Diffstat (limited to 'contrib/bind9/bin/dnssec')
-rw-r--r-- | contrib/bind9/bin/dnssec/Makefile.in | 2 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.8 | 75 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.c | 111 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.docbook | 343 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.html | 246 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.8 | 145 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.c | 331 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.docbook | 477 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.html | 306 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssectool.c | 8 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssectool.h | 2 |
11 files changed, 1317 insertions, 729 deletions
diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in index b9b7bea..b94dca7 100644 --- a/contrib/bind9/bin/dnssec/Makefile.in +++ b/contrib/bind9/bin/dnssec/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.19.12.12 2005/05/02 00:25:54 marka Exp $ +# $Id: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8 index 35bb0ef..39762fd 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.8 +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.19.12.10 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dnssec-keygen.8,v 1.23.18.13 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: dnssec\-keygen .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 
@@ -39,8 +39,9 @@ dnssec\-keygen \- DNSSEC key generation tool \fBdnssec\-keygen\fR generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. .SH "OPTIONS" -.TP 3n +.PP \-a \fIalgorithm\fR +.RS 4 Selects the cryptographic algorithm. The value of \fBalgorithm\fR must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive. 
@@ -48,38 +49,58 @@ must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory. .sp Note 2: HMAC\-MD5 and DH automatically set the \-k flag. -.TP 3n +.RE +.PP \-b \fIkeysize\fR +.RS 4 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits. -.TP 3n +.RE +.PP \-n \fInametype\fR +.RS 4 Specifies the owner type of the key. The value of \fBnametype\fR must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -.TP 3n +.RE +.PP \-e +.RS 4 If generating an RSAMD5/RSASHA1 key, use a large exponent. -.TP 3n +.RE +.PP \-f \fIflag\fR +.RS 4 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY. -.TP 3n +.RE +.PP \-g \fIgenerator\fR +.RS 4 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. -.TP 3n +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBdnssec\-keygen\fR. -.TP 3n +.RE +.PP \-k +.RS 4 Generate KEY records rather than DNSKEY records. -.TP 3n +.RE +.PP \-p \fIprotocol\fR +.RS 4 Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). 
Other possible values for this argument are listed in RFC 2535 and its successors. -.TP 3n +.RE +.PP \-r \fIrandomdev\fR +.RS 4 Specifies the source of randomness. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -87,17 +108,24 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-s \fIstrength\fR +.RS 4 Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -.TP 3n +.RE +.PP \-t \fItype\fR +.RS 4 Indicates the use of the key. \fBtype\fR must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -.TP 3n +.RE +.PP \-v \fIlevel\fR +.RS 4 Sets the debugging level. +.RE .SH "GENERATED KEYS" .PP When @@ -105,20 +133,18 @@ When completes successfully, it prints a string of the form \fIKnnnn.+aaa+iiiii\fR to the standard output. This is an identification string for the key it has generated. -.TP 3n +.TP 4 \(bu \fInnnn\fR is the key name. -.TP 3n +.TP 4 \(bu \fIaaa\fR is the numeric representation of the algorithm. -.TP 3n +.TP 4 \(bu \fIiiiii\fR is the key identifier (or footprint). -.sp -.RE .PP \fBdnssec\-keygen\fR creates two file, with names based on the printed string. @@ -168,4 +194,7 @@ RFC 2539. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br 
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
index 7feaf7c..19087ea 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.c
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003 Internet Software Consortium.
+ * Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003 Internet Software Consortium.
 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,9 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.66.18.9 2007/01/18 00:06:11 marka Exp $ */
+
+/*! \file */
 #include <config.h>
@@ -47,7 +49,9 @@
 const char *program = "dnssec-keygen";
 int verbose;
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
+ " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
+ " HMAC-SHA384 | HMAC-SHA512";
 static isc_boolean_t
 dsa_size_ok(int size) {
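Review bot: The `algs` string is assembled from a fragment ending in `"HMAC-SHA256 | "` and one beginning with `" HMAC-SHA384"`, so the usage line prints two spaces before HMAC-SHA384 while every other separator is a single space; dropping the trailing space from the middle fragment, `" HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"`, keeps the list uniform. The string also still advertises plain `RSA`, which a later hunk in this file now rejects with a message redirecting the user to RSAMD5; if RSA is kept here deliberately so that the redirect is reachable, a one-line comment on `algs` saying so would stop a future cleanup from silently dropping it.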
@@ -68,10 +72,16 @@ usage(void) {
 fprintf(stderr, " DH:\t\t[128..4096]\n");
 fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
 fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
+ fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
+ fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
+ fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
+ fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
+ fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
 fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 fprintf(stderr, " name: owner of the key\n");
 fprintf(stderr, "Other options:\n");
 fprintf(stderr, " -c <class> (default: IN)\n");
+ fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
 fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n");
 fprintf(stderr, " -f keyflag: KSK\n");
 fprintf(stderr, " -g <generator> use specified generator "
@@ -115,6 +125,7 @@ main(int argc, char **argv) {
 isc_entropy_t *ectx = NULL;
 dns_rdataclass_t rdclass;
 int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+ int dbits = 0;
 if (argc == 1)
 usage();
@@ -124,7 +135,7 @@ main(int argc, char **argv) {
 dns_result_register();
 while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
+ "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
 {
 switch (ch) {
 case 'a':
@@ -138,6 +149,11 @@ main(int argc, char **argv) {
 case 'c':
 classname = isc_commandline_argument;
 break;
+ case 'd':
+ dbits = strtol(isc_commandline_argument, &endp, 10);
+ if (*endp != '\0' || dbits < 0)
+ fatal("-d requires a non-negative number");
+ break;
 case 'e':
 rsa_exp = 1;
 break;
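Review bot: The new `case 'd'` narrows `strtol`'s `long` result into `int dbits` before validating it, so on a typical LP64 host an argument such as 4294967296 wraps to 0, which the later switch treats as "use the full digest" instead of rejecting it, and an empty argument is accepted as 0 because only `*endp` is tested rather than `endp == isc_commandline_argument`. Validating the `long` before narrowing closes both gaps; `endp` is declared outside this hunk and `INT_MAX` needs `<limits.h>` if the file does not already include it, and the same narrowing pattern may exist for `-b`, `-g` and `-p` elsewhere in main, which lies outside the hunk. Separately, none of the man page or docbook hunks on this page document `-d` or the HMAC-SHA algorithms the usage text now lists, so the user-facing documentation is out of step with this change.
```c
		case 'd': {
			long v = strtol(isc_commandline_argument, &endp, 10);
			if (endp == isc_commandline_argument || *endp != '\0' ||
			    v < 0 || v > INT_MAX)
				fatal("-d requires a non-negative number");
			dbits = (int)v;
			break;
		}
```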
@@ -211,9 +227,29 @@ main(int argc, char **argv) {
 if (algname == NULL)
 fatal("no algorithm was specified");
- if (strcasecmp(algname, "HMAC-MD5") == 0) {
+ if (strcasecmp(algname, "RSA") == 0) {
+ fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
+ "If you still wish to use RSA (RSAMD5) please "
+ "specify \"-a RSAMD5\"\n");
+ return (1);
+ } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
 options |= DST_TYPE_KEY;
 alg = DST_ALG_HMACMD5;
+ } else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
+ options |= DST_TYPE_KEY;
+ alg = DST_ALG_HMACSHA1;
+ } else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
+ options |= DST_TYPE_KEY;
+ alg = DST_ALG_HMACSHA224;
+ } else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
+ options |= DST_TYPE_KEY;
+ alg = DST_ALG_HMACSHA256;
+ } else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
+ options |= DST_TYPE_KEY;
+ alg = DST_ALG_HMACSHA384;
+ } else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
+ options |= DST_TYPE_KEY;
+ alg = DST_ALG_HMACSHA512;
 } else {
 r.base = algname;
 r.length = strlen(algname);
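Review bot: The five new `else if (strcasecmp(algname, "HMAC-SHA…") == 0)` arms differ only in the name and the `DST_ALG_*` constant, and the same six-algorithm set is then enumerated by hand again in the key-size switch and in the zone-key check in later hunks of this file, so a seventh HMAC would have to be added in three places. A small name-to-algorithm table walked once here leaves a single list to maintain; the RSA rejection and the text-form lookup in the `else` branch stay as they are. The `return (1)` on the RSA path also exits through a different route from every other argument error in this function, which uses `fatal()`; using `fatal()` there keeps exit status and message prefix consistent unless the plain stderr wording was chosen on purpose. main continues outside the hunk.
```c
/* File scope: the symmetric (TSIG) algorithms -a accepts by name.
 * DNSSEC algorithms are still resolved from their text form in main. */
static const struct {
	const char *name;
	int alg;
} hmac_algs[] = {
	{ "HMAC-MD5",    DST_ALG_HMACMD5 },
	{ "HMAC-SHA1",   DST_ALG_HMACSHA1 },
	{ "HMAC-SHA224", DST_ALG_HMACSHA224 },
	{ "HMAC-SHA256", DST_ALG_HMACSHA256 },
	{ "HMAC-SHA384", DST_ALG_HMACSHA384 },
	{ "HMAC-SHA512", DST_ALG_HMACSHA512 },
};
#define N_HMAC_ALGS (sizeof(hmac_algs) / sizeof(hmac_algs[0]))

	/* in main(); `i` is a size_t declared with main's other locals */
	if (strcasecmp(algname, "RSA") == 0) {
		/* … unchanged: RSAMD5 warning and return … */
	}
	for (i = 0; i < N_HMAC_ALGS; i++)
		if (strcasecmp(algname, hmac_algs[i].name) == 0)
			break;
	if (i < N_HMAC_ALGS) {
		options |= DST_TYPE_KEY;
		alg = hmac_algs[i].alg;
	} else {
		r.base = algname;
		r.length = strlen(algname);
		/* … unchanged: text-form lookup … */
```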
@@ -260,6 +296,56 @@ main(int argc, char **argv) {
 case DST_ALG_HMACMD5:
 if (size < 1 || size > 512)
 fatal("HMAC-MD5 key size %d out of range", size);
+ if (dbits != 0 && (dbits < 80 || dbits > 128))
+ fatal("HMAC-MD5 digest bits %d out of range", dbits);
+ if ((dbits % 8) != 0)
+ fatal("HMAC-MD5 digest bits %d not divisible by 8",
+ dbits);
+ break;
+ case DST_ALG_HMACSHA1:
+ if (size < 1 || size > 160)
+ fatal("HMAC-SHA1 key size %d out of range", size);
+ if (dbits != 0 && (dbits < 80 || dbits > 160))
+ fatal("HMAC-SHA1 digest bits %d out of range", dbits);
+ if ((dbits % 8) != 0)
+ fatal("HMAC-SHA1 digest bits %d not divisible by 8",
+ dbits);
+ break;
+ case DST_ALG_HMACSHA224:
+ if (size < 1 || size > 224)
+ fatal("HMAC-SHA224 key size %d out of range", size);
+ if (dbits != 0 && (dbits < 112 || dbits > 224))
+ fatal("HMAC-SHA224 digest bits %d out of range", dbits);
+ if ((dbits % 8) != 0)
+ fatal("HMAC-SHA224 digest bits %d not divisible by 8",
+ dbits);
+ break;
+ case DST_ALG_HMACSHA256:
+ if (size < 1 || size > 256)
+ fatal("HMAC-SHA256 key size %d out of range", size);
+ if (dbits != 0 && (dbits < 128 || dbits > 256))
+ fatal("HMAC-SHA256 digest bits %d out of range", dbits);
+ if ((dbits % 8) != 0)
+ fatal("HMAC-SHA256 digest bits %d not divisible by 8",
+ dbits);
+ break;
+ case DST_ALG_HMACSHA384:
+ if (size < 1 || size > 384)
+ fatal("HMAC-384 key size %d out of range", size);
+ if (dbits != 0 && (dbits < 192 || dbits > 384))
+ fatal("HMAC-SHA384 digest bits %d out of range", dbits);
+ if ((dbits % 8) != 0)
+ fatal("HMAC-SHA384 digest bits %d not divisible by 8",
+ dbits);
+ break;
+ case DST_ALG_HMACSHA512:
+ if (size < 1 || size > 512)
+ fatal("HMAC-SHA512 key size %d out of range", size);
+ if (dbits != 0 && (dbits < 256 || dbits > 512))
+ fatal("HMAC-SHA512 digest bits %d out of range", dbits);
+ if ((dbits % 8) != 0)
+ fatal("HMAC-SHA512 digest bits %d not divisible by 8",
+ dbits);
 break;
 }
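Review bot: The HMAC-SHA384 key-size message reads `fatal("HMAC-384 key size %d out of range", size);` while every sibling names the algorithm in full; it should be `fatal("HMAC-SHA384 key size %d out of range", size);` so that a grep of logs for the algorithm name finds it. The six `if ((dbits % 8) != 0)` checks are identical and algorithm-independent, so a single check after the switch would do. The per-algorithm lower bounds (80 for MD5 and SHA1, half the digest length for the rest) look like the truncation floor from RFC 4635; a comment above the switch such as `/* Truncation floor: 80 bits or half the digest, whichever is larger (RFC 4635); 0 means no truncation and passes the %8 check by construction. */` would tell the next reader that 80 and 112 are not typos and that 0 is deliberately let through. main continues outside the hunk.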
@@ -306,7 +392,10 @@ main(int argc, char **argv) {
 }
 if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
- (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
+ (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
+ alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512))
 fatal("a key with algorithm '%s' cannot be a zone key",
 algname);
@@ -330,6 +419,11 @@ main(int argc, char **argv) {
 break;
 case DNS_KEYALG_DSA:
 case DST_ALG_HMACMD5:
+ case DST_ALG_HMACSHA1:
+ case DST_ALG_HMACSHA224:
+ case DST_ALG_HMACSHA256:
+ case DST_ALG_HMACSHA384:
+ case DST_ALG_HMACSHA512:
 param = 0;
 break;
 }
@@ -358,6 +452,8 @@ main(int argc, char **argv) {
 exit(-1);
 }
+ dst_key_setbits(key, dbits);
+
 /*
 * Try to read a key with the same name, alg and id from disk.
 * If there is one we must continue generating a new one
@@ -407,6 +503,7 @@ main(int argc, char **argv) {
 cleanup_logging(&log);
 cleanup_entropy(&ectx);
 dst_lib_destroy();
+ dns_name_destroy();
 if (verbose > 10)
 isc_mem_stats(mctx, stdout);
 isc_mem_destroy(&mctx);
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
index e1eee22..cc5f1e7 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
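Review bot: `dst_key_setbits(key, dbits);` is the only place the validated `-d` value reaches the key, and nothing near it says that 0 is the "use the full digest" default established by the usage text and the range checks earlier in this file; a comment such as `/* 0 = full HMAC output; otherwise the truncation length validated above. */` saves the reader a trip back to the switch. Whether dst_key_setbits reports a status cannot be seen from this hunk; if it does, the call currently ignores it. The extended zone-key condition lists the same six HMAC constants by hand that the key-size switch and the `-a` parser enumerate in earlier hunks, so any helper or table introduced there should be reused here too. main continues outside the hunk.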
@@ -18,9 +18,8 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keygen.docbook,v 1.3.12.9 2005/08/30 01:41:41 marka Exp $ --> - -<refentry> +<!-- $Id: dnssec-keygen.docbook,v 1.7.18.9 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.dnssec-keygen"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> @@ -31,10 +30,16 @@ <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>dnssec-keygen</application></refname> + <refpurpose>DNSSEC key generation tool</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -46,11 +51,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>dnssec-keygen</application></refname> - <refpurpose>DNSSEC key generation tool</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>dnssec-keygen</command> @@ -74,11 +74,10 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>dnssec-keygen</command> generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate - keys for use with TSIG (Transaction Signatures), as - defined in RFC 2845. + <para><command>dnssec-keygen</command> + generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 + and RFC <TBA\>. It can also generate keys for use with + TSIG (Transaction Signatures), as defined in RFC 2845. </para> </refsect1> 
@@ -88,168 +87,173 @@ <variablelist> <varlistentry> <term>-a <replaceable class="parameter">algorithm</replaceable></term> - <listitem> - <para> - Selects the cryptographic algorithm. The value of - <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1, - DSA, DH (Diffie Hellman), or HMAC-MD5. These values - are case insensitive. - </para> - <para> - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, - and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - </para> - <para> - Note 2: HMAC-MD5 and DH automatically set the -k flag. - </para> - </listitem> + <listitem> + <para> + Selects the cryptographic algorithm. The value of + <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </para> + <para> + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </para> + <para> + Note 2: HMAC-MD5 and DH automatically set the -k flag. + </para> + </listitem> </varlistentry> <varlistentry> <term>-b <replaceable class="parameter">keysize</replaceable></term> - <listitem> - <para> - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between - 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be - between 1 and 512 bits. - </para> - </listitem> + <listitem> + <para> + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be + between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-n <replaceable class="parameter">nametype</replaceable></term> - <listitem> - <para> - Specifies the owner type of the key. The value of - <option>nametype</option> must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are - case insensitive. - </para> - </listitem> + <listitem> + <para> + Specifies the owner type of the key. The value of + <option>nametype</option> must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are + case insensitive. + </para> + </listitem> </varlistentry> <varlistentry> <term>-c <replaceable class="parameter">class</replaceable></term> - <listitem> - <para> - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - </para> - </listitem> + <listitem> + <para> + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-e</term> - <listitem> - <para> - If generating an RSAMD5/RSASHA1 key, use a large exponent. - </para> - </listitem> + <listitem> + <para> + If generating an RSAMD5/RSASHA1 key, use a large exponent. + </para> + </listitem> </varlistentry> <varlistentry> <term>-f <replaceable class="parameter">flag</replaceable></term> - <listitem> - <para> - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. - </para> - </listitem> + <listitem> + <para> + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-g <replaceable class="parameter">generator</replaceable></term> - <listitem> - <para> - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. - </para> - </listitem> + <listitem> + <para> + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + </para> + </listitem> </varlistentry> <varlistentry> <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-keygen</command>. - </para> - </listitem> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-keygen</command>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-k</term> - <listitem> - <para> - Generate KEY records rather than DNSKEY records. - </para> - </listitem> + <listitem> + <para> + Generate KEY records rather than DNSKEY records. + </para> + </listitem> </varlistentry> <varlistentry> <term>-p <replaceable class="parameter">protocol</replaceable></term> - <listitem> - <para> - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - </para> - </listitem> + <listitem> + <para> + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + </para> + </listitem> </varlistentry> <varlistentry> <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. 
If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. <filename>randomdev</filename> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-s <replaceable class="parameter">strength</replaceable></term> - <listitem> - <para> - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. - </para> - </listitem> + <listitem> + <para> + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </para> + </listitem> </varlistentry> <varlistentry> <term>-t <replaceable class="parameter">type</replaceable></term> - <listitem> - <para> - Indicates the use of the key. <option>type</option> must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - </para> - </listitem> + <listitem> + <para> + Indicates the use of the key. <option>type</option> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. 
+ </para> + </listitem> </varlistentry> <varlistentry> <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> </varlistentry> </variablelist> 
@@ -258,82 +262,82 @@ <refsect1> <title>GENERATED KEYS</title> <para> - When <command>dnssec-keygen</command> completes successfully, - it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename> - to the standard output. This is an identification string for - the key it has generated. + When <command>dnssec-keygen</command> completes + successfully, + it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename> + to the standard output. This is an identification string for + the key it has generated. </para> <itemizedlist> <listitem> - <para> - <filename>nnnn</filename> is the key name. + <para><filename>nnnn</filename> is the key name. </para> </listitem> <listitem> - <para> - <filename>aaa</filename> is the numeric representation of the + <para><filename>aaa</filename> is the numeric representation + of the algorithm. </para> </listitem> <listitem> - <para> - <filename>iiiii</filename> is the key identifier (or footprint). + <para><filename>iiiii</filename> is the key identifier (or + footprint). </para> </listitem> </itemizedlist> - <para> - <command>dnssec-keygen</command> creates two file, with names based - on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename> - contains the public key, and - <filename>Knnnn.+aaa+iiiii.private</filename> contains the private - key. + <para><command>dnssec-keygen</command> + creates two file, with names based + on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename> + contains the public key, and + <filename>Knnnn.+aaa+iiiii.private</filename> contains the + private + key. </para> <para> - The <filename>.key</filename> file contains a DNS KEY record that - can be inserted into a zone file (directly or with a $INCLUDE - statement). + The <filename>.key</filename> file contains a DNS KEY record + that + can be inserted into a zone file (directly or with a $INCLUDE + statement). </para> <para> - The <filename>.private</filename> file contains algorithm specific - fields. 
For obvious security reasons, this file does not have - general read permission. + The <filename>.private</filename> file contains algorithm + specific + fields. For obvious security reasons, this file does not have + general read permission. </para> <para> - Both <filename>.key</filename> and <filename>.private</filename> - files are generated for symmetric encryption algorithm such as - HMAC-MD5, even though the public and private key are equivalent. + Both <filename>.key</filename> and <filename>.private</filename> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. </para> </refsect1> <refsect1> <title>EXAMPLE</title> <para> - To generate a 768-bit DSA key for the domain - <userinput>example.com</userinput>, the following command would be - issued: + To generate a 768-bit DSA key for the domain + <userinput>example.com</userinput>, the following command would be + issued: </para> - <para> - <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput> + <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput> </para> <para> - The command would print a string of the form: + The command would print a string of the form: </para> - <para> - <userinput>Kexample.com.+003+26160</userinput> + <para><userinput>Kexample.com.+003+26160</userinput> </para> <para> - In this example, <command>dnssec-keygen</command> creates - the files <filename>Kexample.com.+003+26160.key</filename> and - <filename>Kexample.com.+003+26160.private</filename> + In this example, <command>dnssec-keygen</command> creates + the files <filename>Kexample.com.+003+26160.key</filename> + and + <filename>Kexample.com.+003+26160.private</filename> </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-signzone</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum> 
</citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>RFC 2535</citetitle>, @@ -344,14 +348,11 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html index 7a15099..5229868 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.html +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.15 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: dnssec-keygen.html,v 1.9.18.19 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-keygen</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.dnssec-keygen"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p> 
@@ -32,186 +32,191 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549521"></a><h2>DESCRIPTION</h2> -<p> - <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate - keys for use with TSIG (Transaction Signatures), as - defined in RFC 2845. +<a name="id2543474"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dnssec-keygen</strong></span> + generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 + and RFC <TBA\>. It can also generate keys for use with + TSIG (Transaction Signatures), as defined in RFC 2845. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549533"></a><h2>OPTIONS</h2> +<a name="id2543485"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> - Selects the cryptographic algorithm. 
The value of - <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1, - DSA, DH (Diffie Hellman), or HMAC-MD5. These values - are case insensitive. - </p> + Selects the cryptographic algorithm. The value of + <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </p> <p> - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, - and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - </p> + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </p> <p> - Note 2: HMAC-MD5 and DH automatically set the -k flag. - </p> + Note 2: HMAC-MD5 and DH automatically set the -k flag. + </p> </dd> <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> <dd><p> - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between - 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be - between 1 and 512 bits. - </p></dd> + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be + between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. + </p></dd> <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> <dd><p> - Specifies the owner type of the key. The value of - <code class="option">nametype</code> must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). 
These values are - case insensitive. - </p></dd> + Specifies the owner type of the key. The value of + <code class="option">nametype</code> must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are + case insensitive. + </p></dd> <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> <dd><p> - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - </p></dd> + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </p></dd> <dt><span class="term">-e</span></dt> <dd><p> - If generating an RSAMD5/RSASHA1 key, use a large exponent. - </p></dd> + If generating an RSAMD5/RSASHA1 key, use a large exponent. + </p></dd> <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt> <dd><p> - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. - </p></dd> + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. + </p></dd> <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt> <dd><p> - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. - </p></dd> + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. 
+ </p></dd> <dt><span class="term">-h</span></dt> <dd><p> - Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-keygen</strong></span>. - </p></dd> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-keygen</strong></span>. + </p></dd> <dt><span class="term">-k</span></dt> <dd><p> - Generate KEY records rather than DNSKEY records. - </p></dd> + Generate KEY records rather than DNSKEY records. + </p></dd> <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt> <dd><p> - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - </p></dd> + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + </p></dd> <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> <dd><p> - Specifies the source of randomness. If the operating - system does not provide a <code class="filename">/dev/random</code> - or equivalent device, the default source of randomness - is keyboard input. <code class="filename">randomdev</code> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <code class="filename">keyboard</code> indicates that keyboard - input should be used. - </p></dd> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> + or equivalent device, the default source of randomness + is keyboard input. <code class="filename">randomdev</code> + specifies + the name of a character device or file containing random + data to be used instead of the default. 
The special value + <code class="filename">keyboard</code> indicates that keyboard + input should be used. + </p></dd> <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt> <dd><p> - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. - </p></dd> + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </p></dd> <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt> <dd><p> - Indicates the use of the key. <code class="option">type</code> must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - </p></dd> + Indicates the use of the key. <code class="option">type</code> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + </p></dd> <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> <dd><p> - Sets the debugging level. - </p></dd> + Sets the debugging level. + </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2549939"></a><h2>GENERATED KEYS</h2> +<a name="id2543820"></a><h2>GENERATED KEYS</h2> <p> - When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, - it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> - to the standard output. This is an identification string for - the key it has generated. + When <span><strong class="command">dnssec-keygen</strong></span> completes + successfully, + it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> + to the standard output. This is an identification string for + the key it has generated. 
</p> <div class="itemizedlist"><ul type="disc"> -<li><p> - <code class="filename">nnnn</code> is the key name. +<li><p><code class="filename">nnnn</code> is the key name. </p></li> -<li><p> - <code class="filename">aaa</code> is the numeric representation of the +<li><p><code class="filename">aaa</code> is the numeric representation + of the algorithm. </p></li> -<li><p> - <code class="filename">iiiii</code> is the key identifier (or footprint). +<li><p><code class="filename">iiiii</code> is the key identifier (or + footprint). </p></li> </ul></div> -<p> - <span><strong class="command">dnssec-keygen</strong></span> creates two file, with names based - on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> - contains the public key, and - <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private - key. +<p><span><strong class="command">dnssec-keygen</strong></span> + creates two file, with names based + on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> + contains the public key, and + <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the + private + key. </p> <p> - The <code class="filename">.key</code> file contains a DNS KEY record that - can be inserted into a zone file (directly or with a $INCLUDE - statement). + The <code class="filename">.key</code> file contains a DNS KEY record + that + can be inserted into a zone file (directly or with a $INCLUDE + statement). </p> <p> - The <code class="filename">.private</code> file contains algorithm specific - fields. For obvious security reasons, this file does not have - general read permission. + The <code class="filename">.private</code> file contains algorithm + specific + fields. For obvious security reasons, this file does not have + general read permission. 
</p> <p> - Both <code class="filename">.key</code> and <code class="filename">.private</code> - files are generated for symmetric encryption algorithm such as - HMAC-MD5, even though the public and private key are equivalent. + Both <code class="filename">.key</code> and <code class="filename">.private</code> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. </p> </div> <div class="refsect1" lang="en"> -<a name="id2550027"></a><h2>EXAMPLE</h2> +<a name="id2543902"></a><h2>EXAMPLE</h2> <p> - To generate a 768-bit DSA key for the domain - <strong class="userinput"><code>example.com</code></strong>, the following command would be - issued: + To generate a 768-bit DSA key for the domain + <strong class="userinput"><code>example.com</code></strong>, the following command would be + issued: </p> -<p> - <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> +<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> </p> <p> - The command would print a string of the form: + The command would print a string of the form: </p> -<p> - <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> +<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong> </p> <p> - In this example, <span><strong class="command">dnssec-keygen</strong></span> creates - the files <code class="filename">Kexample.com.+003+26160.key</code> and - <code class="filename">Kexample.com.+003+26160.private</code> + In this example, <span><strong class="command">dnssec-keygen</strong></span> creates + the files <code class="filename">Kexample.com.+003+26160.key</code> + and + <code class="filename">Kexample.com.+003+26160.private</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2550073"></a><h2>SEE ALSO</h2> -<p> - <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, +<a 
name="id2543946"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2535</em>, <em class="citetitle">RFC 2845</em>, @@ -219,9 +224,8 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2550106"></a><h2>AUTHOR</h2> -<p> - <span class="corpauthor">Internet Systems Consortium</span> +<a name="id2544045"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> </div></body> diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8 index 734eca6..86347b1 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.8 +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.11 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dnssec-signzone.8,v 1.28.18.16 2007/01/30 00:23:44 marka Exp $ .\" .hy 0 .ad l .\" Title: dnssec\-signzone .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 
@@ -33,7 +33,7 @@ dnssec\-signzone \- DNSSEC zone signing tool .SH "SYNOPSIS" .HP 16 -\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...] +\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...] .SH "DESCRIPTION" .PP \fBdnssec\-signzone\fR 
@@ -41,50 +41,71 @@ signs a zone. It generates NSEC and RRSIG records and produces a signed version \fIkeyset\fR file for each child zone. .SH "OPTIONS" -.TP 3n +.PP \-a +.RS 4 Verify all generated signatures. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Specifies the DNS class of the zone. -.TP 3n +.RE +.PP \-k \fIkey\fR +.RS 4 Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. -.TP 3n +.RE +.PP \-l \fIdomain\fR +.RS 4 Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. -.TP 3n +.RE +.PP \-d \fIdirectory\fR +.RS 4 Look for \fIkeyset\fR files in \fBdirectory\fR as the directory -.TP 3n +.RE +.PP \-g +.RS 4 Generate DS records for child zones from keyset files. Existing DS records will be removed. -.TP 3n +.RE +.PP \-s \fIstart\-time\fR +.RS 4 Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no \fBstart\-time\fR is specified, the current time minus 1 hour (to allow for clock skew) is used. -.TP 3n +.RE +.PP \-e \fIend\-time\fR +.RS 4 Specify the date and time when the generated RRSIG records expire. As with \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no \fBend\-time\fR is specified, 30 days from the start time is used as a default. -.TP 3n +.RE +.PP \-f \fIoutput\-file\fR +.RS 4 The name of the output file containing the signed zone. The default is to append \fI.signed\fR to the input file. 
-.TP 3n +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBdnssec\-signzone\fR. -.TP 3n +.RE +.PP \-i \fIinterval\fR +.RS 4 When a previously signed zone is passed as input, records may be resigned. The \fBinterval\fR option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. 
@@ -96,17 +117,77 @@ or are specified, \fBdnssec\-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. -.TP 3n +.RE +.PP +\-I \fIinput\-format\fR +.RS 4 +The format of the input zone file. Possible formats are +\fB"text"\fR +(default) and +\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones. +.RE +.PP +\-j \fIjitter\fR +.RS 4 +When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously signed zone is passed as input to the signer, all expired signatures has to be regenerated at about the same time. The +\fBjitter\fR +option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time. +.sp +Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time. +.RE +.PP \-n \fIncpus\fR +.RS 4 Specifies the number of threads to use. By default, one thread is started for each detected CPU. -.TP 3n +.RE +.PP +\-N \fIsoa\-serial\-format\fR +.RS 4 +The SOA serial number format of the signed zone. Possible formats are +\fB"keep"\fR +(default), +\fB"increment"\fR +and +\fB"unixtime"\fR. +.RS 4 +.PP +\fB"keep"\fR +.RS 4 +Do not modify the SOA serial number. +.RE +.PP +\fB"increment"\fR +.RS 4 +Increment the SOA serial number using RFC 1982 arithmetics. 
+.RE +.PP +\fB"unixtime"\fR +.RS 4 +Set the SOA serial number to the number of seconds since epoch. +.RE +.RE +.RE +.PP \-o \fIorigin\fR +.RS 4 The zone origin. If not specified, the name of the zone file is assumed to be the origin. -.TP 3n +.RE +.PP +\-O \fIoutput\-format\fR +.RS 4 +The format of the output file containing the signed zone. Possible formats are +\fB"text"\fR +(default) and +\fB"raw"\fR. +.RE +.PP \-p +.RS 4 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. -.TP 3n +.RE +.PP \-r \fIrandomdev\fR +.RS 4 Specifies the source of randomness. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -114,21 +195,32 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-t +.RS 4 Print statistics at completion. -.TP 3n +.RE +.PP \-v \fIlevel\fR +.RS 4 Sets the debugging level. -.TP 3n +.RE +.PP \-z +.RS 4 Ignore KSK flag on key when determining what to sign. -.TP 3n +.RE +.PP zonefile +.RS 4 The file containing the zone to be signed. -.TP 3n +.RE +.PP key +.RS 4 The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory. +.RE .SH "EXAMPLE" .PP The following command signs the @@ -159,4 +251,7 @@ RFC 2535. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br 
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c index 4ac840d..1f5b538 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.c +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c @@ -16,7 +16,9 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.139.2.2.4.23 2006/01/04 23:50:19 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.177.18.21 2006/08/30 23:01:54 marka Exp $ */ + +/*! \file */ #include <config.h> @@ -33,6 +35,7 @@ #include <isc/mutex.h> #include <isc/os.h> #include <isc/print.h> +#include <isc/random.h> #include <isc/serial.h> #include <isc/stdio.h> #include <isc/string.h> @@ -58,6 +61,7 @@ #include <dns/rdatastruct.h> #include <dns/rdatatype.h> #include <dns/result.h> +#include <dns/soa.h> #include <dns/time.h> #include <dst/dst.h> @@ -85,6 +89,10 @@ struct signer_key_struct { #define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0) #define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1) +#define SOA_SERIAL_KEEP 0 +#define SOA_SERIAL_INCREMENT 1 +#define SOA_SERIAL_UNIXTIME 2 + typedef struct signer_event sevent_t; struct signer_event { ISC_EVENT_COMMON(sevent_t); @@ -96,6 +104,7 @@ static ISC_LIST(signer_key_t) keylist; static unsigned int keycount = 0; static isc_stdtime_t starttime = 0, endtime = 0, now; static int cycle = -1; +static int jitter = 0; static isc_boolean_t tryverify = ISC_FALSE; static isc_boolean_t printstats = ISC_FALSE; static isc_mem_t *mctx = NULL; @@ -104,6 +113,8 @@ static dns_ttl_t zonettl; static FILE *fp; static char *tempfile = NULL; static const dns_master_style_t *masterstyle; +static dns_masterformat_t inputformat = dns_masterformat_text; +static dns_masterformat_t outputformat = dns_masterformat_text; static unsigned int nsigned = 0, nretained = 0, ndropped = 0; static unsigned int nverified = 0, nverifyfailed = 0; static const char *directory; 
@@ -125,6 +136,7 @@ static isc_boolean_t ignoreksk = ISC_FALSE; static dns_name_t *dlv = NULL; static dns_fixedname_t dlv_fixed; static dns_master_style_t *dsstyle = NULL; +static unsigned int serialformat = SOA_SERIAL_KEEP; #define INCSTAT(counter) \ if (printstats) { \ @@ -154,42 +166,13 @@ static void dumpnode(dns_name_t *name, dns_dbnode_t *node) { isc_result_t result; + if (outputformat != dns_masterformat_text) + return; result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name, masterstyle, fp); check_result(result, "dns_master_dumpnodetostream"); } -static void -dumpdb(dns_db_t *db) { - dns_dbiterator_t *dbiter = NULL; - dns_dbnode_t *node; - dns_fixedname_t fname; - dns_name_t *name; - isc_result_t result; - - dbiter = NULL; - result = dns_db_createiterator(db, ISC_FALSE, &dbiter); - check_result(result, "dns_db_createiterator()"); - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - node = NULL; - - for (result = dns_dbiterator_first(dbiter); - result == ISC_R_SUCCESS; - result = dns_dbiterator_next(dbiter)) - { - result = dns_dbiterator_current(dbiter, &node, name); - check_result(result, "dns_dbiterator_current()"); - dumpnode(name, node); - dns_db_detachnode(db, &node); - } - if (result != ISC_R_NOMORE) - fatal("iterating database: %s", isc_result_totext(result)); - - dns_dbiterator_destroy(&dbiter); -} - static signer_key_t * newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) { signer_key_t *key; @@ -217,8 +200,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, dst_key_t *key, isc_buffer_t *b) { isc_result_t result; + isc_stdtime_t jendtime; - result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime, + jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime; + result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime, mctx, b, rdata); isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) { 
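Review bot: The jittered expiry in signwithkey is never checked against the validity window: `isc_random_jitter(endtime, jitter)` (if it subtracts a random offset of up to `jitter` seconds, as the name suggests) can place `jendtime` at or before `starttime` whenever `-j` exceeds end minus start, and nothing in this hunk rejects that; the option parsing in main() is outside the hunk. Because `jitter` is declared as a plain `int` while the jitter argument is presumably unsigned, a negative value would also wrap to an enormous window. I would validate once after option parsing: `if (jitter < 0 || (isc_uint32_t)jitter >= endtime - starttime) fatal("jitter must be non-negative and smaller than the signature lifetime");`. A short comment at the call would also help readers: `/* jitter only shortens the lifetime; isc_random is not cryptographic, which is fine because expiry times are public */`. signwithkey's body continues past the end of the hunk.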
@@ -253,7 +238,7 @@ iszonekey(signer_key_t *key) { dst_key_iszonekey(key->key))); } -/* +/*% * Finds the key that generated a RRSIG, if possible. First look at the keys * that we've loaded already, and then see if there's a key on disk. */ @@ -291,7 +276,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) { return (key); } -/* +/*% * Check to see if we expect to find a key at this name. If we see a RRSIG * and can't find the signing key that we expect to find, we drop the rrsig. * I'm not sure if this is completely correct, but it seems to work. @@ -337,7 +322,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key, } } -/* +/*% * Signs a set. Goes through contortions to decide if each RRSIG should * be dropped or retained, and then determines if any new SIGs need to * be generated. @@ -598,7 +583,7 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, dns_db_detach(dbp); } -/* +/*% * Loads the key set for a child zone, if there is one, and builds DS records. */ static isc_result_t @@ -653,6 +638,16 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { ttl, &ds, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(&diff, &tuple); + + dns_rdata_reset(&ds); + result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256, + dsbuf, &ds); + check_result(result, "dns_ds_buildrdata"); + + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, + ttl, &ds, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); } result = dns_diff_apply(&diff, db, ver); check_result(result, "dns_diff_apply"); @@ -775,7 +770,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) { return (ISC_TF(result == ISC_R_SUCCESS)); } -/* +/*% * Signs all records at a name. This mostly just signs each set individually, * but also adds the RRSIG bit to any NSECs generated earlier, deals with * parent/child KEY signatures, and handles other exceptional cases. 
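Review bot: The second dns_ds_buildrdata() call in loadds reuses `dsbuf` after `dns_rdata_reset(&ds)` while the SHA-1 tuple built from the same buffer is already queued in `diff`; that is only safe if dns_difftuple_create copies the rdata rather than referencing it, which I believe it does but cannot confirm from the hunk. A one-line comment would pin the assumption and explain why two records are emitted: `/* Emit both SHA-1 and SHA-256 DS per RFC 4509; dns_difftuple_create copies rdata, so dsbuf can be reused */`. The enclosing loop and the rest of loadds lie outside the hunk.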
@@ -957,7 +952,7 @@ active_node(dns_dbnode_t *node) { isc_result_totext(result)); if (!active) { - /* + /*% * The node is empty of everything but NSEC / RRSIG records. */ for (result = dns_rdatasetiter_first(rdsiter); @@ -1021,7 +1016,7 @@ active_node(dns_dbnode_t *node) { return (active); } -/* +/*% * Extracts the TTL from the SOA. */ static dns_ttl_t 
@@ -1053,7 +1048,82 @@ soattl(void) { return (ttl); } -/* +/*% + * Increment (or set if nonzero) the SOA serial + */ +static isc_result_t +setsoaserial(isc_uint32_t serial) { + isc_result_t result; + dns_dbnode_t *node = NULL; + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_uint32_t old_serial, new_serial; + + result = dns_db_getoriginnode(gdb, &node); + if (result != ISC_R_SUCCESS) + return result; + + dns_rdataset_init(&rdataset); + + result = dns_db_findrdataset(gdb, node, gversion, + dns_rdatatype_soa, 0, + 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) + goto cleanup; + + result = dns_rdataset_first(&rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + dns_rdataset_current(&rdataset, &rdata); + + old_serial = dns_soa_getserial(&rdata); + + if (serial) { + /* Set SOA serial to the value provided. */ + new_serial = serial; + } else { + /* Increment SOA serial using RFC 1982 arithmetics */ + new_serial = (old_serial + 1) & 0xFFFFFFFF; + if (new_serial == 0) + new_serial = 1; + } + + /* If the new serial is not likely to cause a zone transfer + * (a/ixfr) from servers having the old serial, warn the user. + * + * RFC1982 section 7 defines the maximum increment to be + * (2^(32-1))-1. Using u_int32_t arithmetic, we can do a single + * comparison. 
(5 - 6 == (2^32)-1, not negative-one) + */ + if (new_serial == old_serial || + (new_serial - old_serial) > 0x7fffffffU) + fprintf(stderr, "%s: warning: Serial number not advanced, " + "zone may not transfer\n", program); + + dns_soa_setserial(new_serial, &rdata); + + result = dns_db_deleterdataset(gdb, node, gversion, + dns_rdatatype_soa, 0); + check_result(result, "dns_db_deleterdataset"); + if (result != ISC_R_SUCCESS) + goto cleanup; + + result = dns_db_addrdataset(gdb, node, gversion, + 0, &rdataset, 0, NULL); + check_result(result, "dns_db_addrdataset"); + if (result != ISC_R_SUCCESS) + goto cleanup; + +cleanup: + dns_rdataset_disassociate(&rdataset); + if (node != NULL) + dns_db_detachnode(gdb, &node); + dns_rdata_reset(&rdata); + + return (result); +} + +/*% * Delete any RRSIG records at a node. */ static void @@ -1062,6 +1132,9 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { dns_rdataset_t set; isc_result_t result, dresult; + if (outputformat != dns_masterformat_text) + return; + dns_rdataset_init(&set); result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); check_result(result, "dns_db_allrdatasets"); @@ -1089,7 +1162,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { dns_rdatasetiter_destroy(&rdsiter); } -/* +/*% * Set up the iterator and global state before starting the tasks. */ static void @@ -1104,7 +1177,7 @@ presign(void) { check_result(result, "dns_dbiterator_first()"); } -/* +/*% * Clean up the iterator and global state after the tasks complete. */ static void 
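Review bot: setsoaserial only warns when the computed serial does not advance in RFC 1982 terms and still writes the zone, so `-N unixtime` against a zone whose existing serial is in YYYYMMDDnn form (numerically above the current epoch seconds), or two signings within one second, yield a signed zone that secondaries never transfer while the previously served signatures age toward expiry. For the explicit-serial path I would keep the warning but fall back to a minimal increment so the output is always transferable; the rewritten comparison block is below. The `if (result != ISC_R_SUCCESS) goto cleanup;` after each `check_result()` looks unreachable if check_result is fatal on failure as elsewhere in this tool, so either drop those gotos or call the db functions without check_result. The `& 0xFFFFFFFF` on an isc_uint32_t is a no-op and can go.
```c
	/* … unchanged: fetch the SOA rdataset and old_serial … */
	if (new_serial == old_serial ||
	    (new_serial - old_serial) > 0x7fffffffU) {
		fprintf(stderr, "%s: warning: Serial number not advanced, "
			"zone may not transfer\n", program);
		if (serial != 0) {
			/* Explicit (unixtime) serial is behind the current one:
			 * advance minimally so secondaries still pick it up. */
			new_serial = old_serial + 1;
			if (new_serial == 0)
				new_serial = 1;
		}
	}
	/* … unchanged: replace the SOA rdataset and cleanup … */
```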
@@ -1112,7 +1185,33 @@ postsign(void) { dns_dbiterator_destroy(&gdbiter); } -/* +/*% + * Sign the apex of the zone. + */ +static void +signapex(void) { + dns_dbnode_t *node = NULL; + dns_fixedname_t fixed; + dns_name_t *name; + isc_result_t result; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + result = dns_dbiterator_current(gdbiter, &node, name); + check_result(result, "dns_dbiterator_current()"); + signname(node, name); + dumpnode(name, node); + cleannode(gdb, gversion, node); + dns_db_detachnode(gdb, &node); + result = dns_dbiterator_next(gdbiter); + if (result == ISC_R_NOMORE) + finished = ISC_TRUE; + else if (result != ISC_R_SUCCESS) + fatal("failure iterating database: %s", + isc_result_totext(result)); +} + +/*% * Assigns a node to a worker thread. This is protected by the master task's * lock. */ @@ -1192,7 +1291,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) { assigned++; } -/* +/*% * Start a worker task */ static void @@ -1204,7 +1303,7 @@ startworker(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); } -/* +/*% * Write a node to the output file, and restart the worker task. */ static void @@ -1222,7 +1321,7 @@ writenode(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); } -/* +/*% * Sign a database node. */ static void @@ -1247,7 +1346,7 @@ sign(isc_task_t *task, isc_event_t *event) { isc_task_send(master, ISC_EVENT_PTR(&wevent)); } -/* +/*% * Generate NSEC records for the zone. */ static void @@ -1318,7 +1417,7 @@ nsecify(void) { dns_dbiterator_destroy(&dbiter); } -/* +/*% * Load the zone file from disk */ static void 
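Review bot: signapex signs and dumps whatever node gdbiter currently points at without confirming it is the zone apex; it relies on presign()'s dns_dbiterator_first() returning the origin, which I believe holds for the rbt database but is not checked anywhere visible. Since this node is where the DNSKEY and SOA signatures are produced, a cheap guard right after the dns_dbiterator_current() call makes the assumption explicit: `if (!dns_name_equal(name, gorigin)) fatal("first database node is not the zone apex");`, using the existing `gorigin` global. A function comment stating the precondition would also help, e.g. `/* Requires: gdbiter positioned at the origin by presign(); sets finished for a single-node zone */`. The `finished = ISC_TRUE` branch means a one-node zone is completed here, which assignwork (outside the hunk) presumably relies on and is worth saying in that comment.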
@@ -1344,13 +1443,13 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) { rdclass, 0, NULL, db); check_result(result, "dns_db_create()"); - result = dns_db_load(*db, file); + result = dns_db_load2(*db, file, inputformat); if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) fatal("failed loading zone from '%s': %s", file, isc_result_totext(result)); } -/* +/*% * Finds all public zone keys in the zone, and attempts to load the * private keys from disk. */ @@ -1389,7 +1488,7 @@ loadzonekeys(dns_db_t *db) { dns_db_closeversion(db, ¤tversion, ISC_FALSE); } -/* +/*% * Finds all public zone keys in the zone. */ static void @@ -1580,6 +1679,19 @@ writeset(const char *prefix, dns_rdatatype_t type) { ds.type = dns_rdatatype_dlv; result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, 0, &ds, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); + + dns_rdata_reset(&ds); + result = dns_ds_buildrdata(gorigin, &rdata, + DNS_DSDIGEST_SHA256, + dsbuf, &ds); + check_result(result, "dns_ds_buildrdata"); + if (type == dns_rdatatype_dlv) + ds.type = dns_rdatatype_dlv; + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + name, 0, &ds, &tuple); + } else result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, gorigin, zonettl, @@ -1612,12 +1724,18 @@ static void print_time(FILE *fp) { time_t currenttime; + if (outputformat != dns_masterformat_text) + return; + currenttime = time(NULL); fprintf(fp, "; File written on %s", ctime(¤ttime)); } static void print_version(FILE *fp) { + if (outputformat != dns_masterformat_text) + return; + fprintf(fp, "; dnssec_signzone version " VERSION "\n"); } 
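Review bot: The second dns_ds_buildrdata call in writeset reuses `dsbuf` after the first tuple built from it has already been appended to `diff`, which is only safe if dns_difftuple_create copies the rdata into the tuple; I believe it does, but nothing in the hunk says so, and a one-line comment such as `/* dns_difftuple_create copies the rdata, so dsbuf can be reused for SHA-256 */` would stop the next reader from re-deriving it. The SHA-1 and SHA-256 paths are otherwise identical apart from the digest constant, so a loop over `{ DNS_DSDIGEST_SHA1, DNS_DSDIGEST_SHA256 }` would remove the duplicated DLV type override and the repeated check_result. The check of the final `result` and the rest of writeset are outside the hunk.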
@@ -1644,12 +1762,20 @@ usage(void) { fprintf(stderr, "\t-i interval:\n"); fprintf(stderr, "\t\tcycle interval - resign " "if < interval from end ( (end-start)/4 )\n"); + fprintf(stderr, "\t-j jitter:\n"); + fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n"); fprintf(stderr, "\t-v debuglevel (0)\n"); fprintf(stderr, "\t-o origin:\n"); fprintf(stderr, "\t\tzone origin (name of zonefile)\n"); fprintf(stderr, "\t-f outfile:\n"); fprintf(stderr, "\t\tfile the signed zone is written in " "(zonefile + .signed)\n"); + fprintf(stderr, "\t-I format:\n"); + fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); + fprintf(stderr, "\t-O format:\n"); + fprintf(stderr, "\t\tfile format of signed zone file (text)\n"); + fprintf(stderr, "\t-N format:\n"); + fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n"); fprintf(stderr, "\t-r randomdev:\n"); fprintf(stderr, "\t\ta file containing random data\n"); fprintf(stderr, "\t-a:\t"); @@ -1708,6 +1834,8 @@ main(int argc, char *argv[]) { int i, ch; char *startstr = NULL, *endstr = NULL, *classname = NULL; char *origin = NULL, *file = NULL, *output = NULL; + char *inputformatstr = NULL, *outputformatstr = NULL; + char *serialformatstr = NULL; char *dskeyfile[MAXDSKEYS]; int ndskeys = 0; char *endp; @@ -1720,7 +1848,6 @@ main(int argc, char *argv[]) { isc_boolean_t free_output = ISC_FALSE; int tempfilelen; dns_rdataclass_t rdclass; - dns_db_t *udb = NULL; isc_task_t **tasks = NULL; isc_buffer_t b; int len; @@ -1736,7 +1863,7 @@ main(int argc, char *argv[]) { dns_result_register(); while ((ch = isc_commandline_parse(argc, argv, - "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z")) + "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z")) != -1) { switch (ch) { case 'a': 
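Review bot: The new usage lines for -I, -O and -N name only the default value, while the parser added later in main accepts exactly `text|raw` for -I/-O and `keep|increment|unixtime` for -N; listing the accepted values here saves the user a failed run to discover them. Suggest `"\t\tfile format of input zonefile (text|raw, default text)\n"`, the same wording for -O, and `"\t\tsoa serial format of signed zone file (keep|increment|unixtime, default keep)\n"` for -N. The parser also accepts `incr` as an abbreviation, which can reasonably stay undocumented.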
@@ -1776,6 +1903,17 @@ main(int argc, char *argv[]) { "positive"); break; + case 'I': + inputformatstr = isc_commandline_argument; + break; + + case 'j': + endp = NULL; + jitter = strtol(isc_commandline_argument, &endp, 0); + if (*endp != '\0' || jitter < 0) + fatal("jitter must be numeric and positive"); + break; + case 'l': dns_fixedname_init(&dlv_fixed); len = strlen(isc_commandline_argument); @@ -1802,10 +1940,18 @@ main(int argc, char *argv[]) { fatal("number of cpus must be numeric"); break; + case 'N': + serialformatstr = isc_commandline_argument; + break; + case 'o': origin = isc_commandline_argument; break; + case 'O': + outputformatstr = isc_commandline_argument; + break; + case 'p': pseudorandom = ISC_TRUE; break; @@ -1901,6 +2047,36 @@ main(int argc, char *argv[]) { sprintf(output, "%s.signed", file); } + if (inputformatstr != NULL) { + if (strcasecmp(inputformatstr, "text") == 0) + inputformat = dns_masterformat_text; + else if (strcasecmp(inputformatstr, "raw") == 0) + inputformat = dns_masterformat_raw; + else + fatal("unknown file format: %s\n", inputformatstr); + } + + if (outputformatstr != NULL) { + if (strcasecmp(outputformatstr, "text") == 0) + outputformat = dns_masterformat_text; + else if (strcasecmp(outputformatstr, "raw") == 0) + outputformat = dns_masterformat_raw; + else + fatal("unknown file format: %s\n", outputformatstr); + } + + if (serialformatstr != NULL) { + if (strcasecmp(serialformatstr, "keep") == 0) + serialformat = SOA_SERIAL_KEEP; + else if (strcasecmp(serialformatstr, "increment") == 0 || + strcasecmp(serialformatstr, "incr") == 0) + serialformat = SOA_SERIAL_INCREMENT; + else if (strcasecmp(serialformatstr, "unixtime") == 0) + serialformat = SOA_SERIAL_UNIXTIME; + else + fatal("unknown soa serial format: %s\n", serialformatstr); + } + result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, 0, 24, 0, 0, 0, 8, mctx); check_result(result, "dns_master_stylecreate"); 
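Review bot: The `-j` parser accepts an empty argument as a jitter of 0 and ignores overflow: for an empty string strtol returns 0 with `*endp == '\0'`, and an out-of-range value returns LONG_MAX with only errno signalling it. This presumably mirrors the `-i` case above it (only its tail is in the hunk), but the check would be tighter as `errno = 0;` before the call and `if (endp == isc_commandline_argument || *endp != '\0' || errno == ERANGE || jitter < 0)` after it. The declaration of `jitter` is outside the hunk; if it is narrower than long, an accepted large value would also be silently truncated on assignment.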
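Review bot: The three new fatal() messages in the format-parsing block end in `\n`, unlike every other fatal() call in this diff (`fatal("jitter must be numeric and positive")`, `fatal("failed to start task: %s", ...)`), which suggests fatal supplies its own newline and these will print a blank line; drop the `\n` from all three. The -I and -O chains are also copies of each other, so a small helper removes the duplication and keeps the message in one place.
```c
/* Map a -I/-O argument to a master-file format; any other value is fatal. */
static dns_masterformat_t
strtoformat(const char *str) {
	if (strcasecmp(str, "text") == 0)
		return (dns_masterformat_text);
	if (strcasecmp(str, "raw") == 0)
		return (dns_masterformat_raw);
	fatal("unknown file format: %s", str);
	/* NOTREACHED */
	return (dns_masterformat_text);
}

/* … in main(), replacing the two if/else chains … */
	if (inputformatstr != NULL)
		inputformat = strtoformat(inputformatstr);
	if (outputformatstr != NULL)
		outputformat = strtoformat(outputformatstr);
/* … unchanged: serialformat chain, with its fatal() message trimmed to "unknown soa serial format: %s" … */
```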
@@ -2005,6 +2181,19 @@ main(int argc, char *argv[]) { result = dns_db_newversion(gdb, &gversion); check_result(result, "dns_db_newversion()"); + switch (serialformat) { + case SOA_SERIAL_INCREMENT: + setsoaserial(0); + break; + case SOA_SERIAL_UNIXTIME: + setsoaserial(now); + break; + case SOA_SERIAL_KEEP: + default: + /* do nothing */ + break; + } + nsecify(); if (!nokeys) { @@ -2053,10 +2242,6 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("failed to create task: %s", isc_result_totext(result)); - result = isc_app_onrun(mctx, master, startworker, tasks[i]); - if (result != ISC_R_SUCCESS) - fatal("failed to start task: %s", - isc_result_totext(result)); } RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS); @@ -2064,9 +2249,24 @@ main(int argc, char *argv[]) { RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS); presign(); - (void)isc_app_run(); - if (!finished) - fatal("process aborted by user"); + signapex(); + if (!finished) { + /* + * There is more work to do. Spread it out over multiple + * processors if possible. + */ + for (i = 0; i < (int)ntasks; i++) { + result = isc_app_onrun(mctx, master, startworker, + tasks[i]); + if (result != ISC_R_SUCCESS) + fatal("failed to start task: %s", + isc_result_totext(result)); + } + (void)isc_app_run(); + if (!finished) + fatal("process aborted by user"); + } else + isc_task_detach(&master); shuttingdown = ISC_TRUE; for (i = 0; i < (int)ntasks; i++) isc_task_detach(&tasks[i]); @@ -2074,9 +2274,11 @@ main(int argc, char *argv[]) { isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *)); postsign(); - if (udb != NULL) { - dumpdb(udb); - dns_db_detach(&udb); + if (outputformat != dns_masterformat_text) { + result = dns_master_dumptostream2(mctx, gdb, gversion, + masterstyle, outputformat, + fp); + check_result(result, "dns_master_dumptostream2"); } result = isc_stdio_close(fp); 
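Review bot: In the restructured start-up the `else isc_task_detach(&master);` is left unbraced while the matching `if (!finished)` body is braced, which both the surrounding style and the dangling-else hazard argue against; write it as `} else {` / `isc_task_detach(&master);` / `}`. The branch also makes master's ownership asymmetric: on the apex-only path it is detached here, while on the isc_app_run path the hunk never detaches it, presumably because the worker shutdown sequence does so. A one-line comment on the else stating where master is released on the multi-node path would make that asymmetry look intentional rather than suspicious; main continues outside the hunk.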
@@ -2115,6 +2317,7 @@ main(int argc, char *argv[]) { dst_lib_destroy(); isc_hash_destroy(); cleanup_entropy(&ectx); + dns_name_destroy(); if (verbose > 10) isc_mem_stats(mctx, stdout); isc_mem_destroy(&mctx); diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook index 35f35cc..371d72b 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook @@ -1,8 +1,8 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any @@ -18,23 +18,29 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.11 2005/06/24 00:18:15 marka Exp $ --> - -<refentry> +<!-- $Id: dnssec-signzone.docbook,v 1.10.18.15 2007/01/29 23:57:20 marka Exp $ --> +<refentry id="man.dnssec-signzone"> <refentryinfo> <date>June 30, 2000</date> </refentryinfo> <refmeta> <refentrytitle><application>dnssec-signzone</application></refentrytitle> - <manvolnum>8</manvolnum> + <manvolnum>8</manvolnum> <refmiscinfo>BIND9</refmiscinfo> </refmeta> + <refnamediv> + <refname><application>dnssec-signzone</application></refname> + <refpurpose>DNSSEC zone signing tool</refpurpose> + </refnamediv> + <docinfo> <copyright> <year>2004</year> <year>2005</year> + <year>2006</year> + <year>2007</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> 
@@ -46,11 +52,6 @@ </copyright> </docinfo> - <refnamediv> - <refname><application>dnssec-signzone</application></refname> - <refpurpose>DNSSEC zone signing tool</refpurpose> - </refnamediv> - <refsynopsisdiv> <cmdsynopsis> <command>dnssec-signzone</command> @@ -64,8 +65,11 @@ <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg> <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg> <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg> - <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg> + <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg> + <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg> + <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg> <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg> + <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg> <arg><option>-p</option></arg> <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> 
@@ -79,13 +83,13 @@ <refsect1> <title>DESCRIPTION</title> - <para> - <command>dnssec-signzone</command> signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <filename>keyset</filename> file for each child zone. + <para><command>dnssec-signzone</command> + signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + <filename>keyset</filename> file for each child zone. </para> </refsect1> 
@@ -95,231 +99,323 @@ <variablelist> <varlistentry> <term>-a</term> - <listitem> - <para> - Verify all generated signatures. - </para> - </listitem> + <listitem> + <para> + Verify all generated signatures. + </para> + </listitem> </varlistentry> <varlistentry> <term>-c <replaceable class="parameter">class</replaceable></term> - <listitem> - <para> - Specifies the DNS class of the zone. - </para> - </listitem> + <listitem> + <para> + Specifies the DNS class of the zone. + </para> + </listitem> </varlistentry> <varlistentry> <term>-k <replaceable class="parameter">key</replaceable></term> - <listitem> - <para> - Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. - </para> - </listitem> + <listitem> + <para> + Treat specified key as a key signing key ignoring any + key flags. This option may be specified multiple times. + </para> + </listitem> </varlistentry> <varlistentry> <term>-l <replaceable class="parameter">domain</replaceable></term> - <listitem> - <para> - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - </para> - </listitem> + <listitem> + <para> + Generate a DLV set in addition to the key (DNSKEY) and DS sets. + The domain is appended to the name of the records. + </para> + </listitem> </varlistentry> <varlistentry> <term>-d <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - Look for <filename>keyset</filename> files in - <option>directory</option> as the directory - </para> - </listitem> + <listitem> + <para> + Look for <filename>keyset</filename> files in + <option>directory</option> as the directory + </para> + </listitem> </varlistentry> <varlistentry> <term>-g</term> - <listitem> - <para> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. - </para> - </listitem> + <listitem> + <para> + Generate DS records for child zones from keyset files. 
+ Existing DS records will be removed. + </para> + </listitem> </varlistentry> <varlistentry> <term>-s <replaceable class="parameter">start-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <option>start-time</option> is specified, the current - time minus 1 hour (to allow for clock skew) is used. - </para> - </listitem> + <listitem> + <para> + Specify the date and time when the generated RRSIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <option>start-time</option> is specified, the current + time minus 1 hour (to allow for clock skew) is used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-e <replaceable class="parameter">end-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated RRSIG records - expire. As with <option>start-time</option>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <option>end-time</option> is - specified, 30 days from the start time is used as a default. - </para> - </listitem> + <listitem> + <para> + Specify the date and time when the generated RRSIG records + expire. As with <option>start-time</option>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. 
A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time relative to the current time is + indicated with now+N. If no <option>end-time</option> is + specified, 30 days from the start time is used as a default. + </para> + </listitem> </varlistentry> <varlistentry> <term>-f <replaceable class="parameter">output-file</replaceable></term> - <listitem> - <para> - The name of the output file containing the signed zone. The - default is to append <filename>.signed</filename> to the - input file. - </para> - </listitem> + <listitem> + <para> + The name of the output file containing the signed zone. The + default is to append <filename>.signed</filename> to + the + input file. + </para> + </listitem> </varlistentry> <varlistentry> <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-signzone</command>. - </para> - </listitem> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-signzone</command>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-i <replaceable class="parameter">interval</replaceable></term> - <listitem> - <para> - When a previously signed zone is passed as input, records - may be resigned. The <option>interval</option> option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. - </para> - <para> - The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - <option>end-time</option> or <option>start-time</option> - are specified, <command>dnssec-signzone</command> generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. 
- </para> - </listitem> + <listitem> + <para> + When a previously signed zone is passed as input, records + may be resigned. The <option>interval</option> option + specifies the cycle interval as an offset from the current + time (in seconds). If a RRSIG record expires after the + cycle interval, it is retained. Otherwise, it is considered + to be expiring soon, and it will be replaced. + </para> + <para> + The default cycle interval is one quarter of the difference + between the signature end and start times. So if neither + <option>end-time</option> or <option>start-time</option> + are specified, <command>dnssec-signzone</command> + generates + signatures that are valid for 30 days, with a cycle + interval of 7.5 days. Therefore, if any existing RRSIG records + are due to expire in less than 7.5 days, they would be + replaced. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-I <replaceable class="parameter">input-format</replaceable></term> + <listitem> + <para> + The format of the input zone file. + Possible formats are <command>"text"</command> (default) + and <command>"raw"</command>. + This option is primarily intended to be used for dynamic + signed zones so that the dumped zone file in a non-text + format containing updates can be signed directly. + The use of this option does not make much sense for + non-dynamic zones. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-j <replaceable class="parameter">jitter</replaceable></term> + <listitem> + <para> + When signing a zone with a fixed signature lifetime, all + RRSIG records issued at the time of signing expires + simultaneously. If the zone is incrementally signed, i.e. + a previously signed zone is passed as input to the signer, + all expired signatures has to be regenerated at about the + same time. 
The <option>jitter</option> option specifies a + jitter window that will be used to randomize the signature + expire time, thus spreading incremental signature + regeneration over time. + </para> + <para> + Signature lifetime jitter also to some extent benefits + validators and servers by spreading out cache expiration, + i.e. if large numbers of RRSIGs don't expire at the same time + from all caches there will be less congestion than if all + validators need to refetch at mostly the same time. + </para> + </listitem> </varlistentry> <varlistentry> <term>-n <replaceable class="parameter">ncpus</replaceable></term> - <listitem> - <para> - Specifies the number of threads to use. By default, one - thread is started for each detected CPU. - </para> - </listitem> + <listitem> + <para> + Specifies the number of threads to use. By default, one + thread is started for each detected CPU. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term> + <listitem> + <para> + The SOA serial number format of the signed zone. + Possible formats are <command>"keep"</command> (default), + <command>"increment"</command> and + <command>"unixtime"</command>. + </para> + + <variablelist> + <varlistentry> + <term><command>"keep"</command></term> + <listitem> + <para>Do not modify the SOA serial number.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><command>"increment"</command></term> + <listitem> + <para>Increment the SOA serial number using RFC 1982 + arithmetics.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><command>"unixtime"</command></term> + <listitem> + <para>Set the SOA serial number to the number of seconds + since epoch.</para> + </listitem> + </varlistentry> + </variablelist> + + </listitem> </varlistentry> <varlistentry> <term>-o <replaceable class="parameter">origin</replaceable></term> - <listitem> - <para> - The zone origin. 
If not specified, the name of the zone file - is assumed to be the origin. - </para> - </listitem> + <listitem> + <para> + The zone origin. If not specified, the name of the zone file + is assumed to be the origin. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-O <replaceable class="parameter">output-format</replaceable></term> + <listitem> + <para> + The format of the output file containing the signed zone. + Possible formats are <command>"text"</command> (default) + and <command>"raw"</command>. + </para> + </listitem> </varlistentry> <varlistentry> <term>-p</term> - <listitem> - <para> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </para> - </listitem> + <listitem> + <para> + Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </para> + </listitem> </varlistentry> <varlistentry> <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. 
<filename>randomdev</filename> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> </varlistentry> <varlistentry> <term>-t</term> - <listitem> - <para> - Print statistics at completion. - </para> - </listitem> + <listitem> + <para> + Print statistics at completion. + </para> + </listitem> </varlistentry> <varlistentry> <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> </varlistentry> <varlistentry> <term>-z</term> - <listitem> - <para> - Ignore KSK flag on key when determining what to sign. - </para> - </listitem> + <listitem> + <para> + Ignore KSK flag on key when determining what to sign. + </para> + </listitem> </varlistentry> <varlistentry> <term>zonefile</term> - <listitem> - <para> - The file containing the zone to be signed. - </para> - </listitem> + <listitem> + <para> + The file containing the zone to be signed. + </para> + </listitem> </varlistentry> <varlistentry> <term>key</term> - <listitem> - <para> - The keys used to sign the zone. If no keys are specified, the - default all zone keys that have private key files in the - current directory. - </para> - </listitem> + <listitem> + <para> + The keys used to sign the zone. If no keys are specified, the + default all zone keys that have private key files in the + current directory. + </para> + </listitem> </varlistentry> </variablelist> 
@@ -328,34 +424,34 @@ <refsect1> <title>EXAMPLE</title> <para> - The following command signs the <userinput>example.com</userinput> - zone with the DSA key generated in the <command>dnssec-keygen</command> - man page. The zone's keys must be in the zone. If there are - <filename>keyset</filename> files associated with child zones, - they must be in the current directory. - <userinput>example.com</userinput>, the following command would be - issued: + The following command signs the <userinput>example.com</userinput> + zone with the DSA key generated in the <command>dnssec-keygen</command> + man page. The zone's keys must be in the zone. If there are + <filename>keyset</filename> files associated with child + zones, + they must be in the current directory. + <userinput>example.com</userinput>, the following command would be + issued: </para> - <para> - <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput> + <para><userinput>dnssec-signzone -o example.com db.example.com + Kexample.com.+003+26160</userinput> </para> <para> - The command would print a string of the form: + The command would print a string of the form: </para> <para> - In this example, <command>dnssec-signzone</command> creates - the file <filename>db.example.com.signed</filename>. This file - should be referenced in a zone statement in a - <filename>named.conf</filename> file. + In this example, <command>dnssec-signzone</command> creates + the file <filename>db.example.com.signed</filename>. This + file + should be referenced in a zone statement in a + <filename>named.conf</filename> file. </para> </refsect1> <refsect1> <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle> - <manvolnum>8</manvolnum> + <para><citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>RFC 2535</citetitle>. 
@@ -364,14 +460,11 @@ <refsect1> <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> + <para><corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> -</refentry> - -<!-- +</refentry><!-- - Local variables: - mode: sgml - End: diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html index bd92631..da1e058 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.html +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any 
@@ -14,206 +14,266 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.16 2006/06/29 13:02:30 marka Exp $ --> +<!-- $Id: dnssec-signzone.html,v 1.8.18.22 2007/01/30 00:23:44 marka Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>dnssec-signzone</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.70.1"> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -<a name="id2482688"></a><div class="titlepage"></div> +<a name="man.dnssec-signzone"></a><div class="titlepage"></div> <div class="refnamediv"> <h2>Name</h2> <p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p> </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em 
class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div> +<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2549544"></a><h2>DESCRIPTION</h2> -<p> - <span><strong 
class="command">dnssec-signzone</strong></span> signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <code class="filename">keyset</code> file for each child zone. +<a name="id2543526"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dnssec-signzone</strong></span> + signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + <code class="filename">keyset</code> file for each child zone. </p> </div> <div class="refsect1" lang="en"> -<a name="id2549560"></a><h2>OPTIONS</h2> +<a name="id2543541"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> - Verify all generated signatures. - </p></dd> + Verify all generated signatures. + </p></dd> <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> <dd><p> - Specifies the DNS class of the zone. - </p></dd> + Specifies the DNS class of the zone. + </p></dd> <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt> <dd><p> - Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. - </p></dd> + Treat specified key as a key signing key ignoring any + key flags. This option may be specified multiple times. + </p></dd> <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> <dd><p> - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - </p></dd> + Generate a DLV set in addition to the key (DNSKEY) and DS sets. + The domain is appended to the name of the records. 
+ </p></dd> <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> - Look for <code class="filename">keyset</code> files in - <code class="option">directory</code> as the directory - </p></dd> + Look for <code class="filename">keyset</code> files in + <code class="option">directory</code> as the directory + </p></dd> <dt><span class="term">-g</span></dt> <dd><p> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. - </p></dd> + Generate DS records for child zones from keyset files. + Existing DS records will be removed. + </p></dd> <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt> <dd><p> - Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <code class="option">start-time</code> is specified, the current - time minus 1 hour (to allow for clock skew) is used. - </p></dd> + Specify the date and time when the generated RRSIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <code class="option">start-time</code> is specified, the current + time minus 1 hour (to allow for clock skew) is used. + </p></dd> <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt> <dd><p> - Specify the date and time when the generated RRSIG records - expire. As with <code class="option">start-time</code>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. 
A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <code class="option">end-time</code> is - specified, 30 days from the start time is used as a default. - </p></dd> + Specify the date and time when the generated RRSIG records + expire. As with <code class="option">start-time</code>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time relative to the current time is + indicated with now+N. If no <code class="option">end-time</code> is + specified, 30 days from the start time is used as a default. + </p></dd> <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt> <dd><p> - The name of the output file containing the signed zone. The - default is to append <code class="filename">.signed</code> to the - input file. - </p></dd> + The name of the output file containing the signed zone. The + default is to append <code class="filename">.signed</code> to + the + input file. + </p></dd> <dt><span class="term">-h</span></dt> <dd><p> - Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-signzone</strong></span>. - </p></dd> + Prints a short summary of the options and arguments to + <span><strong class="command">dnssec-signzone</strong></span>. + </p></dd> <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt> <dd> <p> - When a previously signed zone is passed as input, records - may be resigned. The <code class="option">interval</code> option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. 
- </p> + When a previously signed zone is passed as input, records + may be resigned. The <code class="option">interval</code> option + specifies the cycle interval as an offset from the current + time (in seconds). If a RRSIG record expires after the + cycle interval, it is retained. Otherwise, it is considered + to be expiring soon, and it will be replaced. + </p> +<p> + The default cycle interval is one quarter of the difference + between the signature end and start times. So if neither + <code class="option">end-time</code> or <code class="option">start-time</code> + are specified, <span><strong class="command">dnssec-signzone</strong></span> + generates + signatures that are valid for 30 days, with a cycle + interval of 7.5 days. Therefore, if any existing RRSIG records + are due to expire in less than 7.5 days, they would be + replaced. + </p> +</dd> +<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt> +<dd><p> + The format of the input zone file. + Possible formats are <span><strong class="command">"text"</strong></span> (default) + and <span><strong class="command">"raw"</strong></span>. + This option is primarily intended to be used for dynamic + signed zones so that the dumped zone file in a non-text + format containing updates can be signed directly. + The use of this option does not make much sense for + non-dynamic zones. + </p></dd> +<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt> +<dd> +<p> + When signing a zone with a fixed signature lifetime, all + RRSIG records issued at the time of signing expires + simultaneously. If the zone is incrementally signed, i.e. + a previously signed zone is passed as input to the signer, + all expired signatures has to be regenerated at about the + same time. 
The <code class="option">jitter</code> option specifies a + jitter window that will be used to randomize the signature + expire time, thus spreading incremental signature + regeneration over time. + </p> <p> - The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - <code class="option">end-time</code> or <code class="option">start-time</code> - are specified, <span><strong class="command">dnssec-signzone</strong></span> generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. - </p> + Signature lifetime jitter also to some extent benefits + validators and servers by spreading out cache expiration, + i.e. if large numbers of RRSIGs don't expire at the same time + from all caches there will be less congestion than if all + validators need to refetch at mostly the same time. + </p> </dd> <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt> <dd><p> - Specifies the number of threads to use. By default, one - thread is started for each detected CPU. - </p></dd> + Specifies the number of threads to use. By default, one + thread is started for each detected CPU. + </p></dd> +<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt> +<dd> +<p> + The SOA serial number format of the signed zone. + Possible formats are <span><strong class="command">"keep"</strong></span> (default), + <span><strong class="command">"increment"</strong></span> and + <span><strong class="command">"unixtime"</strong></span>. 
+ </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt> +<dd><p>Do not modify the SOA serial number.</p></dd> +<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt> +<dd><p>Increment the SOA serial number using RFC 1982 + arithmetics.</p></dd> +<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt> +<dd><p>Set the SOA serial number to the number of seconds + since epoch.</p></dd> +</dl></div> +</dd> <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt> <dd><p> - The zone origin. If not specified, the name of the zone file - is assumed to be the origin. - </p></dd> + The zone origin. If not specified, the name of the zone file + is assumed to be the origin. + </p></dd> +<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt> +<dd><p> + The format of the output file containing the signed zone. + Possible formats are <span><strong class="command">"text"</strong></span> (default) + and <span><strong class="command">"raw"</strong></span>. + </p></dd> <dt><span class="term">-p</span></dt> <dd><p> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </p></dd> + Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </p></dd> <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> <dd><p> - Specifies the source of randomness. If the operating - system does not provide a <code class="filename">/dev/random</code> - or equivalent device, the default source of randomness - is keyboard input. 
<code class="filename">randomdev</code> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <code class="filename">keyboard</code> indicates that keyboard - input should be used. - </p></dd> + Specifies the source of randomness. If the operating + system does not provide a <code class="filename">/dev/random</code> + or equivalent device, the default source of randomness + is keyboard input. <code class="filename">randomdev</code> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <code class="filename">keyboard</code> indicates that keyboard + input should be used. + </p></dd> <dt><span class="term">-t</span></dt> <dd><p> - Print statistics at completion. - </p></dd> + Print statistics at completion. + </p></dd> <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> <dd><p> - Sets the debugging level. - </p></dd> + Sets the debugging level. + </p></dd> <dt><span class="term">-z</span></dt> <dd><p> - Ignore KSK flag on key when determining what to sign. - </p></dd> + Ignore KSK flag on key when determining what to sign. + </p></dd> <dt><span class="term">zonefile</span></dt> <dd><p> - The file containing the zone to be signed. - </p></dd> + The file containing the zone to be signed. + </p></dd> <dt><span class="term">key</span></dt> <dd><p> - The keys used to sign the zone. If no keys are specified, the - default all zone keys that have private key files in the - current directory. - </p></dd> + The keys used to sign the zone. If no keys are specified, the + default all zone keys that have private key files in the + current directory. 
+ </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2550068"></a><h2>EXAMPLE</h2> +<a name="id2544327"></a><h2>EXAMPLE</h2> <p> - The following command signs the <strong class="userinput"><code>example.com</code></strong> - zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span> - man page. The zone's keys must be in the zone. If there are - <code class="filename">keyset</code> files associated with child zones, - they must be in the current directory. - <strong class="userinput"><code>example.com</code></strong>, the following command would be - issued: + The following command signs the <strong class="userinput"><code>example.com</code></strong> + zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span> + man page. The zone's keys must be in the zone. If there are + <code class="filename">keyset</code> files associated with child + zones, + they must be in the current directory. + <strong class="userinput"><code>example.com</code></strong>, the following command would be + issued: </p> -<p> - <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong> +<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com + Kexample.com.+003+26160</code></strong> </p> <p> - The command would print a string of the form: + The command would print a string of the form: </p> <p> - In this example, <span><strong class="command">dnssec-signzone</strong></span> creates - the file <code class="filename">db.example.com.signed</code>. This file - should be referenced in a zone statement in a - <code class="filename">named.conf</code> file. + In this example, <span><strong class="command">dnssec-signzone</strong></span> creates + the file <code class="filename">db.example.com.signed</code>. This + file + should be referenced in a zone statement in a + <code class="filename">named.conf</code> file. 
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550118"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+<a name="id2544375"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 2535</em>.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550145"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2544400"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c
index 83ba76d..4f95540 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.c
+++ b/contrib/bind9/bin/dnssec/dnssectool.c
@@ -15,7 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.31.2.3.2.6 2005/07/02 02:42:43 marka Exp $ */
+/* $Id: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */
+
+/*! \file */
+
+/*%
+ * DNSSEC Support Routines.
+ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h
index 0d17950..c5f3648 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.h
+++ b/contrib/bind9/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.15.12.3 2004/03/08 04:04:18 marka Exp $ */
+/* $Id: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
|