Commit 3853b3cf authored by Evan Hunt's avatar Evan Hunt

update documentation

- change references to trusted-keys to dnssec-keys with static-key
- rebuild doc/misc/options and other generated grammar doc
- add a "see MANAGED-KEYS" note when building named.conf.docbook
parent d07053c8
...@@ -218,14 +218,17 @@ ...@@ -218,14 +218,17 @@
</para> </para>
<para> <para>
Note: When reading the trust anchor file, Note: When reading the trust anchor file,
<command>delv</command> treats <option>managed-keys</option> <command>delv</command> treats <option>dnssec-keys</option>
statements and <option>trusted-keys</option> statements <option>initial-key</option> and <option>static-key</option>
identically. That is, for a managed key, it is the entries identically. That is, even if a key is configured
<emphasis>initial</emphasis> key that is trusted; RFC 5011 with <command>initial-key</command>, indicating that it is
key management is not supported. <command>delv</command> meant to be used only as an initializing key for RFC 5011
will not consult the managed-keys database maintained by key maintenance, it is still treated by <command>delv</command>
<command>named</command>. This means that if either of the as if it had been configured as a <command>static-key</command>.
keys in <filename>/etc/bind.keys</filename> is revoked <command>delv</command> does not consult the managed keys
database maintained by <command>named</command>. This means
that if either of the keys in
<filename>/etc/bind.keys</filename> is revoked
and rolled over, it will be necessary to update and rolled over, it will be necessary to update
<filename>/etc/bind.keys</filename> to use DNSSEC <filename>/etc/bind.keys</filename> to use DNSSEC
validation in <command>delv</command>. validation in <command>delv</command>.
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf"> <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info> <info>
<date>2018-12-07</date> <date>2019-05-10</date>
</info> </info>
<refentryinfo> <refentryinfo>
<corpname>ISC</corpname> <corpname>ISC</corpname>
...@@ -80,14 +80,12 @@ ...@@ -80,14 +80,12 @@
</refsection> </refsection>
<refsection><info><title>ACL</title></info> <refsection><info><title>ACL</title></info>
<literallayout class="normal"> <literallayout class="normal">
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... }; acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>CONTROLS</title></info> <refsection><info><title>CONTROLS</title></info>
<literallayout class="normal"> <literallayout class="normal">
controls { controls {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
...@@ -104,7 +102,6 @@ controls { ...@@ -104,7 +102,6 @@ controls {
</refsection> </refsection>
<refsection><info><title>DLZ</title></info> <refsection><info><title>DLZ</title></info>
<literallayout class="normal"> <literallayout class="normal">
dlz <replaceable>string</replaceable> { dlz <replaceable>string</replaceable> {
database <replaceable>string</replaceable>; database <replaceable>string</replaceable>;
...@@ -113,8 +110,15 @@ dlz <replaceable>string</replaceable> { ...@@ -113,8 +110,15 @@ dlz <replaceable>string</replaceable> {
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>DYNDB</title></info> <refsection><info><title>DNSSEC-KEYS</title></info>
<literallayout class="normal">
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal"> <literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> { dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
<replaceable>unspecified-text</replaceable> }; <replaceable>unspecified-text</replaceable> };
...@@ -122,7 +126,6 @@ dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> ...@@ -122,7 +126,6 @@ dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable>
</refsection> </refsection>
<refsection><info><title>KEY</title></info> <refsection><info><title>KEY</title></info>
<literallayout class="normal"> <literallayout class="normal">
key <replaceable>string</replaceable> { key <replaceable>string</replaceable> {
algorithm <replaceable>string</replaceable>; algorithm <replaceable>string</replaceable>;
...@@ -132,7 +135,6 @@ key <replaceable>string</replaceable> { ...@@ -132,7 +135,6 @@ key <replaceable>string</replaceable> {
</refsection> </refsection>
<refsection><info><title>LOGGING</title></info> <refsection><info><title>LOGGING</title></info>
<literallayout class="normal"> <literallayout class="normal">
logging { logging {
category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... }; category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
...@@ -154,15 +156,15 @@ logging { ...@@ -154,15 +156,15 @@ logging {
<refsection><info><title>MANAGED-KEYS</title></info> <refsection><info><title>MANAGED-KEYS</title></info>
<para>See DNSSEC-KEYS.</para>
<literallayout class="normal"> <literallayout class="normal">
managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable> <replaceable>integer</replaceable> managed-keys { <replaceable>string</replaceable> ( static-key |
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>MASTERS</title></info> <refsection><info><title>MASTERS</title></info>
<literallayout class="normal"> <literallayout class="normal">
masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceable> ] [ dscp masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceable> ] [ dscp
<replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
...@@ -172,7 +174,6 @@ masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceab ...@@ -172,7 +174,6 @@ masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceab
</refsection> </refsection>
<refsection><info><title>OPTIONS</title></info> <refsection><info><title>OPTIONS</title></info>
<literallayout class="normal"> <literallayout class="normal">
options { options {
allow-new-zones <replaceable>boolean</replaceable>; allow-new-zones <replaceable>boolean</replaceable>;
...@@ -251,7 +252,6 @@ options { ...@@ -251,7 +252,6 @@ options {
dnsrps-options { <replaceable>unspecified-text</replaceable> }; dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>; dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>; dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>; dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no ); <replaceable>string</replaceable> | auto | no );
...@@ -403,11 +403,12 @@ options { ...@@ -403,11 +403,12 @@ options {
resolver-retry-interval <replaceable>integer</replaceable>; resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>; <replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname | <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
disabled | drop | given | no-op | nodata | nxdomain | passthru <replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [ nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ] nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
...@@ -474,7 +475,6 @@ options { ...@@ -474,7 +475,6 @@ options {
</refsection> </refsection>
<refsection><info><title>PLUGIN</title></info> <refsection><info><title>PLUGIN</title></info>
<literallayout class="normal"> <literallayout class="normal">
plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-text</replaceable> plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-text</replaceable>
} ]; } ];
...@@ -482,7 +482,6 @@ plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified- ...@@ -482,7 +482,6 @@ plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-
</refsection> </refsection>
<refsection><info><title>SERVER</title></info> <refsection><info><title>SERVER</title></info>
<literallayout class="normal"> <literallayout class="normal">
server <replaceable>netprefix</replaceable> { server <replaceable>netprefix</replaceable> {
bogus <replaceable>boolean</replaceable>; bogus <replaceable>boolean</replaceable>;
...@@ -520,7 +519,6 @@ server <replaceable>netprefix</replaceable> { ...@@ -520,7 +519,6 @@ server <replaceable>netprefix</replaceable> {
</refsection> </refsection>
<refsection><info><title>STATISTICS-CHANNELS</title></info> <refsection><info><title>STATISTICS-CHANNELS</title></info>
<literallayout class="normal"> <literallayout class="normal">
statistics-channels { statistics-channels {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
...@@ -532,15 +530,15 @@ statistics-channels { ...@@ -532,15 +530,15 @@ statistics-channels {
</refsection> </refsection>
<refsection><info><title>TRUSTED-KEYS</title></info> <refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal"> <literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
</literallayout> </literallayout>
</refsection> </refsection>
<refsection><info><title>VIEW</title></info> <refsection><info><title>VIEW</title></info>
<literallayout class="normal"> <literallayout class="normal">
view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
allow-new-zones <replaceable>boolean</replaceable>; allow-new-zones <replaceable>boolean</replaceable>;
...@@ -612,7 +610,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -612,7 +610,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnsrps-options { <replaceable>unspecified-text</replaceable> }; dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>; dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>; dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-enable <replaceable>boolean</replaceable>; dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>; dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no ); <replaceable>string</replaceable> | auto | no );
...@@ -650,9 +650,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -650,9 +650,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
key-directory <replaceable>quoted_string</replaceable>; key-directory <replaceable>quoted_string</replaceable>;
lame-ttl <replaceable>ttlval</replaceable>; lame-ttl <replaceable>ttlval</replaceable>;
lmdb-mapsize <replaceable>sizeval</replaceable>; lmdb-mapsize <replaceable>sizeval</replaceable>;
managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable> managed-keys { <replaceable>string</replaceable> ( static-key |
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
masterfile-format ( map | raw | text ); masterfile-format ( map | raw | text );
masterfile-style ( full | relative ); masterfile-style ( full | relative );
match-clients { <replaceable>address_match_element</replaceable>; ... }; match-clients { <replaceable>address_match_element</replaceable>; ... };
...@@ -735,11 +735,12 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -735,11 +735,12 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
resolver-retry-interval <replaceable>integer</replaceable>; resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>; <replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname | <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
disabled | drop | given | no-op | nodata | nxdomain | passthru <replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [ nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ] nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
...@@ -801,9 +802,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -801,9 +802,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ]; ] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable> trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; <replaceable>integer</replaceable> <replaceable>integer</replaceable>
... }; <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
try-tcp-refresh <replaceable>boolean</replaceable>; try-tcp-refresh <replaceable>boolean</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>; update-check-ksk <replaceable>boolean</replaceable>;
use-alt-transfer-source <replaceable>boolean</replaceable>; use-alt-transfer-source <replaceable>boolean</replaceable>;
...@@ -915,7 +917,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { ...@@ -915,7 +917,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
</refsection> </refsection>
<refsection><info><title>ZONE</title></info> <refsection><info><title>ZONE</title></info>
<literallayout class="normal"> <literallayout class="normal">
zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] { zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
allow-notify { <replaceable>address_match_element</replaceable>; ... }; allow-notify { <replaceable>address_match_element</replaceable>; ... };
...@@ -458,7 +458,7 @@ ...@@ -458,7 +458,7 @@
<term><userinput>managed-keys <replaceable>(status | refresh | sync | destroy)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term> <term><userinput>managed-keys <replaceable>(status | refresh | sync | destroy)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem> <listitem>
<para> <para>
Inspect and control the "managed-keys" database which Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view; is specified, these commands are applied to that view;
otherwise they are applied to all views. otherwise they are applied to all views.
...@@ -467,14 +467,14 @@ ...@@ -467,14 +467,14 @@
<listitem> <listitem>
<para> <para>
When run with the <literal>status</literal> keyword, prints When run with the <literal>status</literal> keyword, prints
the current status of the managed-keys database. the current status of the managed keys database.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
When run with the <literal>refresh</literal> keyword, When run with the <literal>refresh</literal> keyword,
forces an immediate refresh query to be sent for all forces an immediate refresh query to be sent for all
the managed keys, updating the managed-keys database the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal if any new keys are found, without waiting the normal
refresh interval. refresh interval.
</para> </para>
...@@ -482,7 +482,7 @@ ...@@ -482,7 +482,7 @@
<listitem> <listitem>
<para> <para>
When run with the <literal>sync</literal> keyword, forces an When run with the <literal>sync</literal> keyword, forces an
immediate dump of the managed-keys database to disk immediate dump of the managed keys database to disk
(in the file <filename>managed-keys.bind</filename> or (in the file <filename>managed-keys.bind</filename> or
(<filename><replaceable>viewname</replaceable>.mkeys</filename>). (<filename><replaceable>viewname</replaceable>.mkeys</filename>).
This synchronizes the database with its journal file, so This synchronizes the database with its journal file, so
...@@ -493,7 +493,7 @@ ...@@ -493,7 +493,7 @@
<listitem> <listitem>
<para> <para>
When run with the <literal>destroy</literal> keyword, the When run with the <literal>destroy</literal> keyword, the
managed-keys database is shut down and deleted, and all key managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only maintenance is terminated. This command should be used only
with extreme caution. with extreme caution.
</para> </para>
...@@ -772,9 +772,10 @@ ...@@ -772,9 +772,10 @@
<listitem> <listitem>
<para> <para>
Dump the security roots (i.e., trust anchors Dump the security roots (i.e., trust anchors
configured via <command>trusted-keys</command>, configured via <command>dnssec-keys</command> statements,
<command>managed-keys</command>, or or the synonymous <command>managed-keys</command> or
<command>dnssec-validation auto</command>) and negative trust the deprecated <command>trusted-keys</command> statements, or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or they are configured as trusted keys, managed keys, or
...@@ -259,8 +259,8 @@ key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; }; ...@@ -259,8 +259,8 @@ key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };
view "test-view" in { view "test-view" in {
key "viewkey" { algorithm "xxx" ; secret "eXl5" ; }; key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
also-notify { 10.2.2.3; }; also-notify { 10.2.2.3; };
trusted-keys { managed-keys {
foo.com. 4 3 2 "abdefghijklmnopqrstuvwxyz"; foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz";
}; };
sig-validity-interval 45; sig-validity-interval 45;
max-cache-size 100000; max-cache-size 100000;
...@@ -342,8 +342,8 @@ zone "." { ...@@ -342,8 +342,8 @@ zone "." {
// pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; // pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
}; };
trusted-keys { managed-keys {
"." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; "." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
}; };
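Review bot: The anchor type written on the new side of both hunks is `static`, while the named.conf grammar regenerated in this same commit lists the keyword as `( static-key | initial-key )`; unless the parser accepts `static` as an abbreviation of `static-key`, this configuration will no longer load and the check it backs will fail on the fixture rather than on the feature. Using the documented spelling, `foo.com. static-key 4 3 2 "abdefghijklmnopqrstuvwxyz";` in the first hunk and `"." static-key 257 255 1 ...` in the second, keeps the fixture consistent with the grammar either way. The enclosing `view "test-view" in {` block of the first hunk continues outside it.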
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Generated by doc/misc/docbook-options.pl -->
<programlisting>
<command>dnssec-keys</command> { <replaceable>string</replaceable> ( static-key |
<command>initial-key</command> ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</programlisting>
...@@ -132,10 +132,14 @@ $ <userinput>make</userinput> ...@@ -132,10 +132,14 @@ $ <userinput>make</userinput>
parameters. By default the path to this configuration file is parameters. By default the path to this configuration file is
<filename>/etc/dns.conf</filename>. This module is very experimental <filename>/etc/dns.conf</filename>. This module is very experimental
and the configuration syntax or library interfaces may change in and the configuration syntax or library interfaces may change in
future versions. Currently, only the <command>trusted-keys</command> future versions. Currently, only static key configuration is supported.
statement is supported, whose syntax is the same as the same <command>managed-keys</command> and <command>trusted-keys</command>
statement in <filename>named.conf</filename>. (See statements are parsed exactly as they are in
<xref linkend="trusted-keys"/> for details.) <filename>named.conf</filename>, except that all
<command>managed-keys</command> entries will be treated as
if they were configured with the <command>static-key</command>
keyword, even if they are configured with <command>initial-key</command>.
(See <xref linkend="managed-keys"/> for syntax details.)
</para> </para>
</section> </section>
<section> <section>
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
<!-- Generated by doc/misc/docbook-options.pl --> <!-- Generated by doc/misc/docbook-options.pl -->
<programlisting> <programlisting>
<command>managed-keys</command> { <replaceable>string</replaceable> <replaceable>string</replaceable> <replaceable>integer</replaceable> <command>managed-keys</command> { <replaceable>string</replaceable> ( static-key |
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; <command>initial-key</command> ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</programlisting> </programlisting>
...@@ -24,11 +24,10 @@ ...@@ -24,11 +24,10 @@
<!-- TODO: command tag is overloaded for configuration and executables --> <!-- TODO: command tag is overloaded for configuration and executables -->
<para>To configure a validating resolver to use RFC 5011 to <para>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a maintain a trust anchor, configure the trust anchor using a
<command>managed-keys</command> statement. Information about <command>dnssec-keys</command> statement and the
<command>initial-key</command> keyword. Information about
this can be found in this can be found in
<xref linkend="managed-keys"/>.</para> <xref linkend="dnssec-keys"/>.</para>
<!-- TODO: managed-keys examples
also in DNSSEC section above here in ARM -->
</section> </section>
<section><info><title>Authoritative Server</title></info> <section><info><title>Authoritative Server</title></info>
...@@ -89,7 +89,6 @@ ...@@ -89,7 +89,6 @@
<command>dnsrps-options</command> { <replaceable>unspecified-text</replaceable> }; <command>dnsrps-options</command> { <replaceable>unspecified-text</replaceable> };
<command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>; <command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>;
<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>; <command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
<command>dnssec-enable</command> <replaceable>boolean</replaceable>;
<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>; <command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
<command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor <command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no ); <replaceable>string</replaceable> | auto | no );
...@@ -241,11 +240,12 @@ ...@@ -241,11 +240,12 @@
<command>resolver-retry-interval</command> <replaceable>integer</replaceable>; <command>resolver-retry-interval</command> <replaceable>integer</replaceable>;
<command>response-padding</command> { <replaceable>address_match_element</replaceable>; ... } block-size <command>response-padding</command> { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>; <replaceable>integer</replaceable>;
<command>response-policy</command> { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl <command>response-policy</command> { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname | <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<command>disabled</command> | drop | given | no-op | nodata | nxdomain | passthru <replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [ <command>nodata</command> | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
<command>nsip-enable</command> <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ <command>recursive-only</command> <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
<command>nsdname-enable</command> <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
<command>break-dnssec</command> <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ <command>break-dnssec</command> <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
<command>min-update-interval</command> <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [ <command>min-update-interval</command> <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
<command>nsip-wait-recurse</command> <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ] <command>nsip-wait-recurse</command> <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
<!-- Generated by doc/misc/docbook-options.pl --> <!-- Generated by doc/misc/docbook-options.pl -->
<programlisting> <programlisting>
<command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
</programlisting> </programlisting>
...@@ -71,5 +71,6 @@ docbook: options ...@@ -71,5 +71,6 @@ docbook: options
${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml ${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml
${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml ${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml
${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml ${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml ${PERL} docbook-grammars.pl options dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml
${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml ${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
...@@ -128,8 +128,9 @@ while (<FH>) { ...@@ -128,8 +128,9 @@ while (<FH>) {
s{ // not configured}{}; s{ // not configured}{};
s{ // non-operational}{}; s{ // non-operational}{};
s{ // may occur multiple times}{}; s{ (// )*may occur multiple times}{};
s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g; s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
s{ // deprecated,*}{// deprecated};
s{[[]}{[}g; s{[[]}{[}g;
s{[]]}{]}g; s{[]]}{]}g;
s{ }{\t}g; s{ }{\t}g;
...@@ -137,10 +138,24 @@ while (<FH>) { ...@@ -137,10 +138,24 @@ while (<FH>) {
my $HEADING = uc $1; my $HEADING = uc $1;
print <<END; print <<END;
<refsection><info><title>$HEADING</title></info> <refsection><info><title>$HEADING</title></info>
END
if ($1 eq "trusted-keys") {
print <<END;
<para>Deprecated - see DNSSEC-KEYS.</para>
END
}
if ($1 eq "managed-keys") {
print <<END;
<para>See DNSSEC-KEYS.</para>
END
}
print <<END;
<literallayout class="normal"> <literallayout class="normal">
END END
} }
if (m{^\s*$} && !$blank) { if (m{^\s*$} && !$blank) {
$blank = 1; $blank = 1;
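Review bot: The added `s{ // deprecated,*}{// deprecated};` in the first hunk does not appear to match the input it is meant for: the regenerated trusted-keys grammar elsewhere in this commit still ends in `};, deprecated`, which suggests the source marker is `// may occur multiple times, deprecated`, so the preceding `s{ (// )*may occur multiple times}{}` leaves `};, deprecated` behind, a string the new pattern never matches. A substitution for that residue, placed right after the multiple-times strip, would repair the generated text, e.g. `s{,\s*deprecated\s*$}{ // deprecated};` (note the existing pattern also drops the space before `//`, yielding `};// deprecated` when it does match). In the second hunk `$1` is read again after a `print <<END` and in two separate `if` tests; capturing it once, `my $section = $1; my $HEADING = uc $section;`, and testing `$section` with `if`/`elsif` is more robust, since the match that set it is above the hunk. The enclosing `while (<FH>)` loop and that match start outside the hunk.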
...@@ -21,6 +21,10 @@ dlz <string> { ...@@ -21,6 +21,10 @@ dlz <string> {
search <boolean>; search <boolean>;
}; // may occur multiple times }; // may occur multiple times
dnssec-keys { <string> ( static-key |