Commit fa2f16db authored by Tinderbox User, committed by Evan Hunt

Merge branch 'prep-release' into security-master

parents a4881490 767a2aef
Pipeline #26000 canceled
--- 9.15.6 released ---
5319. [func] Trust anchors can now be configured using DS 5319. [func] Trust anchors can now be configured using DS
format to represent a key digest, by using the format to represent a key digest, by using the
new "initial-ds" or "static-ds" keywords in new "initial-ds" or "static-ds" keywords in
......
...@@ -4,10 +4,11 @@ Supported platforms ...@@ -4,10 +4,11 @@ Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with system with a C11-compliant C compiler, BSD-style sockets with
RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
cryptography library. Atomic operations support from the compiler is asynchronous I/O library, and the OpenSSL cryptography library. Atomic
needed, either in the form of builtin operations, C11 atomics or the operations support from the compiler is needed, either in the form of
Interlocked family of functions on Windows. builtin operations, C11 atomics, or the Interlocked family of functions on
Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x).
For some of the older systems listed below, you will have to install For some of the older systems listed below, you will have to install
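Review bot: with libuv now named in the first paragraph, the sentence that follows ("BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x)") repeats the requirement and is missing its articles. Suggest folding the version constraint into the new sentence, e.g. "the libuv asynchronous I/O library (version 1.x or later)", and dropping the duplicate, or at least rewording it to "requires a fairly recent version of the libuv library".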
......
...@@ -12,10 +12,10 @@ ...@@ -12,10 +12,10 @@
In general, this version of BIND will build and run on any POSIX-compliant In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library. IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
Atomic operations support from the compiler is needed, either in the form of and the OpenSSL cryptography library. Atomic operations support from the
builtin operations, C11 atomics or the Interlocked family of functions on compiler is needed, either in the form of builtin operations, C11 atomics,
Windows. or the `Interlocked` family of functions on Windows.
BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). For BIND 9.15 requires fairly recent version of libuv library to run (>= 1.x). For
some of the older systems listed below, you will have to install updated libuv some of the older systems listed below, you will have to install updated libuv
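Review bot: same duplication as in the PLATFORMS hunk: the paragraph now names `libuv`, and the next sentence repeats the requirement with the ">= 1.x" constraint and the same missing articles. Keep the version constraint in one place, and fix "requires fairly recent version of libuv library" to "requires a fairly recent version of the libuv library" if the sentence stays.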
......
...@@ -48,7 +48,8 @@ the file HISTORY. ...@@ -48,7 +48,8 @@ the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format. the file CHANGES. See below for details on the CHANGES file format.
For up-to-date versions and release notes, see https://www.isc.org/download/. For up-to-date versions and release notes, see https://www.isc.org/
download/.
For information about supported platforms, see PLATFORMS. For information about supported platforms, see PLATFORMS.
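Review bot: the rewrap splits the URL https://www.isc.org/download/ across two lines ("https://www.isc.org/" followed by "download/"); in a plain-text README that breaks copy-and-paste and auto-linking, and the original line was only marginally over the wrap column. Keep the URL on one line even if it exceeds the column width.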
...@@ -110,25 +111,30 @@ BIND 9.15 features ...@@ -110,25 +111,30 @@ BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a number BIND 9.15 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.14 and earlier releases. New features include: of changes from BIND 9.14 and earlier releases. New features include:
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API * Support for the new GeoIP2 geolocation API
* Improved DNSSEC key configuration using dnssec-keys * Improved DNSSEC trust anchor configuration using dnssec-keys,
permitting configuration of trust anchors in DS as well as DNSKEY
format.
* YAML output for dig, mdig, and delv. * YAML output for dig, mdig, and delv.
Building BIND Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have basic POSIX support, and a 64-bit integer type. BIND also requires the
been observed on many versions of Linux and UNIX, including RHEL/CentOS, libuv asynchronous I/O library, and a cryptography provider library such
Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and requires the libcap library to set process privileges, though this
OpenWRT. requirement can be overridden by disabling capability support at compile
time. See Compile-time options below for details on other libraries that
BIND requires a cryptography provider library such as OpenSSL or a may be required to support optional features.
hardware service module supporting PKCS#11. On Linux, BIND requires the
libcap library to set process privileges, though this requirement can be Successful builds have been observed on many versions of Linux and UNIX,
overridden by disabling capability support at compile time. See including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
Compile-time options below for details on other libraries that may be Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
required to support optional features. HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See win32utils/ BIND is also available for Windows Server 2008 and higher. See win32utils/
build.txt for details on building for Windows systems. build.txt for details on building for Windows systems.
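Review bot: the added feature bullet reads "New new network manager based on libuv." (doubled "New"); it should be "A new network manager based on libuv." While touching the list, the GeoIP2 bullet is the only one without a terminal period, so the bullets are inconsistently punctuated. The reordered build-requirements paragraph otherwise reads well.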
......
...@@ -129,25 +129,29 @@ include: ...@@ -129,25 +129,29 @@ include:
* New "dnssec-policy" statement to configure a key and signing policy * New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover. for zones, enabling automatic key regeneration and rollover.
* A new network manager based on libuv. * New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API * Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using `dnssec-keys` * Improved DNSSEC trust anchor configuration using `dnssec-keys`,
permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`. * YAML output for `dig`, `mdig`, and `delv`.
### <a name="build"/> Building BIND ### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have been basic POSIX support, and a 64-bit integer type. BIND also requires the
observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora, `libuv` asynchronous I/O library, and a cryptography provider library
Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD, such as OpenSSL or a hardware service module supporting PKCS#11. On
OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT. Linux, BIND requires the `libcap` library to set process privileges,
though this requirement can be overridden by disabling capability
BIND requires a cryptography provider library such as OpenSSL or a support at compile time. See [Compile-time options](#opts) below
hardware service module supporting PKCS#11. On Linux, BIND requires for details on other libraries that may be required to support
the `libcap` library to set process privileges, though this requirement optional features.
can be overridden by disabling capability support at compile time.
See [Compile-time options](#opts) below for details on other libraries Successful builds have been observed on many versions of Linux and
that may be required to support optional features. UNIX, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
Slackware, Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris,
OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
BIND is also available for Windows Server 2008 and higher. See BIND is also available for Windows Server 2008 and higher. See
`win32utils/build.txt` for details on building for Windows `win32utils/build.txt` for details on building for Windows
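Review bot: this hunk regresses the network manager bullet from "A new network manager based on libuv." to "New new network manager based on libuv." on the new side; restore the original wording so README and README.md match with the corrected text.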
......
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
dnssec-keygen \- DNSSEC key generation tool dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u .HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name} \fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-d\ \fR\fB\fIbits\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIpolicy\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-l\ \fR\fB\fIfile\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-T\ \fR\fB\fIrrtype\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION" .SH "DESCRIPTION"
.PP .PP
\fBdnssec\-keygen\fR \fBdnssec\-keygen\fR
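Review bot: `-k` changes from a bare flag to `-k policy`, which is a command-line incompatibility for any script that passed the old `-k`; this deserves a release-note or CHANGES entry, and the only CHANGES hunk visible in this diff covers the DS trust-anchor change. The new `-d bits` also overlaps with the existing `-b keysize`, so the synopsis now offers two ways to set the key size; the option text should say how they relate.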
...@@ -109,6 +109,11 @@ option suppresses them\&. ...@@ -109,6 +109,11 @@ option suppresses them\&.
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&. Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE .RE
.PP .PP
\-d \fIbits\fR
.RS 4
Key size in bits\&. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256 and RSASHA512 the key size must be in range 1024\-4096\&. DH size is between 128 and 4096\&. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448\&.
.RE
.PP
\-E \fIengine\fR \-E \fIengine\fR
.RS 4 .RS 4
Specifies the cryptographic hardware to use, when applicable\&. Specifies the cryptographic hardware to use, when applicable\&.
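Review bot: "NSEC3RSASA1" is a typo for NSEC3RSASHA1 (the same text appears in the HTML rendering later in this diff, so fix the DocBook source). "must be in range 1024-4096" should read "must be in the range 1024-4096", and "DH size is between 128 and 4096" is looser than the RSA sentence; use the same "must be in the range" phrasing for both. Since `-b keysize` already sets the key size, this entry should also state which option takes precedence when both are given.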
...@@ -142,6 +147,17 @@ Prints a short summary of the options and arguments to ...@@ -142,6 +147,17 @@ Prints a short summary of the options and arguments to
Sets the directory in which the key files are to be written\&. Sets the directory in which the key files are to be written\&.
.RE .RE
.PP .PP
\-k \fIpolicy\fR
.RS 4
Create keys for a specific dnssec\-policy\&. If a policy uses multiple keys,
\fBdnssec\-keygen\fR
will generate multiple keys\&. This will also create a "\&.state" file to keep track of the key state\&.
.sp
This option creates keys according to the dnssec\-policy configuration, hence it cannot be used together with many of the other options that
\fBdnssec\-keygen\fR
provides\&.
.RE
.PP
\-L \fIttl\fR \-L \fIttl\fR
.RS 4 .RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
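Review bot: "cannot be used together with many of the other options" is too vague for a reference page; list the options that are rejected when `-k` is given (or state that algorithm, key size, and timing values are taken from the policy), so a user can predict the error before running the command. The ".state" file sentence should also say where that file is written, presumably alongside the .key and .private files in the `-K` directory, if that is the behaviour.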
...@@ -151,6 +167,12 @@ none ...@@ -151,6 +167,12 @@ none
is the same as leaving it unset\&. is the same as leaving it unset\&.
.RE .RE
.PP .PP
\-l \fIfile\fR
.RS 4
Provide a configuration file that contains a dnssec\-policy statement (matching the policy set with
\fB\-k\fR)\&.
.RE
.PP
\-n \fInametype\fR \-n \fInametype\fR
.RS 4 .RS 4
Specifies the owner type of the key\&. The value of Specifies the owner type of the key\&. The value of
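Review bot: the `-l file` entry does not say what happens when `-k policy` is given without `-l`. If a default configuration file is read in that case, document the default path; if `-l` is mandatory with `-k`, say so in both entries so the requirement is discoverable from either one.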
......
...@@ -41,6 +41,7 @@ ...@@ -41,6 +41,7 @@
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>bits</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-G</code>] [<code class="option">-G</code>]
...@@ -49,8 +50,9 @@ ...@@ -49,8 +50,9 @@
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>] [<code class="option">-k <em class="replaceable"><code>policy</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>file</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
...@@ -59,6 +61,7 @@ ...@@ -59,6 +61,7 @@
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>] [<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
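Review bot: `-T rrtype` is added to the synopsis here and in the man page, but no description for it appears in the OPTIONS hunks of this diff (only `-d`, `-k`, and `-l` get new entries); make sure the option list documents it, otherwise the synopsis advertises an option the page never explains.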
...@@ -168,6 +171,15 @@ ...@@ -168,6 +171,15 @@
the specified class. If not specified, class IN is used. the specified class. If not specified, class IN is used.
</p> </p>
</dd> </dd>
<dt><span class="term">-d <em class="replaceable"><code>bits</code></em></span></dt>
<dd>
<p>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt> <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd> <dd>
<p> <p>
...@@ -218,6 +230,21 @@ ...@@ -218,6 +230,21 @@
Sets the directory in which the key files are to be written. Sets the directory in which the key files are to be written.
</p> </p>
</dd> </dd>
<dt><span class="term">-k <em class="replaceable"><code>policy</code></em></span></dt>
<dd>
<p>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <span class="command"><strong>dnssec-keygen</strong></span> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</p>
<p>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <span class="command"><strong>dnssec-keygen</strong></span>
provides.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt> <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd> <dd>
<p> <p>
...@@ -231,6 +258,13 @@ ...@@ -231,6 +258,13 @@
or <code class="literal">none</code> is the same as leaving it unset. or <code class="literal">none</code> is the same as leaving it unset.
</p> </p>
</dd> </dd>
<dt><span class="term">-l <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <span class="command"><strong>-k</strong></span>).
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd> <dd>
<p> <p>
......
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
dnssec-settime \- set the key timing metadata for a DNSSEC key dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u .HP \w'\fBdnssec\-settime\fR\ 'u
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile} \fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-s\fR] [\fB\-g\ \fR\fB\fIstate\fR\fR] [\fB\-d\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] [\fB\-z\ \fR\fB\fIstate\fR\fR\fB\ \fR\fB\fIdate/offset\fR\fR] {keyfile}
.SH "DESCRIPTION" .SH "DESCRIPTION"
.PP .PP
\fBdnssec\-settime\fR \fBdnssec\-settime\fR
...@@ -59,7 +59,25 @@ simply prints the key timing metadata already stored in the key\&. ...@@ -59,7 +59,25 @@ simply prints the key timing metadata already stored in the key\&.
.PP .PP
When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key When key metadata fields are changed, both files of a key pair (Knnnn\&.+aaa+iiiii\&.key
and and
Knnnn\&.+aaa+iiiii\&.private) are regenerated\&. Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&. Knnnn\&.+aaa+iiiii\&.private) are regenerated\&.
.PP
Metadata fields are stored in the private file\&. A human\-readable description of the metadata is also placed in comments in the key file\&. The private file\*(Aqs permissions are always set to be inaccessible to anyone other than the owner (mode 0600)\&.
.PP
When working with state files, it is possible to update the timing metadata in those files as well with
\fB\-s\fR\&. If this option is used you can also update key states with
\fB\-d\fR
(DS),
\fB\-k\fR
(DNSKEY),
\fB\-r\fR
(RRSIG of KSK), or
\fB\-z\fR
(RRSIG of ZSK)\&. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE\&.
.PP
You can also set the goal state of the key with
\fB\-g\fR\&. This should be either HIDDEN or OMNIPRESENT (representing whether the key should be removed from the zone, or published)\&.
.PP
It is NOT RECOMMENDED to manipulate state files manually except for testing purposes\&.
.SH "OPTIONS" .SH "OPTIONS"
.PP .PP
\-f \-f
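Review bot: the relationship between `-s` and the state options is ambiguous: "If this option is used you can also update key states with -d ..." reads as though `-d`, `-k`, `-r`, `-z` and `-g` require `-s`, while the `-s` entry only says "also update the state file". State explicitly whether the state options imply `-s` or are rejected without it. The paragraph also introduces HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE without saying what they mean; a one-line gloss per state, or a pointer to the dnssec-policy section of the ARM, would help readers meeting these names for the first time.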
...@@ -156,6 +174,39 @@ If the key is being set to be an explicit successor to another key, then the def ...@@ -156,6 +174,39 @@ If the key is being set to be an explicit successor to another key, then the def
.sp .sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&. As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE .RE
.SH "KEY STATE OPTIONS"
.PP
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE\&. These should not be set manually except for testing purposes\&.
.PP
\-s
.RS 4
When setting key timing data, also update the state file\&.
.RE
.PP
\-g
.RS 4
Set the goal state for this key\&. Must be HIDDEN or OMNIPRESENT\&.
.RE
.PP
\-d
.RS 4
Set the DS state for this key, and when it was last changed\&.
.RE
.PP
\-k
.RS 4
Set the DNSKEY state for this key, and when it was last changed\&.
.RE
.PP
\-r
.RS 4
Set the RRSIG (KSK) state for this key, and when it was last changed\&.
.RE
.PP
\-z
.RS 4
Set the RRSIG (ZSK) state for this key, and when it was last changed\&.
.RE
.SH "PRINTING OPTIONS" .SH "PRINTING OPTIONS"
.PP .PP
\fBdnssec\-settime\fR \fBdnssec\-settime\fR
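Review bot: the KEY STATE OPTIONS entries list bare `-g`, `-d`, `-k`, `-r` and `-z`, while the synopsis gives `-g state` and `-d state date/offset` and so on; add the argument placeholders to each term so the entry shows what it expects, and say that the date/offset argument uses the same syntax as the timing options above. Note also that `-d` and `-k` now mean different things in dnssec-settime (DS and DNSKEY state) and in dnssec-keygen (`-d bits`, `-k policy`); since the two tools are used together, a short cross-reference would avoid confusion.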
......
...@@ -49,6 +49,12 @@ ...@@ -49,6 +49,12 @@
[<code class="option">-V</code>] [<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-s</code>]
[<code class="option">-g <em class="replaceable"><code>state</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-z <em class="replaceable"><code>state</code></em> <em class="replaceable"><code>date/offset</code></em></code>]
{keyfile} {keyfile}
</p></div> </p></div>
</div> </div>
...@@ -74,11 +80,30 @@ ...@@ -74,11 +80,30 @@
When key metadata fields are changed, both files of a key When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated. <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
</p>
<p>
Metadata fields are stored in the private file. A human-readable Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600). inaccessible to anyone other than the owner (mode 0600).
</p> </p>
<p>
When working with state files, it is possible to update the timing
metadata in those files as well with <code class="option">-s</code>. If this
option is used you can also update key states with <code class="option">-d</code>
(DS), <code class="option">-k</code> (DNSKEY), <code class="option">-r</code> (RRSIG of KSK),
or <code class="option">-z</code> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</p>
<p>
You can also set the goal state of the key with <code class="option">-g</code>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</p>
<p>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</p>
</div> </div>
<div class="refsection"> <div class="refsection">
...@@ -262,7 +287,57 @@ ...@@ -262,7 +287,57 @@
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.10"></a><h2>PRINTING OPTIONS</h2> <a name="id-1.10"></a><h2>KEY STATE OPTIONS</h2>
<p>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-s</span></dt>
<dd>
<p>
When setting key timing data, also update the state file.
</p>
</dd>
<dt><span class="term">-g</span></dt>
<dd>
<p>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Set the DS state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Set the DNSKEY state for this key, and when it was last changed.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>PRINTING OPTIONS</h2>
<p> <p>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
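Review bot: inserting the KEY STATE OPTIONS section renumbers the generated anchors, so PRINTING OPTIONS moves from `id-1.10` to `id-1.11` and SEE ALSO from `id-1.11` to `id-1.12`; any existing link to `#id-1.10` on the published page now lands on the wrong section. If these pages are published, consider giving the sections explicit stable ids in the DocBook source rather than relying on generated numbering. The `<dt>` terms here also lack the `state` and `date/offset` placeholders shown in the synopsis, the same issue as in the man page.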
...@@ -298,7 +373,7 @@ ...@@ -298,7 +373,7 @@
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2> <a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"> <p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8) <span class="refentrytitle">dnssec-keygen</span>(8)
......
...@@ -10,12 +10,12 @@ ...@@ -10,12 +10,12 @@
.\" Title: named.conf .\" Title: named.conf
.\" Author: .\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-08-07 .\" Date: 2019-08-12
.\" Manual: BIND9 .\" Manual: BIND9
.\" Source: ISC .\" Source: ISC
.\" Language: English .\" Language: English
.\" .\"
.TH "NAMED\&.CONF" "5" "2019\-08\-07" "ISC" "BIND9" .TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
...@@ -104,7 +104,8 @@ dlz \fIstring\fR { ...@@ -104,7 +104,8 @@ dlz \fIstring\fR {
.\} .\}
.nf .nf
dnssec\-keys { \fIstring\fR ( static\-key | dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR initial\-key | static\-ds | initial\-ds )
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; \fIquoted_string\fR; \&.\&.\&. };
.fi .fi
.if n \{\ .if n \{\
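Review bot: the grammar now lists `static-ds | initial-ds` beside `static-key | initial-key` with a single `integer integer integer quoted_string` tail, but the fields mean different things per form: for the key forms they are the DNSKEY flags, protocol and algorithm followed by the base64 public key, while for the DS forms they are the key tag, algorithm and digest type followed by the hex digest. The grammar line cannot express that, so the dnssec-keys description in named.conf(5) and the ARM should spell out the field meanings for each form, and ideally show one example of each.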
...@@ -170,9 +171,9 @@ Deprecated \- see DNSSEC\-KEYS\&. ...@@ -170,9 +171,9 @@ Deprecated \- see DNSSEC\-KEYS\&.
.\} .\}
.nf .nf
managed\-keys { \fIstring\fR ( static\-key managed\-keys { \fIstring\fR ( static\-key
| initial\-key ) \fIinteger\fR | initial\-key | static\-ds |
\fIinteger\fR \fIinteger\fR initial\-ds ) \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi .fi
.if n \{\ .if n \{\
.RE .RE
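Review bot: this extends the `managed-keys` grammar, which is marked "deprecated - see DNSSEC-KEYS", with the new `static-ds` and `initial-ds` keywords. That is consistent if `managed-keys` is an alias for `dnssec-keys`, but adding new syntax to a deprecated statement without saying so invites users to keep using it; a sentence in the description noting that the DS forms are documented only under dnssec-keys would keep the deprecation message clear.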
...@@ -230,7 +231,7 @@ options { ...@@ -230,7 +231,7 @@ options {
[ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [ port
\fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [ \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. }; in\-memory \fIboolean\fR ] [ min\-update\-interval \fIduration\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore ); check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
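Review bot: `min-update-interval` changes type from `ttlval` to `duration` in the generated grammar. If `duration` accepts a wider syntax than `ttlval` (for example ISO 8601 durations in addition to TTL-style values), the option's description should say so and a CHANGES entry should mention it; no such entry is visible in this diff, and the rename is otherwise easy to miss in a generated file.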