5100,10 +5117,10 @@ options { ...@@ -5100,10 +5117,10 @@ options {
then <command>named</command> will only accept answers if then <command>named</command> will only accept answers if
they are secure. If <userinput>no</userinput>, then normal they are secure. If <userinput>no</userinput>, then normal
DNSSEC validation applies allowing for insecure answers to DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be under a be accepted. The specified domain must be defined as a
<command>trusted-keys</command> or trust anchor, for instance in a <command>dnssec-keys</command>
<command>managed-keys</command> statement, or statement, or <command>dnssec-validation auto</command> must
<command>dnssec-validation auto</command> must be active. be active.
</para> </para>
</listitem> </listitem>