Commit 04536dd3 authored by Ondřej Surý's avatar Ondřej Surý

Merge branch 'ondrej/1915-update-input-files-for-manpages' into 'main'

Update the generated files after the source manpages update

See merge request isc-projects/bind9!3793
parents f16152ac 9ab86d0d
.. highlight: console
named.conf - configuration file for ``named``
named.conf - configuration file for **named**
---------------------------------------------
Synopsis
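Review bot: the context line `.. highlight: console` at the top of this hunk uses a single colon, which makes it an RST comment rather than the `highlight` directive; if console highlighting is intended it should read `.. highlight:: console`. The retitled line `named.conf - configuration file for **named**` is the same length as the old one, so the 45-character underline still matches.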
......@@ -12,13 +12,13 @@ Description
~~~~~~~~~~~
``named.conf`` is the configuration file for ``named``. Statements are
enclosed in braces (``[ ]``) and terminated with a semi-colon (``;``). Clauses in the
enclosed in braces and terminated with a semi-colon. Clauses in the
statements are also semi-colon terminated. The usual comment styles are
supported:
C style: /\* \*/
C++ style: // to end of line
C++ style: // to end of line
Unix style: # to end of line
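Review bot: the rewritten line `enclosed in braces and terminated with a semi-colon. Clauses in the` drops the literal examples instead of correcting them; the real error in the removed line was showing `[ ]` (square brackets) for braces. Keeping the examples with the right characters, `enclosed in braces (``{ }``) and terminated with a semi-colon (``;``)`, is more useful to someone writing named.conf by hand. The `C++ style: // to end of line` line appears as both removed and added, so that change is presumably whitespace only.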
......
......@@ -43,57 +43,57 @@ can be used, for example, to secure dynamic DNS updates to a zone or for
the \fBrndc\fP command channel.
.sp
When run as \fBtsig\-keygen\fP, a domain name can be specified on the
command line which will be used as the name of the generated key. If no
command line to be used as the name of the generated key. If no
name is specified, the default is \fBtsig\-key\fP\&.
.sp
When run as \fBddns\-confgen\fP, the generated key is accompanied by
configuration text and instructions that can be used with \fBnsupdate\fP
and \fBnamed\fP when setting up dynamic DNS, including an example
\fBupdate\-policy\fP statement. (This usage similar to the \fBrndc\-confgen\fP
command for setting up command channel security.)
\fBupdate\-policy\fP statement. (This usage is similar to the \fBrndc\-confgen\fP
command for setting up command\-channel security.)
.sp
Note that \fBnamed\fP itself can configure a local DDNS key for use with
\fBnsupdate \-l\fP: it does this when a zone is configured with
\fBnsupdate \-l\fP; it does this when a zone is configured with
\fBupdate\-policy local;\fP\&. \fBddns\-confgen\fP is only needed when a more
elaborate configuration is required: for instance, if \fBnsupdate\fP is to
be used from a remote system.
.SH OPTIONS
.INDENT 0.0
.TP
\fB\-a\fP algorithm
Specifies the algorithm to use for the TSIG key. Available choices
are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and
.B \fB\-a algorithm\fP
This option specifies the algorithm to use for the TSIG key. Available choices
are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, and
hmac\-sha512. The default is hmac\-sha256. Options are
case\-insensitive, and the "hmac\-" prefix may be omitted.
.TP
\fB\-h\fP
Prints a short summary of options and arguments.
.B \fB\-h\fP
This option prints a short summary of options and arguments.
.TP
\fB\-k\fP keyname
Specifies the key name of the DDNS authentication key. The default is
.B \fB\-k keyname\fP
This option specifies the key name of the DDNS authentication key. The default is
\fBddns\-key\fP when neither the \fB\-s\fP nor \fB\-z\fP option is specified;
otherwise, the default is \fBddns\-key\fP as a separate label followed
by the argument of the option, e.g., \fBddns\-key.example.com.\fP The
key name must have the format of a valid domain name, consisting of
letters, digits, hyphens and periods.
letters, digits, hyphens, and periods.
.TP
\fB\-q\fP
(\fBddns\-confgen\fP only.) Quiet mode: Print only the key, with no
explanatory text or usage examples; This is essentially identical to
.B \fB\-q\fP (\fBddns\-confgen\fP only)
This option enables quiet mode, which prints only the key, with no
explanatory text or usage examples. This is essentially identical to
\fBtsig\-keygen\fP\&.
.TP
\fB\-s\fP name
(\fBddns\-confgen\fP only.) Generate configuration example to allow
.B \fB\-s name\fP (\fBddns\-confgen\fP only)
This option generates a configuration example to allow
dynamic updates of a single hostname. The example \fBnamed.conf\fP text
shows how to set an update policy for the specified name using the
"name" nametype. The default key name is ddns\-key.name. Note that the
"name" nametype. The default key name is \fBddns\-key.name\fP\&. Note that the
"self" nametype cannot be used, since the name to be updated may
differ from the key name. This option cannot be used with the \fB\-z\fP
option.
.TP
\fB\-z\fP zone
(\fBddns\-confgen\fP only.) Generate configuration example to allow
dynamic updates of a zone: The example \fBnamed.conf\fP text shows how
.B \fB\-z zone\fP (\fBddns\-confgen\fP only)
This option generates a configuration example to allow
dynamic updates of a zone. The example \fBnamed.conf\fP text shows how
to set an update policy for the specified zone using the "zonesub"
nametype, allowing updates to all subdomain names within that zone.
This option cannot be used with the \fB\-s\fP option.
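Review bot: wrapping both the flag and its argument in `.B` plus `\fB...\fP`, as in `.B \fB\-a algorithm\fP`, renders the placeholder `algorithm` in the same bold face as the literal `-a`, so the reader can no longer tell which part is typed verbatim; the removed form `\fB\-a\fP algorithm` kept that distinction. Using `.BI \-a " algorithm"` (bold flag, italic argument) preserves it, and the doubled bold request inside `.B` is redundant in any case. The same applies to the `-k`, `-s` and `-z` entries in this hunk.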
......
......@@ -44,15 +44,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
\fBdelv\fP is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as \fBnamed\fP\&.
.sp
\fBdelv\fP will send to a specified name server all queries needed to
\fBdelv\fP sends to a specified name server all queries needed to
fetch and validate the requested data; this includes the original
requested query, subsequent queries to follow CNAME or DNAME chains, and
requested query, subsequent queries to follow CNAME or DNAME chains,
queries for DNSKEY, and DS records to establish a chain of trust for
DNSSEC validation. It does not perform iterative resolution, but
simulates the behavior of a name server configured for DNSSEC validating
and forwarding.
.sp
By default, responses are validated using built\-in DNSSEC trust anchor
By default, responses are validated using the built\-in DNSSEC trust anchor
for the root zone ("."). Records returned by \fBdelv\fP are either fully
validated or were not signed. If validation fails, an explanation of the
failure is included in the output; the validation process can be traced
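Review bot: with the new line `requested query, subsequent queries to follow CNAME or DNAME chains,`, the unchanged next line `queries for DNSKEY, and DS records to establish a chain of trust for` now reads as a four-item list in which "DS records" is a separate item rather than a query target. Dropping the comma after DNSKEY (`queries for DNSKEY and DS records`) restores the intended meaning.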
......@@ -60,13 +60,13 @@ in detail. Because \fBdelv\fP does not rely on an external server to carry
out validation, it can be used to check the validity of DNS responses in
environments where local name servers may not be trustworthy.
.sp
Unless it is told to query a specific name server, \fBdelv\fP will try
Unless it is told to query a specific name server, \fBdelv\fP tries
each of the servers listed in \fB/etc/resolv.conf\fP\&. If no usable server
addresses are found, \fBdelv\fP will send queries to the localhost
addresses are found, \fBdelv\fP sends queries to the localhost
addresses (127.0.0.1 for IPv4, ::1 for IPv6).
.sp
When no command line arguments or options are given, \fBdelv\fP will
perform an NS query for "." (the root zone).
When no command\-line arguments or options are given, \fBdelv\fP
performs an NS query for "." (the root zone).
.SH SIMPLE USAGE
.sp
A typical invocation of \fBdelv\fP looks like:
......@@ -95,109 +95,109 @@ DNSSEC).
If no \fBserver\fP argument is provided, \fBdelv\fP consults
\fB/etc/resolv.conf\fP; if an address is found there, it queries the
name server at that address. If either of the \fB\-4\fP or \fB\-6\fP
options are in use, then only addresses for the corresponding
transport will be tried. If no usable addresses are found, \fBdelv\fP
will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1
options is in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, \fBdelv\fP
sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
.TP
.B \fBname\fP
is the domain name to be looked up.
.TP
.B \fBtype\fP
indicates what type of query is required MDASH ANY, A, MX, etc.
indicates what type of query is required \- ANY, A, MX, etc.
\fBtype\fP can be any valid query type. If no \fBtype\fP argument is
supplied, \fBdelv\fP will perform a lookup for an A record.
supplied, \fBdelv\fP performs a lookup for an A record.
.UNINDENT
.SH OPTIONS
.INDENT 0.0
.TP
\fB\-a\fP anchor\-file
Specifies a file from which to read DNSSEC trust anchors. The default
.B \fB\-a anchor\-file\fP
This option specifies a file from which to read DNSSEC trust anchors. The default
is \fB/etc/bind.keys\fP, which is included with BIND 9 and contains one
or more trust anchors for the root zone (".").
.sp
Keys that do not match the root zone name are ignored. An alternate
key name can be specified using the \fB+root=NAME\fP options.
.sp
Note: When reading the trust anchor file, \fBdelv\fP treat \fBtrust\-anchors\fP
\fBinitial\-key\fP and \fBstatic\-key\fP identically. That is, for a managed key,
Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP,
\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not
supported. \fBdelv\fP will not consult the managed\-keys database maintained by
\fBnamed\fP\&. This means that if either of the keys in \fB/etc/bind.keys\fP is
revoked and rolled over, it will be necessary to update \fB/etc/bind.keys\fP to
supported. \fBdelv\fP does not consult the managed\-keys database maintained by
\fBnamed\fP, which means that if either of the keys in \fB/etc/bind.keys\fP is
revoked and rolled over, \fB/etc/bind.keys\fP must be updated to
use DNSSEC validation in \fBdelv\fP\&.
.TP
\fB\-b\fP address
Sets the source IP address of the query to \fBaddress\fP\&. This must be
a valid address on one of the host\(aqs network interfaces or "0.0.0.0"
or "::". An optional source port may be specified by appending
"#<port>"
.B \fB\-b address\fP
This option sets the source IP address of the query to \fBaddress\fP\&. This must be
a valid address on one of the host\(aqs network interfaces, or \fB0.0.0.0\fP,
or \fB::\fP\&. An optional source port may be specified by appending
\fB#<port>\fP
.TP
\fB\-c\fP class
Sets the query class for the requested data. Currently, only class
.B \fB\-c class\fP
This option sets the query class for the requested data. Currently, only class
"IN" is supported in \fBdelv\fP and any other value is ignored.
.TP
\fB\-d\fP level
Set the systemwide debug level to \fBlevel\fP\&. The allowed range is
.B \fB\-d level\fP
This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is
from 0 to 99. The default is 0 (no debugging). Debugging traces from
\fBdelv\fP become more verbose as the debug level increases. See the
\fB+mtrace\fP, \fB+rtrace\fP, and \fB+vtrace\fP options below for
additional debugging details.
.TP
\fB\-h\fP
Display the \fBdelv\fP help usage output and exit.
.B \fB\-h\fP
This option displays the \fBdelv\fP help usage output and exits.
.TP
\fB\-i\fP
Insecure mode. This disables internal DNSSEC validation. (Note,
however, this does not set the CD bit on upstream queries. If the
server being queried is performing DNSSEC validation, then it will
.B \fB\-i\fP
This option sets insecure mode, which disables internal DNSSEC validation. (Note,
however, that this does not set the CD bit on upstream queries. If the
server being queried is performing DNSSEC validation, then it does
not return invalid data; this can cause \fBdelv\fP to time out. When it
is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fP\&.)
.TP
\fB\-m\fP
Enables memory usage debugging.
.B \fB\-m\fP
This option enables memory usage debugging.
.TP
\fB\-p\fP port#
Specifies a destination port to use for queries instead of the
standard DNS port number 53. This option would be used with a name
.B \fB\-p port#\fP
This option specifies a destination port to use for queries, instead of the
standard DNS port number 53. This option is used with a name
server that has been configured to listen for queries on a
non\-standard port number.
.TP
\fB\-q\fP name
Sets the query name to \fBname\fP\&. While the query name can be
specified without using the \fB\-q\fP, it is sometimes necessary to
.B \fB\-q name\fP
This option sets the query name to \fBname\fP\&. While the query name can be
specified without using the \fB\-q\fP option, it is sometimes necessary to
disambiguate names from types or classes (for example, when looking
up the name "ns", which could be misinterpreted as the type NS, or
"ch", which could be misinterpreted as class CH).
.TP
\fB\-t\fP type
Sets the query type to \fBtype\fP, which can be any valid query type
.B \fB\-t type\fP
This option sets the query type to \fBtype\fP, which can be any valid query type
supported in BIND 9 except for zone transfer types AXFR and IXFR. As
with \fB\-q\fP, this is useful to distinguish query name type or class
when they are ambiguous. it is sometimes necessary to disambiguate
with \fB\-q\fP, this is useful to distinguish query\-name types or classes
when they are ambiguous. It is sometimes necessary to disambiguate
names from types.
.sp
The default query type is "A", unless the \fB\-x\fP option is supplied
to indicate a reverse lookup, in which case it is "PTR".
.TP
\fB\-v\fP
Print the \fBdelv\fP version and exit.
.B \fB\-v\fP
This option prints the \fBdelv\fP version and exits.
.TP
\fB\-x\fP addr
Performs a reverse lookup, mapping an addresses to a name. \fBaddr\fP
.B \fB\-x addr\fP
This option performs a reverse lookup, mapping an address to a name. \fBaddr\fP
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited
IPv6 address. When \fB\-x\fP is used, there is no need to provide the
\fBname\fP or \fBtype\fP arguments. \fBdelv\fP automatically performs a
\fBname\fP or \fBtype\fP arguments; \fBdelv\fP automatically performs a
lookup for a name like \fB11.12.13.10.in\-addr.arpa\fP and sets the
query type to PTR. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
.TP
\fB\-4\fP
Forces \fBdelv\fP to only use IPv4.
.B \fB\-4\fP
This option forces \fBdelv\fP to only use IPv4.
.TP
\fB\-6\fP
Forces \fBdelv\fP to only use IPv6.
.B \fB\-6\fP
This option forces \fBdelv\fP to only use IPv6.
.UNINDENT
.SH QUERY OPTIONS
.sp
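Review bot: the new `\fB#<port>\fP` line in the `-b` entry still lacks the sentence-ending period that every other entry has (the removed `"#<port>"` line was missing it too), and the unchanged `key name can be specified using the \fB+root=NAME\fP options.` line in the `-a` entry should be singular ("option"). Both are one-word fixes inside this hunk.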
......@@ -212,122 +212,122 @@ assign values to options like the timeout interval. They have the form
.INDENT 0.0
.TP
.B \fB+[no]cdflag\fP
Controls whether to set the CD (checking disabled) bit in queries
This option controls whether to set the CD (checking disabled) bit in queries
sent by \fBdelv\fP\&. This may be useful when troubleshooting DNSSEC
problems from behind a validating resolver. A validating resolver
will block invalid responses, making it difficult to retrieve them
for analysis. Setting the CD flag on queries will cause the resolver
blocks invalid responses, making it difficult to retrieve them
for analysis. Setting the CD flag on queries causes the resolver
to return invalid responses, which \fBdelv\fP can then validate
internally and report the errors in detail.
.TP
.B \fB+[no]class\fP
Controls whether to display the CLASS when printing a record. The
This option controls whether to display the CLASS when printing a record. The
default is to display the CLASS.
.TP
.B \fB+[no]ttl\fP
Controls whether to display the TTL when printing a record. The
This option controls whether to display the TTL when printing a record. The
default is to display the TTL.
.TP
.B \fB+[no]rtrace\fP
Toggle resolver fetch logging. This reports the name and type of each
This option toggles resolver fetch logging. This reports the name and type of each
query sent by \fBdelv\fP in the process of carrying out the resolution
and validation process: this includes including the original query
and validation process, including the original query
and all subsequent queries to follow CNAMEs and to establish a chain
of trust for DNSSEC validation.
.sp
This is equivalent to setting the debug level to 1 in the "resolver"
logging category. Setting the systemwide debug level to 1 using the
\fB\-d\fP option will product the same output (but will affect other
logging categories as well).
\fB\-d\fP option produces the same output, but affects other
logging categories as well.
.TP
.B \fB+[no]mtrace\fP
Toggle message logging. This produces a detailed dump of the
This option toggles message logging. This produces a detailed dump of the
responses received by \fBdelv\fP in the process of carrying out the
resolution and validation process.
.sp
This is equivalent to setting the debug level to 10 for the "packets"
module of the "resolver" logging category. Setting the systemwide
debug level to 10 using the \fB\-d\fP option will produce the same
output (but will affect other logging categories as well).
debug level to 10 using the \fB\-d\fP option produces the same
output, but affects other logging categories as well.
.TP
.B \fB+[no]vtrace\fP
Toggle validation logging. This shows the internal process of the
This option toggles validation logging. This shows the internal process of the
validator as it determines whether an answer is validly signed,
unsigned, or invalid.
.sp
This is equivalent to setting the debug level to 3 for the
"validator" module of the "dnssec" logging category. Setting the
systemwide debug level to 3 using the \fB\-d\fP option will produce the
same output (but will affect other logging categories as well).
systemwide debug level to 3 using the \fB\-d\fP option produces the
same output, but affects other logging categories as well.
.TP
.B \fB+[no]short\fP
Provide a terse answer. The default is to print the answer in a
This option toggles between verbose and terse answers. The default is to print the answer in a
verbose form.
.TP
.B \fB+[no]comments\fP
Toggle the display of comment lines in the output. The default is to
This option toggles the display of comment lines in the output. The default is to
print comments.
.TP
.B \fB+[no]rrcomments\fP
Toggle the display of per\-record comments in the output (for example,
This option toggles the display of per\-record comments in the output (for example,
human\-readable key information about DNSKEY records). The default is
to print per\-record comments.
.TP
.B \fB+[no]crypto\fP
Toggle the display of cryptographic fields in DNSSEC records. The
contents of these field are unnecessary to debug most DNSSEC
This option toggles the display of cryptographic fields in DNSSEC records. The
contents of these fields are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted
they are replaced by the string "[omitted]" or in the DNSKEY case the
key id is displayed as the replacement, e.g. "[ key id = value ]".
common failures. The default is to display the fields. When omitted,
they are replaced by the string \fB[omitted]\fP or, in the DNSKEY case, the
key ID is displayed as the replacement, e.g. \fB[ key id = value ]\fP\&.
.TP
.B \fB+[no]trust\fP
Controls whether to display the trust level when printing a record.
This option controls whether to display the trust level when printing a record.
The default is to display the trust level.
.TP
.B \fB+[no]split[=W]\fP
Split long hex\- or base64\-formatted fields in resource records into
This option splits long hex\- or base64\-formatted fields in resource records into
chunks of \fBW\fP characters (where \fBW\fP is rounded up to the nearest
multiple of 4). \fB+nosplit\fP or \fB+split=0\fP causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
.TP
.B \fB+[no]all\fP
Set or clear the display options \fB+[no]comments\fP,
This option sets or clears the display options \fB+[no]comments\fP,
\fB+[no]rrcomments\fP, and \fB+[no]trust\fP as a group.
.TP
.B \fB+[no]multiline\fP
Print long records (such as RRSIG, DNSKEY, and SOA records) in a
This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
verbose multi\-line format with human\-readable comments. The default
is to print each record on a single line, to facilitate machine
parsing of the \fBdelv\fP output.
.TP
.B \fB+[no]dnssec\fP
Indicates whether to display RRSIG records in the \fBdelv\fP output.
This option indicates whether to display RRSIG records in the \fBdelv\fP output.
The default is to do so. Note that (unlike in \fBdig\fP) this does
\fInot\fP control whether to request DNSSEC records or whether to
\fInot\fP control whether to request DNSSEC records or to
validate them. DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of \fB\-i\fP or
always occurs unless suppressed by the use of \fB\-i\fP or
\fB+noroot\fP\&.
.TP
.B \fB+[no]root[=ROOT]\fP
Indicates whether to perform conventional DNSSEC validation, and if so,
This option indicates whether to perform conventional DNSSEC validation, and if so,
specifies the name of a trust anchor. The default is to validate using a
trust anchor of "." (the root zone), for which there is a built\-in key. If
specifying a different trust anchor, then \fB\-a\fP must be used to specify a
file containing the key.
.TP
.B \fB+[no]tcp\fP
Controls whether to use TCP when sending queries. The default is to
This option controls whether to use TCP when sending queries. The default is to
use UDP unless a truncated response has been received.
.TP
.B \fB+[no]unknownformat\fP
Print all RDATA in unknown RR type presentation format (\fI\%RFC 3597\fP).
This option prints all RDATA in unknown RR\-type presentation format (\fI\%RFC 3597\fP).
The default is to print RDATA for known types in the type\(aqs
presentation format.
.TP
.B \fB+[no]yaml\fP
Print response data in YAML format.
This option prints response data in YAML format.
.UNINDENT
.SH FILES
.sp
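Review bot: the `+[no]rtrace` entry keeps the redundant phrasing `in the process of carrying out the resolution` / `and validation process, including the original query` across the rewrite; since the rest of this hunk is a wording pass, `during resolution and validation, including the original query` would read more cleanly and match the tightened `+[no]mtrace` text below it.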
......
......@@ -32,15 +32,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
..
.SH SYNOPSIS
.sp
\fBdnssec\-cds\fP [\fB\-a\fP alg...] [\fB\-c\fP class] [\fB\-D\fP] {\fB\-d\fP dsset\-file} {\fB\-f\fP child\-file} [\fB\-i\fP [extension]] [\fB\-s\fP start\-time] [\fB\-T\fP ttl] [\fB\-u\fP] [\fB\-v\fP level] [\fB\-V\fP] {domain}
\fBdnssec\-cds\fP [\fB\-a\fP alg...] [\fB\-c\fP class] [\fB\-D\fP] {\fB\-d\fP dsset\-file} {\fB\-f\fP child\-file} [\fB\-i**[extension]] [\fP\-s** start\-time] [\fB\-T\fP ttl] [\fB\-u\fP] [\fB\-v\fP level] [\fB\-V\fP] {domain}
.SH DESCRIPTION
.sp
The \fBdnssec\-cds\fP command changes DS records at a delegation point
based on CDS or CDNSKEY records published in the child zone. If both CDS
and CDNSKEY records are present in the child zone, the CDS is preferred.
This enables a child zone to inform its parent of upcoming changes to
its key\-signing keys; by polling periodically with \fBdnssec\-cds\fP, the
parent can keep the DS records up to date and enable automatic rolling
its key\-signing keys (KSKs); by polling periodically with \fBdnssec\-cds\fP, the
parent can keep the DS records up\-to\-date and enable automatic rolling
of KSKs.
.sp
Two input files are required. The \fB\-f child\-file\fP option specifies a
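Review bot: the regenerated synopsis line contains literal `**` markup and a mismatched font switch: `[\fB\-i**[extension]] [\fP\-s** start\-time]`. The asterisks and the `\fP` landing before `-s` indicate that the rst2man conversion did not recognise the bold markers around `-i` where they abut `[extension]`, so the rendered page would show stray asterisks and put `-i`/`-s` in the wrong face. The removed line had the correct form, `[\fB\-i\fP [extension]] [\fB\-s\fP start\-time]`; the synopsis in the source .rst needs the emphasis separated from `[extension]` (for example with an escaped space) so the generated output returns to that.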
......@@ -53,12 +53,12 @@ output of a previous run of \fBdnssec\-cds\fP\&.
.sp
The \fBdnssec\-cds\fP command uses special DNSSEC validation logic
specified by \fI\%RFC 7344\fP\&. It requires that the CDS and/or CDNSKEY records
are validly signed by a key represented in the existing DS records. This
will typically be the pre\-existing key\-signing key (KSK).
be validly signed by a key represented in the existing DS records. This
is typically the pre\-existing KSK.
.sp
For protection against replay attacks, the signatures on the child
records must not be older than they were on a previous run of
\fBdnssec\-cds\fP\&. This time is obtained from the modification time of the
\fBdnssec\-cds\fP\&. Their age is obtained from the modification time of the
\fBdsset\-\fP file, or from the \fB\-s\fP option.
.sp
To protect against breaking the delegation, \fBdnssec\-cds\fP ensures that
......@@ -68,117 +68,121 @@ type.
.sp
By default, replacement DS records are written to the standard output;
with the \fB\-i\fP option the input file is overwritten in place. The
replacement DS records will be the same as the existing records when no
change is required. The output can be empty if the CDS / CDNSKEY records
specify that the child zone wants to go insecure.
replacement DS records are the same as the existing records, when no
change is required. The output can be empty if the CDS/CDNSKEY records
specify that the child zone wants to be insecure.
.sp
Warning: Be careful not to delete the DS records when \fBdnssec\-cds\fP
fails!
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
Be careful not to delete the DS records when \fBdnssec\-cds\fP fails!
.UNINDENT
.UNINDENT
.sp
Alternatively, \fBdnssec\-cds \-u\fP writes an \fBnsupdate\fP script to the
standard output. You can use the \fB\-u\fP and \fB\-i\fP options together to
standard output. The \fB\-u\fP and \fB\-i\fP options can be used together to
maintain a \fBdsset\-\fP file as well as emit an \fBnsupdate\fP script.
.SH OPTIONS
.INDENT 0.0
.TP
\fB\-a\fP algorithm
Specify a digest algorithm to use when converting CDNSKEY records to
.B \fB\-a algorithm\fP
This option specifies a digest algorithm to use when converting CDNSKEY records to
DS records. This option can be repeated, so that multiple DS records
are created for each CDNSKEY record. This option has no effect when
using CDS records.
.sp
The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values
are case insensitive, and the hyphen may be omitted. If no algorithm
are case\-insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA\-256.
.TP
\fB\-c\fP class
Specifies the DNS class of the zones.
.B \fB\-c class\fP
This option specifies the DNS class of the zones.
.TP
\fB\-D\fP
Generate DS records from CDNSKEY records if both CDS and CDNSKEY
.B \fB\-D\fP
This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
records are present in the child zone. By default CDS records are
preferred.
.TP
\fB\-d\fP path
Location of the parent DS records. The path can be the name of a file
containing the DS records, or if it is a directory, \fBdnssec\-cds\fP
.B \fB\-d path\fP
This specifies the location of the parent DS records. The path can be the name of a file
containing the DS records; if it is a directory, \fBdnssec\-cds\fP
looks for a \fBdsset\-\fP file for the domain inside the directory.
.sp
To protect against replay attacks, child records are rejected if they
were signed earlier than the modification time of the \fBdsset\-\fP
file. This can be adjusted with the \fB\-s\fP option.
.TP
\fB\-f\fP child\-file
File containing the child\(aqs CDS and/or CDNSKEY records, plus its
DNSKEY records and the covering RRSIG records so that they can be
.B \fB\-f child\-file\fP
This option specifies the file containing the child\(aqs CDS and/or CDNSKEY records, plus its
DNSKEY records and the covering RRSIG records, so that they can be
authenticated.
.sp
The EXAMPLES below describe how to generate this file.
The examples below describe how to generate this file.
.TP
\fB\-iextension\fP
Update the \fBdsset\-\fP file in place, instead of writing DS records to
.B \fB\-iextension\fP
This option updates the \fBdsset\-\fP file in place, instead of writing DS records to
the standard output.
.sp
There must be no space between the \fB\-i\fP and the extension. If you
provide no extension then the old \fBdsset\-\fP is discarded. If an
There must be no space between the \fB\-i\fP and the extension. If
no extension is provided, the old \fBdsset\-\fP is discarded. If an
extension is present, a backup of the old \fBdsset\-\fP file is kept
with the extension appended to its filename.
.sp
To protect against replay attacks, the modification time of the
\fBdsset\-\fP file is set to match the signature inception time of the
child records, provided that is later than the file\(aqs current
child records, provided that it is later than the file\(aqs current
modification time.
.TP
\fB\-s\fP start\-time
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative time. An
.B \fB\-s start\-time\fP
This option specifies the date and time after which RRSIG records become
acceptable. This can be either an absolute or a relative time. An
absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
time relative to the \fBdsset\-\fP file is indicated with \-N, which is N
time relative to the \fBdsset\-\fP file is indicated with \fB\-N\fP, which is N
seconds before the file modification time. A time relative to the
current time is indicated with now+N.
current time is indicated with \fBnow+N\fP\&.
.sp
If no start\-time is specified, the modification time of the
\fBdsset\-\fP file is used.
.TP
\fB\-T\fP ttl
Specifies a TTL to be used for new DS records. If not specified, the
default is the TTL of the old DS records. If they had no explicit TTL
then the new DS records also have no explicit TTL.
.B \fB\-T ttl\fP
This option specifies a TTL to be used for new DS records. If not specified, the
default is the TTL of the old DS records. If they had no explicit TTL,
the new DS records also have no explicit TTL.
.TP
\fB\-u\fP
Write an \fBnsupdate\fP script to the standard output, instead of
printing the new DS reords. The output will be empty if no change is
.B \fB\-u\fP
This option writes an \fBnsupdate\fP script to the standard output, instead of
printing the new DS reords. The output is empty if no change is
needed.
.sp
Note: The TTL of new records needs to be specified, either in the
original \fBdsset\-\fP file, or with the \fB\-T\fP option, or using the
Note: The TTL of new records needs to be specified: it can be done in the
original \fBdsset\-\fP file, with the \fB\-T\fP option, or using the
\fBnsupdate\fP \fBttl\fP command.
.TP
\fB\-V\fP
Print version information.
.B \fB\-V\fP
This option prints version information.
.TP
\fB\-v\fP level
Sets the debugging level. Level 1 is intended to be usefully verbose
.B \fB\-v level\fP
This option sets the debugging level. Level 1 is intended to be usefully verbose
for general users; higher levels are intended for developers.
.TP
.B domain
The name of the delegation point / child zone apex.
.B \fBdomain\fP
This indicates the name of the delegation point/child zone apex.
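Review bot: the typo `reords` on the line `printing the new DS reords. The output is empty if no change is` survives the rewrite of the `-u` entry and should be `records`. Also, the `-d` entry opens with `This specifies the location of the parent DS records.` while every other option in this hunk opens with "This option specifies", so it is worth aligning while the file is being regenerated.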