summaryrefslogtreecommitdiffstats
path: root/contrib/bind/doc
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/bind/doc')
-rw-r--r--contrib/bind/doc/man/dig.111
-rw-r--r--contrib/bind/doc/man/dnssigner.1213
-rw-r--r--contrib/bind/doc/man/host.1115
-rw-r--r--contrib/bind/doc/man/nslookup.87
-rw-r--r--contrib/bind/doc/misc/IPv672
-rw-r--r--contrib/bind/doc/secure/copyright.txt28
-rw-r--r--contrib/bind/doc/secure/install.txt155
-rw-r--r--contrib/bind/doc/secure/readme.txt93
-rw-r--r--contrib/bind/doc/secure/usage.txt215
9 files changed, 66 insertions, 843 deletions
diff --git a/contrib/bind/doc/man/dig.1 b/contrib/bind/doc/man/dig.1
index 47284c2..3e59b05 100644
--- a/contrib/bind/doc/man/dig.1
+++ b/contrib/bind/doc/man/dig.1
@@ -1,3 +1,4 @@
+.\" $FreeBSD$
.\" $Id: dig.1,v 8.4 1999/10/15 21:29:58 vixie Exp $
.\"
.\" ++Copyright++ 1993
@@ -99,7 +100,7 @@ may be either a domain name or a dot-notation
Internet address. If this optional field is omitted,
.Ic dig
will attempt to use the default name server for your machine.
-.sp 1
+.Pp
.Em Note:
If a domain name is specified, this will be resolved
using the domain name system resolver (i.e., BIND). If your
@@ -128,11 +129,10 @@ environment variable
to name a file which is to
be used instead of
.Pa /etc/resolv.conf
-.Po Ns Ev LOCALRES
+.Ns Ev (LOCALRES
is specific to the
.Ic dig
-resolver and is not referenced by the standard resolver
-.Pc .
+resolver and is not referenced by the standard resolver).
If the
.Ev LOCALRES
variable is not set or the specified file
@@ -625,7 +625,8 @@ structure.
.Sh ENVIRONMENT
.Bl -tag -width "LOCALRES " -compact
.It Ev LOCALRES
-file to use in place of Pa /etc/resolv.conf
+file to use in place of
+.Pa /etc/resolv.conf
.It Ev LOCALDEF
default environment file
.El
diff --git a/contrib/bind/doc/man/dnssigner.1 b/contrib/bind/doc/man/dnssigner.1
deleted file mode 100644
index 1fb4ce4..0000000
--- a/contrib/bind/doc/man/dnssigner.1
+++ /dev/null
@@ -1,213 +0,0 @@
-.\" Copyright (c) 1996 by Internet Software Consortium
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
-.\" ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
-.\" CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-.\" SOFTWARE.
-.\"
-.\" $Id: dnssigner.1,v 8.2 1997/03/14 02:29:42 vixie Exp $
-.\"
-.Dd October 25, 1996
-.Dt DNSSIGNER @CMD_EXT_U@
-.Os BSD 4
-.Sh NAME
-.Nm dnssigner
-.Nd add signatures to DNS zone files
-.Sh SYNOPSIS
-.Nm dnssigner
-.Op Cm signer-name Ar default_signer
-.Op Cm boot-file Ar file
-.Op Cm debug-file Ar file
-.Op Cm out-dir Ar directory
-.Op Cm seq-no Ar number
-.Oo
-.Cm expiration-time
-.Oo Po Cm +
-.Ns \&|
-.Ns Cm =
-.Pc Oc
-.Ns Ar time
-.Oc
-.Op Cm hide
-.Op Cm noaxfr
-.Op Cm nosign
-.Op Cm verify
-.Op Cm update-zonekey
-.Op Fl d Ns Ar level
-.Sh DESCRIPTION
-.Ic Dnssigner
-(Sign DNS zone database) is a tool to generate signatures
-for DNS (Domain Name System) resource records. It also generates
-NXT records for each zone.
-.Pp
-.Bl -tag -width Fl
-.It Cm signer-name Ar default_signer
-Specifies a name of the key to use if no signer is defined using the
-.Em Li $SIGNER
-directive in the boot files.
-.It Cm boot-file Ar file
-Specifies the control file for
-.Ic dnssigner ,
-which is in the same format as the BIND-4
-.Pa named.boot
-file.
-.It Cm debug-file Ar file
-Redirect debug output to the specified
-.Ar file ;
-default is
-.Pa signer_out
-in the current directory.
-.It Cm out-dir Ar directory
-Write signed files to thie specified
-.Ar directory ;
-default is to use
-.Pa /tmp .
-.Pp
-.Sy NOTE :
-Specify the full path to this directory; relative paths may not work.
-.It Xo Cm expiration-time
-.Oo Po Cm +
-.Ns \&|
-.Ns Cm =
-.Pc Oc
-.Ns Ar time
-.Xc
-Time when the signature records are to
-expire. Using either
-.Dq Cm =
-or
-.Em no
-sign before the
-.Ar time
-argument
-.Po i.e.,
-.Do Op Cm =
-.Ns Ar time
-.Dc
-.Pc ,
-the
-.Ar time
-is interpreted as an absolute time in seconds when the records will expire.
-.Po Sy NOTE :
- All such times are interpreted as Universal Times.
-.Pc
-With
-.Dq Cm +
-specified
-.Pq i.e., Dq Cm + Ns Ar time ,
-the
-.Ar time
-time is interpreted as an offset into the future.
-.Pp
-If not specified on the command line, the default
-.Cm expiration-time
-is 3600*24*30 sec (30 days).
-.It Cm seq-no Ar number
-Force the serial number in the SOA records to the specified value.
-If this parameter is not set, the serial number will be set to a value
-based on the current time.
-.It Cm hide
-This flag will cause NXT records in zones with wildcard
-records to point to
-.Li *.<zone>
-as the next host. The purpose of this
-flag is to hide all information about valid names in a zone.
-.It Cm noaxfr
-Turn of generation of zone transfer signature records,
-which validate the transfer of an entire zone.
-.It Cm nosign
-When this flag is specified, the boot files are read, NXT
-records are generated and zone file is written to the output
-directory. No SIG records are generated. This flag is useful for
-quickly checking the format of the data in the boot files, and to
-have boot files sorted into DNSSEC order.
-.It Cm verify
-When this flag is present,
-.Ic dnssigner
-will verify all
-signed records and print out a confirmation message for each SIG
-verified. The main use of this flag is to see how long it takes to
-generate each signature.
-.It Cm update-zonekey
-If this flag is specified, then the zonekeys used
-to sign files will be updated with new records. Specify this flag if
-one or more of the keys have been updated. If there are no zonekeys
-specified in the boot files, this flag will insert them. Omitting
-zonekeys will cause primary nameservers to reject the zone.
-.It Fl d Ns Ar level
-Debug level to use for running
-.Ic dnssigner ;
-these levels are the same as those used by
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@
-.El
-.Ss DETAILS
-.Ic Dnssigner
-reads BIND-4
-.Pa named.boot
-and zone files, adds SIG and NXT
-records and writes out the records (to one file per zone, regardless of
-how many include files the original zone was in). The files generated by
-.Ic dnssigner
-are ordinary textual zone files and are then normally
-loaded by
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@
-to serve the zone.
-.Ic Dnssigner
-\fBrequires that the PRIVATE key(s) reside in the input directory\fP.
-.Pp
-Making manual changes to the output files is hazardous, because most
-changes will invalidate one or more signatures contained therein. This
-will cause the zone to fail to load into
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ ,
-or will cause subsequent
-failures in retrieving records from the zone. It is far better to make
-changes in
-.Ic dnssigner's
-input files, and rerun
-.Ic dnssigner .
-.Pp
-When
-.Ic dnssigner
-detects a delegation point, it creates a special file
-.Pa <zone_name>.PARENT
-which contains the RR's the parent zone signs for the
-child zone (NS, KEY, NXT). The intent is that the child will include this
-file when loading primary nameservers. Similarly, each zone file ends
-with the
-.Dq Li #include <zone_name>.PARENT
-command. The records
-in the
-.Pa .PARENT
-files are omitted from the SIG(AXFR) calculations as these
-records usualy are on a different signing cycle.
-.Pp
-The
-.Em Li Dq $SIGNER Op Ar keyname
-directive can be used to change signers in a
-zone. If
-.Ar keyname
-is omitted, signing is turned off. Keys are loaded the
-first time the keys are accessed. Only records that are signed by the
-zone signer (the key that signs the SOA) are included in the SIG(AXFR)
-calculation. It is not generally recommended that multiple keys sign
-records in the same zone, unless this is useful for dynamic updates.
-.Sh ENVIRONMENT
-No environmental variables are used.
-.Sh SEE ALSO
-.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ ,
-RSAREF documentation,
-Internet-Draft
-.Em draft-ietf-dnssec-secext-10.txt
-on Secure DNS, or its successor.
-.Sh AUTHOR
-Olafur Gudmundsson (ogud@tis.com)
-.Sh ACKNOWLEDGMENTS
-The underlying crypto math is done by the RSAREF or BSAFE libraries.
diff --git a/contrib/bind/doc/man/host.1 b/contrib/bind/doc/man/host.1
index 12219e7..89611e4 100644
--- a/contrib/bind/doc/man/host.1
+++ b/contrib/bind/doc/man/host.1
@@ -50,7 +50,9 @@
.\" SOFTWARE.
.\" -
.\" --Copyright--
-.\" $Id: host.1,v 8.4 2000/02/29 03:50:47 vixie Exp $
+.\" $Id: host.1,v 8.2 1997/03/14 02:29:44 vixie Exp $
+.\" $FreeBSD$
+.\"
.Dd December 15, 1994
.Dt HOST @CMD_EXT_U@
.Os BSD 4
@@ -59,13 +61,9 @@
.Nd look up host names using domain server
.Sh SYNOPSIS
.Nm host
-.Op Fl l
-.Op Fl v
-.Op Fl w
-.Op Fl r
-.Op Fl d
+.Op Fl adlrwv
+.Op Fl c Ar class
.Op Fl t Ar querytype
-.Op Fl a
.Ar host
.Op Ar server
.Sh DESCRIPTION
@@ -84,7 +82,7 @@ by the domain server.
The arguments can be either host names or host numbers. The program
first attempts to interpret them as host numbers. If this fails,
it will treat them as host names. A host number consists of
-first decimal numbers separated by dots, e.g. 128.6.4.194
+four decimal numbers separated by dots, e.g. 128.6.4.194
A host name consists of names separated by dots, e.g. topaz.rutgers.edu.
Unless the name ends in a dot, the local domain
is automatically tacked on the end. Thus, a Rutgers user can say
@@ -158,32 +156,44 @@ There are a number of options that can be used before the
host name. Most of these options are meaningful only to the
staff who have to maintain the domain database.
.Bl -tag -width Fl
-.It Fl w
-This causes
-.Ic host
-to wait forever for a response. Normally
-it will time out after approximate one minute.
-.It Fl v
-Use "verbose" format for printout. This
-is the official domain master file format, which is documented
-in the man page for
-.Xr @INDOT@named @SYS_OPS_EXT@ .
-Without this option, output still follows
-this format in general terms, but some attempt is made to make it
-more intelligible to normal users. Without
-.Dq Fl v ,
-any "a", "mx", and "cname" records
-are written out as "has address", "mail is handled by", and
-"is a nickname for" (respectively), and TTL and class fields are not shown.
+.It Fl a
+.Dq all ;
+this is equivalent to
+.Dq Fl v Fl t Cm any .
+.It Fl c Ar class
+The
+.Ar class
+to look for non-Internet data.
+.It Fl d
+Turn on debugging. Network transactions are shown in detail.
+.It Fl l
+List a complete domain; e.g.:
+.Pp
+.D1 Ic host -l rutgers.edu
+.Pp
+will give a listing of all hosts in the rutgers.edu domain. The
+.Dq Fl t
+option is used to filter what information is presented, as you
+would expect. The default is address information, which also
+include PTR and NS records. The command
+.Pp
+.D1 Ic host -l -v -t any rutgers.edu
+.Pp
+will give a complete download of the zone data for rutgers.edu,
+in the official master file format. (However the SOA record is
+listed twice, for arcane reasons.)
+.Pp
+.Sy NOTE:
+.Dq Fl l
+is implemented by
+doing a complete zone transfer and then filtering out the information
+that you have asked for. This command should be used only if it
+is absolutely necessary.
.It Fl r
Turn off recursion in the request.
This means that the name server will return only data it has in
its own database. It will not ask other servers for more
information.
-.It Fl d
-Turn on debugging. Network transactions are shown in detail.
-.It Fl s
-Chase signatures back to parent key (DNSSEC).
.It Fl t Ar querytype
Allows you to specify a particular
.Ar querytype
@@ -229,35 +239,24 @@ option is particularly useful for filtering information returned by
.Ic host ;
see the explanation of the
.Dq Fl l
-option, below, for more information.
-.It Fl a
-.Dq all ;
-this is equivalent to
-.Dq Fl v Fl t Cm any .
-.It Fl l
-List a complete domain; e.g.:
-.Pp
-.D1 Ic host -l rutgers.edu
-.Pp
-will give a listing of all hosts in the rutgers.edu domain. The
-.Dq Fl t
-option is used to filter what information is presented, as you
-would expect. The default is address information, which also
-include PTR and NS records. The command
-.Pp
-.D1 Ic host -l -v -t any rutgers.edu
-.Pp
-will give a complete download of the zone data for rutgers.edu,
-in the official master file format. (However the SOA record is
-listed twice, for arcane reasons.)
-.Pp
-.Sy NOTE:
-.Dq Fl l
-is implemented by
-doing a complete zone transfer and then filtering out the information
-the you have asked for. This command should be used only if it
-is absolutely necessary.
-.El
+option for more information.
+.It Fl v
+Use "verbose" format for printout. This
+is the official domain master file format, which is documented
+in the man page for
+.Xr @INDOT@named @SYS_OPS_EXT@ .
+Without this option, output still follows
+this format in general terms, but some attempt is made to make it
+more intelligible to normal users. Without
+.Dq Fl v ,
+any "a", "mx", and "cname" records
+are written out as "has address", "mail is handled by", and
+"is a nickname for" (respectively), and TTL and class fields are not shown.
+.It Fl w
+This causes
+.Ic host
+to wait forever for a response. Normally
+it will time out after approximate one minute.
.Sh CUSTOMIZING HOST NAME LOOKUP
In general, if the name supplied by the user does not
have any dots in it, a default domain is appended to the end.
diff --git a/contrib/bind/doc/man/nslookup.8 b/contrib/bind/doc/man/nslookup.8
index d74d84f..439d480 100644
--- a/contrib/bind/doc/man/nslookup.8
+++ b/contrib/bind/doc/man/nslookup.8
@@ -111,8 +111,9 @@ or type
The command line length must be less than 256 characters.
To treat a built-in command as a host name,
precede it with an escape character
-.Pq .&\\ .
-.Sy N.B.: An unrecognized command will be interpreted as a host name.
+.Pq \e
+.Sy N.B.:
+An unrecognized command will be interpreted as a host name.
.Bl -tag -width "lserver"
.It Ar host Op Ar server
Look up information for
@@ -516,14 +517,12 @@ initial domain name and name server addresses
user's initial options
.It Pa /usr/share/misc/nslookup.help
summary of commands
-.El
.Sh ENVIRONMENT
.Bl -tag -width "HOSTALIASESXXXX" -compact
.It Ev HOSTALIASES
file containing host aliases
.It Ev LOCALDOMAIN
overrides default domain
-.El
.Sh SEE ALSO
.Xr @INDOT@named @SYS_OPS_EXT@ ,
.Xr resolver @LIB_NETWORK_EXT@ ,
diff --git a/contrib/bind/doc/misc/IPv6 b/contrib/bind/doc/misc/IPv6
deleted file mode 100644
index 49fc3f5..0000000
--- a/contrib/bind/doc/misc/IPv6
+++ /dev/null
@@ -1,72 +0,0 @@
-IPv6 notes for BIND 4.9.3 Patch 2 Candidate 5 (and later?)
-Paul Vixie, May 20, 1996
-doc/misc/IPv6
-
- *** Introduction ***
-
-The IPv6 support in this release is latent, in that its presence is not
-documented. The support is not optional, since its presence ought not to
-affect anyone who does not go looking for it. The support includes:
-
- inet_ntop() new function.
- inet_pton() new function.
- RES_USE_INET6 causes gethostby*() to return either real IPv6
- addresses (if available) or mapped (::FFFF:a.b.c.d)
- addresses if only IPv4 address records are found.
- gethostbyname() can search for T_AAAA in preference to T_A.
- gethostbyaddr() can search in IP6.INT for PTR RR's.
- named can load, transfer, cache, and dump T_AAAA RRs.
-
- *** Some notes on the new functions ***
-
-The inet_pton() and inet_ntop() functions differ from the current (as of
-this writing) IPv6 BSD API draft. Discussions were held, primarily between
-myself and Rich Stevens, on the ipng@sunroof.eng.sun.com mailing list, and
-the BIND definitions of these functions are likely to go into the next draft.
-(If not, and BIND has to change its definitions of these functions, then you
-will know why I chose not to document them yet!)
-
-These functions can return error values, and as such the process of porting
-code that used inet_aton() to use inet_pton() is not just syntactic. Not all
-nonzero values indicate success; consider "-1". Likewise, inet_ntoa() is not
-just smaller than inet_ntop() -- it's a whole new approach. Inet_ntop() does
-not return a static pointer, the caller has to supply a sized buffer. Also,
-inet_ntop() can return NULL, so you should only printf() the result if you
-have verified that your arguments will be seen as error free.
-
-The inet_pton() function is much pickier about its input format than the old
-inet_aton() function has been. You can't abbreviate 10.0.0.53 as 10.53 any
-more. Hexadecimal isn't accepted. You have to supply four decimal numeric
-strings, each of whose value is within the range from 0 to 255. No spaces
-are allowed either before, after, or within an address. If you need the older
-functionality with all the shortcuts and exceptions, continue using inet_aton()
-for your IPv4 address parsing needs.
-
- *** Some notes on RES_USE_INET6 ***
-
-You can set this by modifying _res.options after calling res_init(), or you
-can turn it on globally by setting "options inet6" in /etc/resolv.conf. This
-latter option ought to be used carefully, since _all_ applications will then
-receive IPv6 style h_addr_list's from their gethostby*() calls. Once you know
-that every application on your system can cope with IPv6 addressing, it is safe
-and reasonable to turn on the global option. Otherwise, don't do it.
-
- *** Some notes on mapped IPv4 addresses ***
-
-There are two IPv6 prefixes set aside for IPv4 address encapsulation. See
-RFC 1884 for a detailed explaination. The ::a.b.c.d form is used for
-tunnelling, which means wrapping an IPv4 header around IPv6 packets and using
-the existing IPv4 routing infrastructure to reach what are actually IPv6
-endpoints. The ::FFFF:a.b.c.d form can be used on dual-stack (IPv4 and IPv6)
-hosts to signal a predominantly IPv6 stack that it should use ``native'' IPv4
-to reach a given destination, even though the socket's address family is
-AF_INET6.
-
-BIND supports both of these address forms, to the extent that inet_pton() will
-parse them, inet_ntop() will generate them, gethostby*() will map IPv4 into
-IPv6 if the RES_USE_INET6 option is set, and gethostbyaddr() will search the
-IN-ADDR.ARPA domain rather than the IP6.INT domain when it needs a PTR RR.
-This last bit of behaviour is still under discussion and it's not clear that
-tunnelled addresses should be mapped using IN-ADDR.ARPA. In other words, this
-bit of behaviour may change in a subsequent BIND release. So now you know
-another reason why none of this stuff is ``officially'' documented.
diff --git a/contrib/bind/doc/secure/copyright.txt b/contrib/bind/doc/secure/copyright.txt
deleted file mode 100644
index cc38356..0000000
--- a/contrib/bind/doc/secure/copyright.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Portions Copyright (c) 1995,1996 by Trusted Information Systems, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TRUSTED INFORMATION
- * SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- *
- * Trusted Information Systems, Inc. has received approval from the
- * United States Government for export and reexport of TIS/DNSSEC
- * software from the United States of America under the provisions of
- * the Export Administration Regulations (EAR) General Software Note
- * (GSN) license exception for mass market software. Under the
- * provisions of this license, this software may be exported or
- * reexported to all destinations except for the embargoed countries of
- * Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
- * or reexport of TIS/DNSSEC software to the embargoed countries
- * requires additional, specific licensing approval from the United
- * States Government.
- */
diff --git a/contrib/bind/doc/secure/install.txt b/contrib/bind/doc/secure/install.txt
deleted file mode 100644
index bb5bc94..0000000
--- a/contrib/bind/doc/secure/install.txt
+++ /dev/null
@@ -1,155 +0,0 @@
-
-INSTALL_SEC
-
- Bind with Secure DNS (TIS/DNSSEC)
- Version 1.3.0 Beta
- September 1996
-
-This version has been compiled and tested on SUNOS 4.1.3,
-FreeBSD-2.1.5-REL and Linux 2.0.11.
-There may be still be portability problems.
-If you have access to other hardware platforms please let us know if
-there are any problems porting and send us patches, to include in
-future releases.
-
-This version of secure Bind uses RSAREF-2.0 library from RSA,
-First you should get/read the RSAREF FAQ
- http://www.consensus.com/rsaref-faq.html
-Then you can copy RSAREF from
- ftp://ftp.rsa.com/rsaref/README
-
-You need to read this README file carefully for further instructions.
-
-Installation: (this version is based on 4.9.4-REL-P1).
-
-1. The tar ball will create a directory sec_bind in the current directory
- untar the archive
- The content of the sec_bind directory has the same directory
- structure as bind distribution with the addition of the directories
- dnssec_lib/ and signer/, some named directories have been
- deleted from the distribution.
-
- dnssec_lib/ contains the library files for signature generation
- signer/ contains tools for signing bind boot files and
- generating keys.
-
- In addition, there is a new file, "res/res_sign.c", which
- contains library routines that are required in the resolver
- for displaying new RR types.
-
- You need to tailor sec_bind/Makefile to your system as you do
- with bind distributions.
-
- The sec_bind distribution expects to find RSAREF in the
- rsaref/ subdirectory. If you install RSAREF in a different
- place you can place a pointer to the RSAREF installation
- directory in place of sec_bind/rsaref.
-
- sec_bind/Makefile expects to find the RSAREF library file
- at sec_bind/rsaref/lib/rsaref.a. The RSAREF distribution
- does not contain that directory. If you are installing RSAREF
- for the first time create that directory copy the correct
- Makefile from the appropriate rsaref/install/ subdirectory.
- Sec_bind will compile RSAREF for you.
-
- We recommend that you use an ANSI C compliant compiler to
- compile this distribution.
-
-2. Follow Bind installation guidelines on your system
-
- Set your normal configuration in conf/options.h with the
- following exceptions/additions:
- ROUND_ROBIN must be OFF (for right now)
- DNS_SECURITY must be ON
- RSAREF must be ON if you have a copy of RSAREF.
- This version of sec_bind does not work well without RSAREF.
-
-3. make
- If you are going to use make install everything will work right
- out of the box. If you are going to run programs out of the
- sec_bind directory you need to set the DESTEXEC variables
- accordingly.
-
-4. Once everything compiles you can run the simple test that is include in
- the distribution.
-
- First you need to edit the file signer/simple_test/test.boot to
- set directory directive to the full path of the directory this
- file is in.
-
- Now the signer program can be run to sign the simple_test data.
- The signed zone will be written to /tmp
- % cd sec_bind/signer
- % make test
- The passwords for the keys in the distribution are:
- Key: Password:
- foo.bar foo.bar
- mobile.foo.bar mobile
- fix.foo.bar fix.foo.bar
- sub.foo.bar sub.foo.bar
- some.bar some.bar
-
- Notice the differences between simple_test/test.boot and
- /tmp/test.boot. The pubkey directive are required for correct
- behavior of new named.
-
- To check the if named can read the new zone files and verify
- the signatures run following commands
- % cd ../named
- % make test
-
- Exit/error code 66 indicates that program completed normally
- in "load-only" mode (new -l flag).
-
- If you want to load up named run same command as make test does
- without -l flag. (the -d 3 flag is to make sure the process
- does not do a fork).
- % ./named -p 12345 -b /tmp/test.boot -d 3
-
- % cd ../tools
- % ./dig @localhost snore.foo.bar. -p 12345
- This should return an A record + SIG(A) record
- % ./dig @localhost no_such_name.foo.bar. -p 12345
- This should return a NXT record +SIG(NXT) for *.foo.bar.
-
- You can also test against our nameserver for zone sd-bogus.tis.com
- the host is uranus.hq.tis.com(192.94.214.95)
- % ./dig @uranus.hq.tis.com sd-bogus.tis.com. soa
- will return the SOA and SIG(SOA) + KEY
- % ./dig @uranus.hq.tis.com sd-bogus.tis.com. mb
- will return NXT for sd-bogus.tis.com
- % ./dig @uranus.hq.tis.com foo.sd-bogus.tis.com. ns
- will NS +KEY for foo.sd-bog.tis.com.
-
-5. Converting your setup to secure DNS zones.
- need to create a key for your zone.
- If you have a copy of the last release of sec_bind the key file
- format has changed and you need to regenerate all your keys, Sorry.
- The new format for private key files is portable between
- different architectures and operating systems, the encryption
- of the key file is compatible with the des program.
-
- To generate key use sec_bind/signer/key_gen. To generate zone key
- for name you.bar, with 512 bit modulus and exponent of 3,
- execute following command
-
- % cd signer
- % ./key_gen -z -g 512 you.bar
-
- key_gen will ask for an encryption password for the private
- key file, if you do not want to encrypt the key hit <Return>.
- The program will output resource record suitable for zone file.
- key_gen creates two files you.bar.priv and foo.bar.public.
-
- If you want, at any time, to display the public key for foo.bar
- run key_gen without the -g flag or cat file foo.bar.public.
- key_gen without any flags will print out the usage information.
- key_gen has extensive error checking on flags.
-
- To modify the flags field for an existing key run key_gen with
- the new flags but without the -g flag.
-
- Note: The key above is suitable for signing records but not for
- encrypting data.
-
-6. Send problems, fixes and suggestions to dns-security@tis.com.
diff --git a/contrib/bind/doc/secure/readme.txt b/contrib/bind/doc/secure/readme.txt
deleted file mode 100644
index d7b422a..0000000
--- a/contrib/bind/doc/secure/readme.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-
- Secure DNS (TIS/DNSSEC)
- September 1996
-
-Copyright (C) 1995,1996 Trusted Information Systems, Incorporated
-
-Trusted Information Systems, Inc. has received approval from the
-United States Government for export and reexport of TIS/DNSSEC
-software from the United States of America under the provisions of
-the Export Administration Regulations (EAR) General Software Note
-(GSN) license exception for mass market software. Under the
-provisions of this license, this software may be exported or
-reexported to all destinations except for the embargoed countries of
-Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Any export
-or reexport of TIS/DNSSEC software to the embargoed countries
-requires additional, specific licensing approval from the United
-States Government.
-
-Trusted Information Systems, Inc., is pleased to
-provide a reference implementation of the secure Domain Name System
-(TIS/DNSSEC). In order to foster acceptance of secure DNS and provide
-the community with a usable, working version of this technology,
-TIS/DNSSEC is being made available for broad use on the following basis.
-
-- Trusted Information Systems makes no representation about the
- suitability of this software for any purpose. It is provided "as is"
- without express or implied warranty.
-
-- TIS/DNSSEC is distributed in source code form, with all modules written
- in the C programming language. It runs on many UNIX derived platforms
- and is integrated with the Bind implementation of the DNS protocol.
-
-- This beta version of TIS/DNSSEC may be used, copied, and modified for
- testing and evaluation purposes without fee during the beta test
- period, provided that this notice appears in supporting documentation
- and is retained in all software modules in which it appears. Any other
- use requires specific, written prior permission from Trusted Information
- Systems.
-
-TIS maintains the email distribution list dns-security@tis.com for
-discussion of secure DNS. To join, send email to
- dns-security-request@tis.com.
-
-TIS/DNSSEC technical questions and bug reports should be addressed to
- dns-security@tis.com.
-
-To reach the maintainers of TIS/DNSSEC send mail to
- tisdnssec-support@tis.com
-
-TIS/DNSSEC is a product of Trusted Information Systems, Inc.
-
-This is an beta version of Bind with secure DNS extensions it uses
-RSAREF which you must obtain separately.
-
-Implemented and tested in this version:
- Portable key storage format.
- Improved authentication API
- Support for using different authentication packages.
- All Security RRs including KEY SIG, NXT, and support for wild cards
- tool for generating KEYs
- tool for signing RRs in boot files
- verification of RRs on load
- verification of RRs over the wire
- transmission of SIG RRs
- returns NXT when name and/or type does not exist
- storage of NXT, KEY, and SIG RRs with CNAME RR
- AD/ID bits added to header and setting of these bits
- key storage and retrieval
- dig and nslookup can display new header bits and RRs
- AXFR signature RR
- keyfile directive
- $SIGNER directive (to turn on and off signing)
- adding KEY to answers with NS or SOA
- SOA sequence numbers are now set each time zone is signed
- SIG AXFR ignores label count of names
- generation and inclusion of .PARENT files
- Returns only one NXT at delegation points unless two are required
- Expired SIG records are now returned in response to query
-
-Implemented but not fully tested:
-
-Known bugs:
-
-Not implemented:
- ROUND_ROBIN behaviour
- zone transfer in SIG(AXFR) sort order.
- transaction SIGs
- verification in resolver. (stub resolvers must trust local servers
- resolver library is to low level to implement security)
- knowing when to trust the AD bit in responses
-
-Read files INSTALL_SEC and USAGE_SEC for installation and user
-instructions, respectively.
diff --git a/contrib/bind/doc/secure/usage.txt b/contrib/bind/doc/secure/usage.txt
deleted file mode 100644
index aa8eebc..0000000
--- a/contrib/bind/doc/secure/usage.txt
+++ /dev/null
@@ -1,215 +0,0 @@
-
- USAGE_SEC
- Secure DNS (TIS/DNSSEC)
- September 1996
-
-This is the usage documentation for TIS' Secure DNS (TIS/DNSSEC) version
-BETA-1.3. This looks like a standard named distribution, with
-the following exceptions
-
- this version is coded against BIND-4.9.4-P1
-
- there are three new directories in this distribution
- dnssec_lib
- signer
- rsaref
-
-
- rsaref/ is place holder directory for RSAREF distribution.
- You must get RSAREF on your own.
-
- signer/ contains two applications needed by DNSSEC:
- signer: tool to sign zones
- key_gen: tool to generate keys
- dnssec_lib/ contains common library routines that are used by
- named, key_gen and signer.
- This is where most of the DNSSEC work is done.
-
-Before compiling you need to do your standard configurations for named
-and the edits explained in INSTALL_SEC. This version has been tested
-on SUNOS4.1.3. This version includes portability fixes from previous
-beta releases for Linux, Solaris-2.4, HPUX-9 and FreeBSD.
-
-CHANGES TO BIND
-
-res/
-
- There are minor changes to the files in the res directory. Most of
- the changes have to do with displaying NXT
- records. There are also some changes related to translating
- domain names into uncompressed lower case names upon request.
-
-tools/
- Minor changes to recognize NXT records and display them.
-
-named/
- Added code to read and write new record types.
- Added code to do signature validation on read.
- Added code to return appropriate SIG records.
- Added security flags to databuf and zoneinfo structures.
- Names can now have CNAME record and security RR's.
- Records are stored and transmitted in DNS SEC sort order.
-
-conf/
-
- Turned off ROUND_ROBIN option and installed new sorting required
- for signature verification.
-
-signer/
- NXT record generation.
- Key generation
- Signing of zones
- Converting data records to format required for signatures.
-
-dnssec_lib/
- Interfacing with Crypto library.
- Verifying signatures,
- preparing data for signing and verification
-
-The role of <zone>.PARENT files:
-
-DNSSEC specification requires change who is authorative for certain
-resource records. In order to support certification hierarchy each
-zone KEY RR must be signed by parent zone. The parent signed KEY RR
-must be distributed by the zone itself as it is the most authorative
-for its own records.
-
-To facilitate this TIS/DNSSEC signer program creates a <name>.PARENT
-file for every name in a zone that has a NS record. This file contains
-the KEY records stored under this name and
-NXT record and corresponding SIG records. If no KEY record is found
-for a name with a NS record a NULL-KEY record is generated to indicate
-that the child is INSECURE.
-
-Each <zone>.PARENT file must be sent via an out of band mechanism to
-the appropriate primary for the zone, for inclusion. signer program
-adds an $INCLUDE <zone>.PARENT command at the end of each zone file,
-if no file exists an warning message is printed.
-
-Potential PROBLEM: It is likely that the parent and child are on a
-different signing schedule. If new <zone>.PARENT file is put on the
-primary, due to the fact that the zone data changed but the SOA did
-not, it may take a long time for new records to propagate to the
-secondaries. This is only a problem if zone has added/deleted a KEY
-or if the the signatures will expire in the near future. To overcome
-this problem, resign your zone when any of above conditions is true.
-DNS NOTIFY and/or DNS DYNUPDATE may fix this problem in the future.
-
-TIS/DNSSEC SOA serial numbers. To facilitate prompt distribution of
-zone data to secondaries, signer takes over the management of SOA
-serial numbers. Each time signer signs a zone it sets the serial
-number to a value reflecting the time the zone was signed, in standard
-Unix time seconds since 1970/1/1 0:0:0 GMT.
-
-How to configure a secure zone.
- Create a directory <zone> to contain your zone files.
- Create a output directory <outdir> for the signer output.
- Put in <zone> a boot file that includes the files from that zone.
- Create a KEY for the zone by running key_gen, Name the key <domain>.
-
- Run signer on your zone writing to the output directory <outdir>.
- Signer will rewrite the boot file to include new directive
- "pubkey" of the key used to sign the file. If there where
- any pubkey declarations in the input boot file they will be
- deleted.
- Signer generates files that correspond to the load files specified.
-
- In case of load file that $INCLUDEs another load file, signer will
- merge them to the output file.
- You will notice that the output files are significantly larger.
- The output files will be in a different order than the input files,
- all records are sorted into DNSSEC sort order.
- NXT and SIG records have been added.
-
- If there are any NS records for a name other than the zone name of
- each input file you will see messages that NULL KEY records
- have been created, if this is not correct behavior, add
- the correct KEY RRs.
- For each domain name that has a NS record but is not a zone name
- of load file you will see a file named <name>.PARENT,
- this file contains the KEY record for that name and an
- NXT record + 2 SIG records.
- This file needs to be sent to the nameserver that is primary for that
- zone. There are two reasons for this:
- 1. To support Certification Hierarchy, each zone key is
- signed by the parent zone key.
- 2. Zone is the most trustworthy source for itself unless
- these records are loaded into the primary server for
- the zone, the records may not get propagated.
-
-how to run SEC_NAMED:
-
-Included in the distribution there is a small test setup:
-
-# run signer
-./signer boot-f simple_test/test.boot [out-dir /tmp]
-# or
-make test
-# This takes few minutes to run depending on your machine and the size
-# of the key selected
-# all output files will be stored in /tmp unless out-dir is specified
-
-#
-# Now we are ready to run named
-cd ../named
-./named -p 12345 -b /tmp/test.boot.save [-d x]
-
-#
-# you can now check for data in the data base
-# using the new dig.
-#
-cd ../tools
-./dig @yourhost snore.foo.bar. any in -p 12345
-
-#
-# Output from new dig will be something like this
-#
-; <<>> DiG 2.1 <<>> @dnssrv snore.foo.bar. any in -p
-; (1 server found)
-;; res options: init recurs defnam dnsrch
-;; got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
-;; flags: qr rd ra; Ques: 1, Ans: 11, Auth: 0, Addit: 1
-;; QUESTIONS:
-;; snore.foo.bar, type = ANY, class = IN
-
-;; ANSWERS:
-snore.foo.bar. 259200 A 10.17.3.20
-snore.foo.bar. 259200 SIG A (
- 1 3; alg labels
- 259200 ; TTL
- 19950506200636 ; Signature expiration
- 19950406200659 ; time signed
- 47437 ; Key foot print
- foo.bar. ; Signers name
- FsqeW3hstM8Q6v8PMCGPsVMfO6dEpHjFgKm2dJRaofFtCQ/CT9O6Vo7J5zgkV+5ciWQwuZwvzW071jnZ1i27Ip/8vqdKGHC63tjWkCHSZV0=
- ) ; END Signature
-snore.foo.bar. 259200 MX 96 who.foo.bar.
-snore.foo.bar. 259200 MX 100 foo.bar.
-snore.foo.bar. 259200 MX 120 xxx.foo.bar.
-snore.foo.bar. 259200 MX 130 maGellan.foo.bar.
-snore.foo.bar. 259200 MX 140 bozo.foo.bar.
-snore.foo.bar. 259200 SIG MX (
- 1 3; alg labels
- 259200 ; TTL
- 19950506200636 ; Signature expiration
- 19950406200659 ; time signed
- 47437 ; Key foot print
- foo.bar. ; Signers name
- EV0cJqF3pUOgktggTrFf55YGwQFbUqPJAMTnAkHK3+Z/Ya6GgwwNOGRzq/FYm5P4E+yIj6WUYFh9Ex5eX5TwiIsjM/hy173lSa3qm/ljDk8=
- ) ; END Signature
-snore.foo.bar. 259200 NXT xxx.foo.bar.
-snore.foo.bar. 259200 SIG NXT (
- 1 3; alg labels
- 259200 ; TTL
- 19950506200636 ; Signature expiration
- 19950406200659 ; time signed
- 47437 ; Key foot print
- foo.bar. ; Signers name
- eJUHVm5Q5qYQYFVOW0L5Of67HQvQ9+7T7sQqHv7ayTT2sMnXudxviYv43vALMMwBcJFXFEhLhwYwN7pUDssD/w5si/6JJQTi1o30S8si3zE=
- ) ; END Signature
-
-;; Total query time: 195 msec
-;; FROM: dnssrv to SERVER: dnssrv 10.17.3.1
-;; WHEN: Thu Apr 6 16:20:32 1995
-;; MSG SIZE sent: 31 rcvd: 662
OpenPOWER on IntegriCloud