Commit 3f42cf2f authored by Mark Andrews

2349. [func] Provide incremental re-signing support for secure

                        dynamic zones. [RT #1091]

back out incorrect branch rt1091 and apply correct branch rt1091a.
parent 60318da7
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: config.c,v 1.84 2008/01/22 23:28:04 tbox Exp $ */ /* $Id: config.c,v 1.85 2008/04/02 02:37:41 marka Exp $ */
/*! \file */ /*! \file */
...@@ -172,6 +172,9 @@ options {\n\ ...@@ -172,6 +172,9 @@ options {\n\
min-refresh-time 300;\n\ min-refresh-time 300;\n\
multi-master no;\n\ multi-master no;\n\
sig-validity-interval 30; /* days */\n\ sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65535;\n\
zone-statistics false;\n\ zone-statistics false;\n\
max-journal-size unlimited;\n\ max-journal-size unlimited;\n\
ixfr-from-differences false;\n\ ixfr-from-differences false;\n\
......
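Review bot: The new default `sig-signing-type 65535;` picks the one RR type code the IANA RR TYPE registry marks Reserved, while 65280-65534 is the private-use range, so the default type under which the signer adds its records is technically not a private-use type. A default inside that range, e.g. `sig-signing-type 65534;`, avoids a collision should 65535 ever be assigned; the docbook and ARM text would need the same value. The `/* days */` comment on `sig-validity-interval 30;` is now incomplete, since the option accepts an optional second re-sign field; `/* days [re-sign interval] */` keeps it accurate.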
...@@ -17,7 +17,7 @@ ...@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- $Id: named.conf.docbook,v 1.36 2008/01/02 23:47:01 tbox Exp $ --> <!-- $Id: named.conf.docbook,v 1.37 2008/04/02 02:37:41 marka Exp $ -->
<refentry> <refentry>
<refentryinfo> <refentryinfo>
<date>Aug 13, 2004</date> <date>Aug 13, 2004</date>
...@@ -316,7 +316,12 @@ options { ...@@ -316,7 +316,12 @@ options {
max-refresh-time <replaceable>integer</replaceable>; max-refresh-time <replaceable>integer</replaceable>;
min-refresh-time <replaceable>integer</replaceable>; min-refresh-time <replaceable>integer</replaceable>;
multi-master <replaceable>boolean</replaceable>; multi-master <replaceable>boolean</replaceable>;
sig-validity-interval <replaceable>integer</replaceable>; sig-validity-interval <replaceable>integer</replaceable>;
sig-re-signing-interval <replaceable>integer</replaceable>;
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
transfer-source ( <replaceable>ipv4_address</replaceable> | * ) transfer-source ( <replaceable>ipv4_address</replaceable> | * )
<optional> port ( <replaceable>integer</replaceable> | * ) </optional>; <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: update.c,v 1.144 2008/04/01 23:47:10 tbox Exp $ */ /* $Id: update.c,v 1.145 2008/04/02 02:37:41 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -322,6 +322,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, ...@@ -322,6 +322,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff. * Create a singleton diff.
*/ */
dns_diff_init(diff->mctx, &temp_diff); dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/* /*
...@@ -1842,8 +1843,6 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, ...@@ -1842,8 +1843,6 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdata_rrsig_t rrsig; dns_rdata_rrsig_t rrsig;
isc_boolean_t found; isc_boolean_t found;
fprintf(stderr, "del_keysigs\n");
dns_rdataset_init(&rdataset); dns_rdataset_init(&rdataset);
result = dns_db_findnode(db, name, ISC_FALSE, &node); result = dns_db_findnode(db, name, ISC_FALSE, &node);
...@@ -1944,6 +1943,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, ...@@ -1944,6 +1943,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_init(client->mctx, &affected); dns_diff_init(client->mctx, &affected);
dns_diff_init(client->mctx, &sig_diff); dns_diff_init(client->mctx, &sig_diff);
sig_diff.resign = dns_zone_getsigresigninginterval(zone);
dns_diff_init(client->mctx, &nsec_diff); dns_diff_init(client->mctx, &nsec_diff);
dns_diff_init(client->mctx, &nsec_mindiff); dns_diff_init(client->mctx, &nsec_mindiff);
...@@ -2037,7 +2037,6 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, ...@@ -2037,7 +2037,6 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* Special case changes to the zone's DNSKEY records * Special case changes to the zone's DNSKEY records
* to support offline KSKs. * to support offline KSKs.
*/ */
fprintf(stderr, "delete signatures %u\n", type);
if (type == dns_rdatatype_dnskey) if (type == dns_rdatatype_dnskey)
del_keysigs(db, newver, name, &sig_diff, del_keysigs(db, newver, name, &sig_diff,
zone_keys, nkeys); zone_keys, nkeys);
...@@ -2547,7 +2546,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone, ...@@ -2547,7 +2546,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
static isc_result_t static isc_result_t
add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver, add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
dns_diff_t *diff) dns_rdatatype_t privatetype, dns_diff_t *diff)
{ {
isc_result_t result = ISC_R_SUCCESS; isc_result_t result = ISC_R_SUCCESS;
dns_difftuple_t *tuple, *newtuple = NULL; dns_difftuple_t *tuple, *newtuple = NULL;
...@@ -2579,7 +2578,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver, ...@@ -2579,7 +2578,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
buf[3] = 0; buf[3] = 0;
rdata.data = buf; rdata.data = buf;
rdata.length = sizeof(buf); rdata.length = sizeof(buf);
rdata.type = 0xFFFF; /* XXXMPA make user settable */ rdata.type = privatetype;
rdata.rdclass = tuple->rdata.rdclass; rdata.rdclass = tuple->rdata.rdclass;
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
...@@ -2812,18 +2811,17 @@ update_action(isc_task_t *task, isc_event_t *event) { ...@@ -2812,18 +2811,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
* "Unlike traditional dynamic update, the client * "Unlike traditional dynamic update, the client
* is forbidden from updating NSEC records." * is forbidden from updating NSEC records."
*/ */
if (dns_db_isdnssec(db)) { if (dns_db_issecure(db)) {
if (rdata.type == dns_rdatatype_nsec) { if (rdata.type == dns_rdatatype_nsec) {
FAILC(DNS_R_REFUSED, FAILC(DNS_R_REFUSED,
"explicit NSEC updates are not allowed " "explicit NSEC updates are not allowed "
"in secure zones"); "in secure zones");
} } else if (rdata.type == dns_rdatatype_rrsig &&
else if (rdata.type == dns_rdatatype_rrsig && !dns_name_equal(name, zonename)) {
!dns_name_equal(name, zonename)) {
FAILC(DNS_R_REFUSED, FAILC(DNS_R_REFUSED,
"explicit RRSIG updates are currently " "explicit RRSIG updates are currently "
"not supported in secure zones except " "not supported in secure zones except "
"at the apex."); "at the apex");
} }
} }
...@@ -3113,7 +3111,9 @@ update_action(isc_task_t *task, isc_event_t *event) { ...@@ -3113,7 +3111,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
CHECK(remove_orphaned_ds(db, ver, &diff)); CHECK(remove_orphaned_ds(db, ver, &diff));
CHECK(add_signing_records(db, zonename, ver, &diff)); CHECK(add_signing_records(db, zonename, ver,
dns_zone_getprivatetype(zone),
&diff));
CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey, CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
0, &has_dnskey)); 0, &has_dnskey));
......
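Review bot: The guard on explicit NSEC/RRSIG updates now tests `dns_db_issecure(db)` rather than `dns_db_isdnssec(db)`, and the hunk gives no hint of how the two differ; if a zone can hold NSEC records while `dns_db_issecure` is still false (for instance before the apex DNSKEY is present), a client could push NSEC records that the previous check refused. A short comment above the `if`, stating the condition `dns_db_issecure` actually tests and why it is the right gate here, would make the change reviewable — I cannot confirm the semantics from this page and would check the function's definition. Separately, `add_signing_records` gained a `privatetype` parameter with no documentation; a line such as `/* privatetype: RR type (configured via sig-signing-type) given to the records this function creates */` before the definition covers it. Both `update_action` and `add_signing_records` extend beyond the hunks shown.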
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: zoneconf.c,v 1.142 2008/01/18 23:46:57 tbox Exp $ */ /* $Id: zoneconf.c,v 1.143 2008/04/02 02:37:41 marka Exp $ */
/*% */ /*% */
...@@ -365,6 +365,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, ...@@ -365,6 +365,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE; isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
isc_boolean_t ixfrdiff; isc_boolean_t ixfrdiff;
dns_masterformat_t masterformat; dns_masterformat_t masterformat;
int seconds;
i = 0; i = 0;
if (zconfig != NULL) { if (zconfig != NULL) {
...@@ -665,8 +666,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, ...@@ -665,8 +666,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL; obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj); result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS); INSIST(result == ISC_R_SUCCESS);
dns_zone_setsigvalidityinterval(zone, {
cfg_obj_asuint32(obj) * 86400); const cfg_obj_t *validity, *resign;
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity) * 86400;
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else {
if (seconds > 7 * 86400)
seconds = cfg_obj_asuint32(resign) *
86400;
else
seconds = cfg_obj_asuint32(resign) *
3600;
}
dns_zone_setsigresigninginterval(zone, seconds);
}
obj = NULL; obj = NULL;
result = ns_config_get(maps, "key-directory", &obj); result = ns_config_get(maps, "key-directory", &obj);
...@@ -681,6 +700,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, ...@@ -681,6 +700,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
RETERR(dns_zone_setkeydirectory(zone, filename)); RETERR(dns_zone_setkeydirectory(zone, filename));
} }
obj = NULL;
result = ns_config_get(maps, "sig-signing-signatures", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "sig-signing-nodes", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "sig-signing-type", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update-forwarding", ac, zone,
dns_zone_setforwardacl,
dns_zone_clearforwardacl));
}
/*%
* Primary master functionality.
*/
if (ztype == dns_zone_master) {
obj = NULL; obj = NULL;
result = ns_config_get(maps, "check-wildcard", &obj); result = ns_config_get(maps, "check-wildcard", &obj);
if (result == ISC_R_SUCCESS) if (result == ISC_R_SUCCESS)
...@@ -739,59 +791,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, ...@@ -739,59 +791,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(0); INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn); dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore); dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
obj = NULL;
result = ns_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
}
/*
* Configure update-related options. These apply to
* primary masters only.
*/
if (ztype == dns_zone_master) {
dns_acl_t *updateacl;
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update", ac, zone,
dns_zone_setupdateacl,
dns_zone_clearupdateacl));
updateacl = dns_zone_getupdateacl(zone);
if (updateacl != NULL && dns_acl_isinsecure(updateacl))
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"zone '%s' allows updates by IP "
"address, which is insecure",
zname);
RETERR(configure_zone_ssutable(zoptions, zone));
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsigvalidityinterval(zone,
cfg_obj_asuint32(obj) * 86400);
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
if (result == ISC_R_SUCCESS) {
filename = cfg_obj_asstring(obj);
if (!isc_file_isabsolute(filename)) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
"key-directory '%s' "
"is not absolute", filename);
return (ISC_R_FAILURE);
}
RETERR(dns_zone_setkeydirectory(zone, filename));
}
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update-forwarding", ac, zone,
dns_zone_setforwardacl,
dns_zone_clearforwardacl));
} }
/* /*
......
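Review bot: Nothing in the new `sig-validity-interval` block checks the explicit re-sign interval against the validity interval, so a configuration such as `sig-validity-interval 30 40;` produces a re-signing interval longer than the signature lifetime and the RRSIGs expire before the zone re-signs them — a validation outage for every name in the zone. Keep the validity value in its own local and reject the inconsistent case before `dns_zone_setsigresigninginterval`, e.g. `if (seconds >= validity_seconds) { cfg_obj_log(resign, ns_g_lctx, ISC_LOG_ERROR, "re-sign interval must be shorter than sig-validity-interval"); return (ISC_R_RANGE); }`. The same block stores `cfg_obj_asuint32(validity) * 86400` in an `int` with no visible bound, so unless the config grammar already caps the value at the 3660 days the ARM documents, large values wrap. Further down, `dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj))` passes a full 32-bit value with no check that it lies in the private-use RR type range (65280-65534); if the setter takes a `dns_rdatatype_t` the value is silently truncated. `ns_zone_configure` starts and ends outside the hunks shown.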
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: nsupdate.c,v 1.158 2008/04/01 01:37:24 marka Exp $ */ /* $Id: nsupdate.c,v 1.159 2008/04/02 02:37:41 marka Exp $ */
/*! \file */ /*! \file */
...@@ -1126,8 +1126,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) { ...@@ -1126,8 +1126,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
result = dns_message_gettemprdata(updatemsg, &rdata); result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata"); check_result(result, "dns_message_gettemprdata");
rdata->data = NULL; dns_rdata_init(rdata);
rdata->length = 0;
if (isrrset && ispositive) { if (isrrset && ispositive) {
retval = parse_rdata(&cmdline, rdataclass, rdatatype, retval = parse_rdata(&cmdline, rdataclass, rdatatype,
...@@ -1446,10 +1445,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) { ...@@ -1446,10 +1445,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
result = dns_message_gettemprdata(updatemsg, &rdata); result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata"); check_result(result, "dns_message_gettemprdata");
rdata->rdclass = 0; dns_rdata_init(rdata);
rdata->type = 0;
rdata->data = NULL;
rdata->length = 0;
/* /*
* If this is an add, read the TTL and verify that it's in range. * If this is an add, read the TTL and verify that it's in range.
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: lwtest.c,v 1.31 2008/01/14 23:46:56 tbox Exp $ */ /* $Id: lwtest.c,v 1.32 2008/04/02 02:37:42 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -764,7 +764,7 @@ main(void) { ...@@ -764,7 +764,7 @@ main(void) {
test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1); test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1);
test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1); test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1);
test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0); test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0);
test_getrrsetbyname("e.example1.", 1, 46, 1, 0, 1); test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
test_getrrsetbyname("", 1, 1, 0, 0, 0); test_getrrsetbyname("", 1, 1, 0, 0, 0);
if (fails == 0) if (fails == 0)
......
; File written on Wed Mar 5 10:20:40 2008
; dnssec_signzone version 9.3.4-P1
e.example1. 300 IN SOA mname1. . (
2002082210 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
300 RRSIG SOA 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KtYwrnKM7Tu53BNf8XuTix53r9kDdCneJ1X7
xklFbp4YjRKC3NhwVK9PFe0jdHOkIDMtrwxn
n7/Rp07xIyURqw== )
300 NS ns.e.example1.
300 RRSIG NS 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KBPx3XmNl4swVPdwuUEFuzZedMSfsyK2a0Fu
o2wBnbCuS7G7DtfW9690lP/eTyixLOIwlFLQ
MrjN3+XgpkdgIw== )
300 A 10.0.1.1
300 RRSIG A 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KYlxMQUvv8DQtVgS23lNL5tFYmRppJ7vTgH3
btvgKbyHxW/04ewRsgCa82iu3iJipdEhKM11
ALkRNhqL7frnig== )
3600 NSEC ns.e.example1. A NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 5 2 3600 20010101000000 (
20000101000000 14043 e.example1.
azSgagb7bldM06qSZg8nDZWOY2FbqeZY0/T8
nC+6VhCs7YTfNvXynLWmvmpqL7gVT6/O+Yi2
2lmdntld7GORrQ== )
300 DNSKEY 256 3 5 (
AwEAAcvAUMfH7wA0z077fJaF7RMrxAFyvo0/
7aAL4d2/yA5TqTaUCVnJtE+XgGO34kH9mwae
we+Nyv2kRWDeLl6nhGk=
) ; key id = 14043
300 RRSIG DNSKEY 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
BQFWOHopXuBNdzcopkdl1YVKGF0QvIaYpywM
fcpG5gi+sy9EoTofQ1UGsLOjU3nFXCvJFG4K
1gUhzEEti440/g== )
ns.e.example1. 300 IN A 10.53.0.1
300 RRSIG A 5 3 300 20010101000000 (
20000101000000 14043 e.example1.
cYPzsWNQ/eL4h2lihKRjKT2jhGpOqV9woGJA
/Jstx2iethOAvYtgY22CsAbCUr/6E4bSgBZR
TMoC604cNdFzIw== )
3600 NSEC e.example1. A RRSIG NSEC
3600 RRSIG NSEC 5 3 3600 20010101000000 (
20000101000000 14043 e.example1.
J8Md544zDLP4GjyAtkjH/rSFvpzXY/7bgJRS
YDoARwFQRmlrJvavXEjqElb2fTQqlNNz1cal
QROz/WJ3GLwOWw== )
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE. ; PERFORMANCE OF THIS SOFTWARE.
; $Id: example1.db,v 1.17 2007/06/19 23:47:04 tbox Exp $ ; $Id: example1.db,v 1.18 2008/04/02 02:37:42 marka Exp $
$TTL 300 ; 5 minutes $TTL 300 ; 5 minutes
@ IN SOA mname1. . ( @ IN SOA mname1. . (
...@@ -32,7 +32,4 @@ a3 CNAME nowhere ...@@ -32,7 +32,4 @@ a3 CNAME nowhere
b AAAA eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff b AAAA eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff
8.8.7.7 DNAME net 8.8.7.7 DNAME net
0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR dname 0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR dname
e A 10.0.1.1 e NS ns.e
RRSIG A 1 1 300 20001202003412 (
20001102003412 1 example. abcd )
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.19 2007/06/19 23:47:04 tbox Exp $ */ /* $Id: named.conf,v 1.20 2008/04/02 02:37:42 marka Exp $ */
controls { /* empty */ }; controls { /* empty */ };
...@@ -43,6 +43,11 @@ zone "example1." { ...@@ -43,6 +43,11 @@ zone "example1." {
file "example1.db"; file "example1.db";
}; };
zone "e.example1." {
type master;
file "e.example1.db";
};
zone "example2." { zone "example2." {
type master; type master;
file "example2.db"; file "example2.db";
......
...@@ -18,7 +18,7 @@ ...@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.347 2008/03/31 14:42:50 fdupont Exp $ --> <!-- File: $Id: Bv9ARM-book.xml,v 1.348 2008/04/02 02:37:42 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude"> <book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title> <title>BIND 9 Administrator Reference Manual</title>
...@@ -4553,6 +4553,10 @@ category notify { null; }; ...@@ -4553,6 +4553,10 @@ category notify { null; };
<optional> max-ncache-ttl <replaceable>number</replaceable>; </optional> <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
<optional> max-cache-ttl <replaceable>number</replaceable>; </optional> <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> ; </optional> <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-re-signing-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> min-roots <replaceable>number</replaceable>; </optional> <optional> min-roots <replaceable>number</replaceable>; </optional>
<optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional> <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional> <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
...@@ -7256,22 +7260,76 @@ query-source-v6 address * port *; ...@@ -7256,22 +7260,76 @@ query-source-v6 address * port *;
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><command>sig-validity-interval</command></term> <term><command>sig-validity-interval</command></term>
<listitem> <listitem>
<para> <para>
Specifies the number of days into the Specifies the number of days into the future when
future when DNSSEC signatures automatically generated as a DNSSEC signatures automatically generated as a
result result of dynamic updates (<xref
of dynamic updates (<xref linkend="dynamic_update"/>) linkend="dynamic_update"/>) will expire. There
will expire. The default is <literal>30</literal> days. is a optional second field which specifies how
The maximum value is 10 years (3660 days). The signature long before expiry that the signatures will be
inception time is unconditionally set to one hour before the regenerated. If not specified the signatures will
current time be regenerated at 1/4 of base interval. The second
to allow for a limited amount of clock skew. field is specified in days if the base interval is
</para> greater than 7 days otherwise it is specified in hours.
</listitem> The default base interval is <literal>30</literal> days
</varlistentry> giving a re-signing interval of 7 1/2 days . The maximum
values are 10 years (3660 days).
</para>
<para>
The signature inception time is unconditionally
set to one hour before the current time to allow
for a limited amount of clock skew.
</para>