Commit 3970098d authored by Mark Andrews

regen documentation

parent 93d6dfaf
......@@ -19,7 +19,7 @@
named-checkconf \- named configuration file syntax checking tool
.SH SYNOPSIS
.sp
\fBnamed-checkconf\fR [ \fB-v\fR ] [ \fB-t \fIdirectory\fB\fR ] \fBfilename\fR [ \fB-z\fR ]
\fBnamed-checkconf\fR [ \fB-v\fR ] [ \fB-j\fR ] [ \fB-t \fIdirectory\fB\fR ] \fBfilename\fR [ \fB-z\fR ]
.SH "DESCRIPTION"
.PP
\fBnamed-checkconf\fR checks the syntax, but not
......@@ -39,6 +39,9 @@ program and exit.
Perform a check load the master zonefiles found in
\fInamed.conf\fR.
.TP
\fB-j\fR
When loading a zonefile read the journal if it exists.
.TP
\fBfilename\fR
The name of the configuration file to be checked. If not
specified, it defaults to \fI/etc/named.conf\fR.
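Review bot: the new -j entry does not say that it depends on -z, although the only zone loading described in this hunk is the -z check load. Suggest wording such as "When loading a zone file with -z, read the journal if it exists", which also matches the "zone file" spelling used for the same option in named-checkzone.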
......
......@@ -20,7 +20,7 @@
>named-checkconf</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
......@@ -64,6 +64,9 @@ CLASS="OPTION"
>-v</TT
>] [<TT
CLASS="OPTION"
>-j</TT
>] [<TT
CLASS="OPTION"
>-t <TT
CLASS="REPLACEABLE"
><I
......@@ -78,7 +81,7 @@ CLASS="OPTION"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN24"
NAME="AEN26"
></A
><H2
>DESCRIPTION</H2
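Review bot: the anchor change here (NAME="AEN24" becoming NAME="AEN26") is generator renumbering, and the same shift recurs in every REFSECT1 block of the regenerated HTML, so any link to a section fragment breaks whenever an option is added. Consider giving the DocBook sections explicit ids so the generated anchor names stay stable across regens.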
......@@ -93,7 +96,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN28"
NAME="AEN30"
></A
><H2
>OPTIONS</H2
......@@ -142,6 +145,13 @@ CLASS="FILENAME"
</P
></DD
><DT
>-j</DT
><DD
><P
> When loading a zonefile read the journal if it exists.
</P
></DD
><DT
>filename</DT
><DD
><P
......@@ -158,7 +168,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN52"
NAME="AEN58"
></A
><H2
>RETURN VALUES</H2
......@@ -173,7 +183,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN56"
NAME="AEN62"
></A
><H2
>SEE ALSO</H2
......@@ -194,7 +204,7 @@ CLASS="CITETITLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN63"
NAME="AEN69"
></A
><H2
>AUTHOR</H2
......
......@@ -19,7 +19,7 @@
named-checkzone \- zone file validity checking tool
.SH SYNOPSIS
.sp
\fBnamed-checkzone\fR [ \fB-d\fR ] [ \fB-q\fR ] [ \fB-v\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-w \fIdirectory\fB\fR ] \fBzonename\fR \fBfilename\fR
\fBnamed-checkzone\fR [ \fB-d\fR ] [ \fB-j\fR ] [ \fB-q\fR ] [ \fB-v\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-n \fImode\fB\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-w \fIdirectory\fB\fR ] \fBzonename\fR \fBfilename\fR
.SH "DESCRIPTION"
.PP
\fBnamed-checkzone\fR checks the syntax and integrity of
......@@ -39,9 +39,18 @@ Quiet mode - exit code only.
Print the version of the \fBnamed-checkzone\fR
program and exit.
.TP
\fB-j\fR
When loading the zone file read the journal if it exists.
.TP
\fB-c \fIclass\fB\fR
Specify the class of the zone. If not specified "IN" is assumed.
.TP
\fB-n \fImode\fB\fR
Specify whether NS records should be checked to see if they
are addresses. Possible modes are \fB"fail"\fR,
\fB"warn"\fR (default) and
\fB"ignore"\fR.
.TP
\fB-t \fIdirectory\fB\fR
chroot to \fIdirectory\fR so that include
directives in the configuration file are processed as if
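Review bot: in the new -n entry, "checked to see if they are addresses" is ambiguous, since an NS record holds a name; presumably the check is for NS targets that look like IP addresses. Suggest saying that explicitly, and dropping the literal quotation marks inside the bold mode names (\fB"fail"\fR) so readers do not type the quotes as part of the mode.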
......
......@@ -20,7 +20,7 @@
>named-checkzone</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
......@@ -64,6 +64,9 @@ CLASS="OPTION"
>-d</TT
>] [<TT
CLASS="OPTION"
>-j</TT
>] [<TT
CLASS="OPTION"
>-q</TT
>] [<TT
CLASS="OPTION"
......@@ -78,6 +81,14 @@ CLASS="REPLACEABLE"
></TT
>] [<TT
CLASS="OPTION"
>-n <TT
CLASS="REPLACEABLE"
><I
>mode</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-t <TT
CLASS="REPLACEABLE"
><I
......@@ -97,7 +108,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN33"
NAME="AEN38"
></A
><H2
>DESCRIPTION</H2
......@@ -121,7 +132,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
NAME="AEN44"
></A
><H2
>OPTIONS</H2
......@@ -156,6 +167,13 @@ CLASS="COMMAND"
</P
></DD
><DT
>-j</DT
><DD
><P
> When loading the zone file read the journal if it exists.
</P
></DD
><DT
>-c <TT
CLASS="REPLACEABLE"
><I
......@@ -168,6 +186,30 @@ CLASS="REPLACEABLE"
</P
></DD
><DT
>-n <TT
CLASS="REPLACEABLE"
><I
>mode</I
></TT
></DT
><DD
><P
> Specify whether NS records should be checked to see if they
are addresses. Possible modes are <B
CLASS="COMMAND"
>"fail"</B
>,
<B
CLASS="COMMAND"
>"warn"</B
> (default) and
<B
CLASS="COMMAND"
>"ignore"</B
>.
</P
></DD
><DT
>-t <TT
CLASS="REPLACEABLE"
><I
......@@ -225,7 +267,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN81"
NAME="AEN98"
></A
><H2
>RETURN VALUES</H2
......@@ -240,7 +282,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN85"
NAME="AEN102"
></A
><H2
>SEE ALSO</H2
......@@ -265,7 +307,7 @@ CLASS="CITETITLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN93"
NAME="AEN110"
></A
><H2
>AUTHOR</H2
......
......@@ -86,7 +86,8 @@ ANY, A, MX, SIG, etc.
.PP
The \fB-b\fR option sets the source IP address of the query
to \fIaddress\fR. This must be a valid address on
one of the host's network interfaces.
one of the host's network interfaces or "0.0.0.0" or "::". An optional port
may be specified by appending "#<port>"
.PP
The default query class (IN for internet) is overridden by the
\fB-c\fR option. \fIclass\fR is any valid
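Review bot: the sentence added to the -b paragraph ends without a full stop (may be specified by appending "#<port>") and does not say what "0.0.0.0" or "::" mean as a source. Suggest terminating the sentence and adding a clause that these are the wildcard addresses, leaving the choice of source address to the host.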
......@@ -126,9 +127,10 @@ When this option is used, there is no need to provide the
automatically performs a lookup for a name like
11.12.13.10.in-addr.arpa and sets the query type and
class to PTR and IN respectively. By default, IPv6 addresses are
looked up using the IP6.ARPA domain and binary labels as defined in
RFC2874. To use the older RFC1886 method using the IP6.INT domain and
"nibble" labels, specify the \fB-n\fR (nibble) option.
looked up using nibble format under the IP6.ARPA domain.
To use the older RFC1886 method using the IP6.INT domain
specify the \fB-i\fR option. Bit string labels (RFC2874)
are now experimental and are not attempted.
.PP
To sign the DNS queries sent by \fBdig\fR and their
responses using transaction signatures (TSIG), specify a TSIG key file
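Review bot: the -x paragraph moves the IP6.INT selector from -n to -i without saying what -n does now. Invocations written against the old text pass -n to get nibble labels under IP6.INT; state whether -n is still accepted, and with what meaning, or document it as removed.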
......@@ -190,7 +192,7 @@ The search list is not used by default.
Deprecated, treated as a synonym for \fI+[no]search\fR
.TP
\fB+[no]aaonly\fR
This option does nothing. It is provided for compatibilty with old
This option does nothing. It is provided for compatibility with old
versions of \fBdig\fR where it set an unimplemented
resolver flag.
.TP
......@@ -204,7 +206,13 @@ completeness.
Set [do not set] the CD (checking disabled) bit in the query. This
requests the server to not perform DNSSEC validation of responses.
.TP
\fB+[no]recursive\fR
\fB+[no]cl\fR
Display [do not display] the CLASS when printing the record.
.TP
\fB+[no]ttlid\fR
Display [do not display] the TTL when printing the record.
.TP
\fB+[no]recurse\fR
Toggle the setting of the RD (recursion desired) bit in the query.
This bit is set by default, which means \fBdig\fR
normally sends recursive queries. Recursion is automatically disabled
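Review bot: the option heading changes from +[no]recursive to +[no]recurse with no mention of the old spelling. Say whether +[no]recursive is still accepted as a synonym, so existing scripts that use it are not left guessing. The two new entries, +[no]cl and +[no]ttlid, could also state their defaults, as the +[no]recurse entry does.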
......@@ -323,7 +331,7 @@ The default is to not display malformed answers.
.TP
\fB+[no]dnssec\fR
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
in the the OPT record in the additional section of the query.
in the OPT record in the additional section of the query.
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of \fBdig \fR supports
......
......@@ -20,7 +20,7 @@
>dig</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
......@@ -312,7 +312,8 @@ CLASS="PARAMETER"
>address</I
></TT
>. This must be a valid address on
one of the host's network interfaces.</P
one of the host's network interfaces or "0.0.0.0" or "::". An optional port
may be specified by appending "#&lt;port&gt;"</P
><P
>The default query class (IN for internet) is overridden by the
<TT
......@@ -438,12 +439,13 @@ CLASS="LITERAL"
>11.12.13.10.in-addr.arpa</TT
> and sets the query type and
class to PTR and IN respectively. By default, IPv6 addresses are
looked up using the IP6.ARPA domain and binary labels as defined in
RFC2874. To use the older RFC1886 method using the IP6.INT domain and
"nibble" labels, specify the <TT
looked up using nibble format under the IP6.ARPA domain.
To use the older RFC1886 method using the IP6.INT domain
specify the <TT
CLASS="OPTION"
>-n</TT
> (nibble) option.</P
>-i</TT
> option. Bit string labels (RFC2874)
are now experimental and are not attempted.</P
><P
>To sign the DNS queries sent by <B
CLASS="COMMAND"
......@@ -647,7 +649,7 @@ CLASS="OPTION"
></DT
><DD
><P
>This option does nothing. It is provided for compatibilty with old
>This option does nothing. It is provided for compatibility with old
versions of <B
CLASS="COMMAND"
>dig</B
......@@ -679,7 +681,25 @@ requests the server to not perform DNSSEC validation of responses.</P
><DT
><TT
CLASS="OPTION"
>+[no]recursive</TT
>+[no]cl</TT
></DT
><DD
><P
>Display [do not display] the CLASS when printing the record.</P
></DD
><DT
><TT
CLASS="OPTION"
>+[no]ttlid</TT
></DT
><DD
><P
>Display [do not display] the TTL when printing the record.</P
></DD
><DT
><TT
CLASS="OPTION"
>+[no]recurse</TT
></DT
><DD
><P
......@@ -1020,7 +1040,7 @@ CLASS="OPTION"
><DD
><P
>Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
in the the OPT record in the additional section of the query.</P
in the OPT record in the additional section of the query.</P
></DD
></DL
></DIV
......@@ -1029,7 +1049,7 @@ in the the OPT record in the additional section of the query.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN345"
NAME="AEN355"
></A
><H2
>MULTIPLE QUERIES</H2
......@@ -1113,7 +1133,7 @@ CLASS="LITERAL"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN363"
NAME="AEN373"
></A
><H2
>FILES</H2
......@@ -1131,7 +1151,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN369"
NAME="AEN379"
></A
><H2
>SEE ALSO</H2
......@@ -1165,7 +1185,7 @@ CLASS="CITETITLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN382"
NAME="AEN392"
></A
><H2
>BUGS </H2
......
......@@ -19,7 +19,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH SYNOPSIS
.sp
\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-f \fIflag\fB\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
.SH "DESCRIPTION"
.PP
\fBdnssec-keygen\fR generates keys for DNSSEC
......@@ -59,6 +59,10 @@ the specified class. If not specified, class IN is used.
\fB-e\fR
If generating an RSA key, use a large exponent.
.TP
\fB-f \fIflag\fB\fR
Set the specified flag in the flag field of the key record.
The only recognized flag is KSK (Key Signing Key).
.TP
\fB-g \fIgenerator\fB\fR
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
......
......@@ -20,7 +20,7 @@
>dnssec-keygen</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
......@@ -87,6 +87,14 @@ CLASS="OPTION"
>-e</TT
>] [<TT
CLASS="OPTION"
>-f <TT
CLASS="REPLACEABLE"
><I
>flag</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-g <TT
CLASS="REPLACEABLE"
><I
......@@ -141,7 +149,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN48"
NAME="AEN51"
></A
><H2
>DESCRIPTION</H2
......@@ -158,7 +166,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN52"
NAME="AEN55"
></A
><H2
>OPTIONS</H2
......@@ -246,6 +254,19 @@ CLASS="REPLACEABLE"
</P
></DD
><DT
>-f <TT
CLASS="REPLACEABLE"
><I
>flag</I
></TT
></DT
><DD
><P
> Set the specified flag in the flag field of the key record.
The only recognized flag is KSK (Key Signing Key).
</P
></DD
><DT
>-g <TT
CLASS="REPLACEABLE"
><I
......@@ -364,7 +385,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN121"
NAME="AEN129"
></A
><H2
>GENERATED KEYS</H2
......@@ -460,7 +481,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN148"
NAME="AEN156"
></A
><H2
>EXAMPLE</H2
......@@ -511,7 +532,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN161"
NAME="AEN169"
></A
><H2
>SEE ALSO</H2
......@@ -558,7 +579,7 @@ CLASS="CITETITLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN177"
NAME="AEN185"
></A
><H2
>AUTHOR</H2
......
......@@ -19,11 +19,11 @@
dnssec-signzone \- DNSSEC zone signing tool
.SH SYNOPSIS
.sp
\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-h\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
.SH "DESCRIPTION"
.PP
\fBdnssec-signzone\fR signs a zone. It generates NXT
and SIG records and produces a signed version of the zone. If there
\fBdnssec-signzone\fR signs a zone. It generates NSEC
and RRSIG records and produces a signed version of the zone. If there
is a \fIsignedkey\fR file from the zone's parent,
the parent's signatures will be incorporated into the generated
signed zone file. The security status of delegations from the the
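Review bot: the last context line of this hunk still reads "delegations from the the", the same doubled word this commit corrects in dig ("in the the OPT record"); fix it in the source for this page as well. The paragraph also still describes a signedkey file from the parent while the new -g option works from keyset files, so check that the description matches the current file naming.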
......@@ -38,26 +38,34 @@ Verify all generated signatures.
\fB-c \fIclass\fB\fR
Specifies the DNS class of the zone.
.TP
\fB-k \fIkey\fB\fR
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
.TP
\fB-d \fIdirectory\fB\fR
Look for \fIsignedkey\fR files in
\fBdirectory\fR as the directory
.TP
\fB-g\fR
Generate DS records for child zones from keyset files.
Existing DS records will be removed.
.TP
\fB-s \fIstart-time\fB\fR
Specify the date and time when the generated SIG records
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no \fBstart-time\fR is specified, the current
time is used.
time minus 1 hour (to allow for clock skew) is used.
.TP
\fB-e \fIend-time\fB\fR
Specify the date and time when the generated SIG records
Specify the date and time when the generated RRSIG records
expire. As with \fBstart-time\fR, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
the start time. A time relative to the current time is
indicated with now+N. If no \fBend-time\fR is
specified, 30 days from the start time is used as a default.
.TP
......@@ -74,7 +82,7 @@ Prints a short summary of the options and arguments to
When a previously signed zone is passed as input, records
may be resigned. The \fBinterval\fR option
specifies the cycle interval as an offset from the current
time (in seconds). If a SIG record expires after the
time (in seconds). If a RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
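Review bot: "If a RRSIG record expires" in the -i text should read "If an RRSIG record"; the SIG to RRSIG substitution left the old article behind.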
......@@ -83,7 +91,7 @@ between the signature end and start times. So if neither
\fBend-time\fR or \fBstart-time\fR
are specified, \fBdnssec-signzone\fR generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing SIG records
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
.TP
......@@ -117,6 +125,9 @@ Print statistics at completion.
\fB-v \fIlevel\fB\fR
Sets the debugging level.
.TP
\fB-z\fR
Ignore KSK flag on key when determining what to sign.
.TP
\fBzonefile\fR
The file containing the zone to be signed.
Sets the debugging level.
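Review bot: the zonefile entry at the end of this hunk is followed by a stray "Sets the debugging level.", which belongs to -v above. It is existing context, but it should be removed in the source rather than regenerated again. The new -z text ("Ignore KSK flag on key when determining what to sign") would also benefit from a sentence on how it relates to -k, which is described as "ignoring any key flags".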
......
......@@ -20,7 +20,7 @@
>dnssec-signzone</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
......@@ -80,14 +80,6 @@ CLASS="REPLACEABLE"
></TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e <TT
CLASS="REPLACEABLE"
><I
......@@ -104,9 +96,20 @@ CLASS="REPLACEABLE"
></TT
>] [<TT
CLASS="OPTION"
>-g</TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-k <TT
CLASS="REPLACEABLE"
><I
>key</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-i <TT
CLASS="REPLACEABLE"
><I
...