Commit fdd80e9a authored by Automatic Updater's avatar Automatic Updater
Browse files

regen

parent 948e3941
......@@ -12,48 +12,50 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: isc-hmac-fixup.8,v 1.2 2010/01/07 23:48:53 tbox Exp $
.\" $Id: isc-hmac-fixup.8,v 1.3 2010/01/08 01:14:07 tbox Exp $
.\"
.hy 0
.ad l
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "ISC-HMAC-FIXUP" 1 "January 5, 2010" "" ""
.SH NAME
isc-hmac-fixup \- fixes HMAC keys generated by older versions of BIND
.\" Title: isc\-hmac\-fixup
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: January 5, 2010
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "ISC\-HMAC\-FIXUP" "1" "January 5, 2010" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
isc\-hmac\-fixup \- fixes HMAC keys generated by older versions of BIND
.SH "SYNOPSIS"
.HP 15
\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}
.SH "DESCRIPTION"
.PP
Versions of BIND 9 up to and including BIND 9\&.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i\&.e\&., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations\&.
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations.
.PP
This bug has been fixed in BIND 9\&.7\&. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys\&. \fBisc\-hmac\-fixup\fR modifies those keys to restore compatibility\&.
This bug has been fixed in BIND 9.7. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys.
\fBisc\-hmac\-fixup\fR
modifies those keys to restore compatibility.
.PP
To modify a key, run \fBisc\-hmac\-fixup\fR and specify the key's algorithm and secret on the command line\&. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret\&. (If the secret did not require conversion, then it will be printed without modification\&.)
To modify a key, run
\fBisc\-hmac\-fixup\fR
and specify the key's algorithm and secret on the command line. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret. (If the secret did not require conversion, then it will be printed without modification.)
.SH "SECURITY CONSIDERATIONS"
.PP
Secrets that have been converted by \fBisc\-hmac\-fixup\fR are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security\&. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength\&."
Secrets that have been converted by
\fBisc\-hmac\-fixup\fR
are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength."
.SH "SEE ALSO"
.PP
BIND 9 Administrator Reference Manual, RFC 2104\&.
BIND 9 Administrator Reference Manual,
RFC 2104.
.SH "AUTHOR"
.PP
Internet Systems Consortium
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2010 Internet Systems Consortium, Inc. ("ISC")
.br
......@@ -14,12 +14,12 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: isc-hmac-fixup.html,v 1.2 2010/01/07 23:48:53 tbox Exp $ -->
<!-- $Id: isc-hmac-fixup.html,v 1.3 2010/01/08 01:14:07 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
......@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id215034"></a><h2>DESCRIPTION</h2>
<a name="id2543351"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
......@@ -58,7 +58,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215065"></a><h2>SECURITY CONSIDERATIONS</h2>
<a name="id2543374"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
......@@ -69,14 +69,14 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215080"></a><h2>SEE ALSO</h2>
<a name="id2543388"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215096"></a><h2>AUTHOR</h2>
<a name="id2543405"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
......
<!--
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch01.html,v 1.47 2009/07/11 01:12:46 tbox Exp $ -->
<!-- $Id: Bv9ARM.ch01.html,v 1.48 2010/01/08 01:14:07 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -45,17 +45,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563412">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564391">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564531">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564712">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564733">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564768">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567173">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567250">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567422">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567553">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
......@@ -71,7 +71,7 @@
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2563409"></a>Scope of Document</h2></div></div></div>
<a name="id2563412"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
......@@ -87,7 +87,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564388"></a>Organization of This Document</h2></div></div></div>
<a name="id2564391"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
......@@ -116,7 +116,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564528"></a>Conventions Used in This Document</h2></div></div></div>
<a name="id2564531"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
......@@ -243,7 +243,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564641"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<a name="id2564712"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
......@@ -253,7 +253,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564662"></a>DNS Fundamentals</h3></div></div></div>
<a name="id2564733"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
......@@ -275,7 +275,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564696"></a>Domains and Domain Names</h3></div></div></div>
<a name="id2564768"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
......@@ -321,7 +321,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567170"></a>Zones</h3></div></div></div>
<a name="id2567173"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
......@@ -374,7 +374,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567246"></a>Authoritative Name Servers</h3></div></div></div>
<a name="id2567250"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
......@@ -391,7 +391,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567270"></a>The Primary Master</h4></div></div></div>
<a name="id2567273"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
......@@ -411,7 +411,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567300"></a>Slave Servers</h4></div></div></div>
<a name="id2567303"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
......@@ -427,7 +427,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567389"></a>Stealth Servers</h4></div></div></div>
<a name="id2567393"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
......@@ -462,7 +462,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567419"></a>Caching Name Servers</h3></div></div></div>
<a name="id2567422"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
......@@ -489,7 +489,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567523"></a>Forwarding</h4></div></div></div>
<a name="id2567526"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
......@@ -516,7 +516,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567549"></a>Name Servers in Multiple Roles</h3></div></div></div>
<a name="id2567553"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
......
<!--
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch02.html,v 1.41 2009/07/11 01:12:46 tbox Exp $ -->
<!-- $Id: Bv9ARM.ch02.html,v 1.42 2010/01/08 01:14:07 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -45,16 +45,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567584">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567610">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567623">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567854">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567865">Supported Operating Systems</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567587">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567613">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567626">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567721">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567732">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567584"></a>Hardware requirements</h2></div></div></div>
<a name="id2567587"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
......@@ -73,7 +73,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567610"></a>CPU Requirements</h2></div></div></div>
<a name="id2567613"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
......@@ -84,7 +84,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567623"></a>Memory Requirements</h2></div></div></div>
<a name="id2567626"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
......@@ -107,7 +107,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567854"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<a name="id2567721"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
......@@ -124,7 +124,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567865"></a>Supported Operating Systems</h2></div></div></div>
<a name="id2567732"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number
......
<!--
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch03.html,v 1.77 2009/10/12 23:15:32 tbox Exp $ -->
<!-- $Id: Bv9ARM.ch03.html,v 1.78 2010/01/08 01:14:07 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -47,14 +47,14 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567897">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567913">An Authoritative-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567764">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567780">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568004">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568007">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568361">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570124">Signals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568366">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570128">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
......@@ -68,7 +68,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567897"></a>A Caching-only Name Server</h3></div></div></div>
<a name="id2567764"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
......@@ -98,7 +98,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567913"></a>An Authoritative-only Name Server</h3></div></div></div>
<a name="id2567780"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
......@@ -146,7 +146,7 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568004"></a>Load Balancing</h2></div></div></div>
<a name="id2568007"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
......@@ -289,10 +289,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568358"></a>Name Server Operations</h2></div></div></div>
<a name="id2568361"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568363"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<a name="id2568366"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
......@@ -786,7 +786,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570124"></a>Signals</h3></div></div></div>
<a name="id2570128"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
......
<!--
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch04.html,v 1.103 2009/11/11 01:14:42 tbox Exp $ -->
<!-- $Id: Bv9ARM.ch04.html,v 1.104 2010/01/08 01:14:07 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -49,29 +49,29 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570568">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570654">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570571">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570658">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571088">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571229">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571240">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571345">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571539">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571588">Errors</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571091">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571233">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571348">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571542">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571591">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571602">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571651">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571605">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571654">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571719">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571798">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571879">Configuring Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571722">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572061">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572065">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572328">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572349">Address to Name Lookups Using Nibble Format</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572331">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572353">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
......@@ -224,7 +224,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570568"></a>Split DNS</h2></div></div></div>
<a name="id2570571"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
......@@ -254,7 +254,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570654"></a>Example split DNS setup</h3></div></div></div>
<a name="id2570658"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
......@@ -511,7 +511,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571088"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<a name="id2571091"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
......@@ -519,7 +519,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571105"></a>Automatic Generation</h4></div></div></div>
<a name="id2571108"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
......@@ -543,7 +543,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571211"></a>Manual Generation</h4></div></div></div>
<a name="id2571214"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
......@@ -558,7 +558,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571229"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<a name="id2571233"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
......@@ -566,7 +566,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571240"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<a name="id2571243"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
......@@ -593,7 +593,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571345"></a>Instructing the Server to Use the Key</h3></div></div></div>
<a name="id2571348"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
......@@ -625,7 +625,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571539"></a>TSIG Key Based Access Control</h3></div></div></div>
<a name="id2571542"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
......@@ -652,7 +652,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571588"></a>Errors</h3></div></div></div>
<a name="id2571591"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
......@@ -678,7 +678,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571602"></a>TKEY</h2></div></div></div>
<a name="id2571605"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
......@@ -714,7 +714,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571651"></a>SIG(0)</h2></div></div></div>
<a name="id2571654"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
......@@ -775,7 +775,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571719"></a>Generating Keys</h3></div></div></div>
<a name="id2571722"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class=