Commit 9d557856 authored by Tinderbox User

regen master

parent c07c0517
...@@ -212,7 +212,7 @@ ...@@ -212,7 +212,7 @@
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt> <dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p> <dd><p>
Check for records that are treated as different by DNSSEC but Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS. are semantically equal in plain DNS.
Possible modes are <span class="command"><strong>"fail"</strong></span>, Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and <span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>. <span class="command"><strong>"ignore"</strong></span>.
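Review bot: the old and new sides of this hunk read identically, so whatever changed is not visible in the rendered text, and the one-line commit message "regen master" does not say what was regenerated or why. A regeneration commit should name the source change or the tool run that triggered it, so a reviewer can tell a no-op rebuild apart from a content change without diffing the generated HTML by hand.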
......
...@@ -60,7 +60,7 @@ ...@@ -60,7 +60,7 @@
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>: local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with it does this when a zone is configured with
<span class="command"><strong>update-policy local;</strong></span>. <span class="command"><strong>update-policy local;</strong></span>.
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a <span class="command"><strong>ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance, more elaborate configuration is required: for instance,
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system. system.
......
...@@ -74,7 +74,7 @@ ...@@ -74,7 +74,7 @@
<p> <p>
The IN and CH class names overlap with the IN and CH top level The IN and CH class names overlap with the IN and CH top level
domain names. Either use the <code class="option">-t</code> and domain names. Either use the <code class="option">-t</code> and
<code class="option">-c</code> options to specify the type and class, <code class="option">-c</code> options to specify the type and class,
use the <code class="option">-q</code> the specify the domain name, or use the <code class="option">-q</code> the specify the domain name, or
use "IN." and "CH." when looking up these top level domains. use "IN." and "CH." when looking up these top level domains.
</p> </p>
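Review bot: the context line "use the -q the specify the domain name" carries a typo ("the specify" should read "to specify"). Since this HTML is generated, the fix belongs in the source document rather than in the output, or the next regen will reintroduce it.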
...@@ -771,7 +771,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr ...@@ -771,7 +771,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server. reply from the server.
If you'd like to turn off the IDN support for some reason, defines If you'd like to turn off the IDN support for some reason, defines
the <code class="envar">IDN_DISABLE</code> environment variable. the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when The IDN support is disabled if the variable is set when
<span class="command"><strong>dig</strong></span> runs. <span class="command"><strong>dig</strong></span> runs.
</p> </p>
</div> </div>
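Review bot: "If you'd like to turn off the IDN support for some reason, defines the IDN_DISABLE environment variable" has a verb-form slip ("defines" should be "define"). As with the other wording issues in this regen, correct it in the source so the generated page picks it up.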
......
...@@ -178,7 +178,7 @@ ...@@ -178,7 +178,7 @@
<code class="filename">/etc/resolv.conf</code>. <code class="filename">/etc/resolv.conf</code>.
</p> </p>
<p> <p>
The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span> The <code class="option">-s</code> option tells <span class="command"><strong>host</strong></span>
<span class="emphasis"><em>not</em></span> to send the query to the next nameserver <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behavior. reverse of normal stub resolver behavior.
...@@ -198,7 +198,7 @@ ...@@ -198,7 +198,7 @@
<a name="id-1.8"></a><h2>IDN SUPPORT</h2> <a name="id-1.8"></a><h2>IDN SUPPORT</h2>
<p> <p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names. domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>host</strong></span> appropriately converts character encoding of <span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a domain name before sending a request to DNS server or displaying a
reply from the server. reply from the server.
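Review bot: "converts character encoding of domain name before sending a request to DNS server" is missing its articles ("the character encoding of the domain name", "a DNS server"); the same sentence appears in the dig hunk above, so both source paragraphs should be fixed together.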
......
...@@ -94,7 +94,7 @@ ...@@ -94,7 +94,7 @@
<dd><p> <dd><p>
Include ZSKs when generating DS records. Without this option, Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode. records and printed. Useful only in zone file mode.
</p></dd> </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p> <dd><p>
......
...@@ -281,7 +281,7 @@ ...@@ -281,7 +281,7 @@
</p> </p>
<p> <p>
If the key is being created as an explicit successor to another If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days; key, then the default prepublication interval is 30 days;
otherwise it is zero. otherwise it is zero.
</p> </p>
<p> <p>
...@@ -313,7 +313,7 @@ ...@@ -313,7 +313,7 @@
footprint). footprint).
</p></li> </p></li>
</ul></div> </ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span> <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and contains the public key, and
......
...@@ -328,7 +328,7 @@ ...@@ -328,7 +328,7 @@
</p> </p>
<p> <p>
If the key is being created as an explicit successor to another If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days; key, then the default prepublication interval is 30 days;
otherwise it is zero. otherwise it is zero.
</p> </p>
<p> <p>
...@@ -361,7 +361,7 @@ ...@@ -361,7 +361,7 @@
footprint). footprint).
</p></li> </p></li>
</ul></div> </ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span> <p><span class="command"><strong>dnssec-keygen</strong></span>
creates two files, with names based creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and contains the public key, and
......
...@@ -65,8 +65,8 @@ ...@@ -65,8 +65,8 @@
fail when attempting to update a legacy key. With this option, fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be original key data retained. The key's creation date will be
set to the present time. If no other values are specified, set to the present time. If no other values are specified,
then the key's publication and activation dates will also then the key's publication and activation dates will also
be set to the present time. be set to the present time.
</p></dd> </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
...@@ -178,7 +178,7 @@ ...@@ -178,7 +178,7 @@
</p> </p>
<p> <p>
If the key is being set to be an explicit successor to another If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days; key, then the default prepublication interval is 30 days;
otherwise it is zero. otherwise it is zero.
</p> </p>
<p> <p>
......
...@@ -74,7 +74,7 @@ ...@@ -74,7 +74,7 @@
(<code class="option">-S</code>) is used, DNSKEY records are also (<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original included. The resulting file can be included in the original
zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>, cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating. <code class="option">-O map</code>, or serial number updating.
</p></dd> </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt> <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
...@@ -328,7 +328,7 @@ ...@@ -328,7 +328,7 @@
<p> <p>
Normally, when a previously-signed zone is passed as input Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key replaced with a new one, signatures from the old key
that are still within their validity period are retained. that are still within their validity period are retained.
This allows the zone to continue to validate with cached This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code> copies of the old DNSKEY RRset. The <code class="option">-Q</code>
...@@ -391,7 +391,7 @@ ...@@ -391,7 +391,7 @@
<dd><p> <dd><p>
If the key's activation date is set and in the past, the If the key's activation date is set and in the past, the
key is published (regardless of publication date) and key is published (regardless of publication date) and
used to sign the zone. used to sign the zone.
</p></dd> </p></dd>
<dt></dt> <dt></dt>
<dd><p> <dd><p>
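Review bot: the hunk ends with an empty `<dt></dt>` immediately followed by `<dd><p>`, that is, a definition-list entry with no term. If these entries are meant as a plain list of rules about key timing, an itemized list in the source would render more cleanly than a variable list with blank terms; if a term was intended, it has been lost.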
......
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
server that answers queries using the BIND 9 lightweight server that answers queries using the BIND 9 lightweight
resolver protocol rather than the DNS protocol. resolver protocol rather than the DNS protocol.
</p> </p>
<p><span class="command"><strong>lwresd</strong></span> <p><span class="command"><strong>lwresd</strong></span>
listens for resolver queries on a listens for resolver queries on a
UDP port on the IPv4 loopback interface, 127.0.0.1. This UDP port on the IPv4 loopback interface, 127.0.0.1. This
means that <span class="command"><strong>lwresd</strong></span> can only be used by means that <span class="command"><strong>lwresd</strong></span> can only be used by
...@@ -123,7 +123,7 @@ ...@@ -123,7 +123,7 @@
<em class="replaceable"><code>trace</code></em>, <em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>, <em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and <em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>. <em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>. <code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd> </p></dd>
......
...@@ -49,7 +49,7 @@ ...@@ -49,7 +49,7 @@
</p></dd> </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p> <dd><p>
Check for a DLV record in the specified lookaside domain, Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent. instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com" For example, to check for DLV records for "example.com"
in ISC's DLV zone, use: in ISC's DLV zone, use:
......
...@@ -556,7 +556,7 @@ ...@@ -556,7 +556,7 @@
operations (such as signing or generating operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form NSEC3 chains) is stored in the zone in the form
of DNS resource records of type of DNS resource records of type
<span class="command"><strong>sig-signing-type</strong></span>. <span class="command"><strong>sig-signing-type</strong></span>.
<span class="command"><strong>rndc signing -list</strong></span> converts <span class="command"><strong>rndc signing -list</strong></span> converts
these records into a human-readable form, these records into a human-readable form,
indicating which keys are currently signing indicating which keys are currently signing
...@@ -582,7 +582,7 @@ ...@@ -582,7 +582,7 @@
flags, iterations, and salt, in that order. flags, iterations, and salt, in that order.
</p> </p>
<p> <p>
Currently, the only defined value for hash algorithm Currently, the only defined value for hash algorithm
is <code class="literal">1</code>, representing SHA-1. is <code class="literal">1</code>, representing SHA-1.
The <code class="option">flags</code> may be set to The <code class="option">flags</code> may be set to
<code class="literal">0</code> or <code class="literal">1</code>, <code class="literal">0</code> or <code class="literal">1</code>,
......
...@@ -34,10 +34,10 @@ ...@@ -34,10 +34,10 @@
<p> <p>
<span class="command"><strong>named-journalprint</strong></span> <span class="command"><strong>named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable prints the contents of a zone journal file in a human-readable
form. form.
</p> </p>
<p> <p>
Journal files are automatically created by <span class="command"><strong>named</strong></span> Journal files are automatically created by <span class="command"><strong>named</strong></span>
when changes are made to dynamic zones (e.g., by when changes are made to dynamic zones (e.g., by
<span class="command"><strong>nsupdate</strong></span>). They record each addition <span class="command"><strong>nsupdate</strong></span>). They record each addition
or deletion of a resource record, in binary format, allowing the or deletion of a resource record, in binary format, allowing the
......
...@@ -579,7 +579,7 @@ nameserver 172.16.72.4 ...@@ -579,7 +579,7 @@ nameserver 172.16.72.4
<p> <p>
TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span> TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
command; the output of the command is a <span class="command"><strong>key</strong></span> directive command; the output of the command is a <span class="command"><strong>key</strong></span> directive
suitable for inclusion in <code class="filename">named.conf</code>. The suitable for inclusion in <code class="filename">named.conf</code>. The
key name, algorithm and size can be specified by command line parameters; key name, algorithm and size can be specified by command line parameters;
the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively. the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
</p> </p>
...@@ -661,7 +661,7 @@ key "host1-host2." { ...@@ -661,7 +661,7 @@ key "host1-host2." {
signed using the specified key. Keys may also be specified signed using the specified key. Keys may also be specified
in the <span class="command"><strong>also-notify</strong></span> statement of a master in the <span class="command"><strong>also-notify</strong></span> statement of a master
or slave zone, causing NOTIFY messages to be signed using or slave zone, causing NOTIFY messages to be signed using
the specified key. the specified key.
</p> </p>
<p> <p>
Keys can also be specified in a <span class="command"><strong>server</strong></span> Keys can also be specified in a <span class="command"><strong>server</strong></span>
...@@ -770,7 +770,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; ...@@ -770,7 +770,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<p> <p>
The TKEY process is initiated by a client or server by sending The TKEY process is initiated by a client or server by sending
a query of type TKEY to a TKEY-aware server. The query must include a query of type TKEY to a TKEY-aware server. The query must include
an appropriate KEY record in the additional section, and an appropriate KEY record in the additional section, and
must be signed using either TSIG or SIG(0) with a previously must be signed using either TSIG or SIG(0) with a previously
established key. The server's response, if successful, will established key. The server's response, if successful, will
contain a TKEY record in its answer section. After this transaction, contain a TKEY record in its answer section. After this transaction,
...@@ -1112,15 +1112,15 @@ options { ...@@ -1112,15 +1112,15 @@ options {
<div class="section"><div class="titlepage"><div><div><h3 class="title"> <div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div> <a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two <p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the ways: using a dynamic DNS update, or the
<span class="command"><strong>auto-dnssec</strong></span> zone option.</p> <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
<p>For either method, you need to configure <p>For either method, you need to configure
<span class="command"><strong>named</strong></span> so that it can see the <span class="command"><strong>named</strong></span> so that it can see the
<code class="filename">K*</code> files which contain the public and private <code class="filename">K*</code> files which contain the public and private
parts of the keys that will be used to sign the zone. These files parts of the keys that will be used to sign the zone. These files
will have been generated by will have been generated by
<span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
in the key-directory, as specified in in the key-directory, as specified in
<code class="filename">named.conf</code>:</p> <code class="filename">named.conf</code>:</p>
<pre class="programlisting"> <pre class="programlisting">
zone example.net { zone example.net {
...@@ -1146,7 +1146,7 @@ options { ...@@ -1146,7 +1146,7 @@ options {
&gt; send &gt; send
</pre> </pre>
<p>While the update request will complete almost immediately, <p>While the update request will complete almost immediately,
the zone will not be completely signed until the zone will not be completely signed until
<span class="command"><strong>named</strong></span> has had time to walk the zone and <span class="command"><strong>named</strong></span> has had time to walk the zone and
generate the NSEC and RRSIG records. The NSEC record at the apex generate the NSEC and RRSIG records. The NSEC record at the apex
will be added last, to signal that there is a complete NSEC will be added last, to signal that there is a complete NSEC
...@@ -1164,7 +1164,7 @@ options { ...@@ -1164,7 +1164,7 @@ options {
&gt; send &gt; send
</pre> </pre>
<p>Again, this update request will complete almost <p>Again, this update request will complete almost
immediately; however, the record won't show up until immediately; however, the record won't show up until
<span class="command"><strong>named</strong></span> has had a chance to build/remove the <span class="command"><strong>named</strong></span> has had a chance to build/remove the
relevant chain. A private type record will be created to record relevant chain. A private type record will be created to record
the state of the operation (see below for more details), and will the state of the operation (see below for more details), and will
...@@ -1173,17 +1173,17 @@ options { ...@@ -1173,17 +1173,17 @@ options {
is happening, other updates are possible as well.</p> is happening, other updates are possible as well.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title"> <div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div> <a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div></div>
<p>To enable automatic signing, add the <p>To enable automatic signing, add the
<span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
<code class="filename">named.conf</code>. <code class="filename">named.conf</code>.
<span class="command"><strong>auto-dnssec</strong></span> has two possible arguments: <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
<code class="constant">allow</code> or <code class="constant">allow</code> or
<code class="constant">maintain</code>.</p> <code class="constant">maintain</code>.</p>
<p>With <p>With
<span class="command"><strong>auto-dnssec allow</strong></span>, <span class="command"><strong>auto-dnssec allow</strong></span>,
<span class="command"><strong>named</strong></span> can search the key directory for keys <span class="command"><strong>named</strong></span> can search the key directory for keys
matching the zone, insert them into the zone, and use them to matching the zone, insert them into the zone, and use them to
sign the zone. It will do so only when it receives an sign the zone. It will do so only when it receives an
<span class="command"><strong>rndc sign &lt;zonename&gt;</strong></span>.</p> <span class="command"><strong>rndc sign &lt;zonename&gt;</strong></span>.</p>
<p> <p>
...@@ -1191,7 +1191,7 @@ options { ...@@ -1191,7 +1191,7 @@ options {
functionality, but will also automatically adjust the zone's functionality, but will also automatically adjust the zone's
DNSKEY records on schedule according to the keys' timing metadata. DNSKEY records on schedule according to the keys' timing metadata.
(See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
</p> </p>
<p> <p>
<span class="command"><strong>named</strong></span> will periodically search the key directory <span class="command"><strong>named</strong></span> will periodically search the key directory
...@@ -1205,7 +1205,7 @@ options { ...@@ -1205,7 +1205,7 @@ options {
</p> </p>
<p> <p>
If keys are present in the key directory the first time the zone If keys are present in the key directory the first time the zone
is loaded, the zone will be signed immediately, without waiting for an is loaded, the zone will be signed immediately, without waiting for an
<span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span> <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
command. (Those commands can still be used when there are unscheduled command. (Those commands can still be used when there are unscheduled
key changes, however.) key changes, however.)
...@@ -1227,10 +1227,10 @@ options { ...@@ -1227,10 +1227,10 @@ options {
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone. record will appear in the zone.
</p> </p>
<p>Using the <p>Using the
<span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
configured to allow dynamic updates, by adding an configured to allow dynamic updates, by adding an
<span class="command"><strong>allow-update</strong></span> or <span class="command"><strong>allow-update</strong></span> or
<span class="command"><strong>update-policy</strong></span> statement to the zone <span class="command"><strong>update-policy</strong></span> statement to the zone
configuration. If this has not been done, the configuration will configuration. If this has not been done, the configuration will
fail.</p> fail.</p>
...@@ -1278,14 +1278,14 @@ options { ...@@ -1278,14 +1278,14 @@ options {
<div class="section"><div class="titlepage"><div><div><h3 class="title"> <div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div> <a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div></div>
<p>As with insecure-to-secure conversions, rolling DNSSEC <p>As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the keys can be done in two ways: using a dynamic DNS update, or the
<span class="command"><strong>auto-dnssec</strong></span> zone option.</p> <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title"> <div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div> <a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div></div>
<p> To perform key rollovers via dynamic update, you need to add <p> To perform key rollovers via dynamic update, you need to add
the <code class="filename">K*</code> files for the new keys so that the <code class="filename">K*</code> files for the new keys so that
<span class="command"><strong>named</strong></span> can find them. You can then add the new <span class="command"><strong>named</strong></span> can find them. You can then add the new
DNSKEY RRs via dynamic update. DNSKEY RRs via dynamic update.
<span class="command"><strong>named</strong></span> will then cause the zone to be signed <span class="command"><strong>named</strong></span> will then cause the zone to be signed
with the new keys. When the signing is complete the private type with the new keys. When the signing is complete the private type
records will be updated so that the last octet is non records will be updated so that the last octet is non
...@@ -1299,14 +1299,14 @@ options { ...@@ -1299,14 +1299,14 @@ options {
be able to verify at least one signature when you remove the old be able to verify at least one signature when you remove the old
DNSKEY.</p> DNSKEY.</p>
<p>The old DNSKEY can be removed via UPDATE. Take care to <p>The old DNSKEY can be removed via UPDATE. Take care to
specify the correct key. specify the correct key.
<span class="command"><strong>named</strong></span> will clean out any signatures generated <span class="command"><strong>named</strong></span> will clean out any signatures generated
by the old key after the update completes.</p> by the old key after the update completes.</p>
<div class="section"><div class="titlepage"><div><div><h3 class="title"> <div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div> <a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div></div>
<p>When a new key reaches its activation date (as set by <p>When a new key reaches its activation date (as set by
<span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>), <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
<code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
automatically carry out the key rollover. If the key's algorithm automatically carry out the key rollover. If the key's algorithm
has not previously been used to sign the zone, then the zone will has not previously been used to sign the zone, then the zone will
...@@ -1344,9 +1344,9 @@ options { ...@@ -1344,9 +1344,9 @@ options {
<span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains, <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
and associated NSEC3PARAM records will be removed automatically. and associated NSEC3PARAM records will be removed automatically.
This will take place after the update request completes.</p> This will take place after the update request completes.</p>
<p> This requires the <p> This requires the
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
<strong class="userinput"><code>yes</code></strong> in <strong class="userinput"><code>yes</code></strong> in
<code class="filename">named.conf</code>.</p> <code class="filename">named.conf</code>.</p>
<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span> <p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
zone statement is used, it should be removed or changed to zone statement is used, it should be removed or changed to
...@@ -1364,9 +1364,9 @@ options { ...@@ -1364,9 +1364,9 @@ options {
<p> <p>
<span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT where all the NSEC3 records in the zone have the same OPTOUT
state. state.
<span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3 <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
records in the chain have mixed OPTOUT state. records in the chain have mixed OPTOUT state.
<span class="command"><strong>named</strong></span> does not support changing the OPTOUT <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
state of an individual NSEC3 record, the entire chain needs to be state of an individual NSEC3 record, the entire chain needs to be
changed if the OPTOUT state of an individual NSEC3 needs to be changed if the OPTOUT state of an individual NSEC3 needs to be
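Review bot: "does not support changing the OPTOUT state of an individual NSEC3 record, the entire chain needs to be changed" is a comma splice; split it into two sentences or join with a semicolon. "UPDATES" is also capitalized here while the rollover text above writes "UPDATE"; pick one form in the source.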
...@@ -1376,7 +1376,7 @@ options { ...@@ -1376,7 +1376,7 @@ options {
<div class="titlepage"><div><div><h2 class="title" style="clear: both"> <div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div> <a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust <p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
anchor management. Using this feature allows anchor management. Using this feature allows
<span class="command"><strong>named</strong></span> to keep track of changes to critical <span class="command"><strong>named</strong></span> to keep track of changes to critical
DNSSEC keys without any need for the operator to make changes to DNSSEC keys without any need for the operator to make changes to
configuration files.</p> configuration files.</p>
...@@ -1384,9 +1384,9 @@ options { ...@@ -1384,9 +1384,9 @@ options {
<div class="titlepage"><div><div><h3 class="title"> <div class="titlepage"><div><div><h3 class="title">
<a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div> <a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to <p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>managed-keys</strong></span> statement. Information about <span class="command"><strong>managed-keys</strong></span> statement. Information about
this can be found in this can be found in
<a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
and Usage&#8221;</a>.</p> and Usage&#8221;</a>.</p>
</div> </div>
...@@ -1408,21 +1408,21 @@ options { ...@@ -1408,21 +1408,21 @@ options {
timer has completed, the active KSK can be revoked, and the timer has completed, the active KSK can be revoked, and the
zone can be "rolled over" to the newly accepted key.</p> zone can be "rolled over" to the newly accepted key.</p>
<p>The easiest way to place a stand-by key in a zone is to <p>The easiest way to place a stand-by key in a zone is to
use the "smart signing" features of use the "smart signing" features of
<span class="command"><strong>dnssec-keygen</strong></span> and <span class="command"><strong>dnssec-keygen</strong></span> and
<span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication <span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication