Commit 515991cd authored by Mark Andrews's avatar Mark Andrews
Browse files

Merge branch 'master' of repo.isc.org:/proj/git/prod/bind9

parents 1b2ba495 dd8bbbfa
3543. [bug] Update socket stucture before attaching to socket
manager after accept. [RT #33084]
3542. [placeholder]
3541. [bug] The parts if libdns was not being properly initialized
in when built in libexport mode. [RT #33028]
3540. [bug] libt_api: t_info and t_assert were not thread safe.
3539. [port] win32: timestamp format didn't match other platforms.
3538. [test] Running "make test" now requires loopback interfaces
to be set up. [RT #32452]
3537. [tuning] Slave zones, when updated, now send NOTIFY messages
to peers before being dumped to disk rather than
after. [RT #27242]
3536. [func] Add support for setting Differentiated Services Code
Point (DSCP) values in named. Most configuration
options which take a "port" option (e.g.,
listen-on, forwarders, also-notify, masters,
notify-source, etc) can now also take a "dscp"
option specifying a code point for use with
outgoing traffic, if supported by the underlying
OS. [RT #27596]
3535. [bug] Minor win32 cleanups. [RT #32962]
3534. [bug] Extra text after an embedded NULL was ignored when
parsing zone files. [RT #32699]
3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
3531. [bug] win32: A uninitialized value could be returned on out
of memory. [RT #32960]
3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
3529. [func] Named now listens on both IPv4 and IPv6 interfaces
by default. Named previously only listened on IPv4
interfaces by default unless named was running in
IPv6 only mode. [RT #32945]
3528. [func] New "dnssec-coverage" command scans the timing
metadata for a set of DNSSEC keys and reports if a
lapse in signing coverage has been scheduled
inadvertently. (Note: This tool depends on python;
it will not be built or installed on systems that
do not have a python interpreter.) [RT #28098]
3527. [compat] Add a URI to allow applications to explicitly
request a particular XML schema from the statistics
channel, returning 404 if not supported. [RT #32481]
3526. [cleanup] Set up dependencies for unit tests correctly during
build. [RT #32803]
3525. [func] Support for additional signing algorithms in rndc:
hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
The -A option to rndc-confgen can be used to
select the algorithm for the generated key.
(The default is still hmac-md5; this may
change in a future release.) [RT #20363]
3524. [func] Added an alternate statistics channel in JSON format,
when the server is built with the json-c library:
http://[address]:[port]/json. [RT #32630]
3523. [contrib] Ported filesystem and ldap DLZ drivers to
dynamically-loadable modules, and added the
"wildcard" module based on a contribution from
Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
3522. [bug] DLZ lookups could fail to return SERVFAIL when
they ought to. [RT #32685]
3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
3520. [bug] 'mctx' was not being referenced counted in some places
where it should have been. [RT #32794]
3519. [func] Full replay protection via four-way handshake is
now mandatory for rndc clients. Very old versions
of rndc will no longer work. [RT #32798]
3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
so that all dns_rrl_rtype_t enum values fit regardless
of whether it is teated as signed or unsigned by
the compiler. [RT #32792]
3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
3516. [placeholder]
3515. [port] '%T' is not portable in strftime(). [RT #32763]
3514. [bug] The ranges for valid key sizes in ddns-confgen and
rndc-confgen were too constrained. Keys up to 512
bits are now allowed for most algorithms, and up
to 1024 bits for hmac-sha384 and hmac-sha512.
[RT #32753]
3513. [func] "dig -u" prints times in microseconds rather than
milliseconds. [RT #32704]
3512. [func] "rndc validation check" reports the current status
of DNSSEC validation. [RT #21397]
3511. [doc] Improve documentation of redirect zones. [RT #32756]
3510. [func] "rndc status" and XML statistics channel now report
server start and reconfiguration times. [RT #21048]
3509. [cleanup] Added a product line to version file to allow for
easy naming of different products (BIND
vs BIND ESV, for example). [RT #32755]
3508. [contrib] queryperf was incorrectly rejecting the -T option.
[RT #32338]
......@@ -21,7 +142,7 @@
using MaxMind GeoIP databases. Based on code
contributed by Ken Brownfield <kb@slide.com>.
[RT #30681]
3503. [doc] Clarify size_spec syntax. [RT #32449]
3502. [func] zone-statistics: "no" is now a synonym for "none",
......@@ -31,8 +152,10 @@
terse, and none. "yes" and "no" are retained as
synonyms for full and terse, respectively. [RT #29165]
3500. [port] Support NAPTR regular expression validation on
all platforms. [RT #32688]
3500. [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
3499. [doc] Corrected ARM documentation of built-in zones.
[RT #32694]
......@@ -48,11 +171,11 @@
3496. [placeholder]
3495. [func] Support multiple response-policy zones (up to 32),
while improving RPZ performance. "response-policy"
while improving RPZ performance. "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
--enable-rpz-nsdname are now the default. [RT #32251]
3494. [func] DNS RRL: Blunt the impact of DNS reflection and
amplification attacks by rate-limiting substantially-
......@@ -60,7 +183,7 @@
3493. [contrib] Added BDBHPT dynamically-lodable DLZ module,
contributed by Mark Goldfinch. [RT #32549]
3492. [bug] Fixed a regression in zone loading performance
due to lock contention. [RT #30399]
......@@ -68,7 +191,7 @@
file name. [RT #31946]
3490. [bug] When logging RDATA during update, truncate if it's
too long. [RT #32365]
too long. [RT #32365]
3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
dns_dlzcreate() failed to properly initialize
......@@ -79,7 +202,7 @@
3487. [bug] Change 3444 was not complete. There was a additional
place where the NOQNAME proof needed to be saved.
[RT #32629]
[RT #32629]
3486. [bug] named could crash when using TKEY-negotiated keys
that had been deleted and then recreated. [RT #32506]
......@@ -107,8 +230,8 @@
[RT #32475]
3477. [func] Expand logging when adding records via DDNS update
[RT #32365]
[RT #32365]
3476. [bug] "rndc zonestatus" could report a spurious "not
found" error on inline-signing zones. [RT #29226]
......
Frequently Asked Questions about BIND 9
Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
......@@ -869,7 +869,7 @@ A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
key "rndc-key" {
algorithm hmac-md5;
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};
......
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -30,6 +30,7 @@
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
......@@ -1564,7 +1565,7 @@ rand_irqs="3 14 15"</programlisting>
<informalexample>
<programlisting>
key "rndc-key" {
algorithm hmac-md5;
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};</programlisting>
</informalexample>
......
Summary of functional enhancements from prior major releases of BIND 9:
BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
- Built-in trust anchor for the root zone, which can be
switched on via "dnssec-validation auto;"
- Support for DNS64.
- Support for response policy zones (RPZ).
- Support for writable DLZ zones.
- Improved ease of configuration of GSS/TSIG for
interoperability with Active Directory
- Support for GOST signing algorithm for DNSSEC.
- Removed RTT Banding from server selection algorithm.
- New "static-stub" zone type.
- Allow configuration of resolver timeouts via
"resolver-query-timeout" option.
- The DLZ "dlopen" driver is now built by default.
- Added a new include file with function typedefs
for the DLZ "dlopen" driver.
- Made "--with-gssapi" default.
- More verbose error reporting from DLZ LDAP.
BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration.
New features include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
BIND 9.6.0
Full NSEC3 support
......
# Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -61,9 +61,21 @@ tags:
rm -f TAGS
find lib bin -name "*.[ch]" -print | @ETAGS@ -
check: test
test:
@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>&- || echo fail`"; then \
echo I: NOTE: The tests were not run because they require that; \
echo I: the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
echo I: as alias addresses on the loopback interface. Please run; \
echo I: \'bin/tests/system/ifconfig.sh up\' as root to configure; \
echo I: them, then rerun the tests. Run make force-test to run the; \
echo I: tests anyway.; \
exit 1; \
fi
${MAKE} test-force
force-test: test-force
test-force:
status=0; \
(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \
......
This diff is collapsed.
Redirect zones are used to find answers to queries when normal resolution
would result in NXDOMAIN being returned. Only one redirect zone per view
is currently supported.
To redirect to 100.100.100.2 and 2001:ffff:ffff::100.100.100.2 on NXDOMAIN
one would configure the redirect zone like this.
zone "." {
type redirect;
file "redirect.db";
};
redirect.db:
$TTL 300
@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
@ IN NS ns.example.net
;
; NS records do not need address records in this zone as it is not in the
; normal namespace.
;
*. IN A 100.100.100.2
*. IN AAAA 2001:ffff:ffff::100.100.100.2
To redirect all Spanish names (under .ES) one would use entries like these:
*.ES. IN A 100.100.100.3
*.ES. IN AAAA 2001:ffff:ffff::100.100.100.3
To redirect all commercial Spanish names (under COM.ES) one would use
entries like these:
*.COM.ES. IN A 100.100.100.4
*.COM.ES. IN AAAA 2001:ffff:ffff::100.100.100.4
The redirect zone supports all possible types. It is not limited to
A and AAAA record.
# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tests tools nsupdate \
SUBDIRS = named rndc dig dnssec tools tests nsupdate \
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
......
......@@ -43,7 +43,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdchecktool
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdchecktool
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
......@@ -70,7 +70,7 @@ LINK32=link.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdchecktool
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdchecktool
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
......
/*
* Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -126,29 +126,17 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
switch (alg) {
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA512:
if (keysize < 1 || keysize > 512)
fatal("keysize %d out of range (must be 1-512)\n",
keysize);
break;
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 256)
fatal("keysize %d out of range (must be 1-256)\n",
keysize);
break;
case DST_ALG_HMACSHA1:
if (keysize < 1 || keysize > 160)
fatal("keysize %d out of range (must be 1-160)\n",
keysize);
break;
case DST_ALG_HMACSHA224:
if (keysize < 1 || keysize > 224)
fatal("keysize %d out of range (must be 1-224)\n",
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 512)
fatal("keysize %d out of range (must be 1-512)\n",
keysize);
break;
case DST_ALG_HMACSHA384:
if (keysize < 1 || keysize > 384)
fatal("keysize %d out of range (must be 1-384)\n",
case DST_ALG_HMACSHA512:
if (keysize < 1 || keysize > 1024)
fatal("keysize %d out of range (must be 1-1024)\n",
keysize);
break;
default:
......
.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004, 2005, 2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
......@@ -33,7 +33,7 @@
rndc\-confgen \- rndc key generation tool
.SH "SYNOPSIS"
.HP 13
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-A\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
.SH "DESCRIPTION"
.PP
\fBrndc\-confgen\fR
......@@ -103,9 +103,14 @@ and
as directed.
.RE
.PP
\-A \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-md5.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is the hash size.
.RE
.PP
\-c \fIkeyfile\fR
......@@ -205,7 +210,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004, 2005, 2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
.br
/*
* Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
......@@ -57,7 +57,6 @@
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
#define DEFAULT_SERVER "127.0.0.1"
#define DEFAULT_PORT 953
......@@ -80,7 +79,8 @@ Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-b bits: from 1 through 512, default %d; total length of the secret\n\
-A alg: algorithm (default hmac-md5)\n\
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
......@@ -88,7 +88,7 @@ Usage:\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef, DEFAULT_KEYLENGTH);
progname, keydef);
exit (status);
}
......@@ -103,12 +103,12 @@ main(int argc, char **argv) {
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
dns_secalg_t alg = DST_ALG_HMACMD5;
const char *algname = alg_totext(alg);
dns_secalg_t alg;
const char *algname;
char *p;
int ch;
int port;
int keysize;
int keysize = -1;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
......@@ -124,24 +124,29 @@ main(int argc, char **argv) {
progname = program;
keyname = DEFAULT_KEYNAME;
keysize = DEFAULT_KEYLENGTH;
alg = DST_ALG_HMACMD5;
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
"aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
{
switch (ch) {
case 'a':
keyonly = ISC_TRUE;
break;
case 'A':
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
fatal("Unsupported algorithm '%s'", algname);
break;
case 'b':
keysize = strtol(isc_commandline_argument, &p, 10);
if (*p != '\0' || keysize < 0)
fatal("-b requires a non-negative number");
if (keysize < 1 || keysize > 512)
fatal("-b must be in the range 1 through 512");
break;
case 'c':
keyfile = isc_commandline_argument;
......@@ -205,6 +210,10 @@ main(int argc, char **argv) {
if (argc > 0)
usage(1);
if (keysize < 0)
keysize = alg_bits(alg);
algname = alg_totext(alg);
DO("create memory context", isc_mem_create(0, 0, &mctx));
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
......
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004, 2005, 2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -41,6 +41,7 @@
<year>2005</year>
<year>2007</year>
<year>2009</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
......@@ -54,6 +55,7 @@
<cmdsynopsis>
<command>rndc-confgen</command>
<arg><option>-a</option></arg>
<arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg><option>-h</option></arg>
......@@ -128,12 +130,24 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-md5.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is 128.
Must be between 1 and 512 bits; the default is the
hash size.
</para>
</listitem>
</varlistentry>
......
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004, 2005, 2007, 2009, 2013 Internet Systems Consortium, In