.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: named-checkzone.8,v 1.38 2007/01/30 00:24:59 marka Exp $
.\" $Id: named-checkzone.8,v 1.39 2007/05/09 03:33:50 marka Exp $
.\"
.hy 0
.ad l
...
...
@@ -82,7 +82,7 @@ Specify the class of the zone. If not specified "IN" is assumed.
.PP
\-i \fImode\fR
.RS 4
Perform postload zone integrity checks. Possible modes are
Perform post\-load zone integrity checks. Possible modes are
\fB"full"\fR
(default),
\fB"full\-sibling"\fR,
...
...
@@ -105,7 +105,7 @@ only checks SRV records which refer to in\-zone hostnames.
.sp
Mode
\fB"full"\fR
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue addresses records in the zone match those advertised by the child. Mode
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
\fB"local"\fR
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
.sp
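Review bot: In the "full" mode description, the corrected sentence still reads "delegation NS records refer to A or AAAA record" in the singular. Since this line is already being touched for "glue address records", change it to "refer to A or AAAA records". The "local" sentence that follows ("or that some required glue exists, that is when the nameserver is in a child zone") is also hard to parse and could be split in two.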
...
...
@@ -213,7 +213,7 @@ Check if a SRV record refers to a CNAME. Possible modes are
.PP
\-t \fIdirectory\fR
.RS 4
chroot to
Chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dig.1,v 1.42 2007/01/30 00:24:59 marka Exp $
.\" $Id: dig.1,v 1.43 2007/05/09 03:33:50 marka Exp $
.\"
.hy 0
.ad l
...
...
@@ -50,7 +50,7 @@ Although
\fBdig\fR
is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
\fB\-h\fR
option is given. Unlike earlier versions, the BIND9 implementation of
option is given. Unlike earlier versions, the BIND9 implementation of
\fBdig\fR
allows multiple lookups to be issued from the command line.
.PP
...
...
@@ -135,7 +135,7 @@ The
option makes
\fBdig \fR
operate in batch mode by reading a list of lookup requests to process from the file
\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to
\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface.
.PP
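Review bot: The respelled sentence in the batch-mode paragraph still mixes singular and plural: "Each entry in the file should be organized in the same way they would be presented". Suggest "in the same way it would be presented". The context line "\fBdig \fR" also carries a trailing space inside the bold span, which could be cleaned up in the same pass.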
...
...
@@ -160,7 +160,7 @@ to only use IPv6 query transport.
The
\fB\-t\fR
option sets the query type to
\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the
\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
\fItype\fR
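Review bot: The \-t line touched here still lacks a verb: "The default query type "A", unless the". Suggest "The default query type is "A", unless the". The old and new versions of the line look identical in this view, so the change appears to be whitespace only and the wording fix would fit in the same edit.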
...
...
@@ -171,11 +171,11 @@ ixfr=N. The incremental zone transfer will contain the changes made to the zone
The
\fB\-q\fR
option sets the query name to
\fIname\fR. This useful do distingish the
\fIname\fR. This useful do distinguish the
\fIname\fR
from other arguments.
.PP
Reverse lookups \- mapping addresses to names \- are simplified by the
Reverse lookups \(em mapping addresses to names \(em are simplified by the
\fB\-x\fR
option.
\fIaddr\fR
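Review bot: The \-q description fixes "distingish" but leaves "This useful do distinguish the", which is still ungrammatical. Suggest "This is useful to distinguish the \fIname\fR from other arguments".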
...
...
@@ -228,7 +228,7 @@ to negate the meaning of that keyword. Other keywords assign values to options l
.PP
\fB+[no]tcp\fR
.RS 4
Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
.RE
.PP
\fB+[no]vc\fR
...
...
@@ -354,7 +354,7 @@ Toggle the display of comment lines in the output. The default is to print comme
.PP
\fB+[no]stats\fR
.RS 4
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
.RE
.PP
\fB+[no]qr\fR
...
...
@@ -391,7 +391,7 @@ Set or clear all display flags.
.RS 4
Sets the timeout for a query to
\fIT\fR
seconds. The default timeout is 5 seconds. An attempt to set
seconds. The default timeout is 5 seconds. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied.
.RE
...
...
@@ -451,7 +451,7 @@ output.
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
.RE
.PP
\fB+[no]besteffort\fR
...
...
@@ -487,7 +487,7 @@ Requires dig be compiled with \-DDIG_SIGCHASE.
.PP
\fB+[no]topdown\fR
.RS 4
When chasing DNSSEC signature chains perform a topdown validation. Requires dig be compiled with \-DDIG_SIGCHASE.
When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: host.1,v 1.27 2007/01/30 00:24:59 marka Exp $
.\" $Id: host.1,v 1.28 2007/05/09 03:33:50 marka Exp $
.\"
.hy 0
.ad l
...
...
@@ -130,7 +130,7 @@ makes. This should mean that the name server receiving the query will not attemp
\fB\-r\fR
option enables
\fBhost\fR
to mimic the behaviour of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
.PP
By default
\fBhost\fR
...
...
@@ -152,7 +152,7 @@ The
\fB\-t\fR
option is used to select the query type.
\fItype\fR
can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
\fBhost\fR
automatically selects an appropriate query type. By default it looks for A records, but if the
\fB\-C\fR
...
...
@@ -185,7 +185,7 @@ The
option tells
\fBhost\fR
\fInot\fR
to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behaviour.
to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
...
...
@@ -147,7 +147,7 @@ is the numeric representation of the algorithm.
is the key identifier (or footprint).
.PP
\fBdnssec\-keygen\fR
creates two file, with names based on the printed string.
creates two files, with names based on the printed string.
\fIKnnnn.+aaa+iiiii.key\fR
contains the public key, and
\fIKnnnn.+aaa+iiiii.private\fR
...
...
@@ -159,13 +159,13 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o
.PP
The
\fI.private\fR
file contains algorithmspecific fields. For obvious security reasons, this file does not have general read permission.
file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
.PP
Both
\fI.key\fR
and
\fI.private\fR
files are generated for symmetric encryption algorithm such as HMAC\-MD5, even though the public and private key are equivalent.
files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent.
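Review bot: The last paragraph of this hunk still calls HMAC\-MD5 a "symmetric encryption algorithm"; HMAC is a keyed message authentication code, not encryption, so "shared\-secret algorithms such as HMAC\-MD5" would be accurate. The preceding paragraph says only the \fI.private\fR file lacks general read permission, yet this one states that the public and private key are equivalent for HMAC\-MD5. The page should say whether the \fI.key\fR file is restricted as well in that case, since by this description it holds the same secret.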
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.44 2007/01/30 00:24:59 marka Exp $
.\" $Id: dnssec-signzone.8,v 1.45 2007/05/09 03:33:50 marka Exp $
.\"
.hy 0
.ad l
...
...
@@ -95,7 +95,7 @@ is specified, 30 days from the start time is used as a default.
.RS 4
The name of the output file containing the signed zone. The default is to append
\fI.signed\fR
to the input file.
to the input filename.
.RE
.PP
\-h
...
...
@@ -106,7 +106,7 @@ Prints a short summary of the options and arguments to
.PP
\-i \fIinterval\fR
.RS 4
When a previouslysigned zone is passed as input, records may be resigned. The
When a previously\-signed zone is passed as input, records may be resigned. The
\fBinterval\fR
option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
.sp
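Review bot: In the \-i description, "records may be resigned" now sits next to the newly hyphenated "previously\-signed" and reads ambiguously. Suggest "re\-signed" so the two terms are consistent.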
...
...
@@ -129,7 +129,7 @@ The format of the input zone file. Possible formats are
.PP
\-j \fIjitter\fR
.RS 4
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previouslysigned zone is passed as input to the signer, all expired signatures has to be regenerated at about the same time. The
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
\fBjitter\fR
option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
.sp
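Review bot: The \-j paragraph fixes "has to be regenerated" but leaves the same agreement error one sentence earlier: "all RRSIG records issued at the time of signing expires simultaneously" should read "expire simultaneously". "signature expire time" later in the hunk would also read better as "signature expiry time".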
...
...
@@ -219,29 +219,44 @@ The file containing the zone to be signed.
.PP
key
.RS 4
The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
.RE
.SH "EXAMPLE"
.PP
The following command signs the
\fBexample.com\fR
zone with the DSA key generated in the
zone with the DSA key generated by
\fBdnssec\-keygen\fR
man page. The zone's keys must be in the zone. If there are
(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
\fIkeyset\fR
files associated with child zones, they must be in the current directory.
\fBexample.com\fR, the following command would be issued:
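Review bot: The new "key" description says what happens when apex DNSKEY records and matching private keys are found, but not what happens when they are not. State what the tool does in that case, so an operator knows whether a missing private key is reported or silently skipped. The commas in "matching private keys, in the current directory, then" also split the clause and can be dropped: "matching private keys in the current directory".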