Commit e9c93169 authored by Tinderbox User's avatar Tinderbox User Committed by Evan Hunt
Browse files

Merge branch 'prep-release' into v9_12

parents 50e0734a c798c983
--- 9.12.4rc1 released ---
5166. [port] openbsd: Threads are now enabled by default. [GL !1548]
5164. [bug] Correct errno to result translation in dlz filesystem
......
......@@ -151,6 +151,12 @@ correcting faulty documentation and introducing the following new feature:
statements allow updating of subdomains based on a Kerberos or Active
Directory machine principal.
BIND 9.12.4
BIND 9.12.4 is a maintenance release, and addresses the security
vulnerabilities disclosed in CVE-2018-5744, CVE-2018-5745, and
CVE-2019-6465.
Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
......
......@@ -169,6 +169,12 @@ feature:
statements allow updating of subdomains based on a Kerberos or
Active Directory machine principal.
#### BIND 9.12.4
BIND 9.12.4 is a maintenance release, and addresses the security
vulnerabilities disclosed in CVE-2018-5744, CVE-2018-5745, and
CVE-2019-6465.
### <a name="build"/> Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
......
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -136,5 +136,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......
.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -155,5 +155,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -217,5 +217,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......
.\" Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -437,5 +437,5 @@ RFC5155\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......
.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -74,7 +74,9 @@ will perform an NS query for "\&." (the root)\&.
It is possible to set per\-user defaults for
\fBdig\fR
via
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
\fB\-r\fR
option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
......@@ -208,6 +210,12 @@ The domain name to query\&. This is useful to distinguish the
from other arguments\&.
.RE
.PP
\-r
.RS 4
Do not read options from
${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
.RE
.PP
\-t \fItype\fR
.RS 4
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
......@@ -468,12 +476,16 @@ option is enabled\&. If short form answers are requested, the default is not to
.PP
\fB+[no]idnin\fR
.RS 4
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
......@@ -806,5 +818,5 @@ There are probably too many query options\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -106,9 +106,10 @@
<p>
It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
<code class="filename">${HOME}/.digrc</code>. This file is read and
any options in it
are applied before the command line arguments.
<code class="filename">${HOME}/.digrc</code>. This file is read and any
options in it are applied before the command line arguments.
The <code class="option">-r</code> option disables this feature, for
scripts that need predictable behaviour.
</p>
<p>
......@@ -274,6 +275,13 @@
the <em class="parameter"><code>name</code></em> from other arguments.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Do not read options from <code class="filename">${HOME}/.digrc</code>.
This is useful for scripts that need predictable behaviour.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
......@@ -631,7 +639,13 @@
<p>
Process [do not process] IDN domain names on input.
This requires IDN SUPPORT to have been enabled at
compile time. The default is to process IDN input.
compile time.
</p>
<p>
The default is to process IDN input when standard output
is a tty. The IDN processing on input is disabled when
dig output is redirected to files, pipes, and other
non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
......@@ -639,7 +653,13 @@
<p>
Convert [do not convert] puny code on output.
This requires IDN SUPPORT to have been enabled at
compile time. The default is to convert output.
compile time.
</p>
<p>
The default is to process puny code on output when
standard output is a tty. The puny code processing on
output is disabled when dig output is redirected to
files, pipes, and other non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
......
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -274,5 +274,5 @@ runs\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......
.\" Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -277,6 +277,17 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
.PP
\fBnslookup\fR
returns with an exit status of 1 if any query failed, and 0 otherwise\&.
.SH "IDN SUPPORT"
.PP
If
\fBnslookup\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBnslookup\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBnslookup\fR
runs or when the standard output is not a tty\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
......@@ -290,5 +301,5 @@ returns with an exit status of 1 if any query failed, and 0 otherwise\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004-2007, 2010, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -362,14 +362,31 @@ nslookup -query=hinfo -timeout=10
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
a tty.
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<a name="id-1.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
......
.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\
.sp
The
\fIalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
must be one of SHA\-1, SHA\-256, SHA\-384, or GOST\&. These values are case insensitive, and hyphens may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
......@@ -293,5 +293,5 @@ RFC 7344\&.
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -129,9 +129,9 @@
record. This option has no effect when using CDS records.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1,
SHA-256, SHA-384, or GOST. These values are case insensitive,
and hyphens may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
......
.\" Copyright (C) 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
......@@ -39,61 +39,103 @@
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-dsfromkey\fR
outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
\fB\-l\fR
option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
\fB\-C\fR
it outputs CDS (Child DS) RRs\&.
.PP
The input keys can be specified in a number of ways:
.PP
By default,
\fBdnssec\-dsfromkey\fR
reads a key file named like
Knnnn\&.+aaa+iiiii\&.key, as generated by
\fBdnssec\-keygen\fR\&.
.PP
With the
\fB\-f \fR\fB\fIfile\fR\fR
option,
\fBdnssec\-dsfromkey\fR
reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
.PP
With the
\fB\-s\fR
option,
\fBdnssec\-dsfromkey\fR
reads a
keyset\-
file, as generated by
\fBdnssec\-keygen\fR\fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
An abbreviation for
\fB\-a SHA1\fR
.RE
.PP
\-2
.RS 4
Use SHA\-256 as the digest algorithm\&.
An abbreviation for
\fB\-a SHA\-256\fR
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Select the digest algorithm\&. The value of
\fBalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&.
Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-C
\-A
.RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-T \fITTL\fR
\-c \fIclass\fR
.RS 4
Specifies the TTL of the DS records\&.
Specifies the DNS class (default is IN)\&. Useful only in
\fB\-s\fR
keyset or
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-K \fIdirectory\fR
\-C
.RS 4
Look for key files (or, in keyset mode,
keyset\-
files) in
\fBdirectory\fR\&.
Generate CDS records rather than DS records\&. This is mutually exclusive with the
\fB\-l\fR
option for generating DLV records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
Zone file mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fBfile\fR
is set to
\fIfile\fR
is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
......@@ -101,26 +143,41 @@ command as input, as in:
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-A
\-h
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
Prints usage information\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fBdomain\fR
is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
\fIdomain\fR
is appended to the name for each record in the set\&. This is mutually exclusive with the
\fB\-C\fR
option for generating CDS records\&.
.RE
.PP
\-s
.RS 4
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
Keyset mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name used to locate a
keyset\-
file\&.
.RE
.PP
\-c \fIclass\fR
\-T \fITTL\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
......@@ -128,11 +185,6 @@ Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mo
Sets the debugging level\&.
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
......@@ -141,16 +193,16 @@ Prints version information\&.
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, the following command would be issued:
keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
.SH "FILES"
.PP
The keyfile can be designed by the key identification
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
......@@ -170,13 +222,20 @@ A keyfile error can give a "file not found" even if the file exists\&.
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658,
RFC 4431\&.
RFC 4509\&.
RFC 3658
(DS RRs),
RFC 4431
(DLV RRs),
RFC 4509
(SHA\-256 for DS RRs),
RFC 6605
(SHA\-384 for DS RRs),