aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDoug Barton <dougb@FreeBSD.org>2011-07-16 10:49:33 +0000
committerDoug Barton <dougb@FreeBSD.org>2011-07-16 10:49:33 +0000
commit473038528ab5bd55332138ebf791ab91a25f747b (patch)
treecb160fa2acd93f24b5f5b9082cd3afc68396d51a
parent46da9ebeb3b1241e2e7f0182d76c336966e91d20 (diff)
downloadsrc-473038528ab5bd55332138ebf791ab91a25f747b.tar.gz
src-473038528ab5bd55332138ebf791ab91a25f747b.zip
Vendor import of BIND 9.8.0-P4vendor/bind9/9.8.0-P4
Notes
Notes: svn path=/vendor/bind9/dist/; revision=224090 svn path=/vendor/bind9/9.8.0-P4/; revision=224091; tag=vendor/bind9/9.8.0-P4
-rw-r--r--CHANGES1288
-rw-r--r--COPYRIGHT2
-rw-r--r--FAQ.xml2
-rw-r--r--HISTORY313
-rw-r--r--KNOWN-DEFECTS15
-rw-r--r--Makefile.in11
-rw-r--r--NSEC3-NOTES128
-rw-r--r--README448
-rw-r--r--README.idnkit112
-rw-r--r--README.pkcs1161
-rw-r--r--acconfig.h4
-rw-r--r--bin/Makefile.in7
-rw-r--r--bin/check/Makefile.in20
-rw-r--r--bin/check/check-tool.c5
-rw-r--r--bin/check/check-tool.h2
-rw-r--r--bin/check/named-checkconf.835
-rw-r--r--bin/check/named-checkconf.c43
-rw-r--r--bin/check/named-checkconf.docbook36
-rw-r--r--bin/check/named-checkconf.html41
-rw-r--r--bin/check/named-checkzone.819
-rw-r--r--bin/check/named-checkzone.c47
-rw-r--r--bin/check/named-checkzone.docbook22
-rw-r--r--bin/check/named-checkzone.html26
-rw-r--r--bin/confgen/Makefile.in101
-rw-r--r--bin/confgen/ddns-confgen.8143
-rw-r--r--bin/confgen/ddns-confgen.c257
-rw-r--r--bin/confgen/ddns-confgen.docbook218
-rw-r--r--bin/confgen/ddns-confgen.html141
-rw-r--r--bin/confgen/include/confgen/os.h39
-rw-r--r--bin/confgen/keygen.c218
-rw-r--r--bin/confgen/keygen.h41
-rw-r--r--bin/confgen/rndc-confgen.8 (renamed from bin/rndc/rndc-confgen.8)6
-rw-r--r--bin/confgen/rndc-confgen.c (renamed from bin/rndc/rndc-confgen.c)126
-rw-r--r--bin/confgen/rndc-confgen.docbook (renamed from bin/rndc/rndc-confgen.docbook)5
-rw-r--r--bin/confgen/rndc-confgen.html (renamed from bin/rndc/rndc-confgen.html)14
-rw-r--r--bin/confgen/unix/Makefile.in (renamed from bin/rndc/unix/Makefile.in)5
-rw-r--r--bin/confgen/unix/os.c (renamed from bin/rndc/unix/os.c)33
-rw-r--r--bin/confgen/util.c56
-rw-r--r--bin/confgen/util.h52
-rw-r--r--bin/dig/Makefile.in26
-rw-r--r--bin/dig/dig.111
-rw-r--r--bin/dig/dig.c176
-rw-r--r--bin/dig/dig.docbook16
-rw-r--r--bin/dig/dig.html28
-rw-r--r--bin/dig/dighost.c223
-rw-r--r--bin/dig/host.12
-rw-r--r--bin/dig/host.c5
-rw-r--r--bin/dig/host.docbook2
-rw-r--r--bin/dig/host.html2
-rw-r--r--bin/dig/include/dig/dig.h14
-rw-r--r--bin/dig/nslookup.12
-rw-r--r--bin/dig/nslookup.c20
-rw-r--r--bin/dig/nslookup.docbook2
-rw-r--r--bin/dig/nslookup.html2
-rw-r--r--bin/dnssec/Makefile.in41
-rw-r--r--bin/dnssec/dnssec-dsfromkey.855
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c314
-rw-r--r--bin/dnssec/dnssec-dsfromkey.docbook78
-rw-r--r--bin/dnssec/dnssec-dsfromkey.html67
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.886
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.c336
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.docbook195
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.html136
-rw-r--r--bin/dnssec/dnssec-keygen.8114
-rw-r--r--bin/dnssec/dnssec-keygen.c768
-rw-r--r--bin/dnssec/dnssec-keygen.docbook264
-rw-r--r--bin/dnssec/dnssec-keygen.html196
-rw-r--r--bin/dnssec/dnssec-revoke.883
-rw-r--r--bin/dnssec/dnssec-revoke.c269
-rw-r--r--bin/dnssec/dnssec-revoke.docbook149
-rw-r--r--bin/dnssec/dnssec-revoke.html87
-rw-r--r--bin/dnssec/dnssec-settime.8166
-rw-r--r--bin/dnssec/dnssec-settime.c576
-rw-r--r--bin/dnssec/dnssec-settime.docbook319
-rw-r--r--bin/dnssec/dnssec-settime.html208
-rw-r--r--bin/dnssec/dnssec-signzone.8154
-rw-r--r--bin/dnssec/dnssec-signzone.c1157
-rw-r--r--bin/dnssec/dnssec-signzone.docbook246
-rw-r--r--bin/dnssec/dnssec-signzone.html200
-rw-r--r--bin/dnssec/dnssectool.c223
-rw-r--r--bin/dnssec/dnssectool.h33
-rw-r--r--bin/named/Makefile.in33
-rw-r--r--bin/named/bind.keys.h99
-rw-r--r--bin/named/bind9.xsl2
-rw-r--r--bin/named/bind9.xsl.h4
-rw-r--r--bin/named/builtin.c205
-rw-r--r--bin/named/client.c130
-rw-r--r--bin/named/config.c74
-rw-r--r--bin/named/control.c11
-rw-r--r--bin/named/include/named/client.h17
-rw-r--r--bin/named/include/named/config.h7
-rw-r--r--bin/named/include/named/control.h9
-rw-r--r--bin/named/include/named/globals.h21
-rw-r--r--bin/named/include/named/log.h2
-rw-r--r--bin/named/include/named/lwdclient.h2
-rw-r--r--bin/named/include/named/main.h9
-rw-r--r--bin/named/include/named/notify.h2
-rw-r--r--bin/named/include/named/query.h17
-rw-r--r--bin/named/include/named/server.h53
-rw-r--r--bin/named/include/named/tsigconf.h7
-rw-r--r--bin/named/include/named/types.h6
-rw-r--r--bin/named/include/named/zoneconf.h19
-rw-r--r--bin/named/interfacemgr.c2
-rw-r--r--bin/named/log.c2
-rw-r--r--bin/named/lwdgabn.c6
-rw-r--r--bin/named/lwdgrbn.c6
-rw-r--r--bin/named/lwresd.82
-rw-r--r--bin/named/lwresd.c7
-rw-r--r--bin/named/lwresd.docbook2
-rw-r--r--bin/named/lwresd.html2
-rw-r--r--bin/named/main.c132
-rw-r--r--bin/named/named.811
-rw-r--r--bin/named/named.conf.567
-rw-r--r--bin/named/named.conf.docbook68
-rw-r--r--bin/named/named.conf.html92
-rw-r--r--bin/named/named.docbook17
-rw-r--r--bin/named/named.html26
-rw-r--r--bin/named/query.c2245
-rw-r--r--bin/named/server.c2454
-rw-r--r--bin/named/statschannel.c19
-rw-r--r--bin/named/tkeyconf.c28
-rw-r--r--bin/named/tsigconf.c10
-rw-r--r--bin/named/unix/Makefile.in4
-rw-r--r--bin/named/unix/include/named/os.h8
-rw-r--r--bin/named/unix/os.c186
-rw-r--r--bin/named/update.c1060
-rw-r--r--bin/named/xfrout.c204
-rw-r--r--bin/named/zoneconf.c531
-rw-r--r--bin/nsupdate/Makefile.in19
-rw-r--r--bin/nsupdate/nsupdate.198
-rw-r--r--bin/nsupdate/nsupdate.c279
-rw-r--r--bin/nsupdate/nsupdate.docbook125
-rw-r--r--bin/nsupdate/nsupdate.html113
-rw-r--r--bin/rndc/Makefile.in40
-rw-r--r--bin/rndc/include/rndc/os.h8
-rw-r--r--bin/rndc/rndc.82
-rw-r--r--bin/rndc/rndc.c25
-rw-r--r--bin/rndc/rndc.conf.52
-rw-r--r--bin/rndc/rndc.conf.html2
-rw-r--r--bin/rndc/rndc.html2
-rw-r--r--bin/rndc/util.h10
-rw-r--r--bin/tools/Makefile.in103
-rw-r--r--bin/tools/arpaname.148
-rw-r--r--bin/tools/arpaname.c53
-rw-r--r--bin/tools/arpaname.docbook76
-rw-r--r--bin/tools/arpaname.html52
-rw-r--r--bin/tools/genrandom.869
-rw-r--r--bin/tools/genrandom.c136
-rw-r--r--bin/tools/genrandom.docbook119
-rw-r--r--bin/tools/genrandom.html73
-rw-r--r--bin/tools/isc-hmac-fixup.861
-rw-r--r--bin/tools/isc-hmac-fixup.c136
-rw-r--r--bin/tools/isc-hmac-fixup.docbook109
-rw-r--r--bin/tools/isc-hmac-fixup.html83
-rw-r--r--bin/tools/named-journalprint.860
-rw-r--r--bin/tools/named-journalprint.c86
-rw-r--r--bin/tools/named-journalprint.docbook101
-rw-r--r--bin/tools/named-journalprint.html73
-rw-r--r--bin/tools/nsec3hash.870
-rw-r--r--bin/tools/nsec3hash.c121
-rw-r--r--bin/tools/nsec3hash.docbook125
-rw-r--r--bin/tools/nsec3hash.html78
-rw-r--r--config.guess2
-rw-r--r--config.h.in66
-rw-r--r--configure.in501
-rw-r--r--doc/arm/Bv9ARM-book.xml2041
-rw-r--r--doc/arm/Bv9ARM.ch01.html54
-rw-r--r--doc/arm/Bv9ARM.ch02.html30
-rw-r--r--doc/arm/Bv9ARM.ch03.html174
-rw-r--r--doc/arm/Bv9ARM.ch04.html969
-rw-r--r--doc/arm/Bv9ARM.ch05.html8
-rw-r--r--doc/arm/Bv9ARM.ch06.html1669
-rw-r--r--doc/arm/Bv9ARM.ch07.html29
-rw-r--r--doc/arm/Bv9ARM.ch08.html20
-rw-r--r--doc/arm/Bv9ARM.ch09.html657
-rw-r--r--doc/arm/Bv9ARM.ch10.html28
-rw-r--r--doc/arm/Bv9ARM.html217
-rw-r--r--doc/arm/Bv9ARM.pdf19903
-rw-r--r--doc/arm/Makefile.in2
-rw-r--r--doc/arm/dnssec.xml268
-rw-r--r--doc/arm/libdns.xml530
-rw-r--r--doc/arm/man.arpaname.html91
-rw-r--r--doc/arm/man.ddns-confgen.html180
-rw-r--r--doc/arm/man.dig.html28
-rw-r--r--doc/arm/man.dnssec-dsfromkey.html67
-rw-r--r--doc/arm/man.dnssec-keyfromlabel.html136
-rw-r--r--doc/arm/man.dnssec-keygen.html206
-rw-r--r--doc/arm/man.dnssec-revoke.html126
-rw-r--r--doc/arm/man.dnssec-settime.html247
-rw-r--r--doc/arm/man.dnssec-signzone.html210
-rw-r--r--doc/arm/man.genrandom.html112
-rw-r--r--doc/arm/man.host.html12
-rw-r--r--doc/arm/man.isc-hmac-fixup.html122
-rw-r--r--doc/arm/man.named-checkconf.html41
-rw-r--r--doc/arm/man.named-checkzone.html26
-rw-r--r--doc/arm/man.named-journalprint.html112
-rw-r--r--doc/arm/man.named.html36
-rw-r--r--doc/arm/man.nsec3hash.html113
-rw-r--r--doc/arm/man.nsupdate.html123
-rw-r--r--doc/arm/man.rndc-confgen.html24
-rw-r--r--doc/arm/man.rndc.conf.html14
-rw-r--r--doc/arm/man.rndc.html14
-rw-r--r--doc/arm/managed-keys.xml100
-rw-r--r--doc/arm/pkcs11.xml390
-rw-r--r--doc/misc/Makefile.in2
-rw-r--r--doc/misc/options104
-rw-r--r--lib/bind9/Makefile.in4
-rw-r--r--lib/bind9/api4
-rw-r--r--lib/bind9/check.c549
-rw-r--r--lib/bind9/include/bind9/getaddresses.h2
-rw-r--r--lib/dns/Makefile.in44
-rw-r--r--lib/dns/acl.c2
-rw-r--r--lib/dns/adb.c581
-rw-r--r--lib/dns/api4
-rw-r--r--lib/dns/byaddr.c47
-rw-r--r--lib/dns/cache.c78
-rw-r--r--lib/dns/client.c3019
-rw-r--r--lib/dns/db.c46
-rw-r--r--lib/dns/diff.c19
-rw-r--r--lib/dns/dispatch.c93
-rw-r--r--lib/dns/dlz.c154
-rw-r--r--lib/dns/dns64.c299
-rw-r--r--lib/dns/dnssec.c804
-rw-r--r--lib/dns/ds.c72
-rw-r--r--lib/dns/dst_api.c489
-rw-r--r--lib/dns/dst_internal.h40
-rw-r--r--lib/dns/dst_openssl.h9
-rw-r--r--lib/dns/dst_parse.c193
-rw-r--r--lib/dns/dst_parse.h21
-rw-r--r--lib/dns/ecdb.c810
-rw-r--r--lib/dns/forward.c22
-rw-r--r--lib/dns/gen-unix.h2
-rw-r--r--lib/dns/gen.c6
-rw-r--r--lib/dns/gssapi_link.c91
-rw-r--r--lib/dns/gssapictx.c96
-rw-r--r--lib/dns/hmac_link.c211
-rw-r--r--lib/dns/include/dns/Makefile.in20
-rw-r--r--lib/dns/include/dns/acl.h2
-rw-r--r--lib/dns/include/dns/cache.h39
-rw-r--r--lib/dns/include/dns/client.h621
-rw-r--r--lib/dns/include/dns/compress.h2
-rw-r--r--lib/dns/include/dns/db.h49
-rw-r--r--lib/dns/include/dns/diff.h2
-rw-r--r--lib/dns/include/dns/dispatch.h2
-rw-r--r--lib/dns/include/dns/dlz.h62
-rw-r--r--lib/dns/include/dns/dns64.h175
-rw-r--r--lib/dns/include/dns/dnssec.h137
-rw-r--r--lib/dns/include/dns/ds.h9
-rw-r--r--lib/dns/include/dns/ecdb.h52
-rw-r--r--lib/dns/include/dns/events.h7
-rw-r--r--lib/dns/include/dns/forward.h19
-rw-r--r--lib/dns/include/dns/journal.h2
-rw-r--r--lib/dns/include/dns/keydata.h55
-rw-r--r--lib/dns/include/dns/keytable.h212
-rw-r--r--lib/dns/include/dns/keyvalues.h8
-rw-r--r--lib/dns/include/dns/lib.h18
-rw-r--r--lib/dns/include/dns/log.h3
-rw-r--r--lib/dns/include/dns/lookup.h2
-rw-r--r--lib/dns/include/dns/master.h5
-rw-r--r--lib/dns/include/dns/masterdump.h2
-rw-r--r--lib/dns/include/dns/message.h20
-rw-r--r--lib/dns/include/dns/name.h84
-rw-r--r--lib/dns/include/dns/ncache.h2
-rw-r--r--lib/dns/include/dns/nsec3.h61
-rw-r--r--lib/dns/include/dns/peer.h2
-rw-r--r--lib/dns/include/dns/private.h55
-rw-r--r--lib/dns/include/dns/rbt.h19
-rw-r--r--lib/dns/include/dns/rdata.h55
-rw-r--r--lib/dns/include/dns/rdataset.h2
-rw-r--r--lib/dns/include/dns/request.h11
-rw-r--r--lib/dns/include/dns/resolver.h28
-rw-r--r--lib/dns/include/dns/result.h9
-rw-r--r--lib/dns/include/dns/rpz.h189
-rw-r--r--lib/dns/include/dns/rriterator.h103
-rw-r--r--lib/dns/include/dns/sdb.h2
-rw-r--r--lib/dns/include/dns/sdlz.h130
-rw-r--r--lib/dns/include/dns/secalg.h11
-rw-r--r--lib/dns/include/dns/soa.h26
-rw-r--r--lib/dns/include/dns/ssu.h31
-rw-r--r--lib/dns/include/dns/stats.h2
-rw-r--r--lib/dns/include/dns/tkey.h14
-rw-r--r--lib/dns/include/dns/tsec.h135
-rw-r--r--lib/dns/include/dns/tsig.h32
-rw-r--r--lib/dns/include/dns/types.h18
-rw-r--r--lib/dns/include/dns/validator.h2
-rw-r--r--lib/dns/include/dns/view.h211
-rw-r--r--lib/dns/include/dns/xfrin.h2
-rw-r--r--lib/dns/include/dns/zone.h109
-rw-r--r--lib/dns/include/dst/dst.h241
-rw-r--r--lib/dns/include/dst/gssapi.h13
-rw-r--r--lib/dns/iptable.c2
-rw-r--r--lib/dns/journal.c8
-rw-r--r--lib/dns/keydata.c89
-rw-r--r--lib/dns/keytable.c389
-rw-r--r--lib/dns/lib.c109
-rw-r--r--lib/dns/log.c5
-rw-r--r--lib/dns/master.c113
-rw-r--r--lib/dns/masterdump.c65
-rw-r--r--lib/dns/message.c59
-rw-r--r--lib/dns/name.c77
-rw-r--r--lib/dns/ncache.c57
-rw-r--r--lib/dns/nsec.c2
-rw-r--r--lib/dns/nsec3.c490
-rw-r--r--lib/dns/openssl_link.c231
-rw-r--r--lib/dns/openssldh_link.c45
-rw-r--r--lib/dns/openssldsa_link.c47
-rw-r--r--lib/dns/opensslgost_link.c418
-rw-r--r--lib/dns/opensslrsa_link.c166
-rw-r--r--lib/dns/peer.c6
-rw-r--r--lib/dns/private.c295
-rw-r--r--lib/dns/rbt.c9
-rw-r--r--lib/dns/rbtdb.c826
-rw-r--r--lib/dns/rcode.c27
-rw-r--r--lib/dns/rdata.c143
-rw-r--r--lib/dns/rdata/any_255/tsig_250.c9
-rw-r--r--lib/dns/rdata/ch_3/a_1.c12
-rw-r--r--lib/dns/rdata/generic/afsdb_18.c8
-rw-r--r--lib/dns/rdata/generic/cert_37.c10
-rw-r--r--lib/dns/rdata/generic/cname_5.c9
-rw-r--r--lib/dns/rdata/generic/dlv_32769.c36
-rw-r--r--lib/dns/rdata/generic/dname_39.c8
-rw-r--r--lib/dns/rdata/generic/dnskey_48.c41
-rw-r--r--lib/dns/rdata/generic/ds_43.c32
-rw-r--r--lib/dns/rdata/generic/gpos_27.c9
-rw-r--r--lib/dns/rdata/generic/hinfo_13.c8
-rw-r--r--lib/dns/rdata/generic/hip_55.c506
-rw-r--r--lib/dns/rdata/generic/hip_55.h47
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.c41
-rw-r--r--lib/dns/rdata/generic/isdn_20.c9
-rw-r--r--lib/dns/rdata/generic/key_25.c37
-rw-r--r--lib/dns/rdata/generic/keydata_65533.c377
-rw-r--r--lib/dns/rdata/generic/keydata_65533.h35
-rw-r--r--lib/dns/rdata/generic/loc_29.c7
-rw-r--r--lib/dns/rdata/generic/mb_7.c15
-rw-r--r--lib/dns/rdata/generic/md_3.c15
-rw-r--r--lib/dns/rdata/generic/mf_4.c15
-rw-r--r--lib/dns/rdata/generic/mg_8.c15
-rw-r--r--lib/dns/rdata/generic/minfo_14.c21
-rw-r--r--lib/dns/rdata/generic/mr_9.c15
-rw-r--r--lib/dns/rdata/generic/mx_15.c13
-rw-r--r--lib/dns/rdata/generic/ns_2.c15
-rw-r--r--lib/dns/rdata/generic/nsec3_50.c7
-rw-r--r--lib/dns/rdata/generic/nsec3param_51.c7
-rw-r--r--lib/dns/rdata/generic/nsec_47.c36
-rw-r--r--lib/dns/rdata/generic/null_10.c9
-rw-r--r--lib/dns/rdata/generic/nxt_30.c8
-rw-r--r--lib/dns/rdata/generic/opt_41.c9
-rw-r--r--lib/dns/rdata/generic/proforma.c21
-rw-r--r--lib/dns/rdata/generic/ptr_12.c14
-rw-r--r--lib/dns/rdata/generic/rp_17.c20
-rw-r--r--lib/dns/rdata/generic/rrsig_46.c47
-rw-r--r--lib/dns/rdata/generic/rt_21.c13
-rw-r--r--lib/dns/rdata/generic/sig_24.c8
-rw-r--r--lib/dns/rdata/generic/soa_6.c7
-rw-r--r--lib/dns/rdata/generic/spf_99.c8
-rw-r--r--lib/dns/rdata/generic/sshfp_44.c9
-rw-r--r--lib/dns/rdata/generic/tkey_249.c8
-rw-r--r--lib/dns/rdata/generic/txt_16.c9
-rw-r--r--lib/dns/rdata/generic/unspec_103.c9
-rw-r--r--lib/dns/rdata/generic/x25_19.c9
-rw-r--r--lib/dns/rdata/hs_4/a_1.c9
-rw-r--r--lib/dns/rdata/in_1/a6_38.c9
-rw-r--r--lib/dns/rdata/in_1/a_1.c9
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.c8
-rw-r--r--lib/dns/rdata/in_1/apl_42.c9
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.c11
-rw-r--r--lib/dns/rdata/in_1/kx_36.c13
-rw-r--r--lib/dns/rdata/in_1/naptr_35.c136
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.c15
-rw-r--r--lib/dns/rdata/in_1/nsap_22.c9
-rw-r--r--lib/dns/rdata/in_1/px_26.c13
-rw-r--r--lib/dns/rdata/in_1/srv_33.c13
-rw-r--r--lib/dns/rdata/in_1/wks_11.c7
-rw-r--r--lib/dns/rdatalist.c2
-rw-r--r--lib/dns/rdataset.c2
-rw-r--r--lib/dns/rdataslab.c28
-rw-r--r--lib/dns/request.c10
-rw-r--r--lib/dns/resolver.c630
-rw-r--r--lib/dns/result.c7
-rw-r--r--lib/dns/rootns.c2
-rw-r--r--lib/dns/rpz.c1168
-rw-r--r--lib/dns/rriterator.c202
-rw-r--r--lib/dns/sdb.c8
-rw-r--r--lib/dns/sdlz.c413
-rw-r--r--lib/dns/soa.c40
-rw-r--r--lib/dns/spnego.c9
-rw-r--r--lib/dns/ssu.c68
-rw-r--r--lib/dns/ssu_external.c265
-rw-r--r--lib/dns/stats.c2
-rw-r--r--lib/dns/time.c2
-rw-r--r--lib/dns/tkey.c53
-rw-r--r--lib/dns/tsec.c160
-rw-r--r--lib/dns/tsig.c367
-rw-r--r--lib/dns/validator.c428
-rw-r--r--lib/dns/view.c421
-rw-r--r--lib/dns/xfrin.c43
-rw-r--r--lib/dns/zone.c3909
-rw-r--r--lib/export/Makefile.in27
-rw-r--r--lib/export/dns/Makefile.in179
-rw-r--r--lib/export/dns/include/Makefile.in23
-rw-r--r--lib/export/dns/include/dns/Makefile.in56
-rw-r--r--lib/export/dns/include/dst/Makefile.in36
-rw-r--r--lib/export/irs/Makefile.in86
-rw-r--r--lib/export/irs/include/Makefile.in24
-rw-r--r--lib/export/irs/include/irs/Makefile.in46
-rw-r--r--lib/export/isc/Makefile.in139
-rw-r--r--lib/export/isc/include/Makefile.in24
-rw-r--r--lib/export/isc/include/isc/Makefile.in66
-rw-r--r--lib/export/isc/include/isc/bind9.h30
-rw-r--r--lib/export/isc/nls/Makefile.in35
-rw-r--r--lib/export/isc/nothreads/Makefile.in40
-rw-r--r--lib/export/isc/nothreads/include/Makefile.in24
-rw-r--r--lib/export/isc/nothreads/include/isc/Makefile.in36
-rw-r--r--lib/export/isc/pthreads/Makefile.in38
-rw-r--r--lib/export/isc/pthreads/include/Makefile.in24
-rw-r--r--lib/export/isc/pthreads/include/isc/Makefile.in36
-rw-r--r--lib/export/isc/unix/Makefile.in57
-rw-r--r--lib/export/isc/unix/include/Makefile.in24
-rw-r--r--lib/export/isc/unix/include/isc/Makefile.in37
-rw-r--r--lib/export/isccfg/Makefile.in83
-rw-r--r--lib/export/isccfg/include/Makefile.in24
-rw-r--r--lib/export/isccfg/include/isccfg/Makefile.in42
-rw-r--r--lib/export/samples/Makefile-postinstall.in78
-rw-r--r--lib/export/samples/Makefile.in98
-rw-r--r--lib/export/samples/nsprobe.c1220
-rw-r--r--lib/export/samples/sample-async.c402
-rw-r--r--lib/export/samples/sample-gai.c77
-rw-r--r--lib/export/samples/sample-request.c263
-rw-r--r--lib/export/samples/sample-update.c755
-rw-r--r--lib/export/samples/sample.c378
-rw-r--r--lib/irs/Makefile.in80
-rw-r--r--lib/irs/api3
-rw-r--r--lib/irs/context.c396
-rw-r--r--lib/irs/dnsconf.c269
-rw-r--r--lib/irs/gai_strerror.c93
-rw-r--r--lib/irs/getaddrinfo.c1295
-rw-r--r--lib/irs/getnameinfo.c410
-rw-r--r--lib/irs/include/Makefile.in24
-rw-r--r--lib/irs/include/irs/Makefile.in44
-rw-r--r--lib/irs/include/irs/context.h159
-rw-r--r--lib/irs/include/irs/dnsconf.h94
-rw-r--r--lib/irs/include/irs/netdb.h.in167
-rw-r--r--lib/irs/include/irs/platform.h.in45
-rw-r--r--lib/irs/include/irs/resconf.h113
-rw-r--r--lib/irs/include/irs/types.h31
-rw-r--r--lib/irs/include/irs/version.h27
-rw-r--r--lib/irs/resconf.c636
-rw-r--r--lib/irs/version.c27
-rw-r--r--lib/isc/Makefile.in38
-rw-r--r--lib/isc/alpha/include/isc/atomic.h2
-rw-r--r--lib/isc/api6
-rw-r--r--lib/isc/app_api.c136
-rw-r--r--lib/isc/assertions.c64
-rw-r--r--lib/isc/backtrace-emptytbl.c34
-rw-r--r--lib/isc/backtrace.c285
-rw-r--r--lib/isc/base32.c2
-rw-r--r--lib/isc/base64.c2
-rw-r--r--lib/isc/entropy.c2
-rw-r--r--lib/isc/hash.c20
-rw-r--r--lib/isc/heap.c2
-rw-r--r--lib/isc/hmacmd5.c35
-rw-r--r--lib/isc/hmacsha.c269
-rw-r--r--lib/isc/httpd.c2
-rw-r--r--lib/isc/ia64/include/isc/atomic.h2
-rw-r--r--lib/isc/include/isc/Makefile.in10
-rw-r--r--lib/isc/include/isc/app.h173
-rw-r--r--lib/isc/include/isc/assertions.h8
-rw-r--r--lib/isc/include/isc/backtrace.h131
-rw-r--r--lib/isc/include/isc/bind9.h30
-rw-r--r--lib/isc/include/isc/buffer.h4
-rw-r--r--lib/isc/include/isc/entropy.h2
-rw-r--r--lib/isc/include/isc/error.h9
-rw-r--r--lib/isc/include/isc/file.h31
-rw-r--r--lib/isc/include/isc/fsaccess.h2
-rw-r--r--lib/isc/include/isc/hash.h2
-rw-r--r--lib/isc/include/isc/heap.h2
-rw-r--r--lib/isc/include/isc/hmacmd5.h13
-rw-r--r--lib/isc/include/isc/hmacsha.h17
-rw-r--r--lib/isc/include/isc/lib.h13
-rw-r--r--lib/isc/include/isc/log.h2
-rw-r--r--lib/isc/include/isc/md5.h14
-rw-r--r--lib/isc/include/isc/mem.h161
-rw-r--r--lib/isc/include/isc/msgs.h6
-rw-r--r--lib/isc/include/isc/namespace.h164
-rw-r--r--lib/isc/include/isc/netaddr.h2
-rw-r--r--lib/isc/include/isc/netscope.h2
-rw-r--r--lib/isc/include/isc/platform.h.in24
-rw-r--r--lib/isc/include/isc/portset.h2
-rw-r--r--lib/isc/include/isc/radix.h2
-rw-r--r--lib/isc/include/isc/random.h2
-rw-r--r--lib/isc/include/isc/ratelimiter.h2
-rw-r--r--lib/isc/include/isc/refcount.h12
-rw-r--r--lib/isc/include/isc/result.h5
-rw-r--r--lib/isc/include/isc/resultclass.h5
-rw-r--r--lib/isc/include/isc/serial.h2
-rw-r--r--lib/isc/include/isc/sha1.h13
-rw-r--r--lib/isc/include/isc/sha2.h17
-rw-r--r--lib/isc/include/isc/sockaddr.h2
-rw-r--r--lib/isc/include/isc/socket.h149
-rw-r--r--lib/isc/include/isc/stats.h2
-rw-r--r--lib/isc/include/isc/symtab.h2
-rw-r--r--lib/isc/include/isc/task.h108
-rw-r--r--lib/isc/include/isc/timer.h93
-rw-r--r--lib/isc/include/isc/types.h9
-rw-r--r--lib/isc/include/isc/util.h2
-rw-r--r--lib/isc/inet_aton.c4
-rw-r--r--lib/isc/inet_ntop.c2
-rw-r--r--lib/isc/iterated_hash.c2
-rw-r--r--lib/isc/lib.c34
-rw-r--r--lib/isc/log.c2
-rw-r--r--lib/isc/md5.c30
-rw-r--r--lib/isc/mem.c573
-rw-r--r--lib/isc/mem_api.c303
-rw-r--r--lib/isc/netaddr.c24
-rw-r--r--lib/isc/nls/Makefile.in4
-rw-r--r--lib/isc/nothreads/Makefile.in8
-rw-r--r--lib/isc/powerpc/include/isc/atomic.h2
-rw-r--r--lib/isc/print.c2
-rw-r--r--lib/isc/pthreads/Makefile.in4
-rw-r--r--lib/isc/pthreads/mutex.c2
-rw-r--r--lib/isc/radix.c2
-rw-r--r--lib/isc/random.c4
-rw-r--r--lib/isc/rwlock.c2
-rw-r--r--lib/isc/sha1.c41
-rw-r--r--lib/isc/sha2.c429
-rw-r--r--lib/isc/sockaddr.c8
-rw-r--r--lib/isc/socket_api.c216
-rw-r--r--lib/isc/stats.c2
-rw-r--r--lib/isc/task.c517
-rw-r--r--lib/isc/task_api.c216
-rw-r--r--lib/isc/task_p.h8
-rw-r--r--lib/isc/timer.c346
-rw-r--r--lib/isc/timer_api.c144
-rw-r--r--lib/isc/timer_p.h8
-rw-r--r--lib/isc/unix/Makefile.in4
-rw-r--r--lib/isc/unix/app.c540
-rw-r--r--lib/isc/unix/dir.c4
-rw-r--r--lib/isc/unix/entropy.c4
-rw-r--r--lib/isc/unix/file.c90
-rw-r--r--lib/isc/unix/ifiter_getifaddrs.c2
-rw-r--r--lib/isc/unix/ifiter_ioctl.c2
-rw-r--r--lib/isc/unix/include/isc/net.h4
-rw-r--r--lib/isc/unix/include/isc/offset.h4
-rw-r--r--lib/isc/unix/include/isc/strerror.h4
-rw-r--r--lib/isc/unix/include/isc/time.h2
-rw-r--r--lib/isc/unix/interfaceiter.c4
-rw-r--r--lib/isc/unix/resource.c2
-rw-r--r--lib/isc/unix/socket.c952
-rw-r--r--lib/isc/unix/socket_p.h9
-rw-r--r--lib/isc/unix/strerror.c2
-rw-r--r--lib/isccc/Makefile.in6
-rw-r--r--lib/isccc/api4
-rw-r--r--lib/isccfg/Makefile.in8
-rw-r--r--lib/isccfg/aclconf.c25
-rw-r--r--lib/isccfg/api6
-rw-r--r--lib/isccfg/dnsconf.c69
-rw-r--r--lib/isccfg/include/isccfg/aclconf.h14
-rw-r--r--lib/isccfg/include/isccfg/cfg.h38
-rw-r--r--lib/isccfg/include/isccfg/dnsconf.h35
-rw-r--r--lib/isccfg/include/isccfg/grammar.h24
-rw-r--r--lib/isccfg/include/isccfg/log.h2
-rw-r--r--lib/isccfg/include/isccfg/namedconf.h16
-rw-r--r--lib/isccfg/namedconf.c588
-rw-r--r--lib/isccfg/parser.c92
-rw-r--r--lib/lwres/api4
-rw-r--r--lib/lwres/context.c2
-rw-r--r--lib/lwres/context_p.h2
-rw-r--r--lib/lwres/getaddrinfo.c4
-rw-r--r--lib/lwres/getipnode.c2
-rw-r--r--lib/lwres/include/lwres/context.h2
-rw-r--r--lib/lwres/include/lwres/netdb.h.in2
-rw-r--r--lib/lwres/lwconfig.c2
-rw-r--r--lib/lwres/man/lwres.32
-rw-r--r--lib/lwres/man/lwres.html14
-rw-r--r--lib/lwres/man/lwres_buffer.32
-rw-r--r--lib/lwres/man/lwres_buffer.html6
-rw-r--r--lib/lwres/man/lwres_config.32
-rw-r--r--lib/lwres/man/lwres_config.html12
-rw-r--r--lib/lwres/man/lwres_context.32
-rw-r--r--lib/lwres/man/lwres_context.html10
-rw-r--r--lib/lwres/man/lwres_gabn.32
-rw-r--r--lib/lwres/man/lwres_gabn.html10
-rw-r--r--lib/lwres/man/lwres_gai_strerror.32
-rw-r--r--lib/lwres/man/lwres_gai_strerror.html8
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.32
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.html10
-rw-r--r--lib/lwres/man/lwres_gethostent.32
-rw-r--r--lib/lwres/man/lwres_gethostent.html12
-rw-r--r--lib/lwres/man/lwres_getipnode.32
-rw-r--r--lib/lwres/man/lwres_getipnode.html10
-rw-r--r--lib/lwres/man/lwres_getnameinfo.32
-rw-r--r--lib/lwres/man/lwres_getnameinfo.html12
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.32
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.html10
-rw-r--r--lib/lwres/man/lwres_gnba.32
-rw-r--r--lib/lwres/man/lwres_gnba.html10
-rw-r--r--lib/lwres/man/lwres_hstrerror.32
-rw-r--r--lib/lwres/man/lwres_hstrerror.html10
-rw-r--r--lib/lwres/man/lwres_inetntop.32
-rw-r--r--lib/lwres/man/lwres_inetntop.html10
-rw-r--r--lib/lwres/man/lwres_noop.32
-rw-r--r--lib/lwres/man/lwres_noop.html10
-rw-r--r--lib/lwres/man/lwres_packet.32
-rw-r--r--lib/lwres/man/lwres_packet.html8
-rw-r--r--lib/lwres/man/lwres_resutil.32
-rw-r--r--lib/lwres/man/lwres_resutil.html10
-rw-r--r--lib/lwres/print_p.h2
-rw-r--r--make/rules.in91
-rw-r--r--version10
609 files changed, 75304 insertions, 17302 deletions
diff --git a/CHANGES b/CHANGES
index 4a7cadadbf37..80ac38a8b27e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,17 +1,28 @@
- --- 9.6-ESV-R4-P3 released ---
+ --- 9.8.0-P4 released ---
3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets. [RT #24777]
- --- 9.6-ESV-R4-P2 released (withdrawn) ---
+ --- 9.8.0-P3 released (withdrawn) ---
+
+3126. [security] Using DNAME record to generate replacements caused
+ RPZ to exit with a assertion failure. [RT #23766]
+
+3125. [security] Using wildcard CNAME records as a replacement with
+ RPZ caused named to exit with a assertion failure.
+ [RT #24715]
3123. [security] Change #2912 exposed a latent flaw in
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777]
- --- 9.6-ESV-R4-P1 released ---
+3115. [bug] Named could fail to return requested data when
+ following a CNAME that points into the same zone.
+ [RT #2445]
+
+ --- 9.8.0-P2 released ---
3121. [security] An authoritative name server sending a negative
response containing a very large RRset could
@@ -22,22 +33,114 @@
that validated insecure without using DLV and had
DS records in the parent zone. [RT #24631]
- --- 9.6-ESV-R4 released ---
+ --- 9.8.0-P1 released ---
+
+3100. [security] Certain response policy zone configurations could
+ trigger an INSIST when receiving a query of type
+ RRSIG. [RT #24280]
+
+ --- 9.8.0 released ---
+
+3025. [bug] Fixed a possible deadlock due to zone resigning.
+ [RT #22964]
+
+3024. [func] RTT Banding removed due to minor security increase
+ but major impact on resolver latency. [RT #23310]
+
+3023. [bug] Named could be left in an inconsistent state when
+ receiving multiple AXFR response messages that were
+ not all TSIG-signed. [RT #23254]
+
+3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
+ [RT #23246]
+
+3021. [bug] Change #3010 was incomplete. [RT #22296]
+
+3020. [bug] auto-dnssec failed to correctly update the zone when
+ changing the DNSKEY RRset. [RT #23232]
+
+3019. [test] Test: check apex NSEC3 records after adding DNSKEY
+ record via UPDATE. [RT #23229]
+
+ --- 9.8.0rc1 released ---
+
+3018. [bug] Named failed to check for the "none;" acl when deciding
+ if a zone may need to be re-signed. [RT #23120]
+
+3017. [doc] dnssec-keyfromlabel -I was not properly documented.
+ [RT #22887]
+
+3016. [bug] rndc usage missing '-b'. [RT #22937]
+
+3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
+ IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
- --- 9.6.3 released ---
+3013. [bug] The DNS64 ttl was not always being set as expected.
+ [RT #23034]
+
+3012. [bug] Remove DNSKEY TTL change pairs before generating
+ signing records for any remaining DNSKEY changes.
+ [RT #22590]
+
+3011. [func] Allow setting this in named.conf using the new
+ 'resolver-query-timeout' option, which specifies a max
+ time in seconds. 0 means 'default' and anything longer
+ than 30 will be silently set to 30. [RT #22852]
+
+3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
+ for refreshing managed-keys. [RT #22296]
3009. [bug] clients-per-query code didn't work as expected with
particular query patterns. [RT #22972]
- --- 9.6.3rc1 released ---
+ --- 9.8.0b1 released ---
+
+3008. [func] Response policy zones (RPZ) support. [RT #21726]
3007. [bug] Named failed to preserve the case of domain names in
rdata which is not compressible when writing master
files. [RT #22863]
+3006. [func] Allow dynamically generated TSIG keys to be preserved
+ across restarts of named. Initially this is for
+ TSIG keys generated using GSSAPI. [RT #22639]
+
+3005. [port] Solaris: Work around the lack of
+ gsskrb5_register_acceptor_identity() by setting
+ the KRB5_KTNAME environment variable to the
+ contents of tkey-gssapi-keytab. Also fixed
+ test errors on MacOSX. [RT #22853]
+
+3004. [func] DNS64 reverse support. [RT #22769]
+
+3003. [experimental] Added update-policy match type "external",
+ enabling named to defer the decision of whether to
+ allow a dynamic update to an external daemon.
+ (Contributed by Andrew Tridgell.) [RT #22758]
+
3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
[RT #22766]
+3001. [func] Added a default trust anchor for the root zone, which
+ can be switched on by setting "dnssec-validation auto;"
+ in the named.conf options. [RT #21727]
+
+3000. [bug] More TKEY/GSS fixes:
+ - nsupdate can now get the default realm from
+ the user's Kerberos principal
+ - corrected gsstest compilation flags
+ - improved documentation
+ - fixed some NULL dereferences
+ [RT #22795]
+
+2999. [func] Add GOST support (RFC 5933). [RT #20639]
+
+2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
+ to the task api. [RT #22776]
+
+2997. [func] named -V now reports the OpenSSL and libxml2 verions
+ it was compiled against. [RT #22687]
+
2996. [security] Temporarily disable SO_ACCEPTFILTER support.
[RT #22589]
@@ -48,13 +151,52 @@
do not use threads on earlier versions. Also kill
the unproven-pthreads, mit-pthreads, and ptl2 support.
+2993. [func] Dynamically grow adb hash tables. [RT #21186]
+
+2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
+ for looking at a secure delegation. [RT #22059]
+
+2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
+ dynamic zones. [RT #22365]
+
+2990. [bug] 'dnssec-settime -S' no longer tests prepublication
+ interval validity when the interval is set to 0.
+ [RT #22761]
+
+2989. [func] Added support for writable DLZ zones. (Contributed
+ by Andrew Tridgell of the Samba project.) [RT #22629]
+
+2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
+ of external DLZ drivers that can be loaded as
+ shared objects at runtime rather than linked with
+ named. Currently this is switched on via a
+ compile-time option, "configure --with-dlz-dlopen".
+ Note: the syntax for configuring DLZ zones
+ is likely to be refined in future releases.
+ (Contributed by Andrew Tridgell of the Samba
+ project.) [RT #22629]
+
+2987. [func] Improve ease of configuring TKEY/GSS updates by
+ adding a "tkey-gssapi-keytab" option. If set,
+ updates will be allowed with any key matching
+ a principal in the specified keytab file.
+ "tkey-gssapi-credential" is no longer required
+ and is expected to be deprecated. (Contributed
+ by Andrew Tridgell of the Samba project.)
+ [RT #22629]
+
+2986. [func] Add new zone type "static-stub". It's like a stub
+ zone, but the nameserver names and/or their IP
+ addresses are statically configured. [RT #21474]
+
+2985. [bug] Add a regression test for change #2896. [RT #21324]
+
2984. [bug] Don't run MX checks when the target of the MX record
is ".". [RT #22645]
-2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
- [RT #20768]
+2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
- --- 9.6.3b1 released ---
+ --- 9.8.0a1 released ---
2982. [bug] Reference count dst keys. dst_key_attach() can be used
increment the reference count.
@@ -63,34 +205,103 @@
always call dst_key_free() rather than setting it
to NULL on success. [RT #22672]
+2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
+
+2980. [bug] named didn't properly handle UPDATES that changed the
+ TTL of the NSEC3PARAM RRset. [RT #22363]
+
2979. [bug] named could deadlock during shutdown if two
"rndc stop" commands were issued at the same
time. [RT #22108]
2978. [port] hpux: look for <devpoll.h> [RT #21919]
+2977. [bug] 'nsupdate -l' report if the session key is missing.
+ [RT #21670]
+
2976. [bug] named could die on exit after negotiating a GSS-TSIG
key. [RT #22573]
-2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() aquired the
+2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
wrong lock which could lead to server deadlock.
[RT #22614]
+2974. [bug] Some valid UPDATE requests could fail due to a
+ consistency check examining the existing version
+ of the zone rather than the new version resulting
+ from the UPDATE. [RT #22413]
+
+2973. [bug] bind.keys.h was being removed by the "make clean"
+ at the end of configure resulting in build failures
+ where there is very old version of perl installed.
+ Move it to "make maintainer-clean". [RT #22230]
+
+2972. [bug] win32: address windows socket errors. [RT #21906]
+
+2971. [bug] Fixed a bug that caused journal files not to be
+ compacted on Windows systems as a result of
+ non-POSIX-compliant rename() semantics. [RT #22434]
+
+2970. [security] Adding a NO DATA negative cache entry failed to clear
+ any matching RRSIG records. A subsequent lookup of
+ of NO DATA cache entry could trigger a INSIST when the
+ unexpected RRSIG was also returned with the NO DATA
+ cache entry.
+
+ CVE-2010-3613, VU#706148. [RT #22288]
+
+2969. [security] Fix acl type processing so that allow-query works
+ in options and view statements. Also add a new
+ set of tests to verify proper functioning.
+
+ CVE-2010-3615, VU#510208. [RT #22418]
+
+2968. [security] Named could fail to prove a data set was insecure
+ before marking it as insecure. One set of conditions
+ that can trigger this occurs naturally when rolling
+ DNSKEY algorithms.
+
+ CVE-2010-3614, VU#837744. [RT #22309]
+
+2967. [bug] 'host -D' now turns on debugging messages earlier.
+ [RT #22361]
+
+2966. [bug] isc_print_vsnprintf() failed to check if there was
+ space available in the buffer when adding a left
+ justified character with a non zero width,
+ (e.g. "%-1c"). [RT #22270]
+
2965. [func] Test HMAC functions using test data from RFC 2104 and
RFC 4634. [RT #21702]
+2964. [placeholder]
+
+2963. [security] The allow-query acl was being applied instead of the
+ allow-query-cache acl to cache lookups. [RT #22114]
+
+2962. [port] win32: add more dependencies to BINDBuild.dsw.
+ [RT #22062]
+
+2961. [bug] Be still more selective about the non-authoritative
+ answers we apply change 2748 to. [RT #22074]
+
2960. [func] Check that named accepts non-authoritative answers.
[RT #21594]
2959. [func] Check that named starts with a missing masterfile.
[RT #22076]
+2958. [bug] named failed to start with a missing master file.
+ [RT #22076]
+
2957. [bug] entropy_get() and entropy_getpseudo() failed to match
the API for RAND_bytes() and RAND_pseudo_bytes()
respectively. [RT #21962]
2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
+2955. [func] Provide more detail in the recursing log. [RT #22043]
+
2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
build_sqldbinstance failure. [RT #21623]
@@ -98,10 +309,26 @@
exact match" message when returning a wildcard
no data response. [RT #21744]
+2952. [port] win32: named-checkzone and named-checkconf failed
+ to initialise winsock. [RT #21932]
+
+2951. [bug] named failed to generate a correct signed response
+ in a optout, delegation only zone with no secure
+ delegations. [RT #22007]
+
2950. [bug] named failed to perform a SOA up to date check when
falling back to TCP on UDP timeouts when
ixfr-from-differences was set. [RT #21595]
+2949. [bug] dns_view_setnewzones() contained a memory leak if
+ it was called multiple times. [RT #21942]
+
+2948. [port] MacOS: provide a mechanism to configure the test
+ interfaces at reboot. See bin/tests/system/README
+ for details.
+
+2947. [placeholder]
+
2946. [doc] Document the default values for the minimum and maximum
zone refresh and retry values in the ARM. [RT #21886]
@@ -110,12 +337,59 @@
2944. [maint] Remove ORCHID prefix from built in empty zones.
[RT #21772]
+2943. [func] Add support to load new keys into managed zones
+ without signing immediately with "rndc loadkeys".
+ Add support to link keys with "dnssec-keygen -S"
+ and "dnssec-settime -S". [RT #21351]
+
2942. [contrib] zone2sqlite failed to setup the entropy sources.
[RT #21610]
2941. [bug] sdb and sdlz (dlz's zone database) failed to support
DNAME at the zone apex. [RT #21610]
+2940. [port] Remove connection aborted error message on
+ Windows. [RT #21549]
+
+2939. [func] Check that named successfully skips NSEC3 records
+ that fail to match the NSEC3PARAM record currently
+ in use. [RT# 21868]
+
+2938. [bug] When generating signed responses, from a signed zone
+ that uses NSEC3, named would use a uninitialised
+ pointer if it needed to skip a NSEC3 record because
+ it didn't match the selected NSEC3PARAM record for
+ zone. [RT# 21868]
+
+2937. [bug] Worked around an apparent race condition in over
+ memory conditions. Without this fix a DNS cache DB or
+ ADB could incorrectly stay in an over memory state,
+ effectively refusing further caching, which
+ subsequently made a BIND 9 caching server unworkable.
+ This fix prevents this problem from happening by
+ polling the state of the memory context, rather than
+ making a copy of the state, which appeared to cause
+ a race. This is a "workaround" in that it doesn't
+ solve the possible race per se, but several experiments
+ proved this change solves the symptom. Also, the
+ polling overhead hasn't been reported to be an issue.
+ This bug should only affect a caching server that
+ specifies a finite max-cache-size. It's also quite
+ likely that the bug happens only when enabling threads,
+ but it's not confirmed yet. [RT #21818]
+
+2936. [func] Improved configuration syntax and multiple-view
+ support for addzone/delzone feature (see change
+ #2930). Removed "new-zone-file" option, replaced
+ with "allow-new-zones (yes|no)". The new-zone-file
+ for each view is now created automatically, with
+ a filename generated from a hash of the view name.
+ It is no longer necessary to "include" the
+ new-zone-file in named.conf; this happens
+ automatically. Zones that were not added via
+ "rndc addzone" can no longer be removed with
+ "rndc delzone". [RT #19447]
+
2935. [bug] nsupdate: improve 'file not found' error message.
[RT #21871]
@@ -136,6 +410,17 @@
revisit the issue and complete the fix later.
[RT #21710]
+2930. [experimental] New "rndc addzone" and "rndc delzone" commads
+ allow dynamic addition and deletion of zones.
+ To enable this feature, specify a "new-zone-file"
+ option at the view or options level in named.conf.
+ Zone configuration information for the new zones
+ will be written into that file. To make the new
+ zones persist after a restart, "include" the file
+ into named.conf in the appropriate view. (Note:
+ This feature is not yet documented, and its syntax
+ is expected to change.) [RT #19447]
+
2929. [bug] Improved handling of GSS security contexts:
- added LRU expiration for generated TSIGs
- added the ability to use a non-default realm
@@ -145,19 +430,49 @@
smaller)
[RT #19737]
+2928. [bug] Be more selective about the non-authoritative
+ answer we apply change 2748 to. [RT #21594]
+
+2927. [placeholder]
+
+2926. [placeholder]
+h
+2925. [bug] Named failed to accept uncachable negative responses
+ from insecure zones. [RT# 21555]
+
+2924. [func] 'rndc secroots' dump a combined summary of the
+ current managed keys combined with trusted keys.
+ [RT #20904]
+
2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]
2922. [contrib] Update zkt to version 1.0.
+2921. [bug] The resolver could attempt to destroy a fetch context
+ too soon. [RT #19878]
+
+2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
+ to IPv4 clients. New acl 'filter-aaaa' (default any).
+
+2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
+ [RT #20840]
+
2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
+2917. [func] Virtual time test framework. [RT #20801]
+
2916. [func] Add framework to use IPv6 in tests.
fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
2915. [cleanup] Be smarter about which objects we attempt to compile
based on configure options. [RT #21444]
+2914. [bug] Make the "autosign" system test more portable.
+ [RT #20997]
+
+2913. [func] Add pkcs#11 system tests. [RT #20784]
+
2912. [func] Windows clients don't like UPDATE responses that clear
the zone section. [RT #20986]
@@ -166,9 +481,17 @@
2910. [func] Sanity check Kerberos credentials. [RT #20986]
+2909. [bug] named-checkconf -p could die if "update-policy local;"
+ was specified in named.conf. [RT #21416]
+
2908. [bug] It was possible for re-signing to stop after removing
a DNSKEY. [RT #21384]
+2907. [bug] The export version of libdns had undefined references.
+ [RT #21444]
+
+2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
+
2905. [port] aix: set use_atomic=yes with native compiler.
[RT #21402]
@@ -177,23 +500,55 @@
secure leading to negative proofs failing. This was
a unintended outcome from change 2890. [RT# 21392]
+2903. [bug] managed-keys-directory missing from namedconf.c.
+ [RT #21370]
+
+2902. [func] Add regression test for change 2897. [RT #21040]
+
2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
+2900. [bug] The placeholder negative caching element was not
+ properly constructed triggering a INSIST in
+ dns_ncache_towire(). [RT #21346]
+
2899. [port] win32: Support linking against OpenSSL 1.0.0.
2898. [bug] nslookup leaked memory when -domain=value was
specified. [RT #21301]
+2897. [bug] NSEC3 chains could be left behind when transitioning
+ to insecure. [RT #21040]
+
+2896. [bug] "rndc sign" failed to properly update the zone
+ when adding a DNSKEY for publication only. [RT #21045]
+
+2895. [func] genrandom: add support for the generation of multiple
+ files. [RT #20917]
+
2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
+2893. [bug] Improve managed keys support. New named.conf option
+ managed-keys-directory. [RT #20924]
+
+2892. [bug] Handle REVOKED keys better. [RT #20961]
+
2891. [maint] Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
+2890. [bug] Handle the introduction of new trusted-keys and
+ DS, DLV RRsets better. [RT #21097]
+
2889. [bug] Elements of the grammar where not properly reported.
[RT #21046]
2888. [bug] Only the first EDNS option was displayed. [RT #21273]
+2887. [bug] Report the keytag times in UTC in the .key file,
+ local time is presented as a comment within the
+ comment. [RT #21223]
+
+2886. [bug] ctime() is not thread safe. [RT #21223]
+
2885. [bug] Improve -fno-strict-aliasing support probing in
configure. [RT #21080]
@@ -209,12 +564,21 @@
2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198]
+2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
+ consistent. [RT #21078]
+
2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
[RT #21106]
+2878. [func] Incrementally write the master file after performing
+ a AXFR. [RT #21010]
+
2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]
+2876. [bug] Named could return SERVFAIL for negative responses
+ from unsigned zones. [RT #21131]
+
2875. [bug] dns_time64_fromtext() could accept non digits.
[RT #21033]
@@ -222,8 +586,22 @@
successfully responds to the query using plain DNS.
[RT #20930]
+2873. [bug] Cancelling a dynamic update via the dns/client module
+ could trigger an assertion failure. [RT #21133]
+
+2872. [bug] Modify dns/client.c:dns_client_createx() to only
+ require one of IPv4 or IPv6 rather than both.
+ [RT #21122]
+
+2871. [bug] Type mismatch in mem_api.c between the definition and
+ the header file, causing build failure with
+ --enable-exportlib. [RT #21138]
+
2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
+2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
+ [RT #20877]
+
2868. [cleanup] Run "make clean" at the end of configure to ensure
any changes made by configure are integrated.
Use --with-make-clean=no to disable. [RT #20994]
@@ -245,6 +623,11 @@
2862. [bug] nsupdate didn't default to the parent zone when
updating DS records. [RT #20896]
+2861. [doc] dnssec-settime man pages didn't correctly document the
+ inactivation time. [RT #21039]
+
+2860. [bug] named-checkconf's usage was out of date. [RT #21039]
+
2859. [bug] When cancelling validation it was possible to leak
memory. [RT #20800]
@@ -257,173 +640,244 @@
2856. [bug] The size of a memory allocation was not always properly
recorded. [RT #20927]
-2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
-
-2851. [doc] nslookup.1, removed <informalexample> from the docbook
- source as it produced bad nroff. [RT #21007]
-
- --- 9.6-ESV-R3 released ---
-
-2972. [bug] win32: address windows socket errors. [RT #21906]
-
-2971. [bug] Fixed a bug that caused journal files not to be
- compacted on Windows systems as a result of
- non-POSIX-compliant rename() semantics. [RT #22434]
-
-2970. [security] Adding a NO DATA negative cache entry failed to clear
- any matching RRSIG records. A subsequent lookup of
- of NO DATA cache entry could trigger a INSIST when the
- unexpected RRSIG was also returned with the NO DATA
- cache entry.
-
- CVE-2010-3613, VU#706148. [RT #22288]
-
-2969. [security] Fix acl type processing so that allow-query works
- in options and view statements. Also add a new
- set of tests to verify proper functioning.
+2855. [func] nsupdate will now preserve the entered case of domain
+ names in update requests it sends. [RT #20928]
- CVE-2010-3615, VU#510208. [RT #22418]
+2854. [func] dig: allow the final soa record in a axfr response to
+ be suppressed, dig +onesoa. [RT #20929]
-2968. [security] Named could fail to prove a data set was insecure
- before marking it as insecure. One set of conditions
- that can trigger this occurs naturally when rolling
- DNSKEY algorithms.
-
- CVE-2010-3614, VU#837744. [RT #22309]
-
-2967. [bug] 'host -D' now turns on debugging messages earlier.
- [RT #22361]
-
-2966. [bug] isc_print_vsnprintf() failed to check if there was
- space available in the buffer when adding a left
- justified character with a non zero width,
- (e.g. "%-1c"). [RT #22270]
-
-2964. [bug] view->queryacl was being overloaded. Seperate the
- usage into view->queryacl, view->cacheacl and
- view->queryonacl. [RT #22114]
-
-2962. [port] win32: add more dependencies to BINDBuild.dsw.
- [RT #22062]
-
-2952. [port] win32: named-checkzone and named-checkconf failed
- to initialise winsock. [RT #21932]
+2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
-2951. [bug] named failed to generate a correct signed response
- in a optout, delegation only zone with no secure
- delegations. [RT #22007]
+2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
- --- 9.6-ESV-R2 released ---
+2851. [doc] nslookup.1, removed <informalexample> from the docbook
+ source as it produced bad nroff. [RT #21007]
-2939. [func] Check that named successfully skips NSEC3 records
- that fail to match the NSEC3PARAM record currently
- in use. [RT# 21868]
+2850. [bug] If isc_heap_insert() failed due to memory shortage
+ the heap would have corrupted entries. [RT #20951]
-2937. [bug] Worked around an apparent race condition in over
- memory conditions. Without this fix a DNS cache DB or
- ADB could incorrectly stay in an over memory state,
- effectively refusing further caching, which
- subsequently made a BIND 9 caching server unworkable.
- This fix prevents this problem from happening by
- polling the state of the memory context, rather than
- making a copy of the state, which appeared to cause
- a race. This is a "workaround" in that it doesn't
- solve the possible race per se, but several experiments
- proved this change solves the symptom. Also, the
- polling overhead hasn't been reported to be an issue.
- This bug should only affect a caching server that
- specifies a finite max-cache-size. It's also quite
- likely that the bug happens only when enabling threads,
- but it's not confirmed yet. [RT #21818]
+2849. [bug] Don't treat errors from the xml2 library as fatal.
+ [RT #20945]
-2925. [bug] Named failed to accept uncachable negative responses
- from insecure zones. [RT# 21555]
+2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
+ README.rfc5011 into the ARM. [RT #20899]
-2921. [bug] The resolver could attempt to destroy a fetch context
- too soon. [RT #19878]
+2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
-2900. [bug] The placeholder negative caching element was not
- properly constructed triggering a INSIST in
- dns_ncache_towire(). [RT #21346]
+2846. [bug] EOF on unix domain sockets was not being handled
+ correctly. [RT #20731]
-2890. [bug] Handle the introduction of new trusted-keys and
- DS, DLV RRsets better. [RT #21097]
+2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
-2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
- [RT #20877]
+2844. [doc] notify-delay default in ARM was wrong. It should have
+ been five (5) seconds.
- --- 9.6-ESV-R1 released ---
+2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
+ creating key files if there is a chance that the new
+ key ID will collide with an existing one after
+ either of the keys has been revoked. (To override
+ this in the case of dnssec-keyfromlabel, use the -y
+ option. dnssec-keygen will simply create a
+ different, non-colliding key, so an override is
+ not necessary.) [RT #20838]
-2876. [bug] Named could return SERVFAIL for negative responses
- from unsigned zones. [RT #21131]
+2842. [func] Added "smartsign" and improved "autosign" and
+ "dnssec" regression tests. [RT #20865]
- --- 9.6-ESV released ---
+2841. [bug] Change 2836 was not complete. [RT #20883]
-2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
+2840. [bug] Temporary fixed pkcs11-destroy usage check.
+ [RT #20760]
- --- 9.6.2 released ---
+2839. [bug] A KSK revoked by named could not be deleted.
+ [RT #20881]
-2850. [bug] If isc_heap_insert() failed due to memory shortage
- the heap would have corrupted entries. [RT #20951]
+2838. [placeholder]
-2849. [bug] Don't treat errors from the xml2 library as fatal.
- [RT #20945]
+2837. [port] Prevent Linux spurious warnings about fwrite().
+ [RT #20812]
-2846. [bug] EOF on unix domain sockets was not being handled
- correctly. [RT #20731]
+2836. [bug] Keys that were scheduled to become active could
+ be delayed. [RT #20874]
-2844. [doc] notify-delay default in ARM was wrong. It should have
- been five (5) seconds.
+2835. [bug] Key inactivity dates were inadvertently stored in
+ the private key file with the outdated tag
+ "Unpublish" rather than "Inactive". This has been
+ fixed; however, any existing keys that had Inactive
+ dates set will now need to have them reset, using
+ 'dnssec-settime -I'. [RT #20868]
- --- 9.6.2rc1 released ---
+2834. [bug] HMAC-SHA* keys that were longer than the algorithm
+ digest length were used incorrectly, leading to
+ interoperability problems with other DNS
+ implementations. This has been corrected.
+ (Note: If an oversize key is in use, and
+ compatibility is needed with an older release of
+ BIND, the new tool "isc-hmac-fixup" can convert
+ the key secret to a form that will work with all
+ versions.) [RT #20751]
-2838. [func] Backport support for SHA-2 DNSSEC algorithms,
- RSASHA256 and RSASHA512, from BIND 9.7. (This
- incorporates changes 2726 and 2738 from that
- release branch.) [RT #20871]
+2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
+ [RT #20851]
-2837. [port] Prevent Linux spurious warnings about fwrite().
- [RT #20812]
+2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
+ to avoid redefinition in some OSs [RT 20831]
2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]
+2830. [bug] Changing the OPTOUT setting could take multiple
+ passes. [RT #20813]
+
+2829. [bug] Fixed potential node inconsistency in rbtdb.c.
+ [RT #20808]
+
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
+ being released. [RT #20740]
+
2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]
+2824. [bug] "rndc sign" was not being run by the correct task.
+ [RT #20759]
+
2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
+2822. [bug] rbtdb.c:loadnode() could return the wrong result.
+ [RT #20802]
+
+2821. [doc] Add note that named-checkconf doesn't automatically
+ read rndc.key and bind.keys [RT #20758]
+
+2820. [func] Handle read access failure of OpenSSL configuration
+ file more user friendly (PKCS#11 engine patch).
+ [RT #20668]
+
2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
[RT #20771]
2818. [cleanup] rndc could return an incorrect error code
when a zone was not found. [RT #20767]
+2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
+ [RT #20768]
+
+2816. [bug] previous_closest_nsec() could fail to return
+ data for NSEC3 nodes [RT #29730]
+
2815. [bug] Exclusively lock the task when freezing a zone.
[RT #19838]
2814. [func] Provide a definitive error message when a master
zone is not loaded. [RT #20757]
- --- 9.6.2b1 released ---
+2813. [bug] Better handling of unreadable DNSSEC key files.
+ [RT #20710]
+
+2812. [bug] Make sure updates can't result in a zone with
+ NSEC-only keys and NSEC3 records. [RT 20748]
+
+2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
+ output. [RT #20733]
+
+2810. [doc] Clarified the process of transitioning an NSEC3 zone
+ to insecure. [RT #20746]
+
+2809. [cleanup] Restored accidentally-deleted text in usage output
+ in dnssec-settime and dnssec-revoke [RT #20739]
+
+2808. [bug] Remove the attempt to install atomic.h from lib/isc.
+ atomic.h is correctly installed by the architecture
+ specific subdirectories. [RT #20722]
+
+2807. [bug] Fixed a possible ASSERT when reconfiguring zone
+ keys. [RT #20720]
+
+ --- 9.7.0rc1 released ---
+
+2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
+ when it had changed. [RT #20703]
+
+2805. [bug] Fixed namespace problems encountered when building
+ external programs using non-exported BIND9 libraries
+ (i.e., built without --enable-exportlib). [RT #20679]
+
+2804. [bug] Send notifies when a zone is signed with "rndc sign"
+ or as a result of a scheduled key change. [RT #20700]
+
+2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
+ and genrandom under windows. [RT #20670]
+
+2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
+
+2801. [func] Detect and report records that are different according
+ to DNSSEC but are semantically equal according to plain
+ DNS. Apply plain DNS comparisons rather than DNSSEC
+ comparisons when processing UPDATE requests.
+ dnssec-signzone now removes such semantically duplicate
+ records prior to signing the RRset.
+
+ named-checkzone -r {ignore|warn|fail} (default warn)
+ named-compilezone -r {ignore|warn|fail} (default warn)
+
+ named.conf: check-dup-records {ignore|warn|fail};
+
+2800. [func] Reject zones which have NS records which refer to
+ CNAMEs, DNAMEs or don't have address record (class IN
+ only). Reject UPDATEs which would cause the zone
+ to fail the above checks if committed. [RT #20678]
+
+2799. [cleanup] Changed the "secure-to-insecure" option to
+ "dnssec-secure-to-insecure", and "dnskey-ksk-only"
+ to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
+
+2798. [bug] Addressed bugs in managed-keys initialization
+ and rollover. [RT #20683]
2797. [bug] Don't decrement the dispatch manager's maxbuffers.
[RT #20613]
+2796. [bug] Missing dns_rdataset_disassociate() call in
+ dns_nsec3_delnsec3sx(). [RT #20681]
+
+2795. [cleanup] Add text to differentiate "update with no effect"
+ log messages. [RT #18889]
+
+2794. [bug] Install <isc/namespace.h>. [RT #20677]
+
+2793. [func] Add "autosign" and "metadata" tests to the
+ automatic tests. [RT #19946]
+
+2792. [func] "filter-aaaa-on-v4" can now be set in view
+ options (if compiled in). [RT #20635]
+
+2791. [bug] The installation of isc-config.sh was broken.
+ [RT #20667]
+
2790. [bug] Handle DS queries to stub zones. [RT #20440]
2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
+2788. [bug] dnssec-signzone could sign with keys that were
+ not requested [RT #20625]
+
+2787. [bug] Spurious log message when zone keys were
+ dynamically reconfigured. [RT #20659]
+
2786. [bug] Additional could be promoted to answer. [RT #20663]
+ --- 9.7.0b3 released ---
+
+2785. [bug] Revoked keys could fail to self-sign [RT #20652]
+
2784. [bug] TC was not always being set when required glue was
dropped. [RT #20655]
@@ -433,15 +887,65 @@
2782. [port] win32: use getaddrinfo() for hostname lookups.
[RT #20650]
+2781. [bug] Inactive keys could be used for signing. [RT #20649]
+
+2780. [bug] dnssec-keygen -A none didn't properly unset the
+ activation date in all cases. [RT #20648]
+
+2779. [bug] Dynamic key revocation could fail. [RT #20644]
+
+2778. [bug] dnssec-signzone could fail when a key was revoked
+ without deleting the unrevoked version. [RT #20638]
+
2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
+2776. [bug] Change #2762 was not correct. [RT #20647]
+
+2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
+ in dnssec-keyfromlabel. [RT #20643]
+
+2774. [bug] Existing cache DB wasn't being reused after
+ reconfiguration. [RT #20629]
+
+2773. [bug] In autosigned zones, the SOA could be signed
+ with the KSK. [RT #20628]
+
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
+2771. [bug] dnssec-signzone: DNSKEY records could be
+ corrupted when importing from key files [RT #20624]
+
+2770. [cleanup] Add log messages to resolver.c to indicate events
+ causing FORMERR responses. [RT #20526]
+
+2769. [cleanup] Change #2742 was incomplete. [RT #19589]
+
+2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
+
+2767. [bug] named could crash on startup if a zone was
+ configured with auto-dnssec and there was no
+ key-directory. [RT #20615]
+
+2766. [bug] isc_socket_fdwatchpoke() should only update the
+ socketmgr state if the socket is not pending on a
+ read or write. [RT #20603]
+
2765. [bug] Skip masters for which the TSIG key cannot be found.
[RT #20595]
+2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
+
+2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
+
+2762. [bug] DLV validation failed with a local slave DLV zone.
+ [RT #20577]
+
+2761. [cleanup] Enable internal symbol table for backtrace only for
+ systems that are known to work. Currently, BSD
+ variants, Linux and Solaris are supported. [RT# 20202]
+
2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
2759. [doc] Add information about .jbk/.jnw files to
@@ -454,27 +958,115 @@
2757. [bug] dig: assertion failure could occur in connect
timeout. [RT #20599]
-2755. [doc] Clarify documentation of keyset- files in
- dnssec-signzone man page. [RT #19810]
+2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
+
+2755. [placeholder]
2754. [bug] Secure-to-insecure transitions failed when zone
was signed with NSEC3. [RT #20587]
+2753. [bug] Removed an unnecessary warning that could appear when
+ building an NSEC chain. [RT #20589]
+
+2752. [bug] Locking violation. [RT #20587]
+
+2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
+
2750. [bug] dig: assertion failure could occur when a server
didn't have an address. [RT #20579]
2749. [bug] ixfr-from-differences generated a non-minimal ixfr
for NSEC3 signed zones. [RT #20452]
+2748. [func] Identify bad answers from GTLD servers and treat them
+ as referrals. [RT #18884]
+
2747. [bug] Journal roll forwards failed to set the re-signing
time of RRSIGs correctly. [RT #20541]
+2746. [port] hpux: address signed/unsigned expansion mismatch of
+ dns_rbtnode_t.nsec. [RT #20542]
+
+2745. [bug] configure script didn't probe the return type of
+ gai_strerror(3) correctly. [RT #20573]
+
+2744. [func] Log if a query was over TCP. [RT #19961]
+
2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
for a insecure delegation.
+ --- 9.7.0b2 released ---
+
+2742. [cleanup] Clarify some DNSSEC-related log messages in
+ validator.c. [RT #19589]
+
+2741. [func] Allow the dnssec-keygen progress messages to be
+ suppressed (dnssec-keygen -q). Automatically
+ suppress the progress messages when stdin is not
+ a tty. [RT #20474]
+
+2740. [placeholder]
+
+2739. [cleanup] Clean up API for initializing and clearing trust
+ anchors for a view. [RT #20211]
+
+2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
+ test. [RT #20453]
+
+2737. [func] UPDATE requests can leak existence information.
+ [RT #17261]
+
+2736. [func] Improve the performance of NSEC signed zones with
+ more than a normal amount of glue below a delegation.
+ [RT #20191]
+
+2735. [bug] dnssec-signzone could fail to read keys
+ that were specified on the command line with
+ full paths, but weren't in the current
+ directory. [RT #20421]
+
+2734. [port] cygwin: arpaname did not compile. [RT #20473]
+
+2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
+
+2732. [func] Add optional filter-aaaa-on-v4 option, available
+ if built with './configure --enable-filter-aaaa'.
+ Filters out AAAA answers to clients connecting
+ via IPv4. (This is NOT recommended for general
+ use.) [RT #20339]
+
+2731. [func] Additional work on change 2709. The key parser
+ will now ignore unrecognized fields when the
+ minor version number of the private key format
+ has been increased. It will reject any key with
+ the major version number increased. [RT #20310]
+
+2730. [func] Have dnssec-keygen display a progress indication
+ a la 'openssl genrsa' on standard error. Note
+ when the first '.' is followed by a long stop
+ one has the choice between slow generation vs.
+ poor random quality, i.e., '-r /dev/urandom'.
+ [RT #20284]
+
2729. [func] When constructing a CNAME from a DNAME use the DNAME
TTL. [RT #20451]
+2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
+ dnssec-signzone now warn immediately if asked to
+ write into a nonexistent directory. [RT #20278]
+
+2727. [func] The 'key-directory' option can now specify a relative
+ path. [RT #20154]
+
+2726. [func] Added support for SHA-2 DNSSEC algorithms,
+ RSASHA256 and RSASHA512. [RT #20023]
+
+2725. [doc] Added information about the file "managed-keys.bind"
+ to the ARM. [RT #20235]
+
+2724. [bug] Updates to a existing node in secure zone using NSEC
+ were failing. [RT #20448]
+
2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
isc_base64_totext(), didn't always mark regions of
memory as fully consumed after conversion. [RT #20445]
@@ -486,11 +1078,24 @@
2721. [port] Have dst__entropy_status() prime the random number
generator. [RT #20369]
+2720. [bug] RFC 5011 trust anchor updates could trigger an
+ assert if the DNSKEY record was unsigned. [RT #20406]
+
+2719. [func] Skip trusted/managed keys for unsupported algorithms.
+ [RT #20392]
+
2718. [bug] The space calculations in opensslrsa_todns() were
incorrect. [RT #20394]
+2717. [bug] named failed to update the NSEC/NSEC3 record when
+ the last private type record was removed as a result
+ of completing the signing the zone with a key.
+ [RT #20399]
+
2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
+ --- 9.7.0b1 released ---
+
2715. [bug] Require OpenSSL support to be explicitly disabled.
[RT #20288]
@@ -500,19 +1105,63 @@
2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.
+2712. [func] New 'auto-dnssec' zone option allows zone signing
+ to be fully automated in zones configured for
+ dynamic DNS. 'auto-dnssec allow;' permits a zone
+ to be signed by creating keys for it in the
+ key-directory and using 'rndc sign <zone>'.
+ 'auto-dnssec maintain;' allows that too, plus it
+ also keeps the zone's DNSSEC keys up to date
+ according to their timing metadata. [RT #19943]
+
+2711. [port] win32: Add the bin/pkcs11 tools into the full
+ build. [RT #20372]
+
+2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
+ zone option cause a zone to be signed with only KSKs
+ signing the DNSKEY RRset, not ZSKs. This reduces
+ the size of a DNSKEY answer. [RT #20340]
+
+2709. [func] Added some data fields, currently unused, to the
+ private key file format, to allow implementation
+ of explicit key rollover in a future release
+ without impairing backward or forward compatibility.
+ [RT #20310]
+
+2708. [func] Insecure to secure and NSEC3 parameter changes via
+ update are now fully supported and no longer require
+ defines to enable. We now no longer overload the
+ NSEC3PARAM flag field, nor the NSEC OPT bit at the
+ apex. Secure to insecure changes are controlled by
+ by the named.conf option 'secure-to-insecure'.
+
+ Warning: If you had previously enabled support by
+ adding defines at compile time to BIND 9.6 you should
+ ensure that all changes that are in progress have
+ completed prior to upgrading to BIND 9.7. BIND 9.7
+ is not backwards compatible.
+
+2707. [func] dnssec-keyfromlabel no longer require engine name
+ to be specified in the label if there is a default
+ engine or the -E option has been used. Also, it
+ now uses default algorithms as dnssec-keygen does
+ (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
+ [RT #20371]
+
2706. [bug] Loading a zone with a very large NSEC3 salt could
trigger an assert. [RT #20368]
-2705. [bug] Reconcile the XML stats version number with a later
- BIND9 release, by adding a "name" attribute to
- "cache" elements and increasing the version number
- to 2.2. (This is a minor version change, but may
- affect XML parsers if they assume the cache element
- doesn't take an attribute.)
+2705. [placeholder]
2704. [bug] Serial of dynamic and stub zones could be inconsistent
with their SOA serial. [RT #19387]
+2703. [func] Introduce an OpenSSL "engine" argument with -E
+ for all binaries which can take benefit of
+ crypto hardware. [RT #20230]
+
+2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
+
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
@@ -521,6 +1170,8 @@
2699. [bug] Missing lock in rbtdb.c. [RT #20037]
+2698. [placeholder]
+
2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
S_IFREG are defined after including <isc/stat.h>.
[RT #20309]
@@ -528,8 +1179,25 @@
2696. [bug] named failed to successfully process some valid
acl constructs. [RT #20308]
+2695. [func] DHCP/DDNS - update fdwatch code for use by
+ DHCP. Modify the api to isc_sockfdwatch_t (the
+ callback functon for isc_socket_fdwatchcreate)
+ to include information about the direction (read
+ or write) and add isc_socket_fdwatchpoke.
+ [RT #20253]
+
+2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
+ [RT #19970]
+
+2693. [port] Add some noreturn attributes. [RT #20257]
+
2692. [port] win32: 32/64 bit cleanups. [RT #20335]
+2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
+ chain when re-signing a previously-signed zone.
+ Use -u to modify NSEC3 parameters or switch
+ between NSEC and NSEC3. [RT #20304]
+
2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
[RT #20315]
@@ -538,25 +1206,102 @@
2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
to decide to fetch the destination address. [RT #20305]
+2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
+ Also, added warnings when revoking a ZSK, as this is
+ not defined by protocol (but is legal). [RT #19943]
+
2686. [bug] dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vice versa. [RT #20301]
+2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
+
+2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+ +adflag and +cdflag. [RT #19305]
+
2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
[RT #20246]
+2682. [bug] "configure --enable-symtable=all" failed to
+ build. [RT #20282]
+
2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]
+2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
+
+2679. [func] dig -k can now accept TSIG keys in named.conf
+ format. [RT #20031]
+
2678. [func] Treat DS queries as if "minimal-response yes;"
was set. [RT #20258]
+2677. [func] Changes to key metadata behavior:
+ - Keys without "publish" or "active" dates set will
+ no longer be used for smart signing. However,
+ those dates will be set to "now" by default when
+ a key is created; to generate a key but not use
+ it yet, use dnssec-keygen -G.
+ - New "inactive" date (dnssec-keygen/settime -I)
+ sets the time when a key is no longer used for
+ signing but is still published.
+ - The "unpublished" date (-U) is deprecated in
+ favour of "deleted" (-D).
+ [RT #20247]
+
+2676. [bug] --with-export-installdir should have been
+ --with-export-includedir. [RT #20252]
+
+2675. [bug] dnssec-signzone could crash if the key directory
+ did not exist. [RT #20232]
+
+ --- 9.7.0a3 released ---
+
+2674. [bug] "dnssec-lookaside auto;" crashed if named was built
+ without openssl. [RT #20231]
+
+2673. [bug] The managed-keys.bind zone file could fail to
+ load due to a spurious result from sync_keyzone()
+ [RT #20045]
+
2672. [bug] Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]
+2671. [bug] Add support for PKCS#11 providers not returning
+ the public exponent in RSA private keys
+ (OpenCryptoki for instance) in
+ dnssec-keyfromlabel. [RT #19294]
+
2670. [bug] Unexpected connect failures failed to log enough
information to be useful. [RT #20205]
+2669. [func] Update PKCS#11 support to support Keyper HSM.
+ Update PKCS#11 patch to be against openssl-0.9.8i.
+
+2668. [func] Several improvements to dnssec-* tools, including:
+ - dnssec-keygen and dnssec-settime can now set key
+ metadata fields 0 (to unset a value, use "none")
+ - dnssec-revoke sets the revocation date in
+ addition to the revoke bit
+ - dnssec-settime can now print individual metadata
+ fields instead of always printing all of them,
+ and can print them in unix epoch time format for
+ use by scripts
+ [RT #19942]
+
+2667. [func] Add support for logging stack backtrace on assertion
+ failure (not available for all platforms). [RT #19780]
+
+2666. [func] Added an 'options' argument to dns_name_fromstring()
+ (API change from 9.7.0a2). [RT #20196]
+
+2665. [func] Clarify syntax for managed-keys {} statement, add
+ ARM documentation about RFC 5011 support. [RT #19874]
+
+2664. [bug] create_keydata() and minimal_update() in zone.c
+ didn't properly check return values for some
+ functions. [RT #19956]
+
2663. [func] win32: allow named to run as a service using
"NT AUTHORITY\LocalService" as the account. [RT #19977]
@@ -567,19 +1312,40 @@
2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
creating lwres context. [RT #20029]
+2660. [func] Add a new set of DNS libraries for non-BIND9
+ applications. See README.libdns. [RT #19369]
+
2659. [doc] Clarify dnssec-keygen doc: key name must match zone
name for DNSSEC keys. [RT #19938]
+2658. [bug] dnssec-settime and dnssec-revoke didn't process
+ key file paths correctly. [RT #20078]
+
+2657. [cleanup] Lower "journal file <path> does not exist, creating it"
+ log level to debug 1. [RT #20058]
+
2656. [func] win32: add a "tools only" check box to the installer
which causes it to only install dig, host, nslookup,
nsupdate and relevant DLLs. [RT #19998]
2655. [doc] Document that key-directory does not affect
- rndc.key. [RT #20155]
+ bind.keys, rndc.key or session.key. [RT #20155]
+
+2654. [bug] Improve error reporting on duplicated names for
+ deny-answer-xxx. [RT #20164]
2653. [bug] Treat ENGINE_load_private_key() failures as key
not found rather than out of memory. [RT #18033]
+2652. [func] Provide more detail about what record is being
+ deleted. [RT #20061]
+
+2651. [bug] Dates could print incorrectly in K*.key files on
+ 64-bit systems. [RT #20076]
+
+2650. [bug] Assertion failure in dnssec-signzone when trying
+ to read keyset-* files. [RT #20075]
+
2649. [bug] Set the domain for forward only zones. [RT #19944]
2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
@@ -592,37 +1358,99 @@
2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
which default to 64 bits. [RT #19927]
+ --- 9.7.0a2 released ---
+
+2644. [bug] Change #2628 caused a regression on some systems;
+ named was unable to write the PID file and would
+ fail on startup. [RT #20001]
+
2643. [bug] Stub zones interacted badly with NSEC3 support.
[RT #19777]
2642. [bug] nsupdate could dump core on solaris when reading
improperly formatted key files. [RT #20015]
+2641. [bug] Fixed an error in parsing update-policy syntax,
+ added a regression test to check it. [RT #20007]
+
2640. [security] A specially crafted update packet will cause named
to exit. [RT #20000]
2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
+2638. [bug] Install arpaname. [RT #19957]
+
2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]
+2636. [func] Simplify zone signing and key maintenance with the
+ dnssec-* tools. Major changes:
+ - all dnssec-* tools now take a -K option to
+ specify a directory in which key files will be
+ stored
+ - DNSSEC can now store metadata indicating when
+ they are scheduled to be published, activated,
+ revoked or removed; these values can be set by
+ dnssec-keygen or overwritten by the new
+ dnssec-settime command
+ - dnssec-signzone -S (for "smart") option reads key
+ metadata and uses it to determine automatically
+ which keys to publish to the zone, use for
+ signing, revoke, or remove from the zone
+ [RT #19816]
+
2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]
+2634. [port] win32: Add support for libxml2, enable
+ statschannel. [RT #19773]
+
2633. [bug] Handle 15 bit rand() functions. [RT #19783]
2632. [func] util/kit.sh: warn if documentation appears to be out of
date. [RT #19922]
+2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
+ [RT #19926 ]
+
+2630. [func] Improved syntax for DDNS autoconfiguration: use
+ "update-policy local;" to switch on local DDNS in a
+ zone. (The "ddns-autoconf" option has been removed.)
+ [RT #19875]
+
+2629. [port] Check for seteuid()/setegid(), use setresuid()/
+ setresgid() if not present. [RT #19932]
+
+2628. [port] linux: Allow /var/run/named/named.pid to be opened
+ at startup with reduced capabilities in operation.
+ [RT #19884]
+
+2627. [bug] Named aborted if the same key was included in
+ trusted-keys more than once. [RT #19918]
+
+2626. [bug] Multiple trusted-keys could trigger an assertion
+ failure. [RT #19914]
+
2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
-2623. [bug] Named started seaches for DS non-optimally. [RT #19915]
+2624. [func] 'named-checkconf -p' will print out the parsed
+ configuration. [RT #18871]
+
+2623. [bug] Named started searches for DS non-optimally. [RT #19915]
-2621. [doc] Made copyright boilterplate consistent. [RT #19833]
+2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
+
+2621. [doc] Made copyright boilerplate consistent. [RT #19833]
2620. [bug] Delay thawing the zone until the reload of it has
completed successfully. [RT #19750]
+2619. [func] Add support for RFC 5011, automatic trust anchor
+ maintenance. The new "managed-keys" statement can
+ be used in place of "trusted-keys" for zones which
+ support this protocol. (Note: this syntax is
+ expected to change prior to 9.7.0 final.) [RT #19248]
+
2618. [bug] The sdb and sdlz db_interator_seek() methods could
loop infinitely. [RT #19847]
@@ -638,11 +1466,33 @@
2614. [port] win32: 'named -v' should automatically be executed
in the foreground. [RT #19844]
-2613. [bug] Option argument validation was missing for
- dnssec-dsfromkey. [RT #19828]
+2613. [placeholder]
+
+ --- 9.7.0a1 released ---
+
+2612. [func] Add default values for the arguments to
+ dnssec-keygen. Without arguments, it will now
+ generate a 1024-bit RSASHA1 zone-signing key,
+ or with the -f KSK option, a 2048-bit RSASHA1
+ key-signing key. [RT #19300]
+
+2611. [func] Add -l option to dnssec-dsfromkey to generate
+ DLV records instead of DS records. [RT #19300]
2610. [port] sunos: Change #2363 was not complete. [RT #19796]
+2609. [func] Simplify the configuration of dynamic zones:
+ - add ddns-confgen command to generate
+ configuration text for named.conf
+ - add zone option "ddns-autoconf yes;", which
+ causes named to generate a TSIG session key
+ and allow updates to the zone using that key
+ - add '-l' (localhost) option to nsupdate, which
+ causes nsupdate to connect to a locally-running
+ named process using the session key generated
+ by named
+ [RT #19284]
+
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.
@@ -652,27 +1502,6 @@
self signed. That all records in the zone are signed
by the algorithm. [RT #19653]
-2601. [doc] Mention file creation mode mask in the
- named manual page.
-
-2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
-
-2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
- [RT #19626]
-
-2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
- Requires MySQL 5.0.19 or later. [RT #19084]
-
-2580. [bug] UpdateRej statistics counter could be incremented twice
- for one rejection. [RT #19476]
-
-2533. [doc] ARM: document @ (at-sign). [RT #17144]
-
-2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
- function. [RT #18582]
-
- --- 9.6.1 released ---
-
2607. [bug] named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
[RT #19749]
@@ -683,6 +1512,11 @@
2605. [bug] Accept DS responses from delegation only zones.
[RT # 19296]
+2604. [func] Add support for DNS rebinding attack prevention through
+ new options, deny-answer-addresses and
+ deny-answer-aliases. Based on contributed code from
+ JD Nurmi, Google. [RT #18192]
+
2603. [port] win32: handle .exe extension of named-checkzone and
named-comilezone argv[0] names under windows.
[RT #19767]
@@ -690,11 +1524,17 @@
2602. [port] win32: fix debugging command line build of libisccfg.
[RT #19767]
- --- 9.6.1rc1 released ---
+2601. [doc] Mention file creation mode mask in the
+ named manual page.
+
+2600. [doc] ARM: miscellaneous reformatting for different
+ page widths. [RT #19574]
2599. [bug] Address rapid memory growth when validation fails.
[RT #19654]
+2598. [func] Reserve the -F flag. [RT #19657]
+
2597. [bug] Handle a validation failure with a insecure delegation
from a NSEC3 signed master/slave zone. [RT #19464]
@@ -704,16 +1544,31 @@
2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
+2594. [func] Have rndc warn if using its default configuration
+ file when the key file also exists. [RT #19424]
+
+2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
+
2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
2591. [bug] named could die when processing a update in
removed_orphaned_ds(). [RT #19507]
+2590. [func] Report zone/class of "update with no effect".
+ [RT #19542]
+
+2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
+ [RT #19626]
+
2588. [bug] SO_REUSEADDR could be set unconditionally after failure
of bind(2) call. This should be rare and mostly
harmless, but may cause interference with other
processes that happen to use the same port. [RT #19642]
+2587. [func] Improve logging by reporting serial numbers for
+ when zone serial has gone backwards or unchanged.
+ [RT #19506]
+
2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
or SDB. [RT #19577]
@@ -730,28 +1585,57 @@
2582. [bug] Don't emit warning log message when we attempt to
remove non-existent journal. [RT #19516]
+2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
+ Requires MySQL 5.0.19 or later. [RT #19084]
+
+2580. [bug] UpdateRej statistics counter could be incremented twice
+ for one rejection. [RT #19476]
+
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
2578. [bug] Changed default sig-signing-type to 65534, because
65535 turns out to be reserved. [RT #19477]
-2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
- [RT #18837]
-
- --- 9.6.1b1 released ---
-
2577. [doc] Clarified some statistics counters. [RT #19454]
2576. [bug] NSEC record were not being correctly signed when
a zone transitions from insecure to secure.
Handle such incorrectly signed zones. [RT #19114]
+2575. [func] New functions dns_name_fromstring() and
+ dns_name_tostring(), to simplify conversion
+ of a string to a dns_name structure and vice
+ versa. [RT #19451]
+
2574. [doc] Document nsupdate -g and -o. [RT #19351]
2573. [bug] Replacing a non-CNAME record with a CNAME record in a
single transaction in a signed zone failed. [RT #19397]
+2572. [func] Simplify DLV configuration, with a new option
+ "dnssec-lookaside auto;" This is the equivalent
+ of "dnssec-lookaside . trust-anchor dlv.isc.org;"
+ plus setting a trusted-key for dlv.isc.org.
+
+ Note: The trusted key is hard-coded into named,
+ but is also stored in (and can be overridden
+ by) $sysconfdir/bind.keys. As the ISC DLV key
+ rolls over it can be kept up to date by replacing
+ the bind.keys file with a key downloaded from
+ https://www.isc.org/solutions/dlv. [RT #18685]
+
+2571. [func] Add a new tool "arpaname" which translates IP addresses
+ to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
+ [RT #18976]
+
+2570. [func] Log the destination address the query was sent to.
+ [RT #19209]
+
+2569. [func] Move journalprint, nsec3hash, and genrandom
+ commands from bin/tests into bin/tools;
+ "make install" will put them in $sbindir. [RT #19301]
+
2568. [bug] Report when the write to indicate a otherwise
successful start fails. [RT #19360]
@@ -760,6 +1644,15 @@
dnssec-dsfromkey could miss write errors.
[RT #19360]
+2566. [cleanup] Clarify logged message when an insecure DNSSEC
+ response arrives from a zone thought to be secure:
+ "insecurity proof failed" instead of "not
+ insecure". [RT #19400]
+
+2565. [func] Add support for HIP record. Includes new functions
+ dns_rdata_hip_first(), dns_rdata_hip_next()
+ and dns_rdata_hip_current(). [RT #19384]
+
2564. [bug] Only take EDNS fallback steps when processing timeouts.
[RT #19405]
@@ -776,6 +1669,10 @@
2559. [bug] dnssec-dsfromkey could compute bad DS records when
reading from a K* files. [RT #19357]
+2558. [func] Set the ownership of missing directories created
+ for pid-file if -u has been specified on the command
+ line. [RT #19328]
+
2557. [cleanup] PCI compliance:
* new libisc log module file
* isc_dir_chroot() now also changes the working
@@ -787,6 +1684,9 @@
error checks in the correct order resulting in the
wrong error code sometimes being returned. [RT #19249]
+2555. [func] dig: when emitting a hex dump also display the
+ corresponding characters. [RT #19258]
+
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297]
@@ -810,6 +1710,10 @@
function isc_mem_reallocate() was introduced to address
this bug. [RT #19313]
+2546. [func] Add --enable-openssl-hash configure flag to use
+ OpenSSL (in place of internal routine) for hash
+ functions (MD5, SHA[12] and HMAC). [RT #18815]
+
2545. [doc] ARM: Legal hostname checking (check-names) is
for SRV RDATA too. [RT #19304]
@@ -822,6 +1726,8 @@
2541. [bug] Conditionally update dispatch manager statistics.
[RT #19247]
+2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
+
2539. [security] Update the interaction between recursion, allow-query,
allow-query-cache and allow-recursion. [RT #19198]
@@ -829,7 +1735,7 @@
especially with threads and smaller max-cache-size
values. [RT #19240]
-2537. [experimental] Added more statistics counters including those on socket
+2537. [func] Added more statistics counters including those on socket
I/O events and query RTT histograms. [RT #18802]
2536. [cleanup] Silence some warnings when -Werror=format-security is
@@ -837,6 +1743,12 @@
2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
+2534. [func] Check NAPTR records regular expressions and
+ replacement strings to ensure they are syntactically
+ valid and consistant. [RT #18168]
+
+2533. [doc] ARM: document @ (at-sign). [RT #17144]
+
2532. [bug] dig: check the question section of the response to
see if it matches the asked question. [RT #18495]
@@ -851,10 +1763,14 @@
2528. [cleanup] Silence spurious configure warning about
--datarootdir [RT #19096]
-2527. [bug] named could reuse cache on reload with
- enabling/disabling validation. [RT #19119]
+2527. [placeholder]
-2525. [experimental] New logging category "query-errors" to provide detailed
+2526. [func] New named option "attach-cache" that allows multiple
+ views to share a single cache to save memory and
+ improve lookup efficiency. Based on contributed code
+ from Barclay Osborn, Google. [RT #18905]
+
+2525. [func] New logging category "query-errors" to provide detailed
internal information about query failures, especially
about server failures. [RT #19027]
@@ -867,10 +1783,17 @@
2521. [bug] Improve epoll cross compilation support. [RT #19047]
+2520. [bug] Update xml statistics version number to 2.0 as change
+ #2388 made the schema incompatible to the previous
+ version. [RT #19080]
+
2519. [bug] dig/host with -4 or -6 didn't work if more than two
nameserver addresses of the excluded address family
preceded in resolv.conf. [RT #19081]
+2518. [func] Add support for the new CERT types from RFC 4398.
+ [RT #19077]
+
2517. [bug] dig +trace with -4 or -6 failed when it chose a
nameserver address of the excluded address type.
[RT #18843]
@@ -878,45 +1801,56 @@
2516. [bug] glue sort for responses was performed even when not
needed. [RT #19039]
+2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
+ [RT #19063]
+
2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
a nameserver of the excluded address family.
[RT #18848]
+2513. [bug] Fix windows cli build. [RT #19062]
+
+2512. [func] Print a summary of the cached records which make up
+ the negative response. [RT #18885]
+
2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
[RT #18885]
+2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
+ [RT #19033]
+
+2509. [bug] Specifying a fixed query source port was broken.
+ [RT #19051]
+
+2508. [placeholder]
+
+2507. [func] Log the recursion quota values when killing the
+ oldest query or refusing to recurse due to quota.
+ [RT #19022]
+
2506. [port] solaris: Check at configure time if
hack_shutup_pthreadonceinit is needed. [RT #19037]
2505. [port] Treat amd64 similarly to x86_64 when determining
atomic operation support. [RT #19031]
+2504. [bug] Address race condition in the socket code. [RT #18899]
+
2503. [port] linux: improve compatibility with Linux Standard
Base. [RT #18793]
2502. [cleanup] isc_radix: Improve compliance with coding style,
document function in <isc/radix.h>. [RT #18534]
- --- 9.6.0 released ---
-
-2520. [bug] Update xml statistics version number to 2.0 as change
- #2388 made the schema incompatible to the previous
- version. [RT #19080]
-
- --- 9.6.0rc2 released ---
-
-2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
- [RT #19063]
-
-2513. [bug] Fix windows cli build. [RT #19062]
-
-2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
- [RT #19033]
+2501. [func] $GENERATE now supports all rdata types. Multi-field
+ rdata types need to be quoted. See the ARM for
+ details. [RT #18368]
-2509. [bug] Specifying a fixed query source port was broken.
- [RT #19051]
+2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
+ function. [RT #18582]
-2504. [bug] Address race condition in the socket code. [RT #18899]
+2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
+ [RT #18837]
--- 9.6.0rc1 released ---
diff --git a/COPYRIGHT b/COPYRIGHT
index ee90ece313ec..8721ceca8462 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-$Id: COPYRIGHT,v 1.14.176.3 2011-01-04 23:45:42 tbox Exp $
+$Id: COPYRIGHT,v 1.17 2011-01-04 23:47:13 tbox Exp $
Portions Copyright (C) 1996-2001 Nominum, Inc.
diff --git a/FAQ.xml b/FAQ.xml
index a9b2b41bbe67..4c83f7647075 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.46.56.9 2010-01-20 23:47:43 tbox Exp $ -->
+<!-- $Id: FAQ.xml,v 1.54 2010-01-19 23:48:55 tbox Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
diff --git a/HISTORY b/HISTORY
new file mode 100644
index 000000000000..e98f9b41460d
--- /dev/null
+++ b/HISTORY
@@ -0,0 +1,313 @@
+Summary of functional enhancements from prior major releases of BIND 9:
+
+BIND 9.6.0
+
+ Full NSEC3 support
+
+ Automatic zone re-signing
+
+ New update-policy methods tcp-self and 6to4-self
+
+ The BIND 8 resolver library, libbind, has been removed from the
+ BIND 9 distribution and is now available as a separate download.
+
+ Change the default pid file location from /var/run to
+ /var/run/{named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+ GSS-TSIG support (RFC 3645).
+
+ DHCID support.
+
+ Experimental http server and statistics support for named via xml.
+
+ More detailed statistics counters including those supported in BIND 8.
+
+ Faster ACL processing.
+
+ Use Doxygen to generate internal documentation.
+
+ Efficient LRU cache-cleaning mechanism.
+
+ NSID support.
+
+BIND 9.4.0
+
+ Implemented "additional section caching (or acache)", an
+ internal cache framework for additional section content to
+ improve response performance. Several configuration options
+ were provided to control the behavior.
+
+ New notify type 'master-only'. Enable notify for master
+ zones only.
+
+ Accept 'notify-source' style syntax for query-source.
+
+ rndc now allows addresses to be set in the server clauses.
+
+ New option "allow-query-cache". This lets "allow-query"
+ be used to specify the default zone access level rather
+ than having to have every zone override the global value.
+ "allow-query-cache" can be set at both the options and view
+ levels. If "allow-query-cache" is not set then "allow-recursion"
+ is used if set, otherwise "allow-query" is used if set
+ unless "recursion no;" is set in which case "none;" is used,
+ otherwise the default (localhost; localnets;) is used.
+
+ rndc: the source address can now be specified.
+
+ ixfr-from-differences now takes master and slave in addition
+ to yes and no at the options and view levels.
+
+ Allow the journal's name to be changed via named.conf.
+
+ 'rndc notify zone [class [view]]' resend the NOTIFY messages
+ for the specified zone.
+
+ 'dig +trace' now randomly selects the next servers to try.
+ Report if there is a bad delegation.
+
+ Improve check-names error messages.
+
+ Make public the function to read a key file, dst_key_read_public().
+
+ dig now returns the byte count for axfr/ixfr.
+
+ allow-update is now settable at the options / view level.
+
+ named-checkconf now checks the logging configuration.
+
+ host now can turn on memory debugging flags with '-m'.
+
+ Don't send notify messages to self.
+
+ Perform sanity checks on NS records which refer to 'in zone' names.
+
+ New zone option "notify-delay". Specify a minimum delay
+ between sets of NOTIFY messages.
+
+ Extend adjusting TTL warning messages.
+
+ Named and named-checkzone can now both check for non-terminal
+ wildcard records.
+
+ "rndc freeze/thaw" now freezes/thaws all zones.
+
+ named-checkconf now check acls to verify that they only
+ refer to existing acls.
+
+ The server syntax has been extended to support a range of
+ servers.
+
+ Report differences between hints and real NS rrset and
+ associated address records.
+
+ Preserve the case of domain names in rdata during zone
+ transfers.
+
+ Restructured the data locking framework using architecture
+ dependent atomic operations (when available), improving
+ response performance on multi-processor machines significantly.
+ x86, x86_64, alpha, powerpc, and mips are currently supported.
+
+ UNIX domain controls are now supported.
+
+ Add support for additional zone file formats for improving
+ loading performance. The masterfile-format option in
+ named.conf can be used to specify a non-default format. A
+ separate command named-compilezone was provided to generate
+ zone files in the new format. Additionally, the -I and -O
+ options for dnssec-signzone specify the input and output
+ formats.
+
+ dnssec-signzone can now randomize signature end times
+ (dnssec-signzone -j jitter).
+
+ Add support for CH A record.
+
+ Add additional zone data constancy checks. named-checkzone
+ has extended checking of NS, MX and SRV record and the hosts
+ they reference. named has extended post zone load checks.
+ New zone options: check-mx and integrity-check.
+
+
+ edns-udp-size can now be overridden on a per server basis.
+
+ dig can now specify the EDNS version when making a query.
+
+ Added framework for handling multiple EDNS versions.
+
+ Additional memory debugging support to track size and mctx
+ arguments.
+
+ Detect duplicates of UDP queries we are recursing on and
+ drop them. New stats category "duplicates".
+
+ "USE INTERNAL MALLOC" is now runtime selectable.
+
+ The lame cache is now done on a <qname,qclass,qtype> basis
+ as some servers only appear to be lame for certain query
+ types.
+
+ Limit the number of recursive clients that can be waiting
+ for a single query (<qname,qtype,qclass>) to resolve. New
+ options clients-per-query and max-clients-per-query.
+
+ dig: report the number of extra bytes still left in the
+ packet after processing all the records.
+
+ Support for IPSECKEY rdata type.
+
+ Raise the UDP recieve buffer size to 32k if it is less than 32k.
+
+ x86 and x86_64 now have seperate atomic locking implementations.
+
+ named-checkconf now validates update-policy entries.
+
+ Attempt to make the amount of work performed in a iteration
+ self tuning. The covers nodes clean from the cache per
+ iteration, nodes written to disk when rewriting a master
+ file and nodes destroyed per iteration when destroying a
+ zone or a cache.
+
+ ISC string copy API.
+
+ Automatic empty zone creation for D.F.IP6.ARPA and friends.
+ Note: RFC 1918 zones are not yet covered by this but are
+ likely to be in a future release.
+
+ New options: empty-server, empty-contact, empty-zones-enable
+ and disable-empty-zone.
+
+ dig now has a '-q queryname' and '+showsearch' options.
+
+ host/nslookup now continue (default)/fail on SERVFAIL.
+
+ dig now warns if 'RA' is not set in the answer when 'RD'
+ was set in the query. host/nslookup skip servers that fail
+ to set 'RA' when 'RD' is set unless a server is explicitly
+ set.
+
+ Integrate contibuted DLZ code into named.
+
+ Integrate contibuted IDN code from JPNIC.
+
+ libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+ DNSSEC is now DS based (RFC 3658).
+ See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
+
+ DNSSEC lookaside validation.
+
+ check-names is now implemented.
+ rrset-order in more complete.
+
+ IPv4/IPv6 transition support, dual-stack-servers.
+
+ IXFR deltas can now be generated when loading master files,
+ ixfr-from-differences.
+
+ It is now possible to specify the size of a journal, max-journal-size.
+
+ It is now possible to define a named set of master servers to be
+ used in masters clause, masters.
+
+ The advertised EDNS UDP size can now be set, edns-udp-size.
+
+ allow-v6-synthesis has been obsoleted.
+
+ NOTE:
+ * Zones containing MD and MF will now be rejected.
+ * dig, nslookup name. now report "Not Implemented" as
+ NOTIMP rather than NOTIMPL. This will have impact on scripts
+ that are looking for NOTIMPL.
+
+ libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+ The size of the cache can now be limited using the
+ "max-cache-size" option.
+
+ The server can now automatically convert RFC1886-style recursive
+ lookup requests into RFC2874-style lookups, when enabled using the
+ new option "allow-v6-synthesis". This allows stub resolvers that
+ support AAAA records but not A6 record chains or binary labels to
+ perform lookups in domains that make use of these IPv6 DNS
+ features.
+
+ Performance has been improved.
+
+ The man pages now use the more portable "man" macros rather than
+ the "mandoc" macros, and are installed by "make install".
+
+ The named.conf parser has been completely rewritten. It now
+ supports "include" directives in more places such as inside "view"
+ statements, and it no longer has any reserved words.
+
+ The "rndc status" command is now implemented.
+
+ rndc can now be configured automatically.
+
+ A BIND 8 compatible stub resolver library is now included in
+ lib/bind.
+
+ OpenSSL has been removed from the distribution. This means that to
+ use DNSSEC, OpenSSL must be installed and the --with-openssl option
+ must be supplied to configure. This does not apply to the use of
+ TSIG, which does not require OpenSSL.
+
+ The source distribution now builds on Windows. See
+ win32utils/readme1.txt and win32utils/win32-build.txt for details.
+
+ This distribution also includes a new lightweight stub
+ resolver library and associated resolver daemon that fully
+ support forward and reverse lookups of both IPv4 and IPv6
+ addresses. This library is considered experimental and
+ is not a complete replacement for the BIND 8 resolver library.
+ Applications that use the BIND 8 res_* functions to perform
+ DNS lookups or dynamic updates still need to be linked against
+ the BIND 8 libraries. For DNS lookups, they can also use the
+ new "getrrsetbyname()" API.
+
+ BIND 9.2 is capable of acting as an authoritative server
+ for DNSSEC secured zones. This functionality is believed to
+ be stable and complete except for lacking support for
+ verifications involving wildcard records in secure zones.
+
+ When acting as a caching server, BIND 9.2 can be configured
+ to perform DNSSEC secure resolution on behalf of its clients.
+ This part of the DNSSEC implementation is still considered
+ experimental. For detailed information about the state of the
+ DNSSEC implementation, see the file doc/misc/dnssec.
+
+ There are a few known bugs:
+
+ On some systems, IPv6 and IPv4 sockets interact in
+ unexpected ways. For details, see doc/misc/ipv6.
+ To reduce the impact of these problems, the server
+ no longer listens for requests on IPv6 addresses
+ by default. If you need to accept DNS queries over
+ IPv6, you must specify "listen-on-v6 { any; };"
+ in the named.conf options statement.
+
+ FreeBSD prior to 4.2 (and 4.2 if running as non-root)
+ and OpenBSD prior to 2.8 log messages like
+ "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
+ This is due to a bug in "/dev/random" and impacts the
+ server's DNSSEC support.
+
+ OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
+ OS X 10.2 (Darwin 6.0) reports errors like
+ "fcntl(3, F_SETFL, 4): Operation not supported by device".
+ This is due to a bug in "/dev/random" and impacts the
+ server's DNSSEC support.
+
+ --with-libtool does not work on AIX.
+
+ A bug in some versions of the Microsoft DNS server can cause zone
+ transfers from a BIND 9 server to a W2K server to fail. For details,
+ see the "Zone Transfers" section in doc/misc/migration.
diff --git a/KNOWN-DEFECTS b/KNOWN-DEFECTS
deleted file mode 100644
index 83d71759740e..000000000000
--- a/KNOWN-DEFECTS
+++ /dev/null
@@ -1,15 +0,0 @@
-dnssec-signzone was designed so that it could sign a zone partially, using
-only a subset of the DNSSEC keys needed to produce a fully-signed zone.
-This permits a zone administrator, for example, to sign a zone with one
-key on one machine, move the resulting partially-signed zone to a second
-machine, and sign it again with a second key.
-
-An unfortunate side-effect of this flexibility is that dnssec-signzone
-does not check to make sure it's signing a zone with any valid keys at
-all. An attempt to sign a zone without any keys will appear to succeed,
-producing a "signed" zone with no signatures. There is no warning issued
-when a zone is not signed.
-
-This will be corrected in a future release. In the meantime, ISC
-recommends examining the output of dnssec-signzone to confirm that
-the zone is properly signed by all keys before using it.
diff --git a/Makefile.in b/Makefile.in
index e4d56396da2b..95944d9fa4ff 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.52.48.2 2009-02-20 23:47:23 tbox Exp $
+# $Id: Makefile.in,v 1.58 2009-11-26 20:52:44 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -21,13 +21,13 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
-SUBDIRS = make lib bin doc
+SUBDIRS = make lib bin doc @LIBEXPORT@
TARGETS =
MANPAGES = isc-config.sh.1
-
+
HTMLPAGES = isc-config.sh.html
-
+
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@@ -54,7 +54,8 @@ installdirs:
install:: isc-config.sh installdirs
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
tags:
rm -f TAGS
diff --git a/NSEC3-NOTES b/NSEC3-NOTES
deleted file mode 100644
index 3f8d8f905c00..000000000000
--- a/NSEC3-NOTES
+++ /dev/null
@@ -1,128 +0,0 @@
-
- DNSSEC and UPDATE
-
- Converting from insecure to secure
-
-As of BIND 9.6.0 it is possible to move a zone between being insecure
-to secure and back again. A secure zone can be using NSEC or NSEC3.
-
-To move a zone from insecure to secure you need to configure named
-so that it can see the K* files which contain the public and private
-parts of the keys that will be used to sign the zone. These files
-will have been generated by dnssec-keygen. You can do this by
-placing them in the key-directory as specified in named.conf.
-
- zone example.net {
- type master;
- allow-update { .... };
- file "dynamic/example.net/example.net";
- key-directory "dynamic/example.net";
- };
-
-Assuming one KSK and one ZSK DNSKEY key have been generated. Then
-this will cause the zone to be signed with the ZSK and the DNSKEY
-RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
-generated as part of the initial signing process.
-
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > send
-
-While the update request will complete almost immediately the zone
-will not be completely signed until named has had time to walk the
-zone and generate the NSEC and RRSIG records. Initially the NSEC
-record at the zone apex will have the OPT bit set. When the NSEC
-chain is complete the OPT bit will be cleared. Additionally when
-the zone is fully signed the private type (default TYPE65534) records
-will have a non zero value for the final octet.
-
-The private type record has 5 octets.
- algorithm (octet 1)
- key id in network order (octet 2 and 3)
- removal flag (octet 4)
- complete flag (octet 5)
-
-If you wish to go straight to a secure zone using NSEC3 you should
-also add a NSEC3PARAM record to the update request with the flags
-field set to indicate whether the NSEC3 chain will have the OPTOUT
-bit set or not.
-
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > update add example.net NSEC3PARAM 1 1 100 1234567890
- > send
-
-Again the update request will complete almost immediately however the
-NSEC3PARAM record will have additional flag bits set indicating that the
-NSEC3 chain is under construction. When the NSEC3 chain is complete the
-flags field will be set to zero.
-
-While the initial signing and NSEC/NSEC3 chain generation is happening
-other updates are possible.
-
- DNSKEY roll overs via UPDATE
-
-It is possible to perform key rollovers via update. You need to
-add the K* files for the new keys so that named can find them. You
-can then add the new DNSKEY RRs via update. Named will then cause
-the zone to be signed with the new keys. When the signing is
-complete the private type records will be updated so that the last
-octet is non zero.
-
-If this is for a KSK you need to inform the parent and any trust
-anchor repositories of the new KSK.
-
-You should then wait for the maximum TLL in the zone before removing the
-old DNSKEY. If it is a KSK that is being updated you also need to wait
-for the DS RRset in the parent to be updated and its TTL to expire.
-This ensures that all clients will be able to verify at least a signature
-when you remove the old DNSKEY.
-
-The old DNSKEY can be removed via UPDATE. Take care to specify
-the correct key. Named will clean out any signatures generated by
-the old key after the update completes.
-
- NSEC3PARAM rollovers via UPDATE.
-
-Add the new NSEC3PARAM record via update. When the new NSEC3 chain
-has been generated the NSEC3PARAM flag field will be zero. At this
-point you can remove the old NSEC3PARAM record. The old chain will
-be removed after the update request completes.
-
- Converting from NSEC to NSEC3
-
-To do this you just need to add a NSEC3PARAM record. When the
-conversion is complete the NSEC chain will have been removed and
-the NSEC3PARAM record will have a zero flag field. The NSEC3 chain
-will be generated before the NSEC chain is destroyed.
-
- Converting from NSEC3 to NSEC
-
-To do this remove all NSEC3PARAM records with a zero flag field. The
-NSEC chain will be generated before the NSEC3 chain is removed.
-
- Converting from secure to insecure
-
-To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
-will be removed as well as associated NSEC3PARAM records. This will
-take place after the update requests completes.
-
- Periodic re-signing.
-
-Named will periodically re-sign RRsets which have not been re-signed
-as a result of some update action. The signature lifetimes will
-be adjusted so as to spread the re-sign load over time rather than
-all at once.
-
- NSEC3 and OPTOUT
-
-Named only supports creating new NSEC3 chains where all the NSEC3
-records in the zone have the same OPTOUT state. Named supports
-UPDATES to zones where the NSEC3 records in the chain have mixed
-OPTOUT state. Named does not support changing the OPTOUT state of
-an individual NSEC3 record, the entire chain needs to be changed if
-the OPTOUT state of an individual NSEC3 needs to be changed.
diff --git a/README b/README
index 54d90fe1f22c..00010c3983f3 100644
--- a/README
+++ b/README
@@ -42,368 +42,95 @@ BIND 9
Stichting NLnet - NLnet Foundation
Nominum, Inc.
-BIND 9.6.3
-
- BIND 9.6.3 is a maintenance release, fixing bugs in 9.6.2.
-
-BIND 9.6.2
-
- BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
- It also introduces support for the SHA-2 DNSSEC algorithms,
- RSASHA256 and RSASHA512.
-
- Known issues in this release:
-
- - A validating resolver that has been incorrectly configured with
- an invalid trust anchor will be unable to resolve names covered
- by that trust anchor. In all current versions of BIND 9, such a
- resolver will also generate significant unnecessary DNS traffic
- while trying to validate. The latter problem will be addressed
- in future BIND 9 releases. In the meantime, to avoid these
- problems, exercise caution when configuring "trusted-keys":
- make sure all keys are correct and current when you add them,
- and update your configuration in a timely manner when keys
- roll over.
-
-BIND 9.6.1
-
- BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.
-
-BIND 9.6.0
-
- BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
- releases, including:
-
- Full NSEC3 support
-
- Automatic zone re-signing
-
- New update-policy methods tcp-self and 6to4-self
-
- The BIND 8 resolver library, libbind, has been removed from the
- BIND 9 distribution and is now available as a separate download.
-
- Change the default pid file location from /var/run to
- /var/run/{named,lwresd} for improved chroot/setuid support.
-
-BIND 9.5.0
-
- BIND 9.5.0 has a number of new features over 9.4,
- including:
-
- GSS-TSIG support (RFC 3645).
-
- DHCID support.
-
- Experimental http server and statistics support for named via xml.
-
- More detailed statistics counters including those supported in BIND 8.
-
- Faster ACL processing.
-
- Use Doxygen to generate internal documentation.
-
- Efficient LRU cache-cleaning mechanism.
-
- NSID support.
-
-BIND 9.4.0
-
- BIND 9.4.0 has a number of new features over 9.3,
- including:
-
- Implemented "additional section caching (or acache)", an
- internal cache framework for additional section content to
- improve response performance. Several configuration options
- were provided to control the behavior.
-
- New notify type 'master-only'. Enable notify for master
- zones only.
-
- Accept 'notify-source' style syntax for query-source.
-
- rndc now allows addresses to be set in the server clauses.
-
- New option "allow-query-cache". This lets "allow-query"
- be used to specify the default zone access level rather
- than having to have every zone override the global value.
- "allow-query-cache" can be set at both the options and view
- levels. If "allow-query-cache" is not set then "allow-recursion"
- is used if set, otherwise "allow-query" is used if set
- unless "recursion no;" is set in which case "none;" is used,
- otherwise the default (localhost; localnets;) is used.
-
- rndc: the source address can now be specified.
-
- ixfr-from-differences now takes master and slave in addition
- to yes and no at the options and view levels.
-
- Allow the journal's name to be changed via named.conf.
-
- 'rndc notify zone [class [view]]' resend the NOTIFY messages
- for the specified zone.
-
- 'dig +trace' now randomly selects the next servers to try.
- Report if there is a bad delegation.
-
- Improve check-names error messages.
-
- Make public the function to read a key file, dst_key_read_public().
-
- dig now returns the byte count for axfr/ixfr.
-
- allow-update is now settable at the options / view level.
-
- named-checkconf now checks the logging configuration.
-
- host now can turn on memory debugging flags with '-m'.
-
- Don't send notify messages to self.
-
- Perform sanity checks on NS records which refer to 'in zone' names.
-
- New zone option "notify-delay". Specify a minimum delay
- between sets of NOTIFY messages.
-
- Extend adjusting TTL warning messages.
-
- Named and named-checkzone can now both check for non-terminal
- wildcard records.
-
- "rndc freeze/thaw" now freezes/thaws all zones.
-
- named-checkconf now check acls to verify that they only
- refer to existing acls.
-
- The server syntax has been extended to support a range of
- servers.
-
- Report differences between hints and real NS rrset and
- associated address records.
-
- Preserve the case of domain names in rdata during zone
- transfers.
-
- Restructured the data locking framework using architecture
- dependent atomic operations (when available), improving
- response performance on multi-processor machines significantly.
- x86, x86_64, alpha, powerpc, and mips are currently supported.
-
- UNIX domain controls are now supported.
-
- Add support for additional zone file formats for improving
- loading performance. The masterfile-format option in
- named.conf can be used to specify a non-default format. A
- separate command named-compilezone was provided to generate
- zone files in the new format. Additionally, the -I and -O
- options for dnssec-signzone specify the input and output
- formats.
-
- dnssec-signzone can now randomize signature end times
- (dnssec-signzone -j jitter).
-
- Add support for CH A record.
-
- Add additional zone data constancy checks. named-checkzone
- has extended checking of NS, MX and SRV record and the hosts
- they reference. named has extended post zone load checks.
- New zone options: check-mx and integrity-check.
-
-
- edns-udp-size can now be overridden on a per server basis.
-
- dig can now specify the EDNS version when making a query.
-
- Added framework for handling multiple EDNS versions.
-
- Additional memory debugging support to track size and mctx
- arguments.
-
- Detect duplicates of UDP queries we are recursing on and
- drop them. New stats category "duplicates".
-
- "USE INTERNAL MALLOC" is now runtime selectable.
-
- The lame cache is now done on a <qname,qclass,qtype> basis
- as some servers only appear to be lame for certain query
- types.
-
- Limit the number of recursive clients that can be waiting
- for a single query (<qname,qtype,qclass>) to resolve. New
- options clients-per-query and max-clients-per-query.
-
- dig: report the number of extra bytes still left in the
- packet after processing all the records.
-
- Support for IPSECKEY rdata type.
-
- Raise the UDP recieve buffer size to 32k if it is less than 32k.
-
- x86 and x86_64 now have seperate atomic locking implementations.
-
- named-checkconf now validates update-policy entries.
-
- Attempt to make the amount of work performed in a iteration
- self tuning. The covers nodes clean from the cache per
- iteration, nodes written to disk when rewriting a master
- file and nodes destroyed per iteration when destroying a
- zone or a cache.
-
- ISC string copy API.
-
- Automatic empty zone creation for D.F.IP6.ARPA and friends.
- Note: RFC 1918 zones are not yet covered by this but are
- likely to be in a future release.
-
- New options: empty-server, empty-contact, empty-zones-enable
- and disable-empty-zone.
-
- dig now has a '-q queryname' and '+showsearch' options.
-
- host/nslookup now continue (default)/fail on SERVFAIL.
-
- dig now warns if 'RA' is not set in the answer when 'RD'
- was set in the query. host/nslookup skip servers that fail
- to set 'RA' when 'RD' is set unless a server is explicitly
- set.
-
- Integrate contibuted DLZ code into named.
-
- Integrate contibuted IDN code from JPNIC.
-
- libbind: corresponds to that from BIND 8.4.7.
-
-BIND 9.3.0
-
- BIND 9.3.0 has a number of new features over 9.2,
- including:
-
- DNSSEC is now DS based (RFC 3658).
- See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
-
- DNSSEC lookaside validation.
-
- check-names is now implemented.
- rrset-order in more complete.
-
- IPv4/IPv6 transition support, dual-stack-servers.
-
- IXFR deltas can now be generated when loading master files,
- ixfr-from-differences.
-
- It is now possible to specify the size of a journal, max-journal-size.
-
- It is now possible to define a named set of master servers to be
- used in masters clause, masters.
-
- The advertised EDNS UDP size can now be set, edns-udp-size.
-
- allow-v6-synthesis has been obsoleted.
-
- NOTE:
- * Zones containing MD and MF will now be rejected.
- * dig, nslookup name. now report "Not Implemented" as
- NOTIMP rather than NOTIMPL. This will have impact on scripts
- that are looking for NOTIMPL.
-
- libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
- BIND 9.2.0 has a number of new features over 9.1,
- including:
-
- - The size of the cache can now be limited using the
- "max-cache-size" option.
-
- - The server can now automatically convert RFC1886-style
- recursive lookup requests into RFC2874-style lookups,
- when enabled using the new option "allow-v6-synthesis".
- This allows stub resolvers that support AAAA records
- but not A6 record chains or binary labels to perform
- lookups in domains that make use of these IPv6 DNS
- features.
-
- - Performance has been improved.
-
- - The man pages now use the more portable "man" macros
- rather than the "mandoc" macros, and are installed
- by "make install".
-
- - The named.conf parser has been completely rewritten.
- It now supports "include" directives in more
- places such as inside "view" statements, and it no
- longer has any reserved words.
-
- - The "rndc status" command is now implemented.
-
- - rndc can now be configured automatically.
-
- - A BIND 8 compatible stub resolver library is now
- included in lib/bind.
-
- - OpenSSL has been removed from the distribution. This
- means that to use DNSSEC, OpenSSL must be installed and
- the --with-openssl option must be supplied to configure.
- This does not apply to the use of TSIG, which does not
- require OpenSSL.
-
- - The source distribution now builds on Windows.
- See win32utils/readme1.txt and win32utils/win32-build.txt
- for details.
-
- This distribution also includes a new lightweight stub
- resolver library and associated resolver daemon that fully
- support forward and reverse lookups of both IPv4 and IPv6
- addresses. This library is considered experimental and
- is not a complete replacement for the BIND 8 resolver library.
- Applications that use the BIND 8 res_* functions to perform
- DNS lookups or dynamic updates still need to be linked against
- the BIND 8 libraries. For DNS lookups, they can also use the
- new "getrrsetbyname()" API.
-
- BIND 9.2 is capable of acting as an authoritative server
- for DNSSEC secured zones. This functionality is believed to
- be stable and complete except for lacking support for
- verifications involving wildcard records in secure zones.
-
- When acting as a caching server, BIND 9.2 can be configured
- to perform DNSSEC secure resolution on behalf of its clients.
- This part of the DNSSEC implementation is still considered
- experimental. For detailed information about the state of the
- DNSSEC implementation, see the file doc/misc/dnssec.
-
- There are a few known bugs:
-
- On some systems, IPv6 and IPv4 sockets interact in
- unexpected ways. For details, see doc/misc/ipv6.
- To reduce the impact of these problems, the server
- no longer listens for requests on IPv6 addresses
- by default. If you need to accept DNS queries over
- IPv6, you must specify "listen-on-v6 { any; };"
- in the named.conf options statement.
-
- FreeBSD prior to 4.2 (and 4.2 if running as non-root)
- and OpenBSD prior to 2.8 log messages like
- "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
- This is due to a bug in "/dev/random" and impacts the
- server's DNSSEC support.
-
- OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
- OS X 10.2 (Darwin 6.0) reports errors like
- "fcntl(3, F_SETFL, 4): Operation not supported by device".
- This is due to a bug in "/dev/random" and impacts the
- server's DNSSEC support.
-
- --with-libtool does not work on AIX.
-
- A bug in some versions of the Microsoft DNS server can cause zone
- transfers from a BIND 9 server to a W2K server to fail. For details,
- see the "Zone Transfers" section in doc/misc/migration.
+ For a summary of functional enhancements in previous
+ releases, see the HISTORY file.
For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
+BIND 9.8.0
+
+ BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+ releases. New features include:
+
+ - Built-in trust anchor for the root zone, which can be
+ switched on via "dnssec-validation auto;"
+ - Support for DNS64.
+ - Support for response policy zones (RPZ).
+ - Support for writable DLZ zones.
+ - Improved ease of configuration of GSS/TSIG for
+ interoperability with Active Directory
+ - Support for GOST signing algorithm for DNSSEC.
+ - Removed RTT Banding from server selection algorithm.
+ - New "static-stub" zone type.
+ - Allow configuration of resolver timeouts via
+ "resolver-query-timeout" option.
+
+BIND 9.7.0
+
+ BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+ releases. Most are intended to simplify DNSSEC configuration.
+
+ New features include:
+
+ - Fully automatic signing of zones by "named".
+ - Simplified configuration of DNSSEC Lookaside Validation (DLV).
+ - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+ command line tool or the "local" update-policy option. (As a side
+ effect, this also makes it easier to configure automatic zone
+ re-signing.)
+ - New named option "attach-cache" that allows multiple views to
+ share a single cache.
+ - DNS rebinding attack prevention.
+ - New default values for dnssec-keygen parameters.
+ - Support for RFC 5011 automated trust anchor maintenance
+ - Smart signing: simplified tools for zone signing and key
+ maintenance.
+ - The "statistics-channels" option is now available on Windows.
+ - A new DNSSEC-aware libdns API for use by non-BIND9 applications
+ - On some platforms, named and other binaries can now print out
+ a stack backtrace on assertion failure, to aid in debugging.
+ - A "tools only" installation mode on Windows, which only installs
+ dig, host, nslookup and nsupdate.
+ - Improved PKCS#11 support, including Keyper support and explicit
+ OpenSSL engine selection.
+
+ Known issues in this release:
+
+ - In rare cases, DNSSEC validation can leak memory. When this
+ happens, it will cause an assertion failure when named exits,
+ but is otherwise harmless. A fix exists, but was too late for
+ this release; it will be included in BIND 9.7.1.
+
+ Compatibility notes:
+
+ - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
+ ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
+ you should ensure that all changes that are in progress have
+ completed prior to upgrading to BIND 9.7. BIND 9.7 implements
+ those features in a way which is not backwards compatible.
+
+ - Prior releases had a bug which caused HMAC-SHA* keys with long
+ secrets to be used incorrectly. Fixing this bug means that older
+ versions of BIND 9 may fail to interoperate with this version
+ when using TSIG keys. If this occurs, the new "isc-hmac-fixup"
+ tool will convert a key with a long secret into a form that works
+ correctly with all versions of BIND 9. See the "isc-hmac-fixup"
+ man page for additional details.
+
+ - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
+ It is possible for the new key ID to collide with that of a
+ different key. Newly generated keys will not have this problem,
+ as "dnssec-keygen" looks for potential collisions before
+ generating keys, but exercise caution if using key revokation
+ with keys that were generated by older versions of BIND 9. See
+ the Administrator's Reference Manual, section 4.10 ("Dynamic
+ Trust Anchor Management") for more details.
+
+ - A bug was fixed in which a key's scheduled inactivity date was
+ stored incorectly. Users who participated in the 9.7.0 BETA test
+ and had DNSSEC keys with scheduled inactivity dates will need to
+ reset those keys' dates using "dnssec-settime -I".
Building
@@ -417,7 +144,7 @@ Building
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
- NetBSD 3.x and 4.0-beta
+ NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
@@ -594,6 +321,9 @@ Documentation
Frequently asked questions and their answers can be found in
FAQ.
+ Additional information on various subjects can be found
+ in the other README files.
+
Bug Reports and Mailing Lists
diff --git a/README.idnkit b/README.idnkit
deleted file mode 100644
index f5255f5f97a9..000000000000
--- a/README.idnkit
+++ /dev/null
@@ -1,112 +0,0 @@
-
- BIND-9 IDN patch
-
- Japan Network Information Center (JPNIC)
-
-
-* What is this patch for?
-
-This patch adds internationalized domain name (IDN) support to BIND-9.
-You'll get internationalized version of dig/host/nslookup commands.
-
- + internationalized dig/host/nslookup
- dig/host/nslookup accepts non-ASCII domain names in the local
- codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
- the locale information. The domain names are normalized and
- converted to the encoding on the DNS protocol, and sent to DNS
- servers. The replies are converted back to the local codeset
- and displayed.
-
-
-* Compilation & installation
-
-0. Prerequisite
-
-You have to build and install idnkit before building this patched version
-of bind-9.
-
-1. Running configure script
-
-Run `configure' in the top directory. See `README' for the
-configuration options.
-
-This patch adds the following 4 options to `configure'. You should
-at least specify `--with-idn' option to enable IDN support.
-
- --with-idn[=IDN_PREFIX]
- To enable IDN support, you have to specify `--with-idn' option.
- The argument IDN_PREFIX is the install prefix of idnkit. If
- IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
- is assumed.
-
- --with-libiconv[=LIBICONV_PREFIX]
- Specify this option if idnkit you have installed links GNU
- libiconv. The argument LIBICONV_PREFIX is install prefix of
- GNU libiconv. If the argument is omitted, PREFIX (derived
- from `--prefix=PREFIX') is assumed.
-
- `--with-libiconv' is shorthand option for GNU libiconv.
-
- --with-libiconv=/usr/local
-
- This is equivalent to:
-
- --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
-
- `--with-libiconv' assumes that your C compiler has `-R'
- option, and that the option adds the specified run-time path
- to an executable binary. If `-R' option of your compiler has
- different meaning, or your compiler lacks the option, you
- should use `--with-iconv' option instead. Binary command
- without run-time path information might be unexecutable.
- In that case, you would see an error message like:
-
- error in loading shared libraries: libiconv.so.2: cannot
- open shared object file
-
- If both `--with-libiconv' and `--with-iconv' options are
- specified, `--with-iconv' is prior to `--with-libiconv'.
-
- --with-iconv=ICONV_LIBSPEC
- If your libc doesn't provide iconv(), you need to specify the
- library containing iconv() with this option. `ICONV_LIBSPEC'
- is the argument(s) to `cc' or `ld' to link the library, for
- example, `--with-iconv="-L/usr/local/lib -liconv"'.
- You don't need to specify the header file directory for "iconv.h"
- to the compiler, as it isn't included directly by bind-9 with
- this patch.
-
- --with-idnlib=IDN_LIBSPEC
- With this option, you can explicitly specify the argument(s)
- to `cc' or `ld' to link the idnkit's library, `libidnkit'. If
- this option is not specified, `-L${PREFIX}/lib -lidnkit' is
- assumed, where ${PREFIX} is the installation prefix specified
- with `--with-idn' option above. You may need to use this
- option to specify extra arguments, for example,
- `--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
-
-Please consult `README' for other configuration options.
-
-Note that if you want to specify some extra header file directories,
-you should use the environment variable STD_CINCLUDES instead of
-CFLAGS, as described in README.
-
-2. Compilation and installation
-
-After running "configure", just do
-
- make
- make install
-
-for compiling and installing.
-
-
-* Contact information
-
-Please see http//www.nic.ad.jp/en/idn/ for the latest news
-about idnkit and this patch.
-
-Bug reports and comments on this kit should be sent to
-mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-
-; $Id: README.idnkit,v 1.2.762.1 2009-01-18 23:25:14 marka Exp $
diff --git a/README.pkcs11 b/README.pkcs11
deleted file mode 100644
index b58640de1c5a..000000000000
--- a/README.pkcs11
+++ /dev/null
@@ -1,61 +0,0 @@
-
- BIND-9 PKCS#11 support
-
-Prerequisite
-
-The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
-and some improvements, including user friendly PIN management.
-
-Compilation
-
-"configure --with-pkcs11 ..."
-
-PKCS#11 Libraries
-
-Tested with Solaris one with a SCA board and with openCryptoki with the
-software token.
-
-OpenSSL Engines
-
-With PKCS#11 support the PKCS#11 engine is statically loaded but at its
-initialization it dynamically loads the PKCS#11 objects.
-Even the pre commands are therefore unused they are defined with:
- SO_PATH:
- define: PKCS11_SO_PATH
- default: /usr/local/lib/engines/engine_pkcs11.so
- MODULE_PATH:
- define: PKCS11_MODULE_PATH
- default: /usr/lib/libpkcs11.so
-Without PKCS#11 support, a specific OpenSSL engine can be still used
-by defining ENGINE_ID at compile time.
-
-PKCS#11 tools
-
-The contrib/pkcs11-keygen directory contains a set of experimental tools
-to handle keys stored in a Hardware Security Module at the benefit of BIND.
-
-The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
-for the way to use it (these are the original notes so with the original
-path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
-
-PIN management
-
-With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
-each time it is required. With the improved engine, the PIN should be
-entered the first time it is required or can be configured in the
-OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- - at the beginning:
- openssl_conf = openssl_def
- - at any place these sections:
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN = put__your__pin__value__here
-
-Note
-
-Some names here are registered trademarks, at least Solaris is a trademark
-of Sun Microsystems Inc...
diff --git a/acconfig.h b/acconfig.h
index d64404ad1e3f..d9da221f83f1 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acconfig.h,v 1.51.334.2 2009-02-16 23:47:15 tbox Exp $ */
+/* $Id: acconfig.h,v 1.53 2008-12-01 23:47:44 tbox Exp $ */
/*! \file */
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 1694268fb79e..d263d795eb02 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,13 +13,14 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.25 2007-06-19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.29 2009-10-05 12:07:08 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig dnssec tests nsupdate check
+SUBDIRS = named rndc dig dnssec tests tools nsupdate \
+ check confgen @PKCS11_TOOLS@
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 46271c77de7f..d5827dcce11e 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.32 2007-06-19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.36 2009-12-05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -32,6 +32,7 @@ CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
@@ -39,7 +40,8 @@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-LIBS = @LIBS@
+LIBS = ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
@@ -69,14 +71,14 @@ named-checkzone.@O@: named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
+ export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+ ${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
+ export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
+ ${FINALBUILDCMD}
doc man:: ${MANOBJS}
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index ed9224bb9aa2..4d2ca5c45ab5 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.c,v 1.35.36.5 2010-09-07 23:46:05 tbox Exp $ */
+/* $Id: check-tool.c,v 1.41 2010-09-07 23:46:59 tbox Exp $ */
/*! \file */
@@ -601,8 +601,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
isc_buffer_add(&buffer, strlen(zonename));
dns_fixedname_init(&fixorigin);
origin = dns_fixedname_name(&fixorigin);
- CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
- ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
CHECK(dns_zone_setorigin(zone, origin));
CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
CHECK(dns_zone_setfile2(zone, filename, fileformat));
diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h
index f9273ff152e8..4371ae29ec20 100644
--- a/bin/check/check-tool.h
+++ b/bin/check/check-tool.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.h,v 1.14.334.2 2010-09-07 23:46:05 tbox Exp $ */
+/* $Id: check-tool.h,v 1.16 2010-09-07 23:46:59 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 71310073e8d0..fabcfa916eb7 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkconf.8,v 1.30.334.1 2009-07-11 01:55:20 tbox Exp $
+.\" $Id: named-checkconf.8,v 1.33 2009-12-29 01:14:03 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,11 +33,29 @@
named\-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
+\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-z\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a named configuration file.
+checks the syntax, but not the semantics, of a
+\fBnamed\fR
+configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
+\fI/etc/named.conf\fR
+is read by default.
+.PP
+Note: files that
+\fBnamed\fR
+reads in separate parser contexts, such as
+\fIrndc.key\fR
+and
+\fIbind.keys\fR, are not automatically read by
+\fBnamed\-checkconf\fR. Configuration errors in these files may cause
+\fBnamed\fR
+to fail to run, even if
+\fBnamed\-checkconf\fR
+was successful.
+\fBnamed\-checkconf\fR
+can be run on these files explicitly, however.
.SH "OPTIONS"
.PP
\-h
@@ -59,6 +77,13 @@ Print the version of the
program and exit.
.RE
.PP
+\-p
+.RS 4
+Print out the
+\fInamed.conf\fR
+and included files in canonical form if no errors were detected.
+.RE
+.PP
\-z
.RS 4
Perform a test load of all master zones found in
@@ -88,7 +113,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 20983b5b9392..521ed31916c5 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkconf.c,v 1.46.222.4 2010-09-07 23:46:05 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.54 2010-09-07 01:49:08 marka Exp $ */
/*! \file */
@@ -59,9 +59,12 @@ isc_log_t *logc = NULL;
} while (0)
/*% usage */
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
static void
usage(void) {
- fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
+ fprintf(stderr, "usage: %s [-h] [-j] [-p] [-v] [-z] [-t directory] "
"[named.conf]\n", program);
exit(1);
}
@@ -203,6 +206,24 @@ configure_zone(const char *vclass, const char *view,
zfile = cfg_obj_asstring(fileobj);
obj = NULL;
+ if (get_maps(maps, "check-dup-records", &obj)) {
+ if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else
+ INSIST(0);
+ } else {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ }
+
+ obj = NULL;
if (get_maps(maps, "check-mx", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKMX;
@@ -387,6 +408,15 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
return (result);
}
+static void
+output(void *closure, const char *text, int textlen) {
+ UNUSED(closure);
+ if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
+ perror("fwrite");
+ exit(1);
+ }
+}
+
/*% The main processing routine */
int
main(int argc, char **argv) {
@@ -399,10 +429,11 @@ main(int argc, char **argv) {
int exit_status = 0;
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
+ isc_boolean_t print = ISC_FALSE;
isc_commandline_errprint = ISC_FALSE;
- while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
+ while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
switch (c) {
case 'd':
debug++;
@@ -421,6 +452,10 @@ main(int argc, char **argv) {
}
break;
+ case 'p':
+ print = ISC_TRUE;
+ break;
+
case 'v':
printf(VERSION "\n");
exit(0);
@@ -485,6 +520,8 @@ main(int argc, char **argv) {
exit_status = 1;
}
+ if (print && exit_status == 0)
+ cfg_print(config, output, NULL);
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index e0c43d17118b..fe12cb3ea278 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.19 2007-06-19 06:58:03 marka Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.22 2009-12-28 23:21:16 each Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@@ -35,6 +35,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -58,6 +59,7 @@
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req">filename</arg>
+ <arg><option>-p</option></arg>
<arg><option>-z</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -65,8 +67,21 @@
<refsect1>
<title>DESCRIPTION</title>
<para><command>named-checkconf</command>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <command>named</command> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <filename>/etc/named.conf</filename> is read
+ by default.
+ </para>
+ <para>
+ Note: files that <command>named</command> reads in separate
+ parser contexts, such as <filename>rndc.key</filename> and
+ <filename>bind.keys</filename>, are not automatically read
+ by <command>named-checkconf</command>. Configuration
+ errors in these files may cause <command>named</command> to
+ fail to run, even if <command>named-checkconf</command> was
+ successful. <command>named-checkconf</command> can be run
+ on these files explicitly, however.
</para>
</refsect1>
@@ -87,8 +102,7 @@
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- Chroot to <filename>directory</filename> so that
- include
+ Chroot to <filename>directory</filename> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</para>
@@ -106,6 +120,16 @@
</varlistentry>
<varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Print out the <filename>named.conf</filename> and included files
+ in canonical form if no errors were detected.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-z</term>
<listitem>
<para>
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 458b486e90fd..f5e4cd385114 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.html,v 1.30.334.1 2009-07-11 01:55:20 tbox Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.33 2009-12-29 01:14:03 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,17 +29,30 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543387"></a><h2>DESCRIPTION</h2>
+<a name="id2543395"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <span><strong class="command">named</strong></span> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <code class="filename">/etc/named.conf</code> is read
+ by default.
+ </p>
+<p>
+ Note: files that <span><strong class="command">named</strong></span> reads in separate
+ parser contexts, such as <code class="filename">rndc.key</code> and
+ <code class="filename">bind.keys</code>, are not automatically read
+ by <span><strong class="command">named-checkconf</strong></span>. Configuration
+ errors in these files may cause <span><strong class="command">named</strong></span> to
+ fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
+ successful. <span><strong class="command">named-checkconf</strong></span> can be run
+ on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543399"></a><h2>OPTIONS</h2>
+<a name="id2543444"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -47,8 +60,7 @@
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
- Chroot to <code class="filename">directory</code> so that
- include
+ Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
@@ -57,6 +69,11 @@
Print the version of the <span><strong class="command">named-checkconf</strong></span>
program and exit.
</p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+ Print out the <code class="filename">named.conf</code> and included files
+ in canonical form if no errors were detected.
+ </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Perform a test load of all master zones found in
@@ -74,21 +91,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543507"></a><h2>RETURN VALUES</h2>
+<a name="id2543568"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543518"></a><h2>SEE ALSO</h2>
+<a name="id2543579"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543548"></a><h2>AUTHOR</h2>
+<a name="id2543609"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index e5f07906a457..1bb784606d8d 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkzone.8,v 1.42.334.3 2009-11-11 01:56:22 tbox Exp $
+.\" $Id: named-checkzone.8,v 1.47 2010-01-17 01:14:02 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,9 +33,9 @@
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
@@ -201,6 +201,15 @@ then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
.RE
.PP
+\-r \fImode\fR
+.RS 4
+Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.RE
+.PP
\-s \fIstyle\fR
.RS 4
Specify the style of the dumped zone file. Possible styles are
@@ -272,7 +281,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index 3b86e576df5a..100e809867d1 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkzone.c,v 1.51.34.6 2010-09-07 23:46:06 tbox Exp $ */
+/* $Id: named-checkzone.c,v 1.61 2010-09-07 23:46:59 tbox Exp $ */
/*! \file */
@@ -70,6 +70,9 @@ static enum { progmode_check, progmode_compile } progmode;
} \
} while (0)
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
static void
usage(void) {
fprintf(stderr,
@@ -77,12 +80,13 @@ usage(void) {
"[-f inputformat] [-F outputformat] "
"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+ "[-r (ignore|warn|fail)] "
"[-i (full|full-sibling|local|local-sibling|none)] "
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
"[-W (ignore|warn)] "
"%s zonename filename\n",
prog_name,
- progmode == progmode_check ? "[-o filename]" : "{-o filename}");
+ progmode == progmode_check ? "[-o filename]" : "-o filename");
exit(1);
}
@@ -140,17 +144,19 @@ main(int argc, char **argv) {
if (progmode == progmode_compile) {
zone_options |= (DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_FATALNS |
+ DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL |
DNS_ZONEOPT_CHECKWILDCARD);
- }
+ } else
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv,
- "c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+ "c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:W:"))
!= EOF) {
switch (c) {
case 'c':
@@ -262,16 +268,27 @@ main(int argc, char **argv) {
}
break;
+ case 'o':
+ output_filename = isc_commandline_argument;
+ break;
+
case 'q':
quiet++;
break;
- case 't':
- result = isc_dir_chroot(isc_commandline_argument);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chroot: %s: %s\n",
- isc_commandline_argument,
- isc_result_totext(result));
+ case 'r':
+ if (ARGCMP("warn")) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (ARGCMP("fail")) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR |
+ DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (ARGCMP("ignore")) {
+ zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
+ DNS_ZONEOPT_CHECKDUPRRFAIL);
+ } else {
+ fprintf(stderr, "invalid argument to -r: %s\n",
+ isc_commandline_argument);
exit(1);
}
break;
@@ -289,8 +306,14 @@ main(int argc, char **argv) {
}
break;
- case 'o':
- output_filename = isc_commandline_argument;
+ case 't':
+ result = isc_dir_chroot(isc_commandline_argument);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_dir_chroot: %s: %s\n",
+ isc_commandline_argument,
+ isc_result_totext(result));
+ exit(1);
+ }
break;
case 'v':
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index 0e04c033f38b..415ee1c34499 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.docbook,v 1.34.334.3 2009-11-10 20:01:41 each Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.40 2010-01-16 23:48:15 tbox Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
@@ -37,6 +37,7 @@
<year>2006</year>
<year>2007</year>
<year>2009</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -69,6 +70,8 @@
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+ <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@@ -92,7 +95,7 @@
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
- <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
@@ -320,6 +323,19 @@
</varlistentry>
<varlistentry>
+ <term>-r <replaceable class="parameter">mode</replaceable></term>
+ <listitem>
+ <para>
+ Check for records that are treated as different by DNSSEC but
+ are semantically equal in plain DNS.
+ Possible modes are <command>"fail"</command>,
+ <command>"warn"</command> (default) and
+ <command>"ignore"</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-s <replaceable class="parameter">style</replaceable></term>
<listitem>
<para>
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 24f5c0586dde..e0532af0f590 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.html,v 1.42.334.3 2009-11-11 01:56:22 tbox Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.47 2010-01-17 01:14:02 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,11 +29,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
-<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543674"></a><h2>DESCRIPTION</h2>
+<a name="id2543694"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,7 +53,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543709"></a><h2>OPTIONS</h2>
+<a name="id2543730"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@@ -177,6 +177,14 @@
write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Check for records that are treated as different by DNSSEC but
+ are semantically equal in plain DNS.
+ Possible modes are <span><strong class="command">"fail"</strong></span>,
+ <span><strong class="command">"warn"</strong></span> (default) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd><p>
Specify the style of the dumped zone file.
@@ -239,14 +247,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544330"></a><h2>RETURN VALUES</h2>
+<a name="id2544377"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544342"></a><h2>SEE ALSO</h2>
+<a name="id2544389"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -254,7 +262,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544375"></a><h2>AUTHOR</h2>
+<a name="id2544422"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
new file mode 100644
index 000000000000..da3587982cd3
--- /dev/null
+++ b/bin/confgen/Makefile.in
@@ -0,0 +1,101 @@
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.8 2009-12-05 23:31:40 each Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS= rndc-confgen.c ddns-confgen.c
+
+SUBDIRS = unix
+
+TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
+
+MANPAGES = rndc-confgen.8 ddns-confgen.8
+
+HTMLPAGES = rndc-confgen.html ddns-confgen.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+UOBJS = unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+ -c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
diff --git a/bin/confgen/ddns-confgen.8 b/bin/confgen/ddns-confgen.8
new file mode 100644
index 000000000000..d69af398e614
--- /dev/null
+++ b/bin/confgen/ddns-confgen.8
@@ -0,0 +1,143 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: ddns-confgen.8,v 1.10 2009-09-19 01:14:52 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: ddns\-confgen
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Jan 29, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+ddns\-confgen \- ddns key generation tool
+.SH "SYNOPSIS"
+.HP 13
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
+.SH "DESCRIPTION"
+.PP
+\fBddns\-confgen\fR
+generates a key for use by
+\fBnsupdate\fR
+and
+\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
+\fBnsupdate\fR
+and
+\fBnamed.conf\fR
+syntax that will be needed to use it, including an example
+\fBupdate\-policy\fR
+statement.
+.PP
+If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
+\fBnamed.conf\fR
+syntax. For example,
+\fBddns\-confgen example.com\fR
+would generate a key called "ddns\-key.example.com", and sample
+\fBnamed.conf\fR
+command that could be used in the zone definition for "example.com".
+.PP
+Note that
+\fBnamed\fR
+itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fR.
+\fBddns\-confgen\fR
+is only needed when a more elaborate configuration is required: for instance, if
+\fBnsupdate\fR
+is to be used from a remote system.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBddns\-confgen\fR.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the DDNS authentication key. The default is
+\fBddns\-key\fR
+when neither the
+\fB\-s\fR
+nor
+\fB\-z\fR
+option is specified; otherwise, the default is
+\fBddns\-key\fR
+as a separate label followed by the argument of the option, e.g.,
+\fBddns\-key.example.com.\fR
+The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode: Print only the key, with no explanatory text or usage examples.
+.RE
+.PP
+\-r \fIrandomfile\fR
+.RS 4
+Specifies a source of random data for generating the authorization. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
+\-s \fIname\fR
+.RS 4
+Single host mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIname\fR
+using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
+\fB\-z\fR
+option.
+.RE
+.PP
+\-z \fIzone\fR
+.RS 4
+zone mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIzone\fR
+using the "zonesub" nametype, allowing updates to all subdomain names within that
+\fIzone\fR. This option cannot be used with the
+\fB\-s\fR
+option.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBnsupdate\fR(1),
+\fBnamed.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c
new file mode 100644
index 000000000000..814a5657bb4d
--- /dev/null
+++ b/bin/confgen/ddns-confgen.c
@@ -0,0 +1,257 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ddns-confgen.c,v 1.9 2009-09-29 15:06:05 fdupont Exp $ */
+
+/*! \file */
+
+/**
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+#define DEFAULT_KEYNAME "ddns-key"
+
+static char program[256];
+const char *progname;
+
+isc_boolean_t verbose = ISC_FALSE;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+
+ fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
+ -a alg: algorithm (default hmac-sha256)\n\
+ -k keyname: name of the key as it will be used in named.conf\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s name: domain name to be updated using the created key\n\
+ -z zone: name of the zone as it will be used in named.conf\n\
+ -q: quiet mode: print the key, with no explanatory text\n",
+ progname);
+
+ exit (status);
+}
+
+int
+main(int argc, char **argv) {
+ isc_boolean_t show_final_mem = ISC_FALSE;
+ isc_boolean_t quiet = ISC_FALSE;
+ isc_buffer_t key_txtbuffer;
+ char key_txtsecret[256];
+ isc_mem_t *mctx = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ const char *randomfile = NULL;
+ const char *keyname = NULL;
+ const char *zone = NULL;
+ const char *self_domain = NULL;
+ char *keybuf = NULL;
+ dns_secalg_t alg = DST_ALG_HMACSHA256;
+ const char *algname = alg_totext(alg);
+ int keysize = 256;
+ int len = 0;
+ int ch;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memcpy(program, "ddns-confgen", 13);
+ progname = program;
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "a:hk:Mmr:qs:Vy:z:")) != -1) {
+ switch (ch) {
+ case 'a':
+ algname = isc_commandline_argument;
+ alg = alg_fromtext(algname);
+ if (alg == DST_ALG_UNKNOWN)
+ fatal("Unsupported algorithm '%s'", algname);
+ keysize = alg_bits(alg);
+ break;
+ case 'h':
+ usage(0);
+ case 'k':
+ case 'y':
+ keyname = isc_commandline_argument;
+ break;
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+ case 'm':
+ show_final_mem = ISC_TRUE;
+ break;
+ case 'q':
+ quiet = ISC_TRUE;
+ break;
+ case 'r':
+ randomfile = isc_commandline_argument;
+ break;
+ case 's':
+ self_domain = isc_commandline_argument;
+ break;
+ case 'V':
+ verbose = ISC_TRUE;
+ break;
+ case 'z':
+ zone = isc_commandline_argument;
+ break;
+ case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ } else
+ usage(0);
+ break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (self_domain != NULL && zone != NULL)
+ usage(1); /* -s and -z cannot coexist */
+
+ if (argc > 0)
+ usage(1);
+
+ DO("create memory context", isc_mem_create(0, 0, &mctx));
+
+ if (keyname == NULL) {
+ const char *suffix = NULL;
+
+ keyname = DEFAULT_KEYNAME;
+ if (self_domain != NULL)
+ suffix = self_domain;
+ else if (zone != NULL)
+ suffix = zone;
+ if (suffix != NULL) {
+ len = strlen(keyname) + strlen(suffix) + 2;
+ keybuf = isc_mem_get(mctx, len);
+ if (keybuf == NULL)
+ fatal("failed to allocate memory for keyname");
+ snprintf(keybuf, len, "%s.%s", keyname, suffix);
+ keyname = (const char *) keybuf;
+ }
+ }
+
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
+
+
+ if (!quiet)
+ printf("\
+# To activate this key, place the following in named.conf, and\n\
+# in a separate keyfile on the system or systems from which nsupdate\n\
+# will be run:\n");
+
+ printf("\
+key \"%s\" {\n\
+ algorithm %s;\n\
+ secret \"%.*s\";\n\
+};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer));
+
+ if (!quiet) {
+ if (self_domain != NULL) {
+ printf("\n\
+# Then, in the \"zone\" statement for the zone containing the\n\
+# name \"%s\", place an \"update-policy\" statement\n\
+# like this one, adjusted as needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s name %s ANY;\n\
+};\n",
+ self_domain, keyname, self_domain);
+ } else if (zone != NULL) {
+ printf("\n\
+# Then, in the \"zone\" definition statement for \"%s\",\n\
+# place an \"update-policy\" statement like this one, adjusted as \n\
+# needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s zonesub ANY;\n\
+};\n",
+ zone, keyname);
+ } else {
+ printf("\n\
+# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
+# update, place an \"update-policy\" statement granting update permission\n\
+# to this key. For example, the following statement grants this key\n\
+# permission to update any name within the zone:\n\
+update-policy {\n\
+ grant %s zonesub ANY;\n\
+};\n",
+ keyname);
+ }
+
+ printf("\n\
+# After the keyfile has been placed, the following command will\n\
+# execute nsupdate using this key:\n\
+nsupdate -k <keyfile>\n");
+
+ }
+
+ if (keybuf != NULL)
+ isc_mem_put(mctx, keybuf, len);
+
+ if (show_final_mem)
+ isc_mem_stats(mctx, stderr);
+
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
diff --git a/bin/confgen/ddns-confgen.docbook b/bin/confgen/ddns-confgen.docbook
new file mode 100644
index 000000000000..2b3e1c0556a5
--- /dev/null
+++ b/bin/confgen/ddns-confgen.docbook
@@ -0,0 +1,218 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: ddns-confgen.docbook,v 1.6 2009-09-18 22:08:55 fdupont Exp $ -->
+<refentry id="man.ddns-confgen">
+ <refentryinfo>
+ <date>Jan 29, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>ddns-confgen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>ddns-confgen</application></refname>
+ <refpurpose>ddns key generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>ddns-confgen</command>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+ <group>
+ <arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
+ <arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
+ </group>
+ <arg><option>-q</option></arg>
+ <arg choice="opt">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>ddns-confgen</command>
+ generates a key for use by <command>nsupdate</command>
+ and <command>named</command>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <command>nsupdate</command> and <command>named.conf</command>
+ syntax that will be needed to use it, including an example
+ <command>update-policy</command> statement.
+ </para>
+
+ <para>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <command>named.conf</command> syntax. For example,
+ <command>ddns-confgen example.com</command> would
+ generate a key called "ddns-key.example.com", and sample
+ <command>named.conf</command> command that could be used
+ in the zone definition for "example.com".
+ </para>
+
+ <para>
+ Note that <command>named</command> itself can configure a
+ local DDNS key for use with <command>nsupdate -l</command>.
+ <command>ddns-confgen</command> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <command>nsupdate</command> is to be used from a remote system.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>ddns-confgen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyname</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the key name of the DDNS authentication key.
+ The default is <constant>ddns-key</constant> when neither
+ the <option>-s</option> nor <option>-z</option> option is
+ specified; otherwise, the default
+ is <constant>ddns-key</constant> as a separate label
+ followed by the argument of the option, e.g.,
+ <constant>ddns-key.example.com.</constant>
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-q</term>
+ <listitem>
+ <para>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomfile</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <filename>/dev/random</filename> or equivalent device, the
+ default source of randomness is keyboard input.
+ <filename>randomdev</filename> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard input
+ should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">name</replaceable></term>
+ <listitem>
+ <para>
+ Single host mode: The example <command>named.conf</command> text
+ shows how to set an update policy for the specified
+ <replaceable class="parameter">name</replaceable>
+ using the "name" nametype.
+ The default key name is
+ ddns-key.<replaceable class="parameter">name</replaceable>.
+ Note that the "self" nametype cannot be used, since
+ the name to be updated may differ from the key name.
+ This option cannot be used with the <option>-z</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-z <replaceable class="parameter">zone</replaceable></term>
+ <listitem>
+ <para>
+ zone mode: The example <command>named.conf</command> text
+ shows how to set an update policy for the specified
+ <replaceable class="parameter">zone</replaceable>
+ using the "zonesub" nametype, allowing updates to all subdomain
+ names within
+ that <replaceable class="parameter">zone</replaceable>.
+ This option cannot be used with the <option>-s</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/confgen/ddns-confgen.html b/bin/confgen/ddns-confgen.html
new file mode 100644
index 000000000000..17c3f26dccae
--- /dev/null
+++ b/bin/confgen/ddns-confgen.html
@@ -0,0 +1,141 @@
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: ddns-confgen.html,v 1.10 2009-09-19 01:14:52 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543395"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">ddns-confgen</strong></span>
+ generates a key for use by <span><strong class="command">nsupdate</strong></span>
+ and <span><strong class="command">named</strong></span>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
+ syntax that will be needed to use it, including an example
+ <span><strong class="command">update-policy</strong></span> statement.
+ </p>
+<p>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <span><strong class="command">named.conf</strong></span> syntax. For example,
+ <span><strong class="command">ddns-confgen example.com</strong></span> would
+ generate a key called "ddns-key.example.com", and sample
+ <span><strong class="command">named.conf</strong></span> command that could be used
+ in the zone definition for "example.com".
+ </p>
+<p>
+ Note that <span><strong class="command">named</strong></span> itself can configure a
+ local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
+ <span><strong class="command">ddns-confgen</strong></span> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543454"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">ddns-confgen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+ Specifies the key name of the DDNS authentication key.
+ The default is <code class="constant">ddns-key</code> when neither
+ the <code class="option">-s</code> nor <code class="option">-z</code> option is
+ specified; otherwise, the default
+ is <code class="constant">ddns-key</code> as a separate label
+ followed by the argument of the option, e.g.,
+ <code class="constant">ddns-key.example.com.</code>
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <code class="filename">/dev/random</code> or equivalent device, the
+ default source of randomness is keyboard input.
+ <code class="filename">randomdev</code> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard input
+ should be used.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+ Single host mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>name</code></em>
+ using the "name" nametype.
+ The default key name is
+ ddns-key.<em class="replaceable"><code>name</code></em>.
+ Note that the "self" nametype cannot be used, since
+ the name to be updated may differ from the key name.
+ This option cannot be used with the <code class="option">-z</code> option.
+ </p></dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd><p>
+ zone mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>zone</code></em>
+ using the "zonesub" nametype, allowing updates to all subdomain
+ names within
+ that <em class="replaceable"><code>zone</code></em>.
+ This option cannot be used with the <code class="option">-s</code> option.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543642"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543681"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/confgen/include/confgen/os.h b/bin/confgen/include/confgen/os.h
new file mode 100644
index 000000000000..bf80f00ef417
--- /dev/null
+++ b/bin/confgen/include/confgen/os.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <isc/lang.h>
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+int set_user(FILE *fd, const char *user);
+/*%<
+ * Set the owner of the file referenced by 'fd' to 'user'.
+ * Returns:
+ * 0 success
+ * -1 insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
new file mode 100644
index 000000000000..c259e7e6a721
--- /dev/null
+++ b/bin/confgen/keygen.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.c,v 1.4 2009-11-12 14:02:38 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return "hmac-md5";
+ case DST_ALG_HMACSHA1:
+ return "hmac-sha1";
+ case DST_ALG_HMACSHA224:
+ return "hmac-sha224";
+ case DST_ALG_HMACSHA256:
+ return "hmac-sha256";
+ case DST_ALG_HMACSHA384:
+ return "hmac-sha384";
+ case DST_ALG_HMACSHA512:
+ return "hmac-sha512";
+ default:
+ return "(unknown)";
+ }
+}
+
+/*%
+ * Convert string to algorithm type.
+ */
+dns_secalg_t
+alg_fromtext(const char *name) {
+ if (strcmp(name, "hmac-md5") == 0)
+ return DST_ALG_HMACMD5;
+ if (strcmp(name, "hmac-sha1") == 0)
+ return DST_ALG_HMACSHA1;
+ if (strcmp(name, "hmac-sha224") == 0)
+ return DST_ALG_HMACSHA224;
+ if (strcmp(name, "hmac-sha256") == 0)
+ return DST_ALG_HMACSHA256;
+ if (strcmp(name, "hmac-sha384") == 0)
+ return DST_ALG_HMACSHA384;
+ if (strcmp(name, "hmac-sha512") == 0)
+ return DST_ALG_HMACSHA512;
+ return DST_ALG_UNKNOWN;
+}
+
+/*%
+ * Return default keysize for a given algorithm type.
+ */
+int
+alg_bits(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return 128;
+ case DST_ALG_HMACSHA1:
+ return 160;
+ case DST_ALG_HMACSHA224:
+ return 224;
+ case DST_ALG_HMACSHA256:
+ return 256;
+ case DST_ALG_HMACSHA384:
+ return 384;
+ case DST_ALG_HMACSHA512:
+ return 512;
+ default:
+ return 0;
+ }
+}
+
+/*%
+ * Generate a key of size 'keysize' using entropy source 'randomfile',
+ * and place it in 'key_txtbuffer'
+ */
+void
+generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_entropysource_t *entropy_source = NULL;
+ int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+ int entropy_flags = 0;
+ isc_entropy_t *ectx = NULL;
+ isc_buffer_t key_rawbuffer;
+ isc_region_t key_rawregion;
+ char key_rawsecret[64];
+ dst_key_t *key = NULL;
+
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ if (keysize < 1 || keysize > 512)
+ fatal("keysize %d out of range (must be 1-512)\n",
+ keysize);
+ break;
+ case DST_ALG_HMACSHA256:
+ if (keysize < 1 || keysize > 256)
+ fatal("keysize %d out of range (must be 1-256)\n",
+ keysize);
+ break;
+ default:
+ fatal("unsupported algorithm %d\n", alg);
+ }
+
+
+ DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ randomfile = NULL;
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+ }
+ DO("start entropy source", isc_entropy_usebestsource(ectx,
+ &entropy_source,
+ randomfile,
+ open_keyboard));
+
+ entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
+
+ DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
+
+ DO("generate key", dst_key_generate(dns_rootname, alg,
+ keysize, 0, 0,
+ DNS_KEYPROTO_ANY,
+ dns_rdataclass_in, mctx, &key));
+
+ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+
+ DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
+
+ isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+
+ DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
+ key_txtbuffer));
+
+ /*
+ * Shut down the entropy source now so the "stop typing" message
+ * does not muck with the output.
+ */
+ if (entropy_source != NULL)
+ isc_entropy_destroysource(&entropy_source);
+
+ if (key != NULL)
+ dst_key_free(&key);
+
+ isc_entropy_detach(&ectx);
+ dst_lib_destroy();
+}
+
+/*%
+ * Write a key file to 'keyfile'. If 'user' is non-NULL,
+ * make that user the owner of the file. The key will have
+ * the name 'keyname' and the secret in the buffer 'secret'.
+ */
+void
+write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg) {
+ isc_result_t result;
+ const char *algname = alg_totext(alg);
+ FILE *fd = NULL;
+
+ DO("create keyfile", isc_file_safecreate(keyfile, &fd));
+
+ if (user != NULL) {
+ if (set_user(fd, user) == -1)
+ fatal("unable to set file owner\n");
+ }
+
+ fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
+ "\tsecret \"%.*s\";\n};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(secret),
+ (char *)isc_buffer_base(secret));
+ fflush(fd);
+ if (ferror(fd))
+ fatal("write to %s failed\n", keyfile);
+ if (fclose(fd))
+ fatal("fclose(%s) failed\n", keyfile);
+ fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
+}
+
diff --git a/bin/confgen/keygen.h b/bin/confgen/keygen.h
new file mode 100644
index 000000000000..cea25dd4f92a
--- /dev/null
+++ b/bin/confgen/keygen.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer);
+
+void write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg);
+
+const char *alg_totext(dns_secalg_t alg);
+dns_secalg_t alg_fromtext(const char *name);
+int alg_bits(dns_secalg_t alg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */
diff --git a/bin/rndc/rndc-confgen.8 b/bin/confgen/rndc-confgen.8
index db45df4dd7c3..a1b3ae86b735 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/confgen/rndc-confgen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc-confgen.8,v 1.20.418.1 2009-07-11 01:55:21 tbox Exp $
+.\" $Id: rndc-confgen.8,v 1.7 2009-07-11 01:12:45 tbox Exp $
.\"
.hy 0
.ad l
@@ -205,7 +205,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
.br
diff --git a/bin/rndc/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index 1cb0a0a7c9b9..766e3b49444e 100644
--- a/bin/rndc/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc-confgen.c,v 1.26 2008-10-15 23:47:31 tbox Exp $ */
+/* $Id: rndc-confgen.c,v 1.5 2009-09-29 15:06:05 fdupont Exp $ */
/*! \file */
@@ -52,9 +52,10 @@
#include <dns/name.h>
#include <dst/dst.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
#include "util.h"
+#include "keygen.h"
#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
@@ -68,6 +69,9 @@ isc_boolean_t verbose = ISC_FALSE;
const char *keyfile, *keydef;
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
static void
usage(int status) {
@@ -75,72 +79,36 @@ usage(int status) {
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
- -a: generate just the key clause and write it to keyfile (%s)\n\
- -b bits: from 1 through 512, default %d; total length of the secret\n\
- -c keyfile: specify an alternate key file (requires -a)\n\
- -k keyname: the name as it will be used in named.conf and rndc.conf\n\
- -p port: the port named will listen on and rndc will connect to\n\
- -r randomfile: a file containing random data\n\
- -s addr: the address to which rndc should connect\n\
- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
- -u user: set the keyfile owner to \"user\" (requires -a)\n",
- progname, keydef, DEFAULT_KEYLENGTH);
+ -a: generate just the key clause and write it to keyfile (%s)\n\
+ -b bits: from 1 through 512, default %d; total length of the secret\n\
+ -c keyfile: specify an alternate key file (requires -a)\n\
+ -k keyname: the name as it will be used in named.conf and rndc.conf\n\
+ -p port: the port named will listen on and rndc will connect to\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s addr: the address to which rndc should connect\n\
+ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
+ -u user: set the keyfile owner to \"user\" (requires -a)\n",
+ progname, keydef, DEFAULT_KEYLENGTH);
exit (status);
}
-/*%
- * Write an rndc.key file to 'keyfile'. If 'user' is non-NULL,
- * make that user the owner of the file. The key will have
- * the name 'keyname' and the secret in the buffer 'secret'.
- */
-static void
-write_key_file(const char *keyfile, const char *user,
- const char *keyname, isc_buffer_t *secret )
-{
- FILE *fd;
-
- fd = safe_create(keyfile);
- if (fd == NULL)
- fatal( "unable to create \"%s\"\n", keyfile);
- if (user != NULL) {
- if (set_user(fd, user) == -1)
- fatal("unable to set file owner\n");
- }
- fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
- "\tsecret \"%.*s\";\n};\n", keyname,
- (int)isc_buffer_usedlength(secret),
- (char *)isc_buffer_base(secret));
- fflush(fd);
- if (ferror(fd))
- fatal("write to %s failed\n", keyfile);
- if (fclose(fd))
- fatal("fclose(%s) failed\n", keyfile);
- fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
-}
-
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
- isc_buffer_t key_rawbuffer;
isc_buffer_t key_txtbuffer;
- isc_region_t key_rawregion;
+ char key_txtsecret[256];
isc_mem_t *mctx = NULL;
- isc_entropy_t *ectx = NULL;
- isc_entropysource_t *entropy_source = NULL;
isc_result_t result = ISC_R_SUCCESS;
- dst_key_t *key = NULL;
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
- char key_rawsecret[64];
- char key_txtsecret[256];
+ dns_secalg_t alg = DST_ALG_HMACMD5;
+ const char *algname = alg_totext(alg);
char *p;
int ch;
int port;
int keysize;
- int entropy_flags = 0;
- int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
@@ -237,53 +205,13 @@ main(int argc, char **argv) {
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
-
- DO("create entropy context", isc_entropy_create(mctx, &ectx));
-
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- randomfile = NULL;
- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
- }
- DO("start entropy source", isc_entropy_usebestsource(ectx,
- &entropy_source,
- randomfile,
- open_keyboard));
-
- entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
-
- DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
-
- DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
- keysize, 0, 0,
- DNS_KEYPROTO_ANY,
- dns_rdataclass_in, mctx, &key));
-
- isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-
- DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
-
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
- isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-
- DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
- &key_txtbuffer));
-
- /*
- * Shut down the entropy source now so the "stop typing" message
- * does not muck with the output.
- */
- if (entropy_source != NULL)
- isc_entropy_destroysource(&entropy_source);
-
- if (key != NULL)
- dst_key_free(&key);
- isc_entropy_detach(&ectx);
- dst_lib_destroy();
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
- keyname, &key_txtbuffer);
+ keyname, &key_txtbuffer, alg);
if (chrootdir != NULL) {
char *buf;
@@ -294,14 +222,14 @@ main(int argc, char **argv) {
snprintf(buf, len, "%s%s%s", chrootdir,
(*keyfile != '/') ? "/" : "", keyfile);
- write_key_file(buf, user, keyname, &key_txtbuffer);
+ write_key_file(buf, user, keyname, &key_txtbuffer, alg);
isc_mem_put(mctx, buf, len);
}
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
- algorithm hmac-md5;\n\
+ algorithm %s;\n\
secret \"%.*s\";\n\
};\n\
\n\
@@ -314,7 +242,7 @@ options {\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
-# algorithm hmac-md5;\n\
+# algorithm %s;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
@@ -323,11 +251,11 @@ options {\n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
- keyname,
+ keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
keyname, serveraddr, port,
- keyname,
+ keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
serveraddr, port, serveraddr, keyname);
diff --git a/bin/rndc/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
index f71dd9f94c7b..d43fcfbe8aa4 100644
--- a/bin/rndc/rndc-confgen.docbook
+++ b/bin/confgen/rndc-confgen.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.docbook,v 1.13 2007-06-18 23:47:25 tbox Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.4 2009-06-15 23:47:59 tbox Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
@@ -40,6 +40,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/bin/rndc/rndc-confgen.html b/bin/confgen/rndc-confgen.html
index 6ef10737ae43..82a712091614 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/confgen/rndc-confgen.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.html,v 1.25.418.1 2009-07-11 01:55:21 tbox Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.7 2009-07-11 01:12:45 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543429"></a><h2>DESCRIPTION</h2>
+<a name="id2543432"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@@ -48,7 +48,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543474"></a><h2>OPTIONS</h2>
+<a name="id2543477"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@@ -155,7 +155,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543787"></a><h2>EXAMPLES</h2>
+<a name="id2543790"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@@ -172,7 +172,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543829"></a><h2>SEE ALSO</h2>
+<a name="id2543832"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -180,7 +180,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543867"></a><h2>AUTHOR</h2>
+<a name="id2543870"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/rndc/unix/Makefile.in b/bin/confgen/unix/Makefile.in
index e503db3b0b27..1785e0d0f4de 100644
--- a/bin/rndc/unix/Makefile.in
+++ b/bin/confgen/unix/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.5 2007-06-19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.3 2009-06-11 23:47:55 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/rndc/unix/os.c b/bin/confgen/unix/os.c
index e9ece1ba776c..e439a5182648 100644
--- a/bin/rndc/unix/os.c
+++ b/bin/confgen/unix/os.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -15,13 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.10 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: os.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
/*! \file */
#include <config.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
@@ -42,29 +41,3 @@ set_user(FILE *fd, const char *user) {
}
return (fchown(fileno(fd), pw->pw_uid, -1));
}
-
-FILE *
-safe_create(const char *filename) {
- int fd;
- FILE *f;
- struct stat sb;
- int flags = O_WRONLY;
-
- if (stat(filename, &sb) == -1) {
- if (errno != ENOENT)
- return (NULL);
- flags = O_WRONLY | O_CREAT | O_EXCL;
- } else if ((sb.st_mode & S_IFREG) == 0) {
- errno = EOPNOTSUPP;
- return (NULL);
- } else
- flags = O_WRONLY | O_TRUNC;
-
- fd = open(filename, flags, S_IRUSR | S_IWUSR);
- if (fd == -1)
- return (NULL);
- f = fdopen(fd, "w");
- if (f == NULL)
- close(fd);
- return (f);
-}
diff --git a/bin/confgen/util.c b/bin/confgen/util.c
new file mode 100644
index 000000000000..158a8d355818
--- /dev/null
+++ b/bin/confgen/util.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/boolean.h>
+
+#include "util.h"
+
+extern isc_boolean_t verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+ va_list ap;
+
+ if (verbose) {
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fputs("\n", stderr);
+ }
+}
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", progname);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
diff --git a/bin/confgen/util.h b/bin/confgen/util.h
new file mode 100644
index 000000000000..651b6e558cf2
--- /dev/null
+++ b/bin/confgen/util.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.4 2009-09-29 15:06:05 fdupont Exp $ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#include <isc/formatcheck.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function) \
+ do { \
+ result = function; \
+ if (result != ISC_R_SUCCESS) \
+ fatal("%s: %s", name, isc_result_totext(result)); \
+ else \
+ notify("%s", name); \
+ } while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index ad20553d532b..bebef6f45d34 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.41 2007-06-19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.47 2009-12-05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES} ${LWRES_INCLUDES}
+ ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
@@ -33,6 +33,7 @@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
@@ -44,8 +45,11 @@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
${LWRESDEPLIBS}
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
- ${ISCCFGLIBS} @IDNLIBS@ @LIBS@
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+ ${ISCLIBS} @IDNLIBS@ @LIBS@
+
+NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
SUBDIRS =
@@ -66,16 +70,16 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+ export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+ export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+ export BASEOBJS="nslookup.@O@ dighost.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
doc man:: ${MANOBJS}
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 93f90b2ea84c..87d5045701ce 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dig.1,v 1.50.44.3 2009-07-11 01:55:20 tbox Exp $
+.\" $Id: dig.1,v 1.54 2010-03-05 01:14:15 tbox Exp $
.\"
.hy 0
.ad l
@@ -455,6 +455,11 @@ Print records like the SOA records in a verbose multi\-line format with human\-r
output.
.RE
.PP
+\fB+[no]onesoa\fR
+.RS 4
+Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
+.RE
+.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
@@ -562,7 +567,7 @@ RFC1035.
.PP
There are probably too many query options.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 7de934bb50d2..a3143c93d273 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.c,v 1.225.26.7 2010-05-13 00:43:37 marka Exp $ */
+/* $Id: dig.c,v 1.237 2010-05-13 00:40:46 marka Exp $ */
/*! \file */
@@ -68,7 +68,8 @@ static char domainopt[DNS_NAME_MAXTEXT];
static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
- multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
+ multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
+ onesoa = ISC_FALSE;
/*% opcode text */
static const char * const opcodetext[] = {
@@ -138,6 +139,9 @@ print_usage(FILE *fp) {
" [ host [@local-server] {local-d-opt} [...]]\n", fp);
}
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
static void
usage(void) {
print_usage(stderr);
@@ -222,6 +226,7 @@ help(void) {
#endif
#endif
" +[no]multiline (Print records in an expanded format)\n"
+" +[no]onesoa (AXFR prints only one soa record)\n"
" global d-opts and servers (before host name) affect all queries.\n"
" local d-opts and servers (after host name) affect only that lookup.\n"
" -h (print help and exit)\n"
@@ -468,6 +473,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
}
+ if (onesoa && query->lookup->rdtype == dns_rdatatype_axfr)
+ flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA :
+ DNS_MESSAGETEXTFLAG_OMITSOA;
if (!query->lookup->comments)
flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
@@ -673,19 +681,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
}
}
-static isc_uint32_t
-parse_uint(char *arg, const char *desc, isc_uint32_t max) {
- isc_result_t result;
- isc_uint32_t tmp;
-
- result = isc_parse_uint32(&tmp, arg, 10);
- if (result == ISC_R_SUCCESS && tmp > max)
- result = ISC_R_RANGE;
- if (result != ISC_R_SUCCESS)
- fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
- return (tmp);
-}
-
/*%
* We're not using isc_commandline_parse() here since the command line
* syntax of dig is quite a bit different from that which can be described
@@ -697,8 +692,10 @@ static void
plus_option(char *option, isc_boolean_t is_batchfile,
dig_lookup_t *lookup)
{
+ isc_result_t result;
char option_store[256];
char *cmd, *value, *ptr;
+ isc_uint32_t num;
isc_boolean_t state = ISC_TRUE;
#ifdef DIG_SIGCHASE
size_t n;
@@ -746,6 +743,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->section_additional = state;
break;
case 'f': /* adflag */
+ case '\0': /* +ad is a synonym for +adflag */
FULLCHECK("adflag");
lookup->adflag = state;
break;
@@ -787,8 +785,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- lookup->udpsize = (isc_uint16_t) parse_uint(value,
- "buffer size", COMMSIZE);
+ result = parse_uint(&num, value, COMMSIZE,
+ "buffer size");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse buffer size");
+ lookup->udpsize = num;
break;
default:
goto invalid_option;
@@ -797,8 +798,15 @@ plus_option(char *option, isc_boolean_t is_batchfile,
case 'c':
switch (cmd[1]) {
case 'd':/* cdflag */
- FULLCHECK("cdflag");
- lookup->cdflag = state;
+ switch (cmd[2]) {
+ case 'f': /* cdflag */
+ case '\0': /* +cd is a synonym for +cdflag */
+ FULLCHECK("cdflag");
+ lookup->cdflag = state;
+ break;
+ default:
+ goto invalid_option;
+ }
break;
case 'l': /* cl */
FULLCHECK("cl");
@@ -853,7 +861,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
}
if (value == NULL)
goto need_value;
- lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
+ result = parse_uint(&num, value, 255, "edns");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse edns");
+ lookup->edns = num;
break;
case 'f': /* fail */
FULLCHECK("fail");
@@ -883,7 +894,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- ndots = parse_uint(value, "ndots", MAXNDOTS);
+ result = parse_uint(&num, value, MAXNDOTS, "ndots");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse ndots");
+ ndots = num;
break;
case 's':
switch (cmd[2]) {
@@ -918,6 +932,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto invalid_option;
}
break;
+ case 'o':
+ FULLCHECK("onesoa");
+ onesoa = state;
+ break;
case 'q':
switch (cmd[1]) {
case 'r': /* qr */
@@ -948,8 +966,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- lookup->retries = parse_uint(value, "retries",
- MAXTRIES - 1);
+ result = parse_uint(&lookup->retries, value,
+ MAXTRIES - 1, "retries");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse retries");
lookup->retries++;
break;
default:
@@ -1025,7 +1045,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- timeout = parse_uint(value, "timeout", MAXTIMEOUT);
+ result = parse_uint(&timeout, value, MAXTIMEOUT,
+ "timeout");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse timeout");
if (timeout == 0)
timeout = 1;
break;
@@ -1058,8 +1081,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- lookup->retries = parse_uint(value, "tries",
- MAXTRIES);
+ result = parse_uint(&lookup->retries, value,
+ MAXTRIES, "tries");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse tries");
if (lookup->retries == 0)
lookup->retries = 1;
break;
@@ -1125,6 +1150,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
struct in6_addr in6;
in_port_t srcport;
char *hash, *cmd;
+ isc_uint32_t num;
while (strpbrk(option, single_dash_opts) == &option[0]) {
/*
@@ -1140,6 +1166,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
have_ipv6 = ISC_FALSE;
} else {
fatal("can't find IPv4 networking");
+ /* NOTREACHED */
return (ISC_FALSE);
}
break;
@@ -1149,6 +1176,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
have_ipv4 = ISC_FALSE;
} else {
fatal("can't find IPv6 networking");
+ /* NOTREACHED */
return (ISC_FALSE);
}
break;
@@ -1199,9 +1227,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
case 'b':
hash = strchr(value, '#');
if (hash != NULL) {
- srcport = (in_port_t)
- parse_uint(hash + 1,
- "port number", MAXPORT);
+ result = parse_uint(&num, hash + 1, MAXPORT,
+ "port number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse port number");
+ srcport = num;
*hash = '\0';
} else
srcport = 0;
@@ -1245,7 +1275,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
keyfile[sizeof(keyfile)-1]=0;
return (value_from_next);
case 'p':
- port = (in_port_t) parse_uint(value, "port number", MAXPORT);
+ result = parse_uint(&num, value, MAXPORT, "port number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse port number");
+ port = num;
return (value_from_next);
case 'q':
if (!config_only) {
@@ -1288,11 +1321,14 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
"extra type option\n");
}
if (rdtype == dns_rdatatype_ixfr) {
+ isc_uint32_t serial;
(*lookup)->rdtype = dns_rdatatype_ixfr;
(*lookup)->rdtypeset = ISC_TRUE;
- (*lookup)->ixfr_serial =
- parse_uint(&value[5], "serial number",
- MAXSERIAL);
+ result = parse_uint(&serial, &value[5],
+ MAXSERIAL, "serial number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse serial number");
+ (*lookup)->ixfr_serial = serial;
(*lookup)->section_question = plusquest;
(*lookup)->comments = pluscomm;
(*lookup)->tcp_mode = ISC_TRUE;
@@ -1320,65 +1356,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
usage();
ptr3 = next_token(&value,":"); /* secret or NULL */
if (ptr3 != NULL) {
- if (strcasecmp(ptr, "hmac-md5") == 0) {
- hmacname = DNS_TSIG_HMACMD5_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
- hmacname = DNS_TSIG_HMACMD5_NAME;
- digestbits = parse_uint(&ptr[9],
- "digest-bits [0..128]",
- 128);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha1") == 0) {
- hmacname = DNS_TSIG_HMACSHA1_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
- hmacname = DNS_TSIG_HMACSHA1_NAME;
- digestbits = parse_uint(&ptr[10],
- "digest-bits [0..160]",
- 160);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha224") == 0) {
- hmacname = DNS_TSIG_HMACSHA224_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA224_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..224]",
- 224);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha256") == 0) {
- hmacname = DNS_TSIG_HMACSHA256_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA256_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..256]",
- 256);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha384") == 0) {
- hmacname = DNS_TSIG_HMACSHA384_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA384_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..384]",
- 384);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha512") == 0) {
- hmacname = DNS_TSIG_HMACSHA512_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA512_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..512]",
- 512);
- digestbits = (digestbits + 7) & ~0x7U;
- } else {
- fprintf(stderr, ";; Warning, ignoring "
- "invalid TSIG algorithm %s\n", ptr);
- return (value_from_next);
- }
+ parse_hmac(ptr);
ptr = ptr2;
ptr2 = ptr3;
} else {
@@ -1422,6 +1400,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
fprintf(stderr, "Invalid option: -%s\n", option);
usage();
}
+ /* NOTREACHED */
return (ISC_FALSE);
}
@@ -1626,13 +1605,18 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
"extra type option\n");
}
if (rdtype == dns_rdatatype_ixfr) {
+ isc_uint32_t serial;
lookup->rdtype =
dns_rdatatype_ixfr;
lookup->rdtypeset = ISC_TRUE;
- lookup->ixfr_serial =
- parse_uint(&rv[0][5],
- "serial number",
- MAXSERIAL);
+ result = parse_uint(&serial,
+ &rv[0][5],
+ MAXSERIAL,
+ "serial number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse "
+ "serial number");
+ lookup->ixfr_serial = serial;
lookup->section_question =
plusquest;
lookup->comments = pluscomm;
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index d8e358644c9c..19e2ca2afbf3 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.docbook,v 1.42.44.3 2009-02-02 04:42:48 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.47 2010-03-04 23:50:34 tbox Exp $ -->
<refentry id="man.dig">
<refentryinfo>
@@ -44,6 +44,7 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -766,6 +767,17 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>+[no]onesoa</option></term>
+ <listitem>
+ <para>
+ Print only one (starting) SOA record when performing
+ an AXFR. The default is to print both the starting and
+ ending SOA records.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>+[no]fail</option></term>
<listitem>
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 17fd5bb3bc75..c9ce8f0e254c 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.html,v 1.45.44.3 2009-07-11 01:55:20 tbox Exp $ -->
+<!-- $Id: dig.html,v 1.49 2010-03-05 01:14:15 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543518"></a><h2>DESCRIPTION</h2>
+<a name="id2543522"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -80,7 +80,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543592"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543595"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -126,7 +126,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543683"></a><h2>OPTIONS</h2>
+<a name="id2543686"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -230,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544032"></a><h2>QUERY OPTIONS</h2>
+<a name="id2544035"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -499,6 +499,12 @@
each record on a single line, to facilitate machine parsing
of the <span><strong class="command">dig</strong></span> output.
</p></dd>
+<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
+<dd><p>
+ Print only one (starting) SOA record when performing
+ an AXFR. The default is to print both the starting and
+ ending SOA records.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd><p>
Do not try the next server if you receive a SERVFAIL. The
@@ -555,7 +561,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545166"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545184"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -601,7 +607,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545228"></a><h2>IDN SUPPORT</h2>
+<a name="id2545245"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -615,14 +621,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545251"></a><h2>FILES</h2>
+<a name="id2545336"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545336"></a><h2>SEE ALSO</h2>
+<a name="id2545353"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -630,7 +636,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545373"></a><h2>BUGS</h2>
+<a name="id2545390"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index df5a0c09f5fc..e92bc6edceec 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dighost.c,v 1.311.70.17 2010-12-09 01:12:54 marka Exp $ */
+/* $Id: dighost.c,v 1.336 2010-12-09 00:54:33 marka Exp $ */
/*! \file
* \note
@@ -53,6 +53,7 @@
#include <ctype.h>
#endif
#include <dns/fixedname.h>
+#include <dns/log.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/rdata.h>
@@ -71,10 +72,12 @@
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/lang.h>
+#include <isc/log.h>
#include <isc/netaddr.h>
#ifdef DIG_SIGCHASE
#include <isc/netdb.h>
#endif
+#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/result.h>
@@ -84,6 +87,8 @@
#include <isc/types.h>
#include <isc/util.h>
+#include <isccfg/namedconf.h>
+
#include <lwres/lwres.h>
#include <lwres/net.h>
@@ -121,6 +126,7 @@ in_port_t port = 53;
unsigned int timeout = 0;
unsigned int extrabytes;
isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
isc_taskmgr_t *taskmgr = NULL;
isc_task_t *global_task = NULL;
isc_timermgr_t *timermgr = NULL;
@@ -393,7 +399,7 @@ count_dots(char *string) {
static void
hex_dump(isc_buffer_t *b) {
- unsigned int len;
+ unsigned int len, i;
isc_region_t r;
isc_buffer_usedregion(b, &r);
@@ -401,11 +407,29 @@ hex_dump(isc_buffer_t *b) {
printf("%d bytes\n", r.length);
for (len = 0; len < r.length; len++) {
printf("%02x ", r.base[len]);
- if (len % 16 == 15)
+ if (len % 16 == 15) {
+ fputs(" ", stdout);
+ for (i = len - 15; i <= len; i++) {
+ if (r.base[i] >= '!' && r.base[i] <= '}')
+ putchar(r.base[i]);
+ else
+ putchar('.');
+ }
printf("\n");
+ }
}
- if (len % 16 != 0)
+ if (len % 16 != 0) {
+ for (i = len; (i % 16) != 0; i++)
+ fputs(" ", stdout);
+ fputs(" ", stdout);
+ for (i = ((len>>4)<<4); i < len; i++) {
+ if (r.base[i] >= '!' && r.base[i] <= '}')
+ putchar(r.base[i]);
+ else
+ putchar('.');
+ }
printf("\n");
+ }
}
/*%
@@ -903,9 +927,7 @@ setup_text_key(void) {
secretsize = isc_buffer_usedlength(&secretbuf);
- result = dns_name_fromtext(&keyname, namebuf,
- dns_rootname, ISC_FALSE,
- namebuf);
+ result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
if (result != ISC_R_SUCCESS)
goto failure;
@@ -924,14 +946,164 @@ setup_text_key(void) {
isc_buffer_free(&namebuf);
}
+isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+ const char *desc) {
+ isc_uint32_t n;
+ isc_result_t result = isc_parse_uint32(&n, value, 10);
+ if (result == ISC_R_SUCCESS && n > max)
+ result = ISC_R_RANGE;
+ if (result != ISC_R_SUCCESS) {
+ printf("invalid %s '%s': %s\n", desc,
+ value, isc_result_totext(result));
+ return (result);
+ }
+ *uip = n;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_uint32_t
+parse_bits(char *arg, const char *desc, isc_uint32_t max) {
+ isc_result_t result;
+ isc_uint32_t tmp;
+
+ result = parse_uint(&tmp, arg, max, desc);
+ if (result != ISC_R_SUCCESS)
+ fatal("couldn't parse digest bits");
+ tmp = (tmp + 7) & ~0x7U;
+ return (tmp);
+}
+
+
+/*
+ * Parse HMAC algorithm specification
+ */
+void
+parse_hmac(const char *hmac) {
+ char buf[20];
+ int len;
+
+ REQUIRE(hmac != NULL);
+
+ len = strlen(hmac);
+ if (len >= (int) sizeof(buf))
+ fatal("unknown key type '%.*s'", len, hmac);
+ strncpy(buf, hmac, sizeof(buf));
+
+ digestbits = 0;
+
+ if (strcasecmp(buf, "hmac-md5") == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
+ } else if (strcasecmp(buf, "hmac-sha1") == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
+ } else if (strcasecmp(buf, "hmac-sha224") == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
+ } else if (strcasecmp(buf, "hmac-sha256") == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
+ } else if (strcasecmp(buf, "hmac-sha384") == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
+ } else if (strcasecmp(buf, "hmac-sha512") == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
+ } else {
+ fprintf(stderr, ";; Warning, ignoring "
+ "invalid TSIG algorithm %s\n", buf);
+ }
+}
+
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_confkey(void) {
+ isc_log_t *lctx = NULL;
+ cfg_parser_t *pctx = NULL;
+ cfg_obj_t *file = NULL;
+ const cfg_obj_t *key = NULL;
+ const cfg_obj_t *secretobj = NULL;
+ const cfg_obj_t *algorithmobj = NULL;
+ const char *keyname;
+ const char *secretstr;
+ const char *algorithm;
+ isc_result_t result;
+
+ if (! isc_file_exists(keyfile))
+ return (ISC_R_FILENOTFOUND);
+
+ result = cfg_parser_create(mctx, lctx, &pctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
+ &file);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_map_get(file, "key", &key);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ (void) cfg_map_get(key, "secret", &secretobj);
+ (void) cfg_map_get(key, "algorithm", &algorithmobj);
+ if (secretobj == NULL || algorithmobj == NULL)
+ fatal("key must have algorithm and secret");
+
+ keyname = cfg_obj_asstring(cfg_map_getname(key));
+ secretstr = cfg_obj_asstring(secretobj);
+ algorithm = cfg_obj_asstring(algorithmobj);
+
+ strncpy(keynametext, keyname, sizeof(keynametext));
+ strncpy(keysecret, secretstr, sizeof(keysecret));
+ parse_hmac(algorithm);
+ setup_text_key();
+
+ cleanup:
+ if (pctx != NULL) {
+ if (file != NULL)
+ cfg_obj_destroy(pctx, &file);
+ cfg_parser_destroy(&pctx);
+ }
+
+ return (result);
+}
+
static void
setup_file_key(void) {
isc_result_t result;
dst_key_t *dstkey = NULL;
debug("setup_file_key()");
- result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
- mctx, &dstkey);
+
+ /* Try reading the key from a K* pair */
+ result = dst_key_fromnamedfile(keyfile, NULL,
+ DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
+ &dstkey);
+
+ /* If that didn't work, try reading it as a session.key keyfile */
+ if (result != ISC_R_SUCCESS) {
+ result = read_confkey();
+ if (result == ISC_R_SUCCESS)
+ return;
+ }
+
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Couldn't read key from %s: %s\n",
keyfile, isc_result_totext(result));
@@ -1119,6 +1291,7 @@ set_search_domain(char *domain) {
void
setup_libs(void) {
isc_result_t result;
+ isc_logconfig_t *logconfig = NULL;
debug("setup_libs()");
@@ -1135,6 +1308,18 @@ setup_libs(void) {
result = isc_mem_create(0, 0, &mctx);
check_result(result, "isc_mem_create");
+ result = isc_log_create(mctx, &lctx, &logconfig);
+ check_result(result, "isc_log_create");
+
+ isc_log_setcontext(lctx);
+ dns_log_init(lctx);
+ dns_log_setcontext(lctx);
+
+ result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+ check_result(result, "isc_log_usechannel");
+
+ isc_log_setdebuglevel(lctx, 0);
+
result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
check_result(result, "isc_taskmgr_create");
@@ -1871,7 +2056,7 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, lookup->origin->origin, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
- ISC_FALSE, &lookup->onamebuf);
+ 0, &lookup->onamebuf);
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(lookup->sendmsg,
&lookup->name);
@@ -1888,7 +2073,7 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, lookup->textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
- lookup->oname, ISC_FALSE,
+ lookup->oname, 0,
&lookup->namebuf);
}
if (result != ISC_R_SUCCESS) {
@@ -1912,16 +2097,14 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, idn_textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
- dns_rootname,
- ISC_FALSE,
+ dns_rootname, 0,
&lookup->namebuf);
#else
len = strlen(lookup->textname);
isc_buffer_init(&b, lookup->textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
- dns_rootname,
- ISC_FALSE,
+ dns_rootname, 0,
&lookup->namebuf);
#endif
}
@@ -3549,9 +3732,11 @@ destroy_libs(void) {
free_name(&chase_signame, mctx);
#endif
- debug("Destroy memory");
-
#endif
+ debug("Removing log context");
+ isc_log_destroy(&lctx);
+
+ debug("Destroy memory");
if (memdebugging != 0)
isc_mem_stats(mctx, stderr);
if (mctx != NULL)
@@ -4041,7 +4226,7 @@ get_trusted_key(isc_mem_t *mctx)
return (ISC_R_FAILURE);
}
fclose(fptemp);
- result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
+ result = dst_key_fromnamedfile(filetemp, NULL, DST_TYPE_PUBLIC,
mctx, &key);
removetmpkey(mctx, filetemp);
isc_mem_free(mctx, filetemp);
@@ -4075,7 +4260,7 @@ nameFromString(const char *str, dns_name_t *p_ret) {
dns_fixedname_init(&fixedname);
result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
- dns_rootname, ISC_TRUE, NULL);
+ dns_rootname, DNS_NAME_DOWNCASE, NULL);
check_result(result, "nameFromString");
if (dns_name_dynamic(p_ret))
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 1573effc8f2a..464d517a0b3d 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: host.1,v 1.29.114.2 2009-07-11 01:55:20 tbox Exp $
+.\" $Id: host.1,v 1.31 2009-07-11 01:12:45 tbox Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dig/host.c b/bin/dig/host.c
index ab0be99cd4bd..13569f63ac98 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: host.c,v 1.116.216.5 2010-10-19 23:45:58 tbox Exp $ */
+/* $Id: host.c,v 1.124 2010-11-16 05:38:30 marka Exp $ */
/*! \file */
@@ -141,6 +141,9 @@ rcode_totext(dns_rcode_t rcode)
return totext.deconsttext;
}
+ISC_PLATFORM_NORETURN_PRE static void
+show_usage(void) ISC_PLATFORM_NORETURN_POST;
+
static void
show_usage(void) {
fputs(
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 41175aaffb2c..9ffd8e6ffb11 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.docbook,v 1.18.114.2 2009-01-22 23:47:05 tbox Exp $ -->
+<!-- $Id: host.docbook,v 1.20 2009-01-20 23:47:56 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>
diff --git a/bin/dig/host.html b/bin/dig/host.html
index de4b5797de99..531fc1d78968 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.html,v 1.28.114.2 2009-07-11 01:55:20 tbox Exp $ -->
+<!-- $Id: host.html,v 1.30 2009-07-11 01:12:45 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 3d696c70bb8f..c0f778b5f142 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.h,v 1.107.120.2 2009-01-06 23:47:26 tbox Exp $ */
+/* $Id: dig.h,v 1.111 2009-09-29 15:06:06 fdupont Exp $ */
#ifndef DIG_H
#define DIG_H
@@ -292,8 +292,9 @@ isc_result_t
get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
isc_boolean_t strict);
-void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
void
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@@ -325,6 +326,13 @@ setup_libs(void);
void
setup_system(void);
+isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+ const char *desc);
+
+void
+parse_hmac(const char *hmacstr);
+
dig_lookup_t *
requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
index a8331f9b4c64..e97ee1f9ba39 100644
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nslookup.1,v 1.14.354.2 2010-02-23 01:56:02 tbox Exp $
+.\" $Id: nslookup.1,v 1.16 2010-02-23 01:14:31 tbox Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 8a166fd05535..0d368b15c800 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nslookup.c,v 1.117.334.5 2009-10-20 01:11:22 marka Exp $ */
+/* $Id: nslookup.c,v 1.127 2010-11-17 23:47:08 tbox Exp $ */
#include <config.h>
@@ -541,22 +541,6 @@ safecpy(char *dest, char *src, int size) {
dest[size-1] = 0;
}
-static isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
- const char *desc) {
- isc_uint32_t n;
- isc_result_t result = isc_parse_uint32(&n, value, 10);
- if (result == ISC_R_SUCCESS && n > max)
- result = ISC_R_RANGE;
- if (result != ISC_R_SUCCESS) {
- printf("invalid %s '%s': %s\n", desc,
- value, isc_result_totext(result));
- return result;
- }
- *uip = n;
- return (ISC_R_SUCCESS);
-}
-
static void
set_port(const char *value) {
isc_uint32_t n;
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index fb6e70652c50..9c4789d4cb18 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.docbook,v 1.16.334.2 2010-02-22 23:47:53 tbox Exp $ -->
+<!-- $Id: nslookup.docbook,v 1.18 2010-02-22 23:49:11 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index bff35282a79e..bae63bd0fd3d 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.html,v 1.21.354.2 2010-02-23 01:56:02 tbox Exp $ -->
+<!-- $Id: nslookup.html,v 1.23 2010-02-23 01:14:31 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 50429be61337..0f5e4e842c20 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.35 2008-11-07 02:28:49 marka Exp $
+# $Id: Makefile.in,v 1.42 2009-12-05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -25,11 +25,12 @@ top_srcdir = @top_srcdir@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
-CDEFINES = -DVERSION=\"${VERSION}\"
+CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
@@ -38,44 +39,56 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@
+ dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+ dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
- dnssec-signzone.c dnssectool.c
+ dnssec-revoke.c dnssec-settime.c dnssec-signzone.c dnssectool.c
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
- dnssec-signzone.8
+ dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
- dnssec-keygen.html dnssec-signzone.html
+ dnssec-keygen.html dnssec-revoke.html \
+ dnssec-settime.html dnssec-signzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
+ export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
+ export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-keygen.@O@ ${OBJS} ${LIBS}
+ export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-revoke.@O@ ${OBJS} ${LIBS}
+
+dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-signzone.@O@ ${OBJS} ${LIBS}
+ dnssec-settime.@O@ ${OBJS} ${LIBS}
doc man:: ${MANOBJS}
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
index c49ccdc82377..25aa2bf831fc 100644
--- a/bin/dnssec/dnssec-dsfromkey.8
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -12,18 +12,18 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-dsfromkey.8,v 1.5.14.1 2010-05-19 02:06:11 tbox Exp $
+.\" $Id: dnssec-dsfromkey.8,v 1.13 2010-12-24 01:14:20 tbox Exp $
.\"
.hy 0
.ad l
.\" Title: dnssec\-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: November 29, 2008
+.\" Date: August 26, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
-.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -32,9 +32,9 @@
dnssec\-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] {keyfile}
.HP 17
-\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.SH "DESCRIPTION"
.PP
\fBdnssec\-dsfromkey\fR
@@ -55,31 +55,49 @@ Use SHA\-256 as the digest algorithm.
.RS 4
Select the digest algorithm. The value of
\fBalgorithm\fR
-must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive.
.RE
.PP
-\-v \fIlevel\fR
+\-K \fIdirectory\fR
.RS 4
-Sets the debugging level.
+Look for key files (or, in keyset mode,
+\fIkeyset\-\fR
+files) in
+\fBdirectory\fR.
+.RE
+.PP
+\-f \fIfile\fR
+.RS 4
+Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
+\fBfile\fR. If the zone name is the same as
+\fBfile\fR, then it may be omitted.
+.RE
+.PP
+\-A
+.RS 4
+Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
+.RE
+.PP
+\-l \fIdomain\fR
+.RS 4
+Generate a DLV set instead of a DS set. The specified
+\fBdomain\fR
+is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
.RE
.PP
\-s
.RS 4
-Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
.RE
.PP
\-c \fIclass\fR
.RS 4
-Specifies the DNS class (default is IN), useful only in the keyset mode.
+Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
.RE
.PP
-\-d \fIdirectory\fR
+\-v \fIlevel\fR
.RS 4
-Look for
-\fIkeyset\fR
-files in
-\fBdirectory\fR
-as the directory, ignored when not in the keyset mode.
+Sets the debugging level.
.RE
.SH "EXAMPLE"
.PP
@@ -115,10 +133,11 @@ A keyfile error can give a "file not found" even if the file exists.
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658,
+RFC 4431.
RFC 4509.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 934d25bd35ab..b7f84a041110 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-dsfromkey.c,v 1.2.14.6 2010-01-11 23:47:22 tbox Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.19 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
@@ -36,6 +36,8 @@
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/log.h>
+#include <dns/keyvalues.h>
+#include <dns/master.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
@@ -48,54 +50,40 @@
#include "dnssectool.h"
+#ifndef PATH_MAX
+#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
+#endif
+
const char *program = "dnssec-dsfromkey";
int verbose;
static dns_rdataclass_t rdclass;
-static dns_fixedname_t fixed;
-static dns_name_t *name = NULL;
-static dns_db_t *db = NULL;
-static dns_dbnode_t *node = NULL;
-static dns_rdataset_t keyset;
-static isc_mem_t *mctx = NULL;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static isc_mem_t *mctx = NULL;
-static void
-loadkeys(char *dirname, char *setname)
-{
- isc_result_t result;
- char filename[1024];
- isc_buffer_t buf;
+static isc_result_t
+initname(char *setname) {
+ isc_result_t result;
+ isc_buffer_t buf;
- dns_rdataset_init(&keyset);
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
isc_buffer_init(&buf, setname, strlen(setname));
isc_buffer_add(&buf, strlen(setname));
- result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- fatal("can't convert DNS name %s", setname);
+ result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+ return (result);
+}
- isc_buffer_init(&buf, filename, sizeof(filename));
- if (dirname != NULL) {
- if (isc_buffer_availablelength(&buf) < strlen(dirname))
- fatal("directory name '%s' too long", dirname);
- isc_buffer_putstr(&buf, dirname);
- if (dirname[strlen(dirname) - 1] != '/') {
- if (isc_buffer_availablelength(&buf) < 1)
- fatal("directory name '%s' too long", dirname);
- isc_buffer_putstr(&buf, "/");
- }
- }
+static isc_result_t
+loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+ char setname[DNS_NAME_FORMATSIZE];
- if (isc_buffer_availablelength(&buf) < strlen("keyset-"))
- fatal("directory name '%s' too long", dirname);
- isc_buffer_putstr(&buf, "keyset-");
- result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
- check_result(result, "dns_name_tofilenametext()");
- if (isc_buffer_availablelength(&buf) == 0)
- fatal("name %s too long", setname);
- isc_buffer_putuint8(&buf, 0);
+ dns_name_format(name, setname, sizeof(setname));
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
rdclass, 0, NULL, &db);
@@ -111,11 +99,49 @@ loadkeys(char *dirname, char *setname)
fatal("can't find %s node in %s", setname, filename);
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
- 0, 0, &keyset, NULL);
+ 0, 0, rdataset, NULL);
+
if (result == ISC_R_NOTFOUND)
fatal("no DNSKEY RR for %s in %s", setname, filename);
else if (result != ISC_R_SUCCESS)
fatal("dns_db_findrdataset");
+
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ return (result);
+}
+
+static isc_result_t
+loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ char filename[PATH_MAX + 1];
+ isc_buffer_t buf;
+
+ dns_rdataset_init(rdataset);
+
+ isc_buffer_init(&buf, filename, sizeof(filename));
+ if (dirname != NULL) {
+ /* allow room for a trailing slash */
+ if (strlen(dirname) >= isc_buffer_availablelength(&buf))
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(&buf, dirname);
+ if (dirname[strlen(dirname) - 1] != '/')
+ isc_buffer_putstr(&buf, "/");
+ }
+
+ if (isc_buffer_availablelength(&buf) < 7)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(&buf, "keyset-");
+
+ result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
+ check_result(result, "dns_name_tofilenametext()");
+ if (isc_buffer_availablelength(&buf) == 0)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint8(&buf, 0);
+
+ return (loadsetfromfile(filename, rdataset));
}
static void
@@ -127,20 +153,20 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
isc_buffer_t keyb;
isc_region_t r;
- dns_rdataset_init(&keyset);
dns_rdata_init(rdata);
isc_buffer_init(&keyb, key_buf, key_buf_size);
- result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
+ result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
+ mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("invalid keyfile name %s: %s",
filename, isc_result_totext(result));
if (verbose > 2) {
- char keystr[KEY_FORMATSIZE];
+ char keystr[DST_KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
+ dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
}
@@ -169,7 +195,7 @@ logkey(dns_rdata_t *rdata)
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t buf;
- char keystr[KEY_FORMATSIZE];
+ char keystr[DST_KEY_FORMATSIZE];
isc_buffer_init(&buf, rdata->data, rdata->length);
isc_buffer_add(&buf, rdata->length);
@@ -177,89 +203,132 @@ logkey(dns_rdata_t *rdata)
if (result != ISC_R_SUCCESS)
return;
- key_format(key, keystr, sizeof(keystr));
+ dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
dst_key_free(&key);
}
static void
-emitds(unsigned int dtype, dns_rdata_t *rdata)
+emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
+ dns_rdata_t *rdata)
{
- isc_result_t result;
- unsigned char buf[DNS_DS_BUFFERSIZE];
- char text_buf[DST_KEY_MAXTEXTSIZE];
- char class_buf[10];
- isc_buffer_t textb, classb;
- isc_region_t r;
- dns_rdata_t ds;
+ isc_result_t result;
+ unsigned char buf[DNS_DS_BUFFERSIZE];
+ char text_buf[DST_KEY_MAXTEXTSIZE];
+ char name_buf[DNS_NAME_MAXWIRE];
+ char class_buf[10];
+ isc_buffer_t textb, nameb, classb;
+ isc_region_t r;
+ dns_rdata_t ds;
+ dns_rdata_dnskey_t dnskey;
isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+ isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
isc_buffer_init(&classb, class_buf, sizeof(class_buf));
dns_rdata_init(&ds);
+ result = dns_rdata_tostruct(rdata, &dnskey, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't convert DNSKEY");
+
+ if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
+ return;
+
result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
if (result != ISC_R_SUCCESS)
- fatal("can't build DS");
+ fatal("can't build record");
+
+ result = dns_name_totext(name, ISC_FALSE, &nameb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print name");
+
+ /* Add lookaside origin, if set */
+ if (lookaside != NULL) {
+ if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
+ fatal("DLV origin '%s' is too long", lookaside);
+ isc_buffer_putstr(&nameb, lookaside);
+ if (lookaside[strlen(lookaside) - 1] != '.') {
+ if (isc_buffer_availablelength(&nameb) < 1)
+ fatal("DLV origin '%s' is too long", lookaside);
+ isc_buffer_putstr(&nameb, ".");
+ }
+ }
result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
if (result != ISC_R_SUCCESS)
- fatal("can't print DS rdata");
+ fatal("can't print rdata");
result = dns_rdataclass_totext(rdclass, &classb);
if (result != ISC_R_SUCCESS)
- fatal("can't print DS class");
+ fatal("can't print class");
- result = dns_name_print(name, stdout);
- if (result != ISC_R_SUCCESS)
- fatal("can't print DS name");
+ isc_buffer_usedregion(&nameb, &r);
+ isc_util_fwrite(r.base, 1, r.length, stdout);
putchar(' ');
isc_buffer_usedregion(&classb, &r);
isc_util_fwrite(r.base, 1, r.length, stdout);
- printf(" DS ");
+ if (lookaside == NULL)
+ printf(" DS ");
+ else
+ printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
isc_util_fwrite(r.base, 1, r.length, stdout);
putchar('\n');
}
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s options keyfile\n\n", program);
- fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n",
+ fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
+ fprintf(stderr, " %s options [-K dir] [-c class] -s dnsname\n\n",
program);
+ fprintf(stderr, " %s options -f zonefile (as zone name)\n\n", program);
+ fprintf(stderr, " %s options -f zonefile zonename\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -K <directory>: directory in which to find "
+ "key file or keyset file\n");
+ fprintf(stderr, " -a algorithm: digest algorithm "
+ "(SHA-1, SHA-256 or GOST)\n");
fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n");
- fprintf(stderr, " -a algorithm: use algorithm\n");
- fprintf(stderr, "Keyset options:\n");
- fprintf(stderr, " -s: keyset mode\n");
- fprintf(stderr, " -c class\n");
- fprintf(stderr, " -d directory\n");
- fprintf(stderr, "Output: DS RRs\n");
+ fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
+ fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
+ fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
+ fprintf(stderr, " -f file: read keyset from zone file\n");
+ fprintf(stderr, " -A: when used with -f, "
+ "include all keys in DS set, not just KSKs\n");
+ fprintf(stderr, "Output: DS or DLV RRs\n");
exit (-1);
}
int
main(int argc, char **argv) {
- char *algname = NULL, *classname = NULL, *dirname = NULL;
- char *endp;
- int ch;
- unsigned int dtype = DNS_DSDIGEST_SHA1;
- isc_boolean_t both = ISC_TRUE;
- isc_boolean_t usekeyset = ISC_FALSE;
- isc_result_t result;
- isc_log_t *log = NULL;
- isc_entropy_t *ectx = NULL;
- dns_rdata_t rdata;
+ char *algname = NULL, *classname = NULL;
+ char *filename = NULL, *dir = NULL, *namestr;
+ char *lookaside = NULL;
+ char *endp;
+ int ch;
+ unsigned int dtype = DNS_DSDIGEST_SHA1;
+ isc_boolean_t both = ISC_TRUE;
+ isc_boolean_t usekeyset = ISC_FALSE;
+ isc_boolean_t showall = ISC_FALSE;
+ isc_result_t result;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata;
dns_rdata_init(&rdata);
@@ -275,7 +344,7 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
- "12a:c:d:sv:h")) != -1) {
+ "12Aa:c:d:Ff:K:l:sv:h")) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
@@ -285,6 +354,9 @@ main(int argc, char **argv) {
dtype = DNS_DSDIGEST_SHA256;
both = ISC_FALSE;
break;
+ case 'A':
+ showall = ISC_TRUE;
+ break;
case 'a':
algname = isc_commandline_argument;
both = ISC_FALSE;
@@ -293,7 +365,21 @@ main(int argc, char **argv) {
classname = isc_commandline_argument;
break;
case 'd':
- dirname = isc_commandline_argument;
+ fprintf(stderr, "%s: the -d option is deprecated; "
+ "use -K\n", program);
+ /* fall through */
+ case 'K':
+ dir = isc_commandline_argument;
+ if (strlen(dir) == 0U)
+ fatal("directory must be non-empty string");
+ break;
+ case 'f':
+ filename = isc_commandline_argument;
+ break;
+ case 'l':
+ lookaside = isc_commandline_argument;
+ if (strlen(lookaside) == 0U)
+ fatal("lookaside must be a non-empty string");
break;
case 's':
usekeyset = ISC_TRUE;
@@ -303,11 +389,14 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
+ case 'F':
+ /* Reserved for FIPS mode */
+ /* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
- /* Falls into */
+ /* FALLTHROUGH */
case 'h':
usage();
@@ -325,13 +414,24 @@ main(int argc, char **argv) {
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
+#ifdef HAVE_OPENSSL_GOST
+ else if (strcasecmp(algname, "GOST") == 0)
+ dtype = DNS_DSDIGEST_GOST;
+#endif
else
fatal("unknown algorithm %s", algname);
}
rdclass = strtoclass(classname);
- if (argc < isc_commandline_index + 1)
+ if (usekeyset && filename != NULL)
+ fatal("cannot use both -s and -f");
+
+ /* When not using -f, -A is implicit */
+ if (filename == NULL)
+ showall = ISC_TRUE;
+
+ if (argc < isc_commandline_index + 1 && filename == NULL)
fatal("the key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
@@ -344,28 +444,50 @@ main(int argc, char **argv) {
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
setup_logging(verbose, mctx, &log);
- if (usekeyset) {
- loadkeys(dirname, argv[isc_commandline_index]);
+ dns_rdataset_init(&rdataset);
+
+ if (usekeyset || filename != NULL) {
+ if (argc < isc_commandline_index + 1 && filename != NULL) {
+ /* using zone name as the zone file name */
+ namestr = filename;
+ } else
+ namestr = argv[isc_commandline_index];
- for (result = dns_rdataset_first(&keyset);
+ result = initname(namestr);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize name %s", namestr);
+
+ if (usekeyset)
+ result = loadkeyset(dir, &rdataset);
+ else
+ result = loadsetfromfile(filename, &rdataset);
+
+ if (result != ISC_R_SUCCESS)
+ fatal("could not load DNSKEY set: %s\n",
+ isc_result_totext(result));
+
+ for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset)) {
+ result = dns_rdataset_next(&rdataset)) {
dns_rdata_init(&rdata);
- dns_rdataset_current(&keyset, &rdata);
+ dns_rdataset_current(&rdataset, &rdata);
if (verbose > 2)
logkey(&rdata);
if (both) {
- emitds(DNS_DSDIGEST_SHA1, &rdata);
- emitds(DNS_DSDIGEST_SHA256, &rdata);
+ emit(DNS_DSDIGEST_SHA1, showall, lookaside,
+ &rdata);
+ emit(DNS_DSDIGEST_SHA256, showall, lookaside,
+ &rdata);
} else
- emitds(dtype, &rdata);
+ emit(dtype, showall, lookaside, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
@@ -374,18 +496,14 @@ main(int argc, char **argv) {
DST_KEY_MAXSIZE, &rdata);
if (both) {
- emitds(DNS_DSDIGEST_SHA1, &rdata);
- emitds(DNS_DSDIGEST_SHA256, &rdata);
+ emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
+ emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
} else
- emitds(dtype, &rdata);
+ emit(dtype, showall, lookaside, &rdata);
}
- if (dns_rdataset_isassociated(&keyset))
- dns_rdataset_disassociate(&keyset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
index c4ea38d68d94..36410d5f35c1 100644
--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,10 +17,10 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008-11-07 13:54:11 jreed Exp $ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.12 2010-12-23 23:47:08 tbox Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
- <date>November 29, 2008</date>
+ <date>August 26, 2009</date>
</refentryinfo>
<refmeta>
@@ -37,6 +37,8 @@
<docinfo>
<copyright>
<year>2008</year>
+ <year>2009</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -48,17 +50,22 @@
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>dnssec-dsfromkey</command>
<arg choice="req">-s</arg>
- <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+ <arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
+ <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
+ <arg><option>-A</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">dnsname</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -99,17 +106,55 @@
<listitem>
<para>
Select the digest algorithm. The value of
- <option>algorithm</option> must be one of SHA-1 (SHA1) or
- SHA-256 (SHA256). These values are case insensitive.
+ <option>algorithm</option> must be one of SHA-1 (SHA1),
+ SHA-256 (SHA256) or GOST. These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-v <replaceable class="parameter">level</replaceable></term>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- Sets the debugging level.
+ Look for key files (or, in keyset mode,
+ <filename>keyset-</filename> files) in
+ <option>directory</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">file</replaceable></term>
+ <listitem>
+ <para>
+ Zone file mode: in place of the keyfile name, the argument is
+ the DNS domain name of a zone master file, which can be read
+ from <option>file</option>. If the zone name is the same as
+ <option>file</option>, then it may be omitted.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A</term>
+ <listitem>
+ <para>
+ Include ZSK's when generating DS records. Without this option,
+ only keys which have the KSK flag set will be converted to DS
+ records and printed. Useful only in zone file mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">domain</replaceable></term>
+ <listitem>
+ <para>
+ Generate a DLV set instead of a DS set. The specified
+ <option>domain</option> is appended to the name for each
+ record in the set.
+ The DNSSEC Lookaside Validation (DLV) RR is described
+ in RFC 4431.
</para>
</listitem>
</varlistentry>
@@ -119,8 +164,7 @@
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file. Following options make sense
- only in this mode.
+ the DNS domain name of a keyset file.
</para>
</listitem>
</varlistentry>
@@ -129,23 +173,20 @@
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
- Specifies the DNS class (default is IN), useful only
- in the keyset mode.
+ Specifies the DNS class (default is IN). Useful only
+ in keyset or zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-d <replaceable class="parameter">directory</replaceable></term>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
- Look for <filename>keyset</filename> files in
- <option>directory</option> as the directory, ignored when
- not in the keyset mode.
+ Sets the debugging level.
</para>
</listitem>
</varlistentry>
-
</variablelist>
</refsect1>
@@ -197,6 +238,7 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,
+ <citetitle>RFC 4431</citetitle>.
<citetitle>RFC 4509</citetitle>.
</para>
</refsect1>
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index 618648118dd6..54cc1ab61ca2 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-dsfromkey.html,v 1.5.14.1 2010-05-19 02:06:11 tbox Exp $ -->
+<!-- $Id: dnssec-dsfromkey.html,v 1.13 2010-12-24 01:14:19 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -28,18 +28,18 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543424"></a><h2>DESCRIPTION</h2>
+<a name="id2543464"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543435"></a><h2>OPTIONS</h2>
+<a name="id2543476"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -53,34 +53,54 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
- <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
- SHA-256 (SHA256). These values are case insensitive.
+ <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
+ SHA-256 (SHA256) or GOST. These values are case insensitive.
</p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
- Sets the debugging level.
+ Look for key files (or, in keyset mode,
+ <code class="filename">keyset-</code> files) in
+ <code class="option">directory</code>.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
+<dd><p>
+ Zone file mode: in place of the keyfile name, the argument is
+ the DNS domain name of a zone master file, which can be read
+ from <code class="option">file</code>. If the zone name is the same as
+ <code class="option">file</code>, then it may be omitted.
+ </p></dd>
+<dt><span class="term">-A</span></dt>
+<dd><p>
+ Include ZSK's when generating DS records. Without this option,
+ only keys which have the KSK flag set will be converted to DS
+ records and printed. Useful only in zone file mode.
+ </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+ Generate a DLV set instead of a DS set. The specified
+ <code class="option">domain</code> is appended to the name for each
+ record in the set.
+ The DNSSEC Lookaside Validation (DLV) RR is described
+ in RFC 4431.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file. Following options make sense
- only in this mode.
+ the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
- Specifies the DNS class (default is IN), useful only
- in the keyset mode.
+ Specifies the DNS class (default is IN). Useful only
+ in keyset or zone file mode.
</p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
- Look for <code class="filename">keyset</code> files in
- <code class="option">directory</code> as the directory, ignored when
- not in the keyset mode.
+ Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543563"></a><h2>EXAMPLE</h2>
+<a name="id2543662"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -95,7 +115,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543593"></a><h2>FILES</h2>
+<a name="id2543692"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -109,22 +129,23 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543628"></a><h2>CAVEAT</h2>
+<a name="id2543728"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543638"></a><h2>SEE ALSO</h2>
+<a name="id2543737"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
+ <em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543674"></a><h2>AUTHOR</h2>
+<a name="id2543777"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 45fc0877b725..d8c19f2e527a 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.6.14.3 2010-01-16 01:55:32 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.18.14.1.2.1 2011-06-09 03:41:05 tbox Exp $
.\"
.hy 0
.ad l
@@ -32,18 +32,22 @@
dnssec\-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 20
-\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
+.PP
+The
+\fBname\fR
+of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or DH (Diffie Hellman). These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
@@ -56,9 +60,19 @@ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA
Note 2: DH automatically sets the \-k flag.
.RE
.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pkcs11".
+.RE
+.PP
\-l \fIlabel\fR
.RS 4
-Specifies the label of keys in the crypto hardware (PKCS#11 device).
+Specifies the label of the key pair in the crypto hardware. The label may be preceded by an optional OpenSSL engine name, separated by a colon, as in "pkcs11:keylabel".
.RE
.PP
\-n \fInametype\fR
@@ -68,6 +82,15 @@ Specifies the owner type of the key. The value of
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
.RE
.PP
+\-C
+.RS 4
+Compatibility mode: generates an old\-style key, without any metadata. By default,
+\fBdnssec\-keyfromlabel\fR
+will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
+\fB\-C\fR
+option suppresses them.
+.RE
+.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
@@ -75,13 +98,23 @@ Indicates that the DNS record containing the key should have the specified class
.PP
\-f \fIflag\fR
.RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
+.RE
+.PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
-\fBdnssec\-keygen\fR.
+\fBdnssec\-keyfromlabel\fR.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to be written.
.RE
.PP
\-k
@@ -91,7 +124,7 @@ Generate KEY records rather than DNSKEY records.
.PP
\-p \fIprotocol\fR
.RS 4
-Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
\-t \fItype\fR
@@ -105,6 +138,39 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
+.PP
+\-y
+.RS 4
+Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.)
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+.RE
.SH "GENERATED KEY FILES"
.PP
When
@@ -138,7 +204,7 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o
.PP
The
\fI.private\fR
-file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
+file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
@@ -149,5 +215,5 @@ RFC 4034.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 8e9a53bb798e..323f9187c64a 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,12 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.4.50.2 2010-01-15 23:47:31 tbox Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.32 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
#include <config.h>
+#include <ctype.h>
#include <stdlib.h>
#include <isc/buffer.h>
@@ -27,9 +28,11 @@
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/region.h>
+#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
@@ -47,35 +50,60 @@
const char *program = "dnssec-keyfromlabel";
int verbose;
+#define DEFAULT_ALGORITHM "RSASHA1"
+#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
+
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
- " RSASHA256 | RSASHA512";
+ " RSASHA256 | RSASHA512 | ECCGOST";
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s -a alg -l label [options] name\n\n",
+ fprintf(stderr, " %s -l label [options] name\n\n",
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Required options:\n");
- fprintf(stderr, " -a algorithm: %s\n", algs);
- fprintf(stderr, " -l label: label of the key\n");
+ fprintf(stderr, " -l label: label of the key pair\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
+ fprintf(stderr, " -a algorithm: %s\n", algs);
+ fprintf(stderr, " (default: RSASHA1, or "
+ "NSEC3RSASHA1 if using -3)\n");
+ fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
+ fprintf(stderr, " -c class (default: IN)\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E enginename (default: pkcs11)\n");
+#else
+ fprintf(stderr, " -E enginename\n");
+#endif
+ fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
+ fprintf(stderr, " -K directory: directory in which to place "
+ "key files\n");
+ fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
- fprintf(stderr, " -c <class> (default: IN)\n");
- fprintf(stderr, " -f keyflag: KSK\n");
- fprintf(stderr, " -t <type>: "
+ fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
+ fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
- fprintf(stderr, " -p <protocol>: "
- "default: 3 [dnssec]\n");
- fprintf(stderr, " -v <verbose level>\n");
- fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+ fprintf(stderr, " -y: permit keys that might collide\n");
+ fprintf(stderr, " -v verbose level\n");
+ fprintf(stderr, "Date options:\n");
+ fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
+ fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
+ fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
+ fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
+ fprintf(stderr, " -C: generate a backward-compatible key, omitting"
+ " all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
- "K<name>+<alg>+<id>.private\n");
+ "K<name>+<alg>+<id>.private\n");
exit (-1);
}
@@ -83,14 +111,20 @@ usage(void) {
int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
+ const char *directory = NULL;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
char *classname = NULL;
char *endp;
- dst_key_t *key = NULL, *oldkey;
+ dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
- isc_uint16_t flags = 0, ksk = 0;
+ isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
dns_secalg_t alg;
- isc_boolean_t null_key = ISC_FALSE;
+ isc_boolean_t oldstyle = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch;
int protocol = -1, signatory = 0;
@@ -103,6 +137,20 @@ main(int argc, char **argv) {
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL;
+ isc_stdtime_t publish = 0, activate = 0, revoke = 0;
+ isc_stdtime_t inactive = 0, delete = 0;
+ isc_stdtime_t now;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t genonly = ISC_FALSE;
+ isc_boolean_t use_nsec3 = ISC_FALSE;
+ isc_boolean_t avoid_collisions = ISC_TRUE;
+ isc_boolean_t exact;
+ unsigned char c;
if (argc == 1)
usage();
@@ -113,28 +161,49 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
+ isc_stdtime_get(&now);
+
while ((ch = isc_commandline_parse(argc, argv,
- "a:c:f:kl:n:p:t:v:h")) != -1)
+ "3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
{
switch (ch) {
+ case '3':
+ use_nsec3 = ISC_TRUE;
+ break;
case 'a':
algname = isc_commandline_argument;
break;
+ case 'C':
+ oldstyle = ISC_TRUE;
+ break;
case 'c':
classname = isc_commandline_argument;
break;
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'f':
- if (strcasecmp(isc_commandline_argument, "KSK") == 0)
- ksk = DNS_KEYFLAG_KSK;
+ c = (unsigned char)(isc_commandline_argument[0]);
+ if (toupper(c) == 'K')
+ kskflag = DNS_KEYFLAG_KSK;
+ else if (toupper(c) == 'R')
+ revflag = DNS_KEYFLAG_REVOKE;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
break;
+ case 'K':
+ directory = isc_commandline_argument;
+ ret = try_dir(directory);
+ if (ret != ISC_R_SUCCESS)
+ fatal("cannot open directory %s: %s",
+ directory, isc_result_totext(ret));
+ break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'l':
- label = isc_commandline_argument;
+ label = isc_mem_strdup(mctx, isc_commandline_argument);
break;
case 'n':
nametype = isc_commandline_argument;
@@ -153,11 +222,80 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
-
+ case 'y':
+ avoid_collisions = ISC_FALSE;
+ break;
+ case 'G':
+ genonly = ISC_TRUE;
+ break;
+ case 'P':
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setpub = ISC_TRUE;
+ publish = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetpub = ISC_TRUE;
+ }
+ break;
+ case 'A':
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setact = ISC_TRUE;
+ activate = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetact = ISC_TRUE;
+ }
+ break;
+ case 'R':
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setrev = ISC_TRUE;
+ revoke = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetrev = ISC_TRUE;
+ }
+ break;
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setinact = ISC_TRUE;
+ inactive = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetinact = ISC_TRUE;
+ }
+ break;
+ case 'D':
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setdel = ISC_TRUE;
+ delete = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetdel = ISC_TRUE;
+ }
+ break;
+ case 'F':
+ /* Reserved for FIPS mode */
+ /* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
+ /* FALLTHROUGH */
case 'h':
usage();
@@ -170,10 +308,11 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- ret = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ ret = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
@@ -184,8 +323,30 @@ main(int argc, char **argv) {
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
- if (algname == NULL)
- fatal("no algorithm was specified");
+ if (strchr(label, ':') == NULL &&
+ engine != NULL && strlen(engine) != 0U) {
+ char *l;
+ int len;
+
+ len = strlen(label) + strlen(engine) + 2;
+ l = isc_mem_allocate(mctx, len);
+ if (l == NULL)
+ fatal("cannot allocate memory");
+ snprintf(l, len, "%s:%s", engine, label);
+ isc_mem_free(mctx, label);
+ label = l;
+ }
+
+ if (algname == NULL) {
+ if (use_nsec3)
+ algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+ else
+ algname = strdup(DEFAULT_ALGORITHM);
+ if (verbose > 0)
+ fprintf(stderr, "no algorithm specified; "
+ "defaulting to %s\n", algname);
+ }
+
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
@@ -201,6 +362,14 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
+ if (use_nsec3 &&
+ alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+ alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
+ alg != DST_ALG_ECCGOST) {
+ fatal("%s is incompatible with NSEC3; "
+ "do not use the -3 option", algname);
+ }
+
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
@@ -234,10 +403,15 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
+ if (directory == NULL)
+ directory = ".";
+
if ((options & DST_TYPE_KEY) != 0) /* KEY */
flags |= signatory;
- else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
- flags |= ksk;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+ flags |= kskflag;
+ flags |= revflag;
+ }
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
@@ -260,53 +434,108 @@ main(int argc, char **argv) {
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
- ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
fatal("invalid key name %s: %s", argv[isc_commandline_index],
isc_result_totext(ret));
- if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
- null_key = ISC_TRUE;
-
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol,
- rdclass, "", label, NULL, mctx, &key);
+ rdclass, engine, label, NULL, mctx, &key);
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
- char algstr[ALG_FORMATSIZE];
+ char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
- alg_format(alg, algstr, sizeof(algstr));
- fatal("failed to generate key %s/%s: %s\n",
+ dns_secalg_format(alg, algstr, sizeof(algstr));
+ fatal("failed to get key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
+ /* NOTREACHED */
exit(-1);
}
/*
- * Try to read a key with the same name, alg and id from disk.
- * If there is one we must continue generating a new one
- * unless we were asked to generate a null key, in which
- * case we return failure.
+ * Set key timing metadata (unless using -C)
+ *
+ * Publish and activation dates are set to "now" by default, but
+ * can be overridden. Creation date is always set to "now".
*/
- ret = dst_key_fromfile(name, dst_key_id(key), alg,
- DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
- /* do not overwrite an existing key */
- if (ret == ISC_R_SUCCESS) {
+ if (!oldstyle) {
+ dst_key_settime(key, DST_TIME_CREATED, now);
+
+ if (genonly && (setpub || setact))
+ fatal("cannot use -G together with -P or -A options");
+
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, publish);
+ else if (setact)
+ dst_key_settime(key, DST_TIME_PUBLISH, activate);
+ else if (!genonly && !unsetpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, now);
+
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, activate);
+ else if (!genonly && !unsetact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
+ if (setrev) {
+ if (kskflag == 0)
+ fprintf(stderr, "%s: warning: Key is "
+ "not flagged as a KSK, but -R "
+ "was used. Revoking a ZSK is "
+ "legal, but undefined.\n",
+ program);
+ dst_key_settime(key, DST_TIME_REVOKE, revoke);
+ }
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE, inactive);
+
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE, delete);
+ } else {
+ if (setpub || setact || setrev || setinact ||
+ setdel || unsetpub || unsetact ||
+ unsetrev || unsetinact || unsetdel || genonly)
+ fatal("cannot use -C together with "
+ "-P, -A, -R, -I, -D, or -G options");
+ /*
+ * Compatibility mode: Private-key-format
+ * should be set to 1.2.
+ */
+ dst_key_setprivateformat(key, 1, 2);
+ }
+
+ /*
+ * Do not overwrite an existing key. Warn LOUDLY if there
+ * is a risk of ID collision due to this key or another key
+ * being revoked.
+ */
+ if (key_collision(dst_key_id(key), name, directory, alg, mctx, &exact))
+ {
isc_buffer_clear(&buf);
- ret = dst_key_buildfilename(key, 0, NULL, &buf);
- fprintf(stderr, "%s: %s already exists\n",
- program, filename);
- dst_key_free(&key);
- exit (1);
+ ret = dst_key_buildfilename(key, 0, directory, &buf);
+ if (exact)
+ fatal("%s: %s already exists\n", program, filename);
+
+ if (avoid_collisions)
+ fatal("%s: %s could collide with another key upon "
+ "revokation\n", program, filename);
+
+ fprintf(stderr, "%s: WARNING: Key %s could collide with "
+ "another key upon revokation. If you plan "
+ "to revoke keys, destroy this key and "
+ "generate a different one.\n",
+ program, filename);
}
- ret = dst_key_tofile(key, options, NULL);
+ ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
@@ -322,6 +551,7 @@ main(int argc, char **argv) {
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
+ isc_mem_free(mctx, label);
isc_mem_destroy(&mctx);
return (0);
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index a2fff5a0d4b5..be38a2465785 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6.14.2 2010-01-15 23:47:31 tbox Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.18.14.1.2.1 2011-06-02 23:47:27 tbox Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@@ -37,7 +37,9 @@
<docinfo>
<copyright>
<year>2008</year>
+ <year>2009</year>
<year>2010</year>
+ <year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -45,15 +47,25 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keyfromlabel</command>
- <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+ <arg><option>-3</option></arg>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-G</option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+ <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-y</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -65,6 +77,11 @@
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</para>
+ <para>
+ The <option>name</option> of the key is specified on the command
+ line. This must match the name of the zone for which the key is
+ being generated.
+ </para>
</refsect1>
<refsect1>
@@ -76,9 +93,8 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
- <option>algorithm</option> must be one of RSAMD5,
- RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
- RSASHA512 or DH (Diffie Hellman).
+ <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
These values are case insensitive.
</para>
<para>
@@ -99,11 +115,34 @@
</varlistentry>
<varlistentry>
+ <term>-3</term>
+ <listitem>
+ <para>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the name of the crypto hardware (OpenSSL engine).
+ When compiled with PKCS#11 support it defaults to "pkcs11".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
- Specifies the label of keys in the crypto hardware
- (PKCS#11 device).
+ Specifies the label of the key pair in the crypto hardware.
+ The label may be preceded by an optional OpenSSL engine name,
+ separated by a colon, as in "pkcs11:keylabel".
</para>
</listitem>
</varlistentry>
@@ -117,8 +156,22 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-C</term>
+ <listitem>
+ <para>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <command>dnssec-keyfromlabel</command>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
@@ -138,7 +191,17 @@
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-G</term>
+ <listitem>
+ <para>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
@@ -148,7 +211,16 @@
<listitem>
<para>
Prints a short summary of the options and arguments to
- <command>dnssec-keygen</command>.
+ <command>dnssec-keyfromlabel</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
@@ -166,7 +238,7 @@
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
- Sets the protocol value for the generated key. The protocol
+ Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
@@ -195,6 +267,93 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-y</term>
+ <listitem>
+ <para>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>TIMING OPTIONS</title>
+
+ <para>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-P <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -214,8 +373,7 @@
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
- of the
- algorithm.
+ of the algorithm.
</para>
</listitem>
<listitem>
@@ -229,8 +387,7 @@
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
- private
- key.
+ private key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
@@ -239,8 +396,8 @@
statement).
</para>
<para>
- The <filename>.private</filename> file contains algorithm
- specific
+ The <filename>.private</filename> file contains
+ algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index ad2a5621ba99..2b1b23690bb1 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.html,v 1.5.44.3 2010-01-16 01:55:32 tbox Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.html,v 1.17.14.1.2.1 2011-06-09 03:41:05 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -28,26 +28,30 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543416"></a><h2>DESCRIPTION</h2>
+<a name="id2543494"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</p>
+<p>
+ The <code class="option">name</code> of the key is specified on the command
+ line. This must match the name of the zone for which the key is
+ being generated.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543428"></a><h2>OPTIONS</h2>
+<a name="id2543512"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
- <code class="option">algorithm</code> must be one of RSAMD5,
- RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
- RSASHA512 or DH (Diffie Hellman).
+ <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
These values are case insensitive.
</p>
<p>
@@ -65,10 +69,23 @@
Note 2: DH automatically sets the -k flag.
</p>
</dd>
+<dt><span class="term">-3</span></dt>
+<dd><p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Specifies the name of the crypto hardware (OpenSSL engine).
+ When compiled with PKCS#11 support it defaults to "pkcs11".
+ </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
- Specifies the label of keys in the crypto hardware
- (PKCS#11 device).
+ Specifies the label of the key pair in the crypto hardware.
+ The label may be preceded by an optional OpenSSL engine name,
+ separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
@@ -77,8 +94,17 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive.
+ </p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
@@ -88,12 +114,21 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </p></dd>
+<dt><span class="term">-G</span></dt>
+<dd><p>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
- <span><strong class="command">dnssec-keygen</strong></span>.
+ <span><strong class="command">dnssec-keyfromlabel</strong></span>.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
@@ -101,7 +136,7 @@
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
- Sets the protocol value for the generated key. The protocol
+ Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
@@ -117,10 +152,65 @@
<dd><p>
Sets the debugging level.
</p></dd>
+<dt><span class="term">-y</span></dt>
+<dd><p>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543876"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543632"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2544042"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@@ -132,8 +222,7 @@
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
- of the
- algorithm.
+ of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
@@ -144,8 +233,7 @@
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
- private
- key.
+ private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
@@ -154,14 +242,14 @@
statement).
</p>
<p>
- The <code class="filename">.private</code> file contains algorithm
- specific
+ The <code class="filename">.private</code> file contains
+ algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543704"></a><h2>SEE ALSO</h2>
+<a name="id2544115"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -169,7 +257,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543737"></a><h2>AUTHOR</h2>
+<a name="id2544148"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index c4be24eba0cf..ea4690eb71a1 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keygen.8,v 1.40.44.4 2010-01-16 01:55:32 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.55 2010-12-24 01:14:19 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,11 +33,11 @@
dnssec\-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 14
-\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
-generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
+generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
.PP
The
\fBname\fR
@@ -48,16 +48,28 @@ of the key is specified on the command line. For DNSSEC keys, this must match th
.RS 4
Selects the cryptographic algorithm. For DNSSEC keys, the value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
+.sp
+If no algorithm is specified, then RSASHA1 will be used by default, unless the
+\fB\-3\fR
+option is specified, in which case NSEC3RSASHA1 will be used instead. (If
+\fB\-3\fR
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
-Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
+Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.
+.sp
+The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
+\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
+\fB\-a\fR, then there is no default key size, and the
+\fB\-b\fR
+must be used.
.RE
.PP
\-n \fInametype\fR
@@ -67,11 +79,30 @@ Specifies the owner type of the key. The value of
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
.RE
.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable.
+.RE
+.PP
+\-C
+.RS 4
+Compatibility mode: generates an old\-style key, without any metadata. By default,
+\fBdnssec\-keygen\fR
+will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
+\fB\-C\fR
+option suppresses them.
+.RE
+.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
.RE
.PP
+\-E \fIengine\fR
+.RS 4
+Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.PP
\-e
.RS 4
If generating an RSAMD5/RSASHA1 key, use a large exponent.
@@ -79,7 +110,12 @@ If generating an RSAMD5/RSASHA1 key, use a large exponent.
.PP
\-f \fIflag\fR
.RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
+.RE
+.PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-g \fIgenerator\fR
@@ -93,9 +129,14 @@ Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
.RE
.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to be written.
+.RE
+.PP
\-k
.RS 4
-Generate KEY records rather than DNSKEY records.
+Deprecated in favor of \-T KEY.
.RE
.PP
\-p \fIprotocol\fR
@@ -103,6 +144,15 @@ Generate KEY records rather than DNSKEY records.
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
+\-q
+.RS 4
+Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when
+\fBdnssec\-keygen\fR
+is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
+\fIstderr\fR
+indicating the progress of the key generation. A '.' indicates that a random number has been found which passed an initial sieve test; '+' means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key.
+.RE
+.PP
\-r \fIrandomdev\fR
.RS 4
Specifies the source of randomness. If the operating system does not provide a
@@ -114,11 +164,24 @@ specifies the name of a character device or file containing random data to be us
indicates that keyboard input should be used.
.RE
.PP
+\-S \fIkey\fR
+.RS 4
+Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+.RE
+.PP
\-s \fIstrength\fR
.RS 4
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
.RE
.PP
+\-T \fIrrtype\fR
+.RS 4
+Specifies the resource record type to use for the key.
+\fBrrtype\fR
+must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
+Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
+.RE
+.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key.
@@ -130,6 +193,43 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+.RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+.sp
+If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+.sp
+As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+.RE
.SH "GENERATED KEYS"
.PP
When
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 21841227d439..f369326aaf82 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,13 +29,15 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.81.48.2 2010-01-15 23:47:31 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.115 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
#include <config.h>
+#include <ctype.h>
#include <stdlib.h>
+#include <unistd.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
@@ -45,6 +47,7 @@
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
@@ -62,103 +65,224 @@
const char *program = "dnssec-keygen";
int verbose;
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | RSASHA256 |"
- " RSASHA512 | NSEC3DSA | NSEC3RSASHA1 | HMAC-MD5 |"
- " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
- " HMAC-SHA384 | HMAC-SHA512";
+#define DEFAULT_ALGORITHM "RSASHA1"
+#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
-static isc_boolean_t
-dsa_size_ok(int size) {
- return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void progress(int p);
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s -a alg -b bits [-n type] [options] name\n\n",
- program);
+ fprintf(stderr, " %s [options] name\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
- fprintf(stderr, "Required options:\n");
- fprintf(stderr, " -a algorithm: %s\n", algs);
- fprintf(stderr, " -b key size, in bits:\n");
- fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
+ fprintf(stderr, " name: owner of the key\n");
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -K <directory>: write keys into directory\n");
+ fprintf(stderr, " -a <algorithm>:\n");
+ fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
+ " | NSEC3DSA |\n");
+ fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
+ fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
+ "HMAC-SHA256 | \n");
+ fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
+ fprintf(stderr, " (default: RSASHA1, or "
+ "NSEC3RSASHA1 if using -3)\n");
+ fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
+ fprintf(stderr, " -b <key size in bits>:\n");
+ fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
- fprintf(stderr, " NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
+ fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
+ "by 64\n");
+ fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
- fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
- fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
- fprintf(stderr, " name: owner of the key\n");
- fprintf(stderr, "Other options:\n");
- fprintf(stderr, " -c <class> (default: IN)\n");
+ fprintf(stderr, " (if using the default algorithm, key size\n"
+ " defaults to 2048 for KSK, or 1024 for all "
+ "others)\n");
+ fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
+ "USER | OTHER\n");
+ fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
+ fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
- fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n");
- fprintf(stderr, " -f keyflag: KSK\n");
- fprintf(stderr, " -g <generator> use specified generator "
- "(DH only)\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E <engine name>\n");
+#endif
+ fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n");
+ fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
+ fprintf(stderr, " -g <generator>: use specified generator "
+ "(DH only)\n");
+ fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
+ fprintf(stderr, " -s <strength>: strength value this key signs DNS "
+ "records with (default: 0)\n");
+ fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
+ "use KEY for SIG(0))\n");
+ fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " -t <type>: "
- "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
- "(default: AUTHCONF)\n");
- fprintf(stderr, " -p <protocol>: "
- "default: 3 [dnssec]\n");
- fprintf(stderr, " -s <strength> strength value this key signs DNS "
- "records with (default: 0)\n");
+ "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+ "(default: AUTHCONF)\n");
fprintf(stderr, " -r <randomdev>: a file containing random data\n");
- fprintf(stderr, " -v <verbose level>\n");
- fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+
+ fprintf(stderr, " -h: print usage and exit\n");
+ fprintf(stderr, " -m <memory debugging mode>:\n");
+ fprintf(stderr, " usage | trace | record | size | mctx\n");
+ fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
+ fprintf(stderr, "Timing options:\n");
+ fprintf(stderr, " -P date/[+-]offset/none: set key publication date "
+ "(default: now)\n");
+ fprintf(stderr, " -A date/[+-]offset/none: set key activation date "
+ "(default: now)\n");
+ fprintf(stderr, " -R date/[+-]offset/none: set key "
+ "revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset/none: set key "
+ "inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset/none: set key deletion date\n");
+ fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
+ fprintf(stderr, " -C: generate a backward-compatible key, omitting "
+ "all dates\n");
+ fprintf(stderr, " -S <key>: generate a successor to an existing "
+ "key\n");
+ fprintf(stderr, " -i <interval>: prepublication interval for "
+ "successor key "
+ "(default: 30 days)\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
- "K<name>+<alg>+<id>.private\n");
+ "K<name>+<alg>+<id>.private\n");
exit (-1);
}
+static isc_boolean_t
+dsa_size_ok(int size) {
+ return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
+static void
+progress(int p)
+{
+ char c = '*';
+
+ switch (p) {
+ case 0:
+ c = '.';
+ break;
+ case 1:
+ c = '+';
+ break;
+ case 2:
+ c = '*';
+ break;
+ case 3:
+ c = ' ';
+ break;
+ default:
+ break;
+ }
+ (void) putc(c, stderr);
+ (void) fflush(stderr);
+}
+
int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
- dst_key_t *key = NULL, *oldkey;
+ dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
- isc_uint16_t flags = 0, ksk = 0;
+ isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
dns_secalg_t alg;
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
+ isc_boolean_t oldstyle = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch, rsa_exp = 0, generator = 0, param = 0;
int protocol = -1, size = -1, signatory = 0;
isc_result_t ret;
isc_textregion_t r;
char filename[255];
+ const char *directory = NULL;
+ const char *predecessor = NULL;
+ dst_key_t *prevkey = NULL;
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
+ isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
+ isc_stdtime_t publish = 0, activate = 0, revoke = 0;
+ isc_stdtime_t inactive = 0, delete = 0;
+ isc_stdtime_t now;
+ int prepub = -1;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t genonly = ISC_FALSE;
+ isc_boolean_t quiet = ISC_FALSE;
+ isc_boolean_t show_progress = ISC_FALSE;
+ unsigned char c;
if (argc == 1)
usage();
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
- {
+ /*
+ * Process memory debugging argument first.
+ */
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:km:n:P:p:qR:r:S:s:T:t:v:"
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (ch) {
+ case 'm':
+ if (strcasecmp(isc_commandline_argument, "record") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ if (strcasecmp(isc_commandline_argument, "trace") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+ if (strcasecmp(isc_commandline_argument, "usage") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+ if (strcasecmp(isc_commandline_argument, "size") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+ if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+ break;
+ default:
+ break;
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ isc_stdtime_get(&now);
+
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
+ case '3':
+ use_nsec3 = ISC_TRUE;
+ break;
case 'a':
algname = isc_commandline_argument;
break;
@@ -167,6 +291,9 @@ main(int argc, char **argv) {
if (*endp != '\0' || size < 0)
fatal("-b requires a non-negative number");
break;
+ case 'C':
+ oldstyle = ISC_TRUE;
+ break;
case 'c':
classname = isc_commandline_argument;
break;
@@ -175,12 +302,18 @@ main(int argc, char **argv) {
if (*endp != '\0' || dbits < 0)
fatal("-d requires a non-negative number");
break;
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'e':
rsa_exp = 1;
break;
case 'f':
- if (strcasecmp(isc_commandline_argument, "KSK") == 0)
- ksk = DNS_KEYFLAG_KSK;
+ c = (unsigned char)(isc_commandline_argument[0]);
+ if (toupper(c) == 'K')
+ kskflag = DNS_KEYFLAG_KSK;
+ else if (toupper(c) == 'R')
+ revflag = DNS_KEYFLAG_REVOKE;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
@@ -191,14 +324,22 @@ main(int argc, char **argv) {
if (*endp != '\0' || generator <= 0)
fatal("-g requires a positive number");
break;
+ case 'K':
+ directory = isc_commandline_argument;
+ ret = try_dir(directory);
+ if (ret != ISC_R_SUCCESS)
+ fatal("cannot open directory %s: %s",
+ directory, isc_result_totext(ret));
+ break;
case 'k':
- options |= DST_TYPE_KEY;
+ fatal("The -k option has been deprecated.\n"
+ "To generate a key-signing key, use -f KSK.\n"
+ "To generate a key with TYPE=KEY, use -T KEY.\n");
break;
case 'n':
nametype = isc_commandline_argument;
break;
- case 't':
- type = isc_commandline_argument;
+ case 'm':
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
@@ -206,6 +347,12 @@ main(int argc, char **argv) {
fatal("-p must be followed by a number "
"[0..255]");
break;
+ case 'q':
+ quiet = ISC_TRUE;
+ break;
+ case 'r':
+ setup_entropy(mctx, isc_commandline_argument, &ectx);
+ break;
case 's':
signatory = strtol(isc_commandline_argument,
&endp, 10);
@@ -213,8 +360,19 @@ main(int argc, char **argv) {
fatal("-s must be followed by a number "
"[0..15]");
break;
- case 'r':
- setup_entropy(mctx, isc_commandline_argument, &ectx);
+ case 'T':
+ if (strcasecmp(isc_commandline_argument, "KEY") == 0)
+ options |= DST_TYPE_KEY;
+ else if (strcasecmp(isc_commandline_argument,
+ "DNSKEY") == 0)
+ /* default behavior */
+ ;
+ else
+ fatal("unknown type '%s'",
+ isc_commandline_argument);
+ break;
+ case 't':
+ type = isc_commandline_argument;
break;
case 'v':
endp = NULL;
@@ -222,11 +380,86 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
-
+ case 'z':
+ /* already the default */
+ break;
+ case 'G':
+ genonly = ISC_TRUE;
+ break;
+ case 'P':
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setpub = ISC_TRUE;
+ publish = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetpub = ISC_TRUE;
+ }
+ break;
+ case 'A':
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setact = ISC_TRUE;
+ activate = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetact = ISC_TRUE;
+ }
+ break;
+ case 'R':
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setrev = ISC_TRUE;
+ revoke = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetrev = ISC_TRUE;
+ }
+ break;
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setinact = ISC_TRUE;
+ inactive = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetinact = ISC_TRUE;
+ }
+ break;
+ case 'D':
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setdel = ISC_TRUE;
+ delete = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetdel = ISC_TRUE;
+ }
+ break;
+ case 'S':
+ predecessor = isc_commandline_argument;
+ break;
+ case 'i':
+ prepub = strtottl(isc_commandline_argument);
+ break;
+ case 'F':
+ /* Reserved for FIPS mode */
+ /* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
+ /* FALLTHROUGH */
case 'h':
usage();
@@ -237,73 +470,219 @@ main(int argc, char **argv) {
}
}
+ if (!isatty(0))
+ quiet = ISC_TRUE;
+
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- ret = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ ret = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
- if (argc < isc_commandline_index + 1)
- fatal("the key name was not specified");
- if (argc > isc_commandline_index + 1)
- fatal("extraneous arguments");
-
- if (algname == NULL)
- fatal("no algorithm was specified");
- if (strcasecmp(algname, "RSA") == 0) {
- fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
- "If you still wish to use RSA (RSAMD5) please "
- "specify \"-a RSAMD5\"\n");
- return (1);
- } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACMD5;
- } else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA1;
- } else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA224;
- } else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA256;
- } else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA384;
- } else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA512;
- } else {
- r.base = algname;
- r.length = strlen(algname);
- ret = dns_secalg_fromtext(&alg, &r);
+ if (predecessor == NULL) {
+ if (prepub == -1)
+ prepub = 0;
+
+ if (argc < isc_commandline_index + 1)
+ fatal("the key name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, argv[isc_commandline_index],
+ strlen(argv[isc_commandline_index]));
+ isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+ ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
- fatal("unknown algorithm %s", algname);
- if (alg == DST_ALG_DH)
- options |= DST_TYPE_KEY;
- }
+ fatal("invalid key name %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(ret));
+
+ if (algname == NULL) {
+ use_default = ISC_TRUE;
+ if (use_nsec3)
+ algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+ else
+ algname = strdup(DEFAULT_ALGORITHM);
+ if (verbose > 0)
+ fprintf(stderr, "no algorithm specified; "
+ "defaulting to %s\n", algname);
+ }
- if (type != NULL && (options & DST_TYPE_KEY) != 0) {
- if (strcasecmp(type, "NOAUTH") == 0)
- flags |= DNS_KEYTYPE_NOAUTH;
- else if (strcasecmp(type, "NOCONF") == 0)
- flags |= DNS_KEYTYPE_NOCONF;
- else if (strcasecmp(type, "NOAUTHCONF") == 0) {
- flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
- if (size < 0)
- size = 0;
+ if (strcasecmp(algname, "RSA") == 0) {
+ fprintf(stderr, "The use of RSA (RSAMD5) is not "
+ "recommended.\nIf you still wish to "
+ "use RSA (RSAMD5) please specify "
+ "\"-a RSAMD5\"\n");
+ return (1);
+ } else if (strcasecmp(algname, "HMAC-MD5") == 0)
+ alg = DST_ALG_HMACMD5;
+ else if (strcasecmp(algname, "HMAC-SHA1") == 0)
+ alg = DST_ALG_HMACSHA1;
+ else if (strcasecmp(algname, "HMAC-SHA224") == 0)
+ alg = DST_ALG_HMACSHA224;
+ else if (strcasecmp(algname, "HMAC-SHA256") == 0)
+ alg = DST_ALG_HMACSHA256;
+ else if (strcasecmp(algname, "HMAC-SHA384") == 0)
+ alg = DST_ALG_HMACSHA384;
+ else if (strcasecmp(algname, "HMAC-SHA512") == 0)
+ alg = DST_ALG_HMACSHA512;
+ else {
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS)
+ fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
}
- else if (strcasecmp(type, "AUTHCONF") == 0)
- /* nothing */;
- else
- fatal("invalid type %s", type);
- }
- if (size < 0)
- fatal("key size not specified (-b option)");
+ if (use_nsec3 &&
+ alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+ alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
+ alg != DST_ALG_ECCGOST) {
+ fatal("%s is incompatible with NSEC3; "
+ "do not use the -3 option", algname);
+ }
+
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+ if (strcasecmp(type, "NOAUTH") == 0)
+ flags |= DNS_KEYTYPE_NOAUTH;
+ else if (strcasecmp(type, "NOCONF") == 0)
+ flags |= DNS_KEYTYPE_NOCONF;
+ else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+ flags |= (DNS_KEYTYPE_NOAUTH |
+ DNS_KEYTYPE_NOCONF);
+ if (size < 0)
+ size = 0;
+ }
+ else if (strcasecmp(type, "AUTHCONF") == 0)
+ /* nothing */;
+ else
+ fatal("invalid type %s", type);
+ }
+
+ if (size < 0) {
+ if (use_default) {
+ if ((kskflag & DNS_KEYFLAG_KSK) != 0)
+ size = 2048;
+ else
+ size = 1024;
+ if (verbose > 0)
+ fprintf(stderr, "key size not "
+ "specified; defaulting "
+ "to %d\n", size);
+ } else if (alg != DST_ALG_ECCGOST)
+ fatal("key size not specified (-b option)");
+ }
+
+ if (!oldstyle && prepub > 0) {
+ if (setpub && setact && (activate - prepub) < publish)
+ fatal("Activation and publication dates "
+ "are closer together than the\n\t"
+ "prepublication interval.");
+
+ if (!setpub && !setact) {
+ setpub = setact = ISC_TRUE;
+ publish = now;
+ activate = now + prepub;
+ } else if (setpub && !setact) {
+ setact = ISC_TRUE;
+ activate = publish + prepub;
+ } else if (setact && !setpub) {
+ setpub = ISC_TRUE;
+ publish = activate - prepub;
+ }
+
+ if ((activate - prepub) < now)
+ fatal("Time until activation is shorter "
+ "than the\n\tprepublication interval.");
+ }
+ } else {
+ char keystr[DST_KEY_FORMATSIZE];
+ isc_stdtime_t when;
+ int major, minor;
+
+ if (prepub == -1)
+ prepub = (30 * 86400);
+
+ if (algname != NULL)
+ fatal("-S and -a cannot be used together");
+ if (size >= 0)
+ fatal("-S and -b cannot be used together");
+ if (nametype != NULL)
+ fatal("-S and -n cannot be used together");
+ if (type != NULL)
+ fatal("-S and -t cannot be used together");
+ if (setpub || unsetpub)
+ fatal("-S and -P cannot be used together");
+ if (setact || unsetact)
+ fatal("-S and -A cannot be used together");
+ if (use_nsec3)
+ fatal("-S and -3 cannot be used together");
+ if (oldstyle)
+ fatal("-S and -C cannot be used together");
+ if (genonly)
+ fatal("-S and -G cannot be used together");
+
+ ret = dst_key_fromnamedfile(predecessor, directory,
+ DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+ mctx, &prevkey);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Invalid keyfile %s: %s",
+ filename, isc_result_totext(ret));
+ if (!dst_key_isprivate(prevkey))
+ fatal("%s is not a private key", filename);
+
+ name = dst_key_name(prevkey);
+ alg = dst_key_alg(prevkey);
+ size = dst_key_size(prevkey);
+ flags = dst_key_flags(prevkey);
+
+ dst_key_format(prevkey, keystr, sizeof(keystr));
+ dst_key_getprivateformat(prevkey, &major, &minor);
+ if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+ fatal("Key %s has incompatible format version %d.%d\n\t"
+ "It is not possible to generate a successor key.",
+ keystr, major, minor);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Key %s has no activation date.\n\t"
+ "You must use dnssec-settime -A to set one "
+ "before generating a successor.", keystr);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Key %s has no inactivation date.\n\t"
+ "You must use dnssec-settime -I to set one "
+ "before generating a successor.", keystr);
+
+ publish = activate - prepub;
+ if (publish < now)
+ fatal("Key %s becomes inactive\n\t"
+ "sooner than the prepublication period "
+ "for the new key ends.\n\t"
+ "Either change the inactivation date with "
+ "dnssec-settime -I,\n\t"
+ "or use the -i option to set a shorter "
+ "prepublication interval.", keystr);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+ if (ret != ISC_R_SUCCESS)
+ fprintf(stderr, "%s: WARNING: Key %s has no removal "
+ "date;\n\t it will remain in the zone "
+ "indefinitely after rollover.\n\t "
+ "You can use dnssec-settime -D to "
+ "change this.\n", program, keystr);
+
+ setpub = setact = ISC_TRUE;
+ }
switch (alg) {
case DNS_KEYALG_RSAMD5:
@@ -326,7 +705,10 @@ main(int argc, char **argv) {
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
+ case DST_ALG_ECCGOST:
+ break;
case DST_ALG_HMACMD5:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-MD5 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 128))
@@ -336,6 +718,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA1:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 160)
fatal("HMAC-SHA1 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 160))
@@ -345,6 +728,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA224:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 224)
fatal("HMAC-SHA224 key size %d out of range", size);
if (dbits != 0 && (dbits < 112 || dbits > 224))
@@ -354,6 +738,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA256:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 256)
fatal("HMAC-SHA256 key size %d out of range", size);
if (dbits != 0 && (dbits < 128 || dbits > 256))
@@ -363,6 +748,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA384:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 384)
fatal("HMAC-384 key size %d out of range", size);
if (dbits != 0 && (dbits < 192 || dbits > 384))
@@ -372,6 +758,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA512:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-SHA512 key size %d out of range", size);
if (dbits != 0 && (dbits < 256 || dbits > 512))
@@ -384,7 +771,8 @@ main(int argc, char **argv) {
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
- alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
+ alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST) &&
+ rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
@@ -409,10 +797,15 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
+ if (directory == NULL)
+ directory = ".";
+
if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
flags |= signatory;
- else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
- flags |= ksk;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+ flags |= kskflag;
+ flags |= revflag;
+ }
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
@@ -435,16 +828,6 @@ main(int argc, char **argv) {
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- isc_buffer_init(&buf, argv[isc_commandline_index],
- strlen(argv[isc_commandline_index]));
- isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
- ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
- if (ret != ISC_R_SUCCESS)
- fatal("invalid key name %s: %s", argv[isc_commandline_index],
- isc_result_totext(ret));
-
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
@@ -452,12 +835,19 @@ main(int argc, char **argv) {
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
param = rsa_exp;
+ show_progress = ISC_TRUE;
break;
+
case DNS_KEYALG_DH:
param = generator;
break;
+
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
+ case DST_ALG_ECCGOST:
+ show_progress = ISC_TRUE;
+ /* fall through */
+
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
@@ -475,62 +865,136 @@ main(int argc, char **argv) {
do {
conflict = ISC_FALSE;
- oldkey = NULL;
- /* generate the key */
- ret = dst_key_generate(name, alg, size, param, flags, protocol,
- rdclass, mctx, &key);
+ if (!quiet && show_progress) {
+ fprintf(stderr, "Generating key pair.");
+ ret = dst_key_generate2(name, alg, size, param, flags,
+ protocol, rdclass, mctx, &key,
+ &progress);
+ putc('\n', stderr);
+ fflush(stderr);
+ } else {
+ ret = dst_key_generate2(name, alg, size, param, flags,
+ protocol, rdclass, mctx, &key,
+ NULL);
+ }
+
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
- char algstr[ALG_FORMATSIZE];
+ char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
- alg_format(alg, algstr, sizeof(algstr));
+ dns_secalg_format(alg, algstr, sizeof(algstr));
fatal("failed to generate key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
+ /* NOTREACHED */
exit(-1);
}
dst_key_setbits(key, dbits);
/*
- * Try to read a key with the same name, alg and id from disk.
- * If there is one we must continue generating a new one
- * unless we were asked to generate a null key, in which
- * case we return failure.
+ * Set key timing metadata (unless using -C)
+ *
+ * Creation date is always set to "now".
+ *
+ * For a new key without an explicit predecessor, publish
+ * and activation dates are set to "now" by default, but
+ * can both be overridden.
+ *
+ * For a successor key, activation is set to match the
+ * predecessor's inactivation date. Publish is set to 30
+ * days earlier than that (XXX: this should be configurable).
+ * If either of the resulting dates are in the past, that's
+ * an error; the inactivation date of the predecessor key
+ * must be updated before a successor key can be created.
*/
- ret = dst_key_fromfile(name, dst_key_id(key), alg,
- DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
- /* do not overwrite an existing key */
- if (ret == ISC_R_SUCCESS) {
- dst_key_free(&oldkey);
+ if (!oldstyle) {
+ dst_key_settime(key, DST_TIME_CREATED, now);
+
+ if (genonly && (setpub || setact))
+ fatal("cannot use -G together with "
+ "-P or -A options");
+
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, publish);
+ else if (setact)
+ dst_key_settime(key, DST_TIME_PUBLISH,
+ activate);
+ else if (!genonly && !unsetpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, now);
+
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE,
+ activate);
+ else if (!genonly && !unsetact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
+ if (setrev) {
+ if (kskflag == 0)
+ fprintf(stderr, "%s: warning: Key is "
+ "not flagged as a KSK, but -R "
+ "was used. Revoking a ZSK is "
+ "legal, but undefined.\n",
+ program);
+ dst_key_settime(key, DST_TIME_REVOKE, revoke);
+ }
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE,
+ inactive);
+
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE, delete);
+ } else {
+ if (setpub || setact || setrev || setinact ||
+ setdel || unsetpub || unsetact ||
+ unsetrev || unsetinact || unsetdel || genonly)
+ fatal("cannot use -C together with "
+ "-P, -A, -R, -I, -D, or -G options");
+ /*
+ * Compatibility mode: Private-key-format
+ * should be set to 1.2.
+ */
+ dst_key_setprivateformat(key, 1, 2);
+ }
+
+ /*
+ * Do not overwrite an existing key, or create a key
+ * if there is a risk of ID collision due to this key
+ * or another key being revoked.
+ */
+ if (key_collision(dst_key_id(key), name, directory,
+ alg, mctx, NULL)) {
conflict = ISC_TRUE;
- if (null_key)
+ if (null_key) {
+ dst_key_free(&key);
break;
- }
- if (conflict == ISC_TRUE) {
+ }
+
if (verbose > 0) {
isc_buffer_clear(&buf);
- ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ dst_key_buildfilename(key, 0, directory, &buf);
fprintf(stderr,
- "%s: %s already exists, "
- "generating a new key\n",
+ "%s: %s already exists, or might "
+ "collide with another key upon "
+ "revokation. Generating a new key\n",
program, filename);
}
+
dst_key_free(&key);
}
-
} while (conflict == ISC_TRUE);
if (conflict)
- fatal("cannot generate a null key when a key with id 0 "
- "already exists");
+ fatal("cannot generate a null key due to possible key ID "
+ "collision");
- ret = dst_key_tofile(key, options, NULL);
+ ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
@@ -539,6 +1003,8 @@ main(int argc, char **argv) {
ret = dst_key_buildfilename(key, 0, NULL, &buf);
printf("%s\n", filename);
dst_key_free(&key);
+ if (prevkey != NULL)
+ dst_key_free(&prevkey);
cleanup_logging(&log);
cleanup_entropy(&ectx);
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 5c7d1649fe67..dc140ebfe386 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.22.44.4 2010-01-15 23:47:33 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.36 2010-12-23 04:07:59 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@@ -57,20 +57,34 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keygen</command>
- <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
- <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
- <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+ <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+ <arg><option>-3</option></arg>
+ <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-C</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k</option></arg>
+ <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-q</option></arg>
+ <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-z</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -80,7 +94,8 @@
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
- TSIG (Transaction Signatures), as defined in RFC 2845.
+ TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
+ (Transaction Key) as defined in RFC 2930.
</para>
<para>
The <option>name</option> of the key is specified on the command
@@ -99,19 +114,27 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
- For TSIG/TKEY, the value must
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
+ For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
+ If no algorithm is specified, then RSASHA1 will be used by
+ default, unless the <option>-3</option> option is specified,
+ in which case NSEC3RSASHA1 will be used instead. (If
+ <option>-3</option> is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
+ </para>
+ <para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
- Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
+ automatically set the -T KEY option.
</para>
</listitem>
</varlistentry>
@@ -127,6 +150,15 @@
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
</para>
+ <para>
+ The key size does not need to be specified if using a default
+ algorithm. The default key size is 1024 bits for zone signing
+ keys (ZSK's) and 2048 bits for key signing keys (KSK's,
+ generated with <option>-f KSK</option>). However, if an
+ algorithm is explicitly specified with the <option>-a</option>,
+ then there is no default key size, and the <option>-b</option>
+ must be used.
+ </para>
</listitem>
</varlistentry>
@@ -146,6 +178,34 @@
</varlistentry>
<varlistentry>
+ <term>-3</term>
+ <listitem>
+ <para>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
+ are NSEC3-capable.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-C</term>
+ <listitem>
+ <para>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <command>dnssec-keygen</command>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <option>-C</option> option suppresses them.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
@@ -156,6 +216,18 @@
</varlistentry>
<varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Uses a crypto hardware (OpenSSL engine) for random number
+ and, when supported, key generation. When compiled with PKCS#11
+ support it defaults to pkcs11; the empty name resets it to
+ no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-e</term>
<listitem>
<para>
@@ -169,7 +241,17 @@
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-G</term>
+ <listitem>
+ <para>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
@@ -197,10 +279,19 @@
</varlistentry>
<varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to be written.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-k</term>
<listitem>
<para>
- Generate KEY records rather than DNSKEY records.
+ Deprecated in favor of -T KEY.
</para>
</listitem>
</varlistentry>
@@ -218,6 +309,25 @@
</varlistentry>
<varlistentry>
+ <term>-q</term>
+ <listitem>
+ <para>
+ Quiet mode: Suppresses unnecessary output, including
+ progress indication. Without this option, when
+ <command>dnssec-keygen</command> is run interactively
+ to generate an RSA or DSA key pair, it will print a string
+ of symbols to <filename>stderr</filename> indicating the
+ progress of the key generation. A '.' indicates that a
+ random number has been found which passed an initial
+ sieve test; '+' means a number has passed a single
+ round of the Miller-Rabin primality test; a space
+ means that the number has passed all the tests and is
+ a satisfactory key.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
@@ -235,6 +345,21 @@
</varlistentry>
<varlistentry>
+ <term>-S <replaceable class="parameter">key</replaceable></term>
+ <listitem>
+ <para>
+ Create a new key which is an explicit successor to an
+ existing key. The name, algorithm, size, and type of the
+ key will be set to match the existing key. The activation
+ date of the new key will be set to the inactivation date of
+ the existing one. The publication date will be set to the
+ activation date minus the prepublication interval, which
+ defaults to 30 days.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
@@ -246,6 +371,22 @@
</varlistentry>
<varlistentry>
+ <term>-T <replaceable class="parameter">rrtype</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the resource record type to use for the key.
+ <option>rrtype</option> must be either DNSKEY or KEY. The
+ default is DNSKEY when using a DNSSEC algorithm, but it can be
+ overridden to KEY for use with SIG(0).
+ <para>
+ </para>
+ Using any TSIG algorithm (HMAC-* or DH) forces this option
+ to KEY.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
@@ -270,6 +411,109 @@
</refsect1>
<refsect1>
+ <title>TIMING OPTIONS</title>
+
+ <para>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-P <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">interval</replaceable></term>
+ <listitem>
+ <para>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </para>
+ <para>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </para>
+ <para>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+
+ <refsect1>
<title>GENERATED KEYS</title>
<para>
When <command>dnssec-keygen</command> completes
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 7ca7d577e8fb..2f3a69b9a2fd 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.html,v 1.32.44.4 2010-01-16 01:55:32 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.47 2010-12-24 01:14:20 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,14 +29,15 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543483"></a><h2>DESCRIPTION</h2>
+<a name="id2543578"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
- TSIG (Transaction Signatures), as defined in RFC 2845.
+ TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
+ (Transaction Key) as defined in RFC 2930.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
@@ -45,37 +46,56 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543501"></a><h2>OPTIONS</h2>
+<a name="id2543596"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
- For TSIG/TKEY, the value must
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
+ For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
+ If no algorithm is specified, then RSASHA1 will be used by
+ default, unless the <code class="option">-3</code> option is specified,
+ in which case NSEC3RSASHA1 will be used instead. (If
+ <code class="option">-3</code> is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
+ </p>
+<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
- Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
+ automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
+<dd>
+<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
- </p></dd>
+ </p>
+<p>
+ The key size does not need to be specified if using a default
+ algorithm. The default key size is 1024 bits for zone signing
+ keys (ZSK's) and 2048 bits for key signing keys (KSK's,
+ generated with <code class="option">-f KSK</code>). However, if an
+ algorithm is explicitly specified with the <code class="option">-a</code>,
+ then there is no default key size, and the <code class="option">-b</code>
+ must be used.
+ </p>
+</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
@@ -86,11 +106,36 @@
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
+<dt><span class="term">-3</span></dt>
+<dd><p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
+ are NSEC3-capable.
+ </p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <code class="option">-C</code> option suppresses them.
+ </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Uses a crypto hardware (OpenSSL engine) for random number
+ and, when supported, key generation. When compiled with PKCS#11
+ support it defaults to pkcs11; the empty name resets it to
+ no engine.
+ </p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
@@ -98,7 +143,12 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </p></dd>
+<dt><span class="term">-G</span></dt>
+<dd><p>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
@@ -112,9 +162,13 @@
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to be written.
+ </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
- Generate KEY records rather than DNSKEY records.
+ Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
@@ -123,6 +177,20 @@
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Suppresses unnecessary output, including
+ progress indication. Without this option, when
+ <span><strong class="command">dnssec-keygen</strong></span> is run interactively
+ to generate an RSA or DSA key pair, it will print a string
+ of symbols to <code class="filename">stderr</code> indicating the
+ progress of the key generation. A '.' indicates that a
+ random number has been found which passed an initial
+ sieve test; '+' means a number has passed a single
+ round of the Miller-Rabin primality test; a space
+ means that the number has passed all the tests and is
+ a satisfactory key.
+ </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
@@ -135,12 +203,37 @@
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
+<dd><p>
+ Create a new key which is an explicit successor to an
+ existing key. The name, algorithm, size, and type of the
+ key will be set to match the existing key. The activation
+ date of the new key will be set to the inactivation date of
+ the existing one. The publication date will be set to the
+ activation date minus the prepublication interval, which
+ defaults to 30 days.
+ </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
+<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
+<dd>
+<p>
+ Specifies the resource record type to use for the key.
+ <code class="option">rrtype</code> must be either DNSKEY or KEY. The
+ default is DNSKEY when using a DNSSEC algorithm, but it can be
+ overridden to KEY for use with SIG(0).
+ </p>
+<p>
+ </p>
+<p>
+ Using any TSIG algorithm (HMAC-* or DH) forces this option
+ to KEY.
+ </p>
+</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
@@ -155,7 +248,78 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543836"></a><h2>GENERATED KEYS</h2>
+<a name="id2544301"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+<p>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+<p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544491"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -201,7 +365,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543918"></a><h2>EXAMPLE</h2>
+<a name="id2544642"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -222,7 +386,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544030"></a><h2>SEE ALSO</h2>
+<a name="id2544685"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@@ -231,7 +395,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544061"></a><h2>AUTHOR</h2>
+<a name="id2544716"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-revoke.8 b/bin/dnssec/dnssec-revoke.8
new file mode 100644
index 000000000000..d57b6aa09de2
--- /dev/null
+++ b/bin/dnssec/dnssec-revoke.8
@@ -0,0 +1,83 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-revoke.8,v 1.9 2010-05-19 01:14:14 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-revoke
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: June 1, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
+.SH "SYNOPSIS"
+.HP 14
+\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] {keyfile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-revoke\fR
+reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
+.SH "OPTIONS"
+.PP
+\-h
+.RS 4
+Emit usage message and exit.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside.
+.RE
+.PP
+\-r
+.RS 4
+After writing the new keyset files remove the original keyset files.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.PP
+\-f
+.RS 4
+Force overwrite: Causes
+\fBdnssec\-revoke\fR
+to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
new file mode 100644
index 000000000000..90e905c4d0b0
--- /dev/null
+++ b/bin/dnssec/dnssec-revoke.c
@@ -0,0 +1,269 @@
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-revoke.c,v 1.22 2010-05-06 23:50:56 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <libgen.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-revoke";
+int verbose;
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s [options] keyfile\n\n", program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
+#endif
+ fprintf(stderr, " -f: force overwrite\n");
+ fprintf(stderr, " -K directory: use directory for key files\n");
+ fprintf(stderr, " -h: help\n");
+ fprintf(stderr, " -r: remove old keyfiles after "
+ "creating revoked version\n");
+ fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<new id>.key, "
+ "K<name>+<alg>+<new id>.private\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
+ char *filename = NULL, *dir = NULL;
+ char newname[1024], oldname[1024];
+ char keystr[DST_KEY_FORMATSIZE];
+ char *endp;
+ int ch;
+ isc_entropy_t *ectx = NULL;
+ dst_key_t *key = NULL;
+ isc_uint32_t flags;
+ isc_buffer_t buf;
+ isc_boolean_t force = ISC_FALSE;
+ isc_boolean_t remove = ISC_FALSE;
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("Out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
+ switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
+ case 'f':
+ force = ISC_TRUE;
+ break;
+ case 'K':
+ /*
+ * We don't have to copy it here, but do it to
+ * simplify cleanup later
+ */
+ dir = isc_mem_strdup(mctx, isc_commandline_argument);
+ if (dir == NULL) {
+ fatal("Failed to allocate memory for "
+ "directory");
+ }
+ break;
+ case 'r':
+ remove = ISC_TRUE;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (argc < isc_commandline_index + 1 ||
+ argv[isc_commandline_index] == NULL)
+ fatal("The key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("Extraneous arguments");
+
+ if (dir != NULL) {
+ filename = argv[isc_commandline_index];
+ } else {
+ result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+ &dir, &filename);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot process filename %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(result));
+ if (strcmp(dir, ".") == 0) {
+ isc_mem_free(mctx, dir);
+ dir = NULL;
+ }
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
+ isc_entropy_stopcallbacksources(ectx);
+
+ result = dst_key_fromnamedfile(filename, dir,
+ DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("Invalid keyfile name %s: %s",
+ filename, isc_result_totext(result));
+
+ dst_key_format(key, keystr, sizeof(keystr));
+
+ if (verbose > 2)
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ if (force)
+ set_keyversion(key);
+ else
+ check_keyversion(key, keystr);
+
+
+ flags = dst_key_flags(key);
+ if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+ isc_stdtime_t now;
+
+ if ((flags & DNS_KEYFLAG_KSK) == 0)
+ fprintf(stderr, "%s: warning: Key is not flagged "
+ "as a KSK. Revoking a ZSK is "
+ "legal, but undefined.\n",
+ program);
+
+ isc_stdtime_get(&now);
+ dst_key_settime(key, DST_TIME_REVOKE, now);
+
+ dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
+
+ isc_buffer_init(&buf, newname, sizeof(newname));
+ dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+
+ if (access(newname, F_OK) == 0 && !force) {
+ fatal("Key file %s already exists; "
+ "use -f to force overwrite", newname);
+ }
+
+ result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ dir);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Failed to write key %s: %s", keystr,
+ isc_result_totext(result));
+ }
+
+ isc_buffer_clear(&buf);
+ dst_key_buildfilename(key, 0, dir, &buf);
+ printf("%s\n", newname);
+
+ /*
+ * Remove old key file, if told to (and if
+ * it isn't the same as the new file)
+ */
+ if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
+ isc_buffer_init(&buf, oldname, sizeof(oldname));
+ dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
+ dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
+ if (strcmp(oldname, newname) == 0)
+ goto cleanup;
+ if (access(oldname, F_OK) == 0)
+ unlink(oldname);
+ isc_buffer_clear(&buf);
+ dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+ if (access(oldname, F_OK) == 0)
+ unlink(oldname);
+ }
+ } else {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Key %s is already revoked", keystr);
+ }
+
+cleanup:
+ dst_key_free(&key);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ if (dir != NULL)
+ isc_mem_free(mctx, dir);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
diff --git a/bin/dnssec/dnssec-revoke.docbook b/bin/dnssec/dnssec-revoke.docbook
new file mode 100644
index 000000000000..b7b562021308
--- /dev/null
+++ b/bin/dnssec/dnssec-revoke.docbook
@@ -0,0 +1,149 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-revoke.docbook,v 1.7 2009-11-03 21:44:46 each Exp $ -->
+<refentry id="man.dnssec-revoke">
+ <refentryinfo>
+ <date>June 1, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-revoke</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-revoke</application></refname>
+ <refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-revoke</command>
+ <arg><option>-hr</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+ <arg><option>-f</option></arg>
+ <arg choice="req">keyfile</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-revoke</command>
+ reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+ in RFC 5011, and creates a new pair of key files containing the
+ now-revoked key.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Emit usage message and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to reside.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem>
+ <para>
+ After writing the new keyset files remove the original keyset
+ files.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f</term>
+ <listitem>
+ <para>
+ Force overwrite: Causes <command>dnssec-revoke</command> to
+ write the new key pair even if a file already exists matching
+ the algorithm and key ID of the revoked key.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 5011</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/dnssec/dnssec-revoke.html b/bin/dnssec/dnssec-revoke.html
new file mode 100644
index 000000000000..fad9ac520196
--- /dev/null
+++ b/bin/dnssec/dnssec-revoke.html
@@ -0,0 +1,87 @@
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: dnssec-revoke.html,v 1.9 2010-05-19 01:14:14 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-revoke</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543373"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-revoke</strong></span>
+ reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+ in RFC 5011, and creates a new pair of key files containing the
+ now-revoked key.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543385"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Emit usage message and exit.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to reside.
+ </p></dd>
+<dt><span class="term">-r</span></dt>
+<dd><p>
+ After writing the new keyset files remove the original keyset
+ files.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
+ write the new key pair even if a file already exists matching
+ the algorithm and key ID of the revoked key.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543491"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5011</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543515"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
new file mode 100644
index 000000000000..4390494474ce
--- /dev/null
+++ b/bin/dnssec/dnssec-settime.8
@@ -0,0 +1,166 @@
+.\" Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-settime.8,v 1.14 2010-08-17 01:15:26 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-settime
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: July 15, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-settime \- Set the key timing metadata for a DNSSEC key
+.SH "SYNOPSIS"
+.HP 15
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-settime\fR
+reads a DNSSEC private key file and sets the key timing metadata as specified by the
+\fB\-P\fR,
+\fB\-A\fR,
+\fB\-R\fR,
+\fB\-I\fR, and
+\fB\-D\fR
+options. The metadata can then be used by
+\fBdnssec\-signzone\fR
+or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
+.PP
+If none of these options is set on the command line, then
+\fBdnssec\-settime\fR
+simply prints the key timing metadata already stored in the key.
+.PP
+When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
+and
+\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file.
+.SH "OPTIONS"
+.PP
+\-f
+.RS 4
+Force an update of an old\-format key with no metadata fields. Without this option,
+\fBdnssec\-settime\fR
+will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside.
+.RE
+.PP
+\-h
+.RS 4
+Emit usage message and exit.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+.RE
+.PP
+\-S \fIpredecessor key\fR
+.RS 4
+Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified. The activation date of the successor key will be set to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+.RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+.sp
+If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+.sp
+As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+.RE
+.SH "PRINTING OPTIONS"
+.PP
+\fBdnssec\-settime\fR
+can also be used to print the timing metadata associated with a key.
+.PP
+\-u
+.RS 4
+Print times in UNIX epoch format.
+.RE
+.PP
+\-p \fIC/P/A/R/I/D/all\fR
+.RS 4
+Print a specific metadata value or set of metadata values. The
+\fB\-p\fR
+option may be followed by one or more of the following letters to indicate which value or values to print:
+\fBC\fR
+for the creation date,
+\fBP\fR
+for the publication date,
+\fBA\fR
+for the activation date,
+\fBR\fR
+for the revocation date,
+\fBI\fR
+for the inactivation date, or
+\fBD\fR
+for the deletion date. To print all of the metadata, use
+\fB\-p all\fR.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
new file mode 100644
index 000000000000..364e2ab59268
--- /dev/null
+++ b/bin/dnssec/dnssec-settime.c
@@ -0,0 +1,576 @@
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-settime.c,v 1.28 2010-12-19 07:29:36 each Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <libgen.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <time.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-settime";
+int verbose;
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s [options] keyfile\n\n", program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "General options:\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
+#endif
+ fprintf(stderr, " -f: force update of old-style "
+ "keys\n");
+ fprintf(stderr, " -K directory: set key file location\n");
+ fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, " -h: help\n");
+ fprintf(stderr, "Timing options:\n");
+ fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
+ "publication date\n");
+ fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
+ "activation date\n");
+ fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
+ "revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset/none: set/unset key "
+ "inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
+ "deletion date\n");
+ fprintf(stderr, "Printing options:\n");
+ fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
+ "value or values "
+ "[default: all]\n");
+ fprintf(stderr, " -u: print times in unix epoch "
+ "format\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<new id>.key, "
+ "K<name>+<alg>+<new id>.private\n");
+
+ exit (-1);
+}
+
+static void
+printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
+ FILE *stream)
+{
+ isc_result_t result;
+ const char *output = NULL;
+ isc_stdtime_t when;
+
+ if (tag != NULL)
+ fprintf(stream, "%s: ", tag);
+
+ result = dst_key_gettime(key, type, &when);
+ if (result == ISC_R_NOTFOUND) {
+ fprintf(stream, "UNSET\n");
+ } else if (epoch) {
+ fprintf(stream, "%d\n", (int) when);
+ } else {
+ time_t time = when;
+ output = ctime(&time);
+ fprintf(stream, "%s", output);
+ }
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
+ char *filename = NULL, *directory = NULL;
+ char newname[1024];
+ char keystr[DST_KEY_FORMATSIZE];
+ char *endp, *p;
+ int ch;
+ isc_entropy_t *ectx = NULL;
+ const char *predecessor = NULL;
+ dst_key_t *prevkey = NULL;
+ dst_key_t *key = NULL;
+ isc_buffer_t buf;
+ dns_name_t *name = NULL;
+ dns_secalg_t alg = 0;
+ unsigned int size = 0;
+ isc_uint16_t flags = 0;
+ int prepub = -1;
+ isc_stdtime_t now;
+ isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
+ isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
+ isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
+ isc_boolean_t force = ISC_FALSE;
+ isc_boolean_t epoch = ISC_FALSE;
+ isc_boolean_t changed = ISC_FALSE;
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("Out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ isc_stdtime_get(&now);
+
+#define CMDLINE_FLAGS "A:D:E:fhI:i:K:P:p:R:S:uv:"
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
+ case 'f':
+ force = ISC_TRUE;
+ break;
+ case 'p':
+ p = isc_commandline_argument;
+ if (!strcasecmp(p, "all")) {
+ printcreate = ISC_TRUE;
+ printpub = ISC_TRUE;
+ printact = ISC_TRUE;
+ printrev = ISC_TRUE;
+ printinact = ISC_TRUE;
+ printdel = ISC_TRUE;
+ break;
+ }
+
+ do {
+ switch (*p++) {
+ case 'C':
+ printcreate = ISC_TRUE;
+ break;
+ case 'P':
+ printpub = ISC_TRUE;
+ break;
+ case 'A':
+ printact = ISC_TRUE;
+ break;
+ case 'R':
+ printrev = ISC_TRUE;
+ break;
+ case 'I':
+ printinact = ISC_TRUE;
+ break;
+ case 'D':
+ printdel = ISC_TRUE;
+ break;
+ case ' ':
+ break;
+ default:
+ usage();
+ break;
+ }
+ } while (*p != '\0');
+ break;
+ case 'u':
+ epoch = ISC_TRUE;
+ break;
+ case 'K':
+ /*
+ * We don't have to copy it here, but do it to
+ * simplify cleanup later
+ */
+ directory = isc_mem_strdup(mctx,
+ isc_commandline_argument);
+ if (directory == NULL) {
+ fatal("Failed to allocate memory for "
+ "directory");
+ }
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case 'P':
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetpub = ISC_TRUE;
+ } else {
+ setpub = ISC_TRUE;
+ pub = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'A':
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetact = ISC_TRUE;
+ } else {
+ setact = ISC_TRUE;
+ act = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'R':
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetrev = ISC_TRUE;
+ } else {
+ setrev = ISC_TRUE;
+ rev = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetinact = ISC_TRUE;
+ } else {
+ setinact = ISC_TRUE;
+ inact = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'D':
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetdel = ISC_TRUE;
+ } else {
+ setdel = ISC_TRUE;
+ del = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'S':
+ predecessor = isc_commandline_argument;
+ break;
+ case 'i':
+ prepub = strtottl(isc_commandline_argument);
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (argc < isc_commandline_index + 1 ||
+ argv[isc_commandline_index] == NULL)
+ fatal("The key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("Extraneous arguments");
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
+ isc_entropy_stopcallbacksources(ectx);
+
+ if (predecessor != NULL) {
+ char keystr[DST_KEY_FORMATSIZE];
+ isc_stdtime_t when;
+ int major, minor;
+
+ if (prepub == -1)
+ prepub = (30 * 86400);
+
+ if (setpub || unsetpub)
+ fatal("-S and -P cannot be used together");
+ if (setact || unsetact)
+ fatal("-S and -A cannot be used together");
+
+ result = dst_key_fromnamedfile(predecessor, directory,
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &prevkey);
+ if (result != ISC_R_SUCCESS)
+ fatal("Invalid keyfile %s: %s",
+ filename, isc_result_totext(result));
+ if (!dst_key_isprivate(prevkey))
+ fatal("%s is not a private key", filename);
+
+ name = dst_key_name(prevkey);
+ alg = dst_key_alg(prevkey);
+ size = dst_key_size(prevkey);
+ flags = dst_key_flags(prevkey);
+
+ dst_key_format(prevkey, keystr, sizeof(keystr));
+ dst_key_getprivateformat(prevkey, &major, &minor);
+ if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+ fatal("Predecessor has incompatible format "
+ "version %d.%d\n\t", major, minor);
+
+ result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+ if (result != ISC_R_SUCCESS)
+ fatal("Predecessor has no activation date. "
+ "You must set one before\n\t"
+ "generating a successor.");
+
+ result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
+ if (result != ISC_R_SUCCESS)
+ fatal("Predecessor has no inactivation date. "
+ "You must set one before\n\t"
+ "generating a successor.");
+
+ pub = act - prepub;
+ if (pub < now && prepub != 0)
+ fatal("Predecessor will become inactive before the\n\t"
+ "prepublication period ends. Either change "
+ "its inactivation date,\n\t"
+ "or use the -i option to set a shorter "
+ "prepublication interval.");
+
+ result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+ if (result != ISC_R_SUCCESS)
+ fprintf(stderr, "%s: WARNING: Predecessor has no "
+ "removal date;\n\t"
+ "it will remain in the zone "
+ "indefinitely after rollover.\n",
+ program);
+
+ changed = setpub = setact = ISC_TRUE;
+ dst_key_free(&prevkey);
+ } else {
+ if (prepub < 0)
+ prepub = 0;
+
+ if (prepub > 0) {
+ if (setpub && setact && (act - prepub) < pub)
+ fatal("Activation and publication dates "
+ "are closer together than the\n\t"
+ "prepublication interval.");
+
+ if (setpub && !setact) {
+ setact = ISC_TRUE;
+ act = pub + prepub;
+ } else if (setact && !setpub) {
+ setpub = ISC_TRUE;
+ pub = act - prepub;
+ }
+
+ if ((act - prepub) < now)
+ fatal("Time until activation is shorter "
+ "tha