Commit 9a57aa45 authored by Mark Andrews

NSEC3

parent bfcb5fae
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.369 2008/09/25 05:49:26 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.370 2008/09/25 06:08:49 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -1650,11 +1650,11 @@ controls {
</para>
<para>
Updating of secure zones (zones using DNSSEC) follows
RFC 3007: RRSIG and NSEC records affected by updates are automatically
regenerated by the server using an online zone key.
Update authorization is based
on transaction signatures and an explicit server policy.
Updating of secure zones (zones using DNSSEC) follows RFC
3007: RRSIG, NSEC and NSEC3 records affected by updates are
automatically regenerated by the server using an online
zone key. Update authorization is based on transaction
signatures and an explicit server policy.
</para>
<sect2 id="journal">
......@@ -2391,23 +2391,21 @@ allow-update { key host1-host2. ;};
<sect2>
<title>Signing the Zone</title>
<para>
The <command>dnssec-signzone</command> program is used
to
sign a zone.
</para>
<para>
The <command>dnssec-signzone</command> program is used
to sign a zone.
</para>
<para>
Any <filename>keyset</filename> files corresponding
to secure subzones should be present. The zone signer will
generate <literal>NSEC</literal> and <literal>RRSIG</literal>
records for the zone, as well as <literal>DS</literal>
for
the child zones if <literal>'-d'</literal> is specified.
If <literal>'-d'</literal> is not specified, then
DS RRsets for
the secure child zones need to be added manually.
</para>
<para>
Any <filename>keyset</filename> files corresponding to
secure subzones should be present. The zone signer will
generate <literal>NSEC</literal>, <literal>NSEC3</literal>
and <literal>RRSIG</literal> records for the zone, as
well as <literal>DS</literal> for the child zones if
<literal>'-g'</literal> is specified. If <literal>'-g'</literal>
is not specified, then DS RRsets for the secure child
zones need to be added manually.
</para>
<para>
The following command signs the zone, assuming it is in a
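Review bot: the flag that makes dnssec-signzone emit DS records for secure child zones changes here from '-d' to '-g', which is a substantive documentation correction that the one-word commit message ("NSEC3") does not mention; confirm the new letter matches the program's current usage text and note the rename in the message so readers who search for the old option can find the change. As a style point, `<literal>'-g'</literal>` bakes the quote characters into the markup; DocBook's `<option>-g</option>` renders the flag cleanly and keeps it consistent with how options are usually tagged.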
......@@ -9621,16 +9619,15 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
specify a fully-qualified domain name.
</para>
<para>
If no types are explicitly specified, this rule matches all
types except
RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
"ANY" (ANY matches all types except NSEC, which can never be
updated).
Note that when an attempt is made to delete all records
associated with a
name, the rules are checked for each existing record type.
</para>
<para>
If no types are explicitly specified, this rule matches
all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
may be specified by name, including "ANY" (ANY matches
all types except NSEC and NSEC3, which can never be
updated). Note that when an attempt is made to delete
all records associated with a name, the rules are
checked for each existing record type.
</para>
</sect3>
</sect2>
</sect1>
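Review bot: the rewritten exclusion list adds NSEC3 next to NSEC as a type that "can never be updated", but the glossary hunk in this same commit introduces NSEC3PARAM as the record that tells the server which NSEC3 chains are in use, and it is not listed here; say explicitly whether NSEC3PARAM is intentionally left updatable by these rules, since a reader will otherwise assume it is treated like NSEC3. The rewrap itself is fine and the new list ("RRSIG, NS, SOA, NSEC and NSEC3") uses the same comma style as the update paragraph earlier in the diff.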
......@@ -10058,6 +10055,40 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para>
NSEC3
</para>
</entry>
<entry colname="2">
<para>
Used in DNSSECbis to securely indicate that
RRs with an owner name in a certain name
interval do not exist in a zone and indicate
what RR types are present for an existing
name. NSEC3 differs from NSEC in that it
prevents zone enumeration but is more
computationally expensive on both the server
and the client than NSEC. Described in RFC
5155.
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para>
NSEC3PARAM
</para>
</entry>
<entry colname="2">
<para>
Used in DNSSECbis to tell the authoritative
server which NSEC3 chains are available to use.
Described in RFC 5155.
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para>
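Review bot: in the new NSEC3 glossary entry, "prevents zone enumeration" overstates the guarantee; RFC 5155, which the entry cites, points out that the hashed owner names remain exposed to offline dictionary guessing, so "makes zone enumeration harder" is the accurate wording, and a clause saying that the owner names are hashed would also explain why the entry calls NSEC3 more computationally expensive than NSEC. In the NSEC3PARAM entry, "which NSEC3 chains are available to use" is vague; state what in the record identifies a chain so the reader can relate it to the NSEC3 entry directly above.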