author: Doug Barton <dougb@FreeBSD.org>, 2010-03-02 19:49:55 +0000
committer: Doug Barton <dougb@FreeBSD.org>, 2010-03-02 19:49:55 +0000
commit: 841024d54f1f0a07feccf84d8938b00bc1f362b5
tree: c470abc978aa6ca4f6b0033d7e09c8b7b09cd629 /doc/arm/Bv9ARM-book.xml
parent: 51917575cfd35d6a201b010726ea7404a0f9bb7e
Vendor import of BIND 9.6.2 (vendor/bind9/9.6.2)
Notes:
svn path=/vendor/bind9/dist/; revision=204599
svn path=/vendor/bind9/9.6.2/; revision=204600; tag=vendor/bind9/9.6.2
Diffstat (limited to 'doc/arm/Bv9ARM-book.xml')
-rw-r--r-- doc/arm/Bv9ARM-book.xml | 137
1 files changed, 95 insertions, 42 deletions
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 0875e57ff09b..44e30b16da96 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.15 2009/06/02 05:56:27 marka Exp $ --> +<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.24 2010/01/23 23:47:52 tbox Exp $ --> <book xmlns:xi="http://www.w3.org/2001/XInclude"> <title>BIND 9 Administrator Reference Manual</title> @@ -30,6 +30,7 @@ <year>2007</year> <year>2008</year> <year>2009</year> + <year>2010</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -1679,6 +1680,11 @@ controls { each dynamic update, because that would be too slow when a large zone is updated frequently. Instead, the dump is delayed by up to 15 minutes, allowing additional updates to take place. + During the dump process, transient files will be created + with the extensions <filename>.jnw</filename> and + <filename>.jbk</filename>; under ordinary circumstances, these + will be removed when the dump is complete, and can be safely + ignored. </para> <para> 
@@ -2053,17 +2059,16 @@ nameserver 172.16.72.4 <sect3> <title>Automatic Generation</title> <para> - The following command will generate a 128-bit (16 byte) HMAC-MD5 + The following command will generate a 128-bit (16 byte) HMAC-SHA256 key as described above. Longer keys are better, but shorter keys - are easier to read. Note that the maximum key length is 512 bits; - keys longer than that will be digested with MD5 to produce a - 128-bit key. + are easier to read. Note that the maximum key length is the digest + length, here 256 bits. </para> <para> - <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput> + <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput> </para> <para> - The key is in the file <filename>Khost1-host2.+157+00000.private</filename>. + The key is in the file <filename>Khost1-host2.+163+00000.private</filename>. Nothing directly uses this file, but the base-64 encoded string following "<literal>Key:</literal>" can be extracted from the file and used as a shared secret: @@ -2105,18 +2110,16 @@ nameserver 172.16.72.4 <programlisting> key host1-host2. { - algorithm hmac-md5; + algorithm hmac-sha256; secret "La/E5CjG9O+os1jq0a2jdA=="; }; </programlisting> <para> - The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>. The secret is the one generated above. Since this is a secret, it - is recommended that either <filename>named.conf</filename> be non-world - readable, or the key directive be added to a non-world readable - file that is included by - <filename>named.conf</filename>. + is recommended that either <filename>named.conf</filename> be + non-world readable, or the key directive be added to a non-world + readable file that is included by <filename>named.conf</filename>. </para> <para> At this point, the key is recognized. This means that if the 
@@ -2445,14 +2448,17 @@ allow-update { key host1-host2. ;}; To enable <command>named</command> to respond appropriately to DNS requests from DNSSEC aware clients, <command>dnssec-enable</command> must be set to yes. + (This is the default setting.) </para> <para> To enable <command>named</command> to validate answers from - other servers both <command>dnssec-enable</command> and - <command>dnssec-validation</command> must be set and some - <command>trusted-keys</command> must be configured - into <filename>named.conf</filename>. + other servers, the <command>dnssec-enable</command> and + <command>dnssec-validation</command> options must both be + set to yes (the default setting in <acronym>BIND</acronym> 9.5 + and later), and at least one trust anchor must be configured + with a <command>trusted-keys</command> statement in + <filename>named.conf</filename>. </para> <para> 
@@ -2531,6 +2537,41 @@ options { the root key is not valid. </note> + <para> + When DNSSEC validation is enabled and properly configured, + the resolver will reject any answers from signed, secure zones + which fail to validate, and will return SERVFAIL to the client. + </para> + + <para> + Responses may fail to validate for any of several reasons, + including missing, expired, or invalid signatures, a key which + does not match the DS RRset in the parent zone, or an insecure + response from a zone which, according to its parent, should have + been secure. + </para> + + <note> + <para> + When the validator receives a response from an unsigned zone + that has a signed parent, it must confirm with the parent + that the zone was intentionally left unsigned. It does + this by verifying, via signed and validated NSEC/NSEC3 records, + that the parent zone contains no DS records for the child. + </para> + <para> + If the validator <emphasis>can</emphasis> prove that the zone + is insecure, then the response is accepted. However, if it + cannot, then it must assume an insecure response to be a + forgery; it rejects the response and logs an error. + </para> + <para> + The logged error reads "insecurity proof failed" and + "got insecure response; parent indicates it should be secure". + (Prior to BIND 9.7, the logged error was "not insecure". + This referred to the zone, not the response.) + </para> + </note> </sect2> </sect1> @@ -2539,10 +2580,9 @@ options { <para> <acronym>BIND</acronym> 9 fully supports all currently - defined forms of IPv6 - name to address and address to name lookups. It will also use - IPv6 addresses to make queries when running on an IPv6 capable - system. + defined forms of IPv6 name to address and address to name + lookups. It will also use IPv6 addresses to make queries when + running on an IPv6 capable system. </para> <para> 
@@ -4324,8 +4364,7 @@ category notify { null; }; <para> Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to - query - those servers during resolution. + query those servers during resolution. </para> </entry> </row> @@ -4785,7 +4824,7 @@ category notify { null; }; <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional> <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional> <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional> - <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional> + <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional> <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional> <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional> <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional> @@ -4826,7 +4865,7 @@ category notify { null; }; <optional> lame-ttl <replaceable>number</replaceable>; </optional> <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional> <optional> max-cache-ttl <replaceable>number</replaceable>; </optional> - <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional> + <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional> <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional> <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional> <optional> sig-signing-type <replaceable>number</replaceable> ; </optional> 
@@ -4909,11 +4948,12 @@ category notify { null; }; <listitem> <para> When performing dynamic update of secure zones, the - directory where the public and private key files should be - found, - if different than the current working directory. The - directory specified - must be an absolute path. + directory where the public and private DNSSEC key files + should be found, if different than the current working + directory. The directory specified must be an absolute + path. (Note that this option has no effect on the paths + for files containing non-DNSSEC keys such as the + <filename>rndc.key</filename>. </para> </listitem> </varlistentry> @@ -5874,13 +5914,15 @@ options { If <userinput>yes</userinput>, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. - Enabling this option is sometimes useful on IPv6-enabled - Linux - systems, to work around a kernel quirk that causes IPv4 - TCP connections such as zone transfers to be accepted - on an IPv6 socket using mapped addresses, causing - address match lists designed for IPv4 to fail to match. - The use of this option for any other purpose is discouraged. + </para> + <para> + This option was introduced to work around a kernel quirk + in some operating systems that causes IPv4 TCP + connections, such as zone transfers, to be accepted on an + IPv6 socket using mapped addresses. This caused address + match lists designed for IPv4 to fail to match. However, + <command>named</command> now solves this problem + internally. The use of this option is discouraged. </para> </listitem> </varlistentry> @@ -7919,7 +7961,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <listitem> <para> The delay, in seconds, between sending sets of notify - messages for a zone. The default is zero. + messages for a zone. The default is five (5) seconds. </para> </listitem> </varlistentry> 
@@ -8271,7 +8313,7 @@ XXX: end of RFC1918 addresses #defined out --> <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional> <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional> <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional> - <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional> + <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional> }; </programlisting> @@ -8751,7 +8793,7 @@ view "external" { <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional> <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional> <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional> - <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional> + <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional> <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional> <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional> <optional> sig-signing-type <replaceable>number</replaceable> ; </optional> 
@@ -11206,6 +11248,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea and <command>$TTL.</command> </para> <sect3> + <title>The <command>@</command> (at-sign)</title> + <para> + When used in the label (or name) field, the asperand or + at-sign (@) symbol represents the current origin. + At the start of the zone file, it is the + <<varname>zone_name</varname>> (followed by + trailing dot). + </para> + </sect3> + <sect3> <title>The <command>$ORIGIN</command> Directive</title> <para> Syntax: <command>$ORIGIN</command> @@ -11216,7 +11268,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea sets the domain name that will be appended to any unqualified records. When a zone is first read in there is an implicit <command>$ORIGIN</command> - <<varname>zone-name</varname>><command>.</command> + <<varname>zone_name</varname>><command>.</command> + (followed by trailing dot). The current <command>$ORIGIN</command> is appended to the domain specified in the <command>$ORIGIN</command> argument if it is not absolute. |
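Review bot: the sentence added in the @@ -1679 hunk says the .jnw and .jbk files are removed "under ordinary circumstances" and "can be safely ignored", but gives no guidance for the case it implies, where the dump does not complete and the files remain. Suggest one sentence saying whether leftover .jnw/.jbk files may be deleted by hand once named is running normally, since that is the situation in which an operator will actually go looking for this paragraph.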
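Review bot: in the @@ -2053 hunk the example keeps `-b 128` after switching from hmac-md5 to hmac-sha256, while the surrounding text now says "Longer keys are better" and that the maximum is "the digest length, here 256 bits". Consider making the example `dnssec-keygen -a hmac-sha256 -b 256 -n HOST host1-host2.` and updating the "128-bit (16 byte)" wording and the base-64 secret in the later `key host1-host2.` listing to match (a 256-bit key encodes to 44 base-64 characters, not the 24 shown in `La/E5CjG9O+os1jq0a2jdA==`). It would also help to say that the 163 in `Khost1-host2.+163+00000.private` is the algorithm number dnssec-keygen assigns to HMAC-SHA256, since the earlier 157 was never explained either.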
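Review bot: the @@ -2105 hunk deletes "The algorithm, hmac-md5, is the only one supported by BIND" without replacing it, so the section no longer tells the reader which TSIG algorithms named accepts in a `key` statement. Suggest listing the supported algorithm names here, or adding a cross-reference to the part of the manual that does, so the new hmac-sha256 example is not the only hint.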
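Review bot: the note in the @@ -2531 hunk says "Prior to BIND 9.7, the logged error was 'not insecure'", but this file is being imported as the BIND 9.6.2 manual, so a 9.6 reader cannot tell from this text whether their own named logs "insecurity proof failed" or "not insecure" when it rejects an insecure response. Suggest stating which message this release emits, or rephrasing as "In BIND 9.7 and later the logged error reads ...", so the version relationship is explicit.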
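Review bot: the @@ -4785 hunk (and the matching view grammar hunk at @@ -8271) renames `queryport-pool-interval` to `queryport-pool-updateinterval` in the grammar, but no hunk touches the prose entry that describes this option, and nothing says whether the old spelling is still accepted or is now a configuration error. Please update the description under the new name and add a sentence on how existing named.conf files using the old name are handled.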
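Review bot: the @@ -4826 hunk (and @@ -8751 for the view grammar) adds an optional second `number` argument to `sig-validity-interval`, but there is no corresponding change to the option's description, so the reader has no way to learn what the second value means, its units, or its default. Please document it in the existing sig-validity-interval entry in the same change that introduces it to the grammar.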
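Review bot: the parenthetical added in the @@ -4909 hunk is never closed: "(Note that this option has no effect on the paths for files containing non-DNSSEC keys such as the <filename>rndc.key</filename>." needs a closing parenthesis, i.e. `<filename>rndc.key</filename>.)`. While there, "such as the rndc.key" reads better as "such as rndc.key".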
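Review bot: the rewritten paragraph in the @@ -5874 hunk says named "now solves this problem internally" and that use of the option "is discouraged", but does not say whether `match-mapped-addresses yes` is still honoured, deprecated, or ignored. Since the old text gave the Linux kernel quirk as the one reason to set it, an operator who has it in an existing configuration needs one sentence on what the option does now and whether removing it changes which address match list entries match.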
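Review bot: the @@ -7919 hunk changes the documented notify delay default from zero to "five (5) seconds". A changed default is a behaviour change, so please confirm it matches the value compiled into the server in this release and that the change is called out in the release notes rather than only here; also "five (5) seconds" can simply be "five seconds".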
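Review bot: in the new sect3 in the @@ -11206 hunk, "it is the <zone_name> (followed by trailing dot)" is awkward: "followed by trailing dot" is redundant, and the same phrase is added again in the $ORIGIN hunk at @@ -11216. Suggest "it is the <zone_name> with a trailing dot appended" in both places, and "asperand" is obscure enough that "at-sign" alone suffices in the sentence (the title already says "at-sign").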