Commit 43b94483 authored by Tinderbox User's avatar Tinderbox User
Browse files

regen master

parent 27c3c21f
...@@ -141,7 +141,7 @@ Specify the format of the zone file. Possible formats are ...@@ -141,7 +141,7 @@ Specify the format of the zone file. Possible formats are
\fB"text"\fR \fB"text"\fR
(default), (default),
\fB"raw"\fR, and \fB"raw"\fR, and
\fB"fast"\fR. \fB"map"\fR.
.RE .RE
.PP .PP
\-F \fIformat\fR \-F \fIformat\fR
...@@ -152,7 +152,7 @@ Specify the format of the output file specified. For ...@@ -152,7 +152,7 @@ Specify the format of the output file specified. For
Possible formats are Possible formats are
\fB"text"\fR \fB"text"\fR
(default), which is the standard textual representation of the zone, and (default), which is the standard textual representation of the zone, and
\fB"fast"\fR, \fB"map"\fR,
\fB"raw"\fR, and \fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by \fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
\fBnamed\fR. \fBnamed\fR.
...@@ -177,7 +177,7 @@ checks with the specified failure mode. Possible modes are ...@@ -177,7 +177,7 @@ checks with the specified failure mode. Possible modes are
.PP .PP
\-L \fIserial\fR \-L \fIserial\fR
.RS 4 .RS 4
When compiling a zone to "raw" or "fast" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
.RE .RE
.PP .PP
\-m \fImode\fR \-m \fImode\fR
......
...@@ -132,7 +132,7 @@ ...@@ -132,7 +132,7 @@
<dd><p> <dd><p>
Specify the format of the zone file. Specify the format of the zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default), Possible formats are <span><strong class="command">"text"</strong></span> (default),
<span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"fast"</strong></span>. <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
</p></dd> </p></dd>
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt> <dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
<dd> <dd>
...@@ -145,7 +145,7 @@ ...@@ -145,7 +145,7 @@
<p> <p>
Possible formats are <span><strong class="command">"text"</strong></span> (default), Possible formats are <span><strong class="command">"text"</strong></span> (default),
which is the standard textual representation of the zone, which is the standard textual representation of the zone,
and <span><strong class="command">"fast"</strong></span>, <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
and <span><strong class="command">"raw=N"</strong></span>, which store the zone in a and <span><strong class="command">"raw=N"</strong></span>, which store the zone in a
binary format for rapid loading by <span><strong class="command">named</strong></span>. binary format for rapid loading by <span><strong class="command">named</strong></span>.
<span><strong class="command">"raw=N"</strong></span> specifies the format version of <span><strong class="command">"raw=N"</strong></span> specifies the format version of
...@@ -166,7 +166,7 @@ ...@@ -166,7 +166,7 @@
</p></dd> </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt> <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p> <dd><p>
When compiling a zone to "raw" or "fast" format, set the When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial "source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing number. (This is expected to be used primarily for testing
purposes.) purposes.)
......
...@@ -78,7 +78,7 @@ Output only those record types automatically managed by ...@@ -78,7 +78,7 @@ Output only those record types automatically managed by
\fBdnssec\-signzone\fR, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with \fBdnssec\-signzone\fR, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with
\fB$INCLUDE\fR. This option cannot be combined with \fB$INCLUDE\fR. This option cannot be combined with
\fB\-O raw\fR, \fB\-O raw\fR,
\fB\-O fast\fR, or serial number updating. \fB\-O map\fR, or serial number updating.
.RE .RE
.PP .PP
\-E \fIengine\fR \-E \fIengine\fR
...@@ -180,7 +180,7 @@ The format of the input zone file. Possible formats are ...@@ -180,7 +180,7 @@ The format of the input zone file. Possible formats are
\fB"text"\fR \fB"text"\fR
(default), (default),
\fB"raw"\fR, and \fB"raw"\fR, and
\fB"fast"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones. \fB"map"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
.RE .RE
.PP .PP
\-j \fIjitter\fR \-j \fIjitter\fR
...@@ -194,7 +194,7 @@ Signature lifetime jitter also to some extent benefits validators and servers by ...@@ -194,7 +194,7 @@ Signature lifetime jitter also to some extent benefits validators and servers by
.PP .PP
\-L \fIserial\fR \-L \fIserial\fR
.RS 4 .RS 4
When writing a signed zone to "raw" or "fast" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.) When writing a signed zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
.RE .RE
.PP .PP
\-n \fIncpus\fR \-n \fIncpus\fR
...@@ -240,7 +240,7 @@ The format of the output file containing the signed zone. Possible formats are ...@@ -240,7 +240,7 @@ The format of the output file containing the signed zone. Possible formats are
\fB"text"\fR \fB"text"\fR
(default), which is the standard textual representation of the zone; (default), which is the standard textual representation of the zone;
\fB"full"\fR, which is text output in a format suitable for processing by external scripts; and \fB"full"\fR, which is text output in a format suitable for processing by external scripts; and
\fB"fast"\fR, \fB"map"\fR,
\fB"raw"\fR, and \fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in binary formats for rapid loading by \fB"raw=N"\fR, which store the zone in binary formats for rapid loading by
\fBnamed\fR. \fBnamed\fR.
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]> [<!ENTITY mdash "&#8212;">]>
<!-- <!--
- Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium. - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- Permission to use, copy, modify, and/or distribute this software for any - Permission to use, copy, modify, and/or distribute this software for any
...@@ -45,6 +45,7 @@ ...@@ -45,6 +45,7 @@
<year>2009</year> <year>2009</year>
<year>2011</year> <year>2011</year>
<year>2012</year> <year>2012</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder> <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright> </copyright>
<copyright> <copyright>
......
...@@ -76,7 +76,7 @@ ...@@ -76,7 +76,7 @@
included. The resulting file can be included in the original included. The resulting file can be included in the original
zone file with <span><strong class="command">$INCLUDE</strong></span>. This option zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>, cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O fast</code>, or serial number updating. <code class="option">-O map</code>, or serial number updating.
</p></dd> </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt> <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p> <dd><p>
...@@ -191,7 +191,7 @@ ...@@ -191,7 +191,7 @@
<dd><p> <dd><p>
The format of the input zone file. The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default), Possible formats are <span><strong class="command">"text"</strong></span> (default),
<span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"fast"</strong></span>. <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
This option is primarily intended to be used for dynamic This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly. format containing updates can be signed directly.
...@@ -221,7 +221,7 @@ ...@@ -221,7 +221,7 @@
</dd> </dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt> <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p> <dd><p>
When writing a signed zone to "raw" or "fast" format, set the When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial "source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing number. (This is expected to be used primarily for testing
purposes.) purposes.)
...@@ -262,7 +262,7 @@ ...@@ -262,7 +262,7 @@
which is the standard textual representation of the zone; which is the standard textual representation of the zone;
<span><strong class="command">"full"</strong></span>, which is text output in a <span><strong class="command">"full"</strong></span>, which is text output in a
format suitable for processing by external scripts; format suitable for processing by external scripts;
and <span><strong class="command">"fast"</strong></span>, <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
and <span><strong class="command">"raw=N"</strong></span>, which store the zone in and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
binary formats for rapid loading by <span><strong class="command">named</strong></span>. binary formats for rapid loading by <span><strong class="command">named</strong></span>.
<span><strong class="command">"raw=N"</strong></span> specifies the format version of <span><strong class="command">"raw=N"</strong></span> specifies the format version of
......
...@@ -283,7 +283,7 @@ options { ...@@ -283,7 +283,7 @@ options {
allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
update\-check\-ksk \fIboolean\fR; update\-check\-ksk \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR;
masterfile\-format ( text | raw | fast ); masterfile\-format ( text | raw | map );
notify \fInotifytype\fR; notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
...@@ -454,7 +454,7 @@ view \fIstring\fR \fIoptional_class\fR { ...@@ -454,7 +454,7 @@ view \fIstring\fR \fIoptional_class\fR {
allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
update\-check\-ksk \fIboolean\fR; update\-check\-ksk \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR;
masterfile\-format ( text | raw | fast ); masterfile\-format ( text | raw | map );
notify \fInotifytype\fR; notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
...@@ -541,7 +541,7 @@ zone \fIstring\fR \fIoptional_class\fR { ...@@ -541,7 +541,7 @@ zone \fIstring\fR \fIoptional_class\fR {
}\fR; }\fR;
update\-check\-ksk \fIboolean\fR; update\-check\-ksk \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR;
masterfile\-format ( text | raw | fast ); masterfile\-format ( text | raw | map );
notify \fInotifytype\fR; notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]> [<!ENTITY mdash "&#8212;">]>
<!-- <!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- -
- Permission to use, copy, modify, and/or distribute this software for any - Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above - purpose with or without fee is hereby granted, provided that the above
...@@ -45,6 +45,7 @@ ...@@ -45,6 +45,7 @@
<year>2010</year> <year>2010</year>
<year>2011</year> <year>2011</year>
<year>2012</year> <year>2012</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder> <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright> </copyright>
</docinfo> </docinfo>
......
...@@ -285,7 +285,7 @@ options ...@@ -285,7 +285,7 @@ options
update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br> update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br> dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br>
<br> <br>
masterfile-format(text|raw|fast);<br> masterfile-format(text|raw|map);<br>
notify<em class="replaceable"><code>notifytype</code></em>;<br> notify<em class="replaceable"><code>notifytype</code></em>;<br>
notify-source(<em class="replaceable"><code>ipv4_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br> notify-source(<em class="replaceable"><code>ipv4_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br>
notify-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br> notify-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br>
...@@ -473,7 +473,7 @@ view ...@@ -473,7 +473,7 @@ view
update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br> update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br> dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br>
<br> <br>
masterfile-format(text|raw|fast);<br> masterfile-format(text|raw|map);<br>
notify<em class="replaceable"><code>notifytype</code></em>;<br> notify<em class="replaceable"><code>notifytype</code></em>;<br>
notify-source(<em class="replaceable"><code>ipv4_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br> notify-source(<em class="replaceable"><code>ipv4_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br>
notify-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br> notify-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br>
...@@ -569,7 +569,7 @@ zone ...@@ -569,7 +569,7 @@ zone
update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br> update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br> dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br>
<br> <br>
masterfile-format(text|raw|fast);<br> masterfile-format(text|raw|map);<br>
notify<em class="replaceable"><code>notifytype</code></em>;<br> notify<em class="replaceable"><code>notifytype</code></em>;<br>
notify-source(<em class="replaceable"><code>ipv4_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br> notify-source(<em class="replaceable"><code>ipv4_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br>
notify-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br> notify-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[<span class="optional">port(<em class="replaceable"><code>integer</code></em>|*)</span>];<br>
......
...@@ -70,38 +70,38 @@ ...@@ -70,38 +70,38 @@
</dl></dd> </dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt> <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl> <dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609253">Converting from insecure to secure</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609321">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563483">Dynamic DNS update method</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563483">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563520">Fully automatic zone signing</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563520">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563896">Private-type records</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563896">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563933">DNSKEY rollovers</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563933">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563946">Dynamic DNS update method</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563946">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574492">Automatic key rollovers</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574561">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574519">NSEC3PARAM rollovers via UPDATE</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574587">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574529">Converting from NSEC to NSEC3</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574597">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574538">Converting from NSEC3 to NSEC</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574606">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574619">Converting from secure to insecure</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574619">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574657">Periodic re-signing</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574657">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574666">NSEC3 and OPTOUT</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574666">NSEC3 and OPTOUT</a></span></dt>
</dl></dd> </dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt> <dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl> <dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608901">Validating Resolver</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608969">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608923">Authoritative Server</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608992">Authoritative Server</a></span></dt>
</dl></dd> </dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt> <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dd><dl> <dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612030">Prerequisites</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612099">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609939">Building BIND 9 with PKCS#11</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610075">Building BIND 9 with PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612180">PKCS #11 Tools</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636483">PKCS #11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612211">Using the HSM</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636514">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636712">Specifying the engine on the command line</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636712">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636826">Running named with automatic zone re-signing</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636894">Running named with automatic zone re-signing</a></span></dt>
</dl></dd> </dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt> <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl> <dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609085">Configuring DLZ</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609154">Configuring DLZ</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609159">Sample DLZ Driver</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609227">Sample DLZ Driver</a></span></dt>
</dl></dd> </dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572873">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt> <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572873">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl> <dd><dl>
...@@ -1070,7 +1070,7 @@ options { ...@@ -1070,7 +1070,7 @@ options {
from insecure to signed and back again. A secure zone can use from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</p> either NSEC or NSEC3 chains.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2609253"></a>Converting from insecure to secure</h3></div></div></div></div> <a name="id2609321"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two <p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the ways: using a dynamic DNS update, or the
<span><strong class="command">auto-dnssec</strong></span> zone option.</p> <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
...@@ -1256,7 +1256,7 @@ options { ...@@ -1256,7 +1256,7 @@ options {
<span><strong class="command">named</strong></span> will clean out any signatures generated <span><strong class="command">named</strong></span> will clean out any signatures generated
by the old key after the update completes.</p> by the old key after the update completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2574492"></a>Automatic key rollovers</h3></div></div></div></div> <a name="id2574561"></a>Automatic key rollovers</h3></div></div></div></div>
<p>When a new key reaches its activation date (as set by <p>When a new key reaches its activation date (as set by
<span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>), <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to
...@@ -1271,21 +1271,21 @@ options { ...@@ -1271,21 +1271,21 @@ options {
completes in 30 days, after which it will be safe to remove the completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.</p> old key from the DNSKEY RRset.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2574519"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div> <a name="id2574587"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
<p>Add the new NSEC3PARAM record via dynamic update. When the <p>Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request record. The old chain will be removed after the update request
completes.</p> completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2574529"></a>Converting from NSEC to NSEC3</h3></div></div></div></div> <a name="id2574597"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
<p>To do this, you just need to add an NSEC3PARAM record. When <p>To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3 and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is chain will be generated before the NSEC chain is
destroyed.</p> destroyed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"> <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2574538"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div> <a name="id2574606"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
<p>To do this, use <span><strong class="command">nsupdate</strong></span> to <p>To do this, use <span><strong class="command">nsupdate</strong></span> to
remove all NSEC3PARAM records with a zero flag remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is field. The NSEC chain will be generated before the NSEC3 chain is
...@@ -1335,7 +1335,7 @@ options { ...@@ -1335,7 +1335,7 @@ options {
configuration files.</p> configuration files.</p>
<div class="sect2" lang="en"> <div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title"> <div class="titlepage"><div><div><h3 class="title">
<a name="id2608901"></a>Validating Resolver</h3></div></div></div> <a name="id2608969"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to <p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a maintain a trust anchor, configure the trust anchor using a
<span><strong class="command">managed-keys</strong></span> statement. Information about <span><strong class="command">managed-keys</strong></span> statement. Information about
...@@ -1346,7 +1346,7 @@ options { ...@@ -1346,7 +1346,7 @@ options {
</div> </div>
<div class="sect2" lang="en"> <div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title"> <div class="titlepage"><div><div><h3 class="title">
<a name="id2608923"></a>Authoritative Server</h3></div></div></div> <a name="id2608992"></a>Authoritative Server</h3></div></div></div>
<p>To set up an authoritative zone for RFC 5011 trust anchor <p>To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active" the zone. Sign the zone with one of them; this is the "active"
...@@ -1420,7 +1420,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code>< ...@@ -1420,7 +1420,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
Debian Linux, Solaris x86 and Windows Server 2003.</p> Debian Linux, Solaris x86 and Windows Server 2003.</p>
<div class="sect2" lang="en"> <div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title"> <div class="titlepage"><div><div><h3 class="title">
<a name="id2612030"></a>Prerequisites</h3></div></div></div> <a name="id2612099"></a>Prerequisites</h3></div></div></div>
<p>See the HSM vendor documentation for information about <p>See the HSM vendor documentation for information about
installing, initializing, testing and troubleshooting the installing, initializing, testing and troubleshooting the
HSM.</p> HSM.</p>
...@@ -1497,7 +1497,7 @@ $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \ ...@@ -1497,7 +1497,7 @@ $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \
when we configure BIND 9.</p> when we configure BIND 9.</p>
<div class="sect3" lang="en"> <div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title"> <div class="titlepage"><div><div><h4 class="title">
<a name="id2609532"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div> <a name="id2609669"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
<p>The AEP Keyper is a highly secure key storage device, <p>The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It but does not provide hardware cryptographic acceleration. It
can carry out cryptographic operations, but it is probably can carry out cryptographic operations, but it is probably
...@@ -1529,7 +1529,7 @@ $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \ ...@@ -1529,7 +1529,7 @@ $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
</div> </div>
<div class="sect3" lang="en"> <div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title"> <div class="titlepage"><div><div><h4 class="title">
<a name="id2609602"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div> <a name="id2609738"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
<p>The SCA-6000 PKCS #11 provider is installed as a system <p>The SCA-6000 PKCS #11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4 library, libpkcs11. It is a true crypto accelerator, up to 4
times faster than any CPU, so the flavor shall be times faster than any CPU, so the flavor shall be
...@@ -1551,7 +1551,7 @@ $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \ ...@@ -1551,7 +1551,7 @@ $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
</div> </div>
<div class="sect3" lang="en"> <div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title"> <div class="titlepage"><div><div><h4 class="title">
<a name="id2609651"></a>Building OpenSSL for SoftHSM</h4></div></div></div> <a name="id2609787"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
<p>SoftHSM is a software library provided by the OpenDNSSEC <p>SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11 project (http://www.opendnssec.org) which provides a PKCS#11
interface to a virtual HSM, implemented in the form of encrypted interface to a virtual HSM, implemented in the form of encrypted
...@@ -1611,12 +1611,12 @@ $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \ ...@@ -1611,12 +1611,12 @@ $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
</div> </div>
<div class="sect2" lang="en"> <div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title"> <div class="titlepage"><div><div><h3 class="title">
<a name="id2609939"></a>Building BIND 9 with PKCS#11</h3></div></div></div> <a name="id2610075"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
<p>When building BIND 9, the location of the custom-built <p>When building BIND 9, the location of the custom-built
OpenSSL library must be specified via configure.</p> OpenSSL library must be specified via configure.</p>
<div class="sect3" lang="en"> <div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title"> <div class="titlepage"><div><div><h4 class="title">
<a name="id2609947"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div> <a name="id2610084"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<p>To link with the PKCS #11 provider, threads must be <p>To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.</p> enabled in the BIND 9 build.</p>
<p>The PKCS #11 library for the AEP Keyper is currently <p>The PKCS #11 library for the AEP Keyper is currently
...@@ -1632,7 +1632,7 @@ $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \ ...@@ -1632,7 +1632,7 @@ $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
</div> </div>
<div class="sect3" lang="en"> <div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title"> <div class="titlepage"><div><div><h4 class="title">
<a name="id2609979"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div> <a name="id2612164"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
<p>To link with the PKCS #11 provider, threads must be <p>To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.</p> enabled in the BIND 9 build.</p>
<pre class="screen"> <pre class="screen">
...@@ -1650,7 +1650,7 @@ $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-thre ...@@ -1650,7 +1650,7 @@ $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-thre
</div> </div>
<div class="sect3" lang="en"> <div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title"> <div class="titlepage"><div><div><h4 class="title">
<a name="id2610016"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div> <a name="id2612200"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
<pre class="screen"> <pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong> $ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure --enable-threads \ $ <strong class="userinput"><code>./configure --enable-threads \
...@@ -1667,7 +1667,7 @@ $ <strong class="userinput"><code>./configure --enable-threads \ ...@@ -1667,7 +1667,7 @@ $ <strong class="userinput"><code>./configure --enable-threads \
</div> </div>
<div class="sect2" lang="en"> <div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title"> <div class="titlepage"><div><div><h3 class="title">
<a name="id2612180"></a>PKCS #11 Tools</h3></div></div></div> <a name="id2636483"></a>PKCS #11 Tools</h3></div></div></div>
<p>BIND 9 includes a minimal set of tools to operate the <p>BIND 9 includes a minimal set of tools to operate the