Commit 767a2aef authored by Tinderbox User, committed by Evan Hunt

prep 9.15.6

parent a4881490
--- 9.15.6 released ---
5319. [func] Trust anchors can now be configured using DS
format to represent a key digest, by using the
new "initial-ds" or "static-ds" keywords in
......
......@@ -4,10 +4,11 @@ Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with
RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
cryptography library. Atomic operations support from the compiler is
needed, either in the form of builtin operations, C11 atomics or the
Interlocked family of functions on Windows.
RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
asynchronous I/O library, and the OpenSSL cryptography library. Atomic
operations support from the compiler is needed, either in the form of
builtin operations, C11 atomics, or the Interlocked family of functions on
Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x).
For some of the older systems listed below, you will have to install
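Review bot: the added sentence "BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x)" drops two articles ("a fairly recent version of the libuv library") and ">= 1.x" does not actually pin a minimum, since 1.x covers every libuv 1 release; state the lowest libuv version the build is known to work with (a placeholder such as "libuv 1.<minimum> or later" until that number is confirmed) so packagers and the configure check can agree on it.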
......
......@@ -12,10 +12,10 @@
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
Atomic operations support from the compiler is needed, either in the form of
builtin operations, C11 atomics or the Interlocked family of functions on
Windows.
IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
and the OpenSSL cryptography library. Atomic operations support from the
compiler is needed, either in the form of builtin operations, C11 atomics,
or the `Interlocked` family of functions on Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). For
some of the older systems listed below, you will have to install updated libuv
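Review bot: same wording problem as PLATFORMS, "requires fairly recent version of libuv library to run (>= 1.x)" is missing its articles and gives no real minimum version; in addition the rewritten paragraph sets `libuv` and `Interlocked` in code spans while the sentence that follows writes libuv plain, so make the markup consistent within the section.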
......
......@@ -48,7 +48,8 @@ the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
For up-to-date versions and release notes, see https://www.isc.org/download/.
For up-to-date versions and release notes, see https://www.isc.org/
download/.
For information about supported platforms, see PLATFORMS.
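Review bot: the URL is now wrapped across two lines ("https://www.isc.org/" / "download/."), which breaks it both for readers copying it and for Markdown autolinking; keep "https://www.isc.org/download/" on one line even if that exceeds the wrap width used elsewhere in the file.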
......@@ -110,25 +111,30 @@ BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.14 and earlier releases. New features include:
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC key configuration using dnssec-keys
* Improved DNSSEC trust anchor configuration using dnssec-keys,
permitting configuration of trust anchors in DS as well as DNSKEY
format.
* YAML output for dig, mdig, and delv.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have
been observed on many versions of Linux and UNIX, including RHEL/CentOS,
Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
OpenWRT.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires the
libcap library to set process privileges, though this requirement can be
overridden by disabling capability support at compile time. See
Compile-time options below for details on other libraries that may be
required to support optional features.
basic POSIX support, and a 64-bit integer type. BIND also requires the
libuv asynchronous I/O library, and a cryptography provider library such
as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
requires the libcap library to set process privileges, though this
requirement can be overridden by disabling capability support at compile
time. See Compile-time options below for details on other libraries that
may be required to support optional features.
Successful builds have been observed on many versions of Linux and UNIX,
including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See win32utils/
build.txt for details on building for Windows systems.
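Review bot: the context bullet "* New new network manager based on libuv." carries a duplicated word, and since this hunk already rewrites the surrounding feature list it is the place to fix it ("* A new network manager based on libuv."); while here, the "Support for the new GeoIP2 geolocation API" bullet is the only one without a trailing period, and the new sentence "BIND also requires the libuv asynchronous I/O library, and a cryptography provider library" does not need the comma before "and".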
......
......@@ -129,25 +129,29 @@ include:
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* A new network manager based on libuv.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using `dnssec-keys`
* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have been
observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires
the `libcap` library to set process privileges, though this requirement
can be overridden by disabling capability support at compile time.
See [Compile-time options](#opts) below for details on other libraries
that may be required to support optional features.
basic POSIX support, and a 64-bit integer type. BIND also requires the
`libuv` asynchronous I/O library, and a cryptography provider library
such as OpenSSL or a hardware service module supporting PKCS#11. On
Linux, BIND requires the `libcap` library to set process privileges,
though this requirement can be overridden by disabling capability
support at compile time. See [Compile-time options](#opts) below
for details on other libraries that may be required to support
optional features.
Successful builds have been observed on many versions of Linux and
UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See
`win32utils/build.txt` for details on building for Windows
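Review bot: the feature-list change replaces "* A new network manager based on libuv." with "* New new network manager based on libuv.", which introduces a duplicated "new"; the removed wording was correct, so keep "A new network manager based on libuv." and apply the same fix to the plain-text README, where the same duplicated phrase appears.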
......
......@@ -39,7 +39,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
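Review bot: the synopsis now lists both "-b keysize" and "-d bits", and it also adds "-T rrtype", yet the OPTIONS hunks in this patch add descriptions only for -d, -k and -l; confirm that -T has a matching OPTIONS entry, and make clear in the -b and -d descriptions how the two key-size options differ (or which one takes precedence when both are given), since from the synopsis alone they look redundant.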
......@@ -109,6 +109,11 @@ option suppresses them\&.
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE
.PP
\-d \fIbits\fR
.RS 4
Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
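Review bot: the new -d description spells the algorithm "NSEC3RSASA1"; it should read NSEC3RSASHA1 to match the algorithm mnemonic used everywhere else. Minor: "must be in range 1024-4096" reads better as "must be in the range 1024-4096", and the entry should say how -d relates to the existing -b keysize option, which the same synopsis still advertises.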
......@@ -142,6 +147,17 @@ Prints a short summary of the options and arguments to
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k \fIpolicy\fR
.RS 4
Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys,
\fBdnssec\-keygen\fR
will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&.
.sp
This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that
\fBdnssec\-keygen\fR
provides\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
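Review bot: "it cannot be used together with many of the other options that dnssec-keygen provides" is too vague to act on; list the conflicting options and state whether combining them is rejected or silently ignored. The entry should also say where the ".state" file is written (presumably next to the key files in the -K directory) and how it is named, so an operator can find and back it up alongside the .key and .private files.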
......@@ -151,6 +167,12 @@ none
is the same as leaving it unset\&.
.RE
.PP
\-l \fIfile\fR
.RS 4
Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with
\fB\-k\fR)\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
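Review bot: the -l description should state what is used when -l is omitted but -k is given (is a default named.conf consulted?) and whether -l without -k is an error or ignored; "Provide a configuration file" would also read more naturally as "Provides a configuration file", matching the third-person style of the neighbouring entries ("Sets", "Specifies").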
......
......@@ -41,6 +41,7 @@
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>]
......@@ -49,8 +50,9 @@
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
......@@ -59,6 +61,7 @@
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
......@@ -168,6 +171,15 @@
the specified class. If not specified, class IN is used.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
<dd>
<p>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
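Review bot: the HTML -d entry repeats the "NSEC3RSASA1" misspelling (NSEC3RSASHA1) from the man page; both files are generated output (the named.conf.5 header in this same commit names "DocBook XSL Stylesheets" as generator), so the fix belongs in the DocBook source, with both the .8 and .html regenerated from it rather than patched by hand.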
......@@ -218,6 +230,21 @@
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
<dd>
<p>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</p>
<p>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <span class="command"><strong>dnssec-keygen</strong></span>
provides.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
......@@ -231,6 +258,13 @@
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
......
......@@ -39,7 +39,7 @@
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-s\fR] [\fB\-g\ \fR\fB\fIstate\fR\fR] [\fB\-d\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-z\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
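Review bot: the new dnssec-settime options reuse letters that dnssec-keygen gives different meanings in this same patch (-d is "bits" and -k is "policy" in keygen, but "DS state" and "DNSKEY state" here); that is workable since the tools are separate, but the OPTIONS entries below should spell out the full "state date/offset" form shown in this synopsis so the two-argument shape is unambiguous.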
......@@ -59,7 +59,25 @@ simply prints the key timing metadata already stored in the key\&.
.PP
When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key
and
Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
Knnnn\&.+aaa+iiiii\&.private) are regenerated\&.
.PP
Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
.PP
When working with state files, it is possible to update the timing metadata in those files as well with
\fB\-s\fR\&. If this option is used you can also update key states with
\fB\-d\fR
(DS),
\fB\-k\fR
(DNSKEY),
\fB\-r\fR
(RRSIG of KSK), or
\fB\-z\fR
(RRSIG of ZSK)\&. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE\&.
.PP
You can also set the goal state of the key with
\fB\-g\fR\&. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published)\&.
.PP
It is NOT RECOMMENDED to manipulate state files manually except for testing purposes\&.
.SH "OPTIONS"
.PP
\-f
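Review bot: the new DESCRIPTION text ties state updates to -s ("If this option is used you can also update key states with -d ..."), so state explicitly whether -g, -d, -k, -r and -z are rejected or ignored when -s is absent. The preceding paragraph documents mode 0600 only for the .private file; say how the .state file is created and whether it follows the same ownership and permission handling, since operators will now have a third per-key file to manage.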
......@@ -156,6 +174,39 @@ If the key is being set to be an explicit successor to another key, then the def
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
.SH "KEY STATE OPTIONS"
.PP
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE\&. These should not be set manually except for testing purposes\&.
.PP
\-s
.RS 4
When setting key timing data, also update the state file\&.
.RE
.PP
\-g
.RS 4
Set the goal state for this key\&. Must be HIDDEN or OMNIPRESENT\&.
.RE
.PP
\-d
.RS 4
Set the DS state for this key, and when it was last changed\&.
.RE
.PP
\-k
.RS 4
Set the DNSKEY state for this key, and when it was last changed\&.
.RE
.PP
\-r
.RS 4
Set the RRSIG (KSK) state for this key, and when it was last changed\&.
.RE
.PP
\-z
.RS 4
Set the RRSIG (ZSK) state for this key, and when it was last changed\&.
.RE
.SH "PRINTING OPTIONS"
.PP
\fBdnssec\-settime\fR
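Review bot: the KEY STATE OPTIONS labels are bare "-g", "-d", "-k", "-r" and "-z", while the synopsis shows "-g state" and "-d state date/offset" etc.; give each label its arguments, as the other entries in this man page do ("-K directory", "-L ttl"), and mention the date/offset argument in the sentence "Set the DS state for this key, and when it was last changed", which does not say that the time is supplied on the command line. The sentence "Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE" duplicates the DESCRIPTION; one place is enough.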
......
......@@ -49,6 +49,12 @@
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
{keyfile}
</p></div>
</div>
......@@ -74,11 +80,30 @@
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
</p>
<p>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
<p>
When working with state files, it is possible to update the timing
metadata in those files as well with <code class="option">-s</code>. If this
option is used you can also update key states with <code class="option">-d</code>
(DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</p>
<p>
You can also set the goal state of the key with <code class="option">-g</code>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</p>
<p>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</p>
</div>
<div class="refsection">
......@@ -262,7 +287,57 @@
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>PRINTING OPTIONS</h2>
<a name="id-1.10"></a><h2>KEY STATE OPTIONS</h2>
<p>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-s</span></dt>
<dd>
<p>
When setting key timing data, also update the state file.
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd>
<p>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Set the DS state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Set the DNSKEY state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>PRINTING OPTIONS</h2>
<p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
......@@ -298,7 +373,7 @@
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
......
......@@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-08-07
.\" Date: 2019-08-12
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......@@ -104,7 +104,8 @@ dlz \fIstring\fR {
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
initial\-key | static\-ds | initial\-ds )
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
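Review bot: the grammar for dnssec-keys now accepts static-ds and initial-ds with exactly the same field shape as static-key and initial-key ("integer integer integer quoted_string"), so the meaning of the three integers and the quoted string must depend on the keyword; confirm the named.conf description section documents both interpretations (what the fields hold for a DS entry versus a DNSKEY entry) rather than leaving the reader to infer it from the shared grammar.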
......@@ -170,9 +171,9 @@ Deprecated \- see DNSSEC\-KEYS\&.
.\}
.nf
managed\-keys { \fIstring\fR ( static\-key
| initial\-key ) \fIinteger\fR
\fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated
| initial\-key | static\-ds |
initial\-ds ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi
.if n \{\
.RE
......@@ -230,7 +231,7 @@ options {
[ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
\fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
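Review bot: this hunk begins a rename of the grammar type "ttlval" to "duration" that runs through the rest of the options and view blocks; confirm the named.conf man page defines the "duration" type (accepted units and range) wherever "ttlval" was previously defined, otherwise the grammar now references a type the document never explains.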
......@@ -312,18 +313,18 @@ options {
fstrm\-set\-output\-notify\-threshold \fIinteger\fR;
fstrm\-set\-output\-queue\-model ( mpsc | spsc );
fstrm\-set\-output\-queue\-size \fIinteger\fR;
fstrm\-set\-reopen\-interval \fIttlval\fR;
fstrm\-set\-reopen\-interval \fIduration\fR;
geoip\-directory ( \fIquoted_string\fR | none );
glue\-cache \fIboolean\fR;
heartbeat\-interval \fIinteger\fR;
hostname ( \fIquoted_string\fR | none );
inline\-signing \fIboolean\fR;
interface\-interval \fIttlval\fR;
interface\-interval \fIduration\fR;
ixfr\-from\-differences ( primary | master | secondary | slave |
\fIboolean\fR );
keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lame\-ttl \fIduration\fR;
listen\-on [ port \fIinteger\fR ] [ dscp
\fIinteger\fR ] {
\fIaddress_match_element\fR; \&.\&.\&. };
......@@ -337,28 +338,28 @@ options {
masterfile\-style ( full | relative );
match\-mapped\-addresses \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
max\-cache\-ttl \fIttlval\fR;
max\-cache\-ttl \fIduration\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
max\-ncache\-ttl \fIttlval\fR;
max\-ncache\-ttl \fIduration\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
max\-refresh\-time \fIinteger\fR;
max\-retry\-time \fIinteger\fR;
max\-rsa\-exponent\-size \fIinteger\fR;
max\-stale\-ttl \fIttlval\fR;
max\-stale\-ttl \fIduration\fR;
max\-transfer\-idle\-in \fIinteger\fR;
max\-transfer\-idle\-out \fIinteger\fR;
max\-transfer\-time\-in \fIinteger\fR;
max\-transfer\-time\-out \fIinteger\fR;
max\-udp\-size \fIinteger\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
max\-zone\-ttl ( unlimited | \fIduration\fR );
memstatistics \fIboolean\fR;
memstatistics\-file \fIquoted_string\fR;
message\-compression \fIboolean\fR;
min\-cache\-ttl \fIttlval\fR;
min\-ncache\-ttl \fIttlval\fR;
min\-cache\-ttl \fIduration\fR;
min\-ncache\-ttl \fIduration\fR;
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
minimal\-any \fIboolean\fR;
......@@ -375,8 +376,8 @@ options {
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]
[ dscp \fIinteger\fR ];
notify\-to\-soa \fIboolean\fR;
nta\-lifetime \fIttlval\fR;
nta\-recheck \fIttlval\fR;
nta\-lifetime \fIduration\fR;
nta\-recheck \fIduration\fR;
nxdomain\-redirect \fIstring\fR;
pid\-file ( \fIquoted_string\fR | none );
port \fIinteger\fR;
......@@ -423,13 +424,13 @@ options {
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
\fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
\fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
min\-update\-interval \fIduration\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
[ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ] [ dnsrps\-enable \fIboolean\fR ] [
......@@ -443,7 +444,7 @@ options {
serial\-query\-rate \fIinteger\fR;
serial\-update\-method ( date | increment | unixtime );
server\-id ( \fIquoted_string\fR | none | hostname );
servfail\-ttl \fIttlval\fR;
servfail\-ttl \fIduration\fR;
session\-keyalg \fIstring\fR;
session\-keyfile ( \fIquoted_string\fR | none );
session\-keyname \fIstring\fR;
......@@ -454,7 +455,7 @@ options {
sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
stacksize ( default | unlimited | \fIsizeval\fR );
stale\-answer\-enable \fIboolean\fR;
stale\-answer\-ttl \fIttlval\fR;
stale\-answer\-ttl \fIduration\fR;
startup\-notify\-rate \fIinteger\fR;
statistics\-file \fIquoted_string\fR;
synth\-from\-dnssec \fIboolean\fR;
......@@ -612,7 +613,7 @@ view \fIstring\fR [ \fIclass\fR ] {
[ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
\fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
......@@ -655,8 +656,9 @@ view \fIstring\fR [ \fIclass\fR ] {
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
initial\-key | static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
......@@ -690,10 +692,11 @@ view \fIstring\fR [ \fIclass\fR ] {
secret \fIstring\fR;
};
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lame\-ttl \fIduration\fR;
lmdb\-mapsize \fIsizeval\fR;
managed\-keys { \fIstring\fR (
static\-key | initial\-key
| static\-ds | initial\-ds
) \fIinteger\fR \fIinteger\fR
\fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated
......@@ -703,25 +706,25 @@ view \fIstring\fR [ \fIclass\fR ] {
match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
match\-recursive\-only \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
max\-cache\-ttl \fIttlval\fR;
max\-cache\-ttl \fIduration\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
max\-ncache\-ttl \fIttlval\fR;
max\-ncache\-ttl \fIduration\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
max\-refresh\-time \fIinteger\fR;