path: root/doc/arm/Bv9ARM-book.xml
author: Doug Barton <dougb@FreeBSD.org> 2010-03-02 19:49:55 +0000
committer: Doug Barton <dougb@FreeBSD.org> 2010-03-02 19:49:55 +0000
commit: 841024d54f1f0a07feccf84d8938b00bc1f362b5 (patch)
tree: c470abc978aa6ca4f6b0033d7e09c8b7b09cd629 /doc/arm/Bv9ARM-book.xml
parent: 51917575cfd35d6a201b010726ea7404a0f9bb7e (diff)
Vendor import of BIND 9.6.2

Tag: vendor/bind9/9.6.2
Notes: svn path=/vendor/bind9/dist/; revision=204599; svn path=/vendor/bind9/9.6.2/; revision=204600; tag=vendor/bind9/9.6.2
Diffstat (limited to 'doc/arm/Bv9ARM-book.xml')
-rw-r--r--  doc/arm/Bv9ARM-book.xml  137
1 files changed, 95 insertions, 42 deletions
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 0875e57ff09b..44e30b16da96 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.15 2009/06/02 05:56:27 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.24 2010/01/23 23:47:52 tbox Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -30,6 +30,7 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -1679,6 +1680,11 @@ controls {
each dynamic update, because that would be too slow when a large
zone is updated frequently. Instead, the dump is delayed by
up to 15 minutes, allowing additional updates to take place.
+ During the dump process, transient files will be created
+ with the extensions <filename>.jnw</filename> and
+ <filename>.jbk</filename>; under ordinary circumstances, these
+ will be removed when the dump is complete, and can be safely
+ ignored.
</para>
<para>
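Review bot: the new sentence says the .jnw and .jbk files "can be safely ignored" under ordinary circumstances but never says what their presence means outside those circumstances, which is exactly when an operator will go looking for them (for example after named stopped part way through a dump). Suggest adding one sentence on whether a leftover .jnw/.jbk file may be deleted or is needed for recovery, and naming the directory they are written to, since the paragraph does not say where the dump creates them.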
@@ -2053,17 +2059,16 @@ nameserver 172.16.72.4
<sect3>
<title>Automatic Generation</title>
<para>
- The following command will generate a 128-bit (16 byte) HMAC-MD5
+ The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
- are easier to read. Note that the maximum key length is 512 bits;
- keys longer than that will be digested with MD5 to produce a
- 128-bit key.
+ are easier to read. Note that the maximum key length is the digest
+ length, here 256 bits.
</para>
<para>
- <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
+ <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput>
</para>
<para>
- The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
+ The key is in the file <filename>Khost1-host2.+163+00000.private</filename>.
Nothing directly uses this file, but the base-64 encoded string
following "<literal>Key:</literal>"
can be extracted from the file and used as a shared secret:
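Review bot: the example command still uses `-b 128` right after the text says "Longer keys are better" and raises the stated maximum to 256 bits, and the only justification offered for a short key is that it is "easier to read", which carries little weight for a secret that is pasted into named.conf once. Suggest either changing the example to `dnssec-keygen -a hmac-sha256 -b 256 -n HOST host1-host2.` or stating why 128 bits is chosen. Separately, "the maximum key length is the digest length" describes the limit dnssec-keygen enforces rather than a property of HMAC itself, so it reads better as "dnssec-keygen limits the key to the digest length". The filename change from +157+ to +163+ is consistent with the switch from HMAC-MD5 to HMAC-SHA256.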
@@ -2105,18 +2110,16 @@ nameserver 172.16.72.4
<programlisting>
key host1-host2. {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "La/E5CjG9O+os1jq0a2jdA==";
};
</programlisting>
<para>
- The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
- is recommended that either <filename>named.conf</filename> be non-world
- readable, or the key directive be added to a non-world readable
- file that is included by
- <filename>named.conf</filename>.
+ is recommended that either <filename>named.conf</filename> be
+ non-world readable, or the key directive be added to a non-world
+ readable file that is included by <filename>named.conf</filename>.
</para>
<para>
At this point, the key is recognized. This means that if the
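Review bot: removing "The algorithm, hmac-md5, is the only one supported by BIND" without replacing it leaves this section with no statement of which algorithms the `algorithm` field accepts; a reader who has just watched the example change from hmac-md5 to hmac-sha256 cannot tell whether hmac-md5 keys still work or which other hmac-sha variants exist. Suggest replacing the deleted sentence with the list of supported algorithms rather than dropping it. The secret shown, "La/E5CjG9O+os1jq0a2jdA==", decodes to 16 bytes, which matches the `-b 128` example above.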
@@ -2445,14 +2448,17 @@ allow-update { key host1-host2. ;};
To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC aware clients,
<command>dnssec-enable</command> must be set to yes.
+ (This is the default setting.)
</para>
<para>
To enable <command>named</command> to validate answers from
- other servers both <command>dnssec-enable</command> and
- <command>dnssec-validation</command> must be set and some
- <command>trusted-keys</command> must be configured
- into <filename>named.conf</filename>.
+ other servers, the <command>dnssec-enable</command> and
+ <command>dnssec-validation</command> options must both be
+ set to yes (the default setting in <acronym>BIND</acronym> 9.5
+ and later), and at least one trust anchor must be configured
+ with a <command>trusted-keys</command> statement in
+ <filename>named.conf</filename>.
</para>
<para>
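Review bot: the rewritten paragraph says dnssec-validation defaults to yes but also requires at least one trusted-keys statement, without spelling out the consequence for the default configuration: with validation on and no trust anchor configured, nothing can be validated and the server answers exactly as it would with validation off. Suggest adding a sentence to that effect so a reader does not take "the default setting" to mean validation is happening out of the box.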
@@ -2531,6 +2537,41 @@ options {
the root key is not valid.
</note>
+ <para>
+ When DNSSEC validation is enabled and properly configured,
+ the resolver will reject any answers from signed, secure zones
+ which fail to validate, and will return SERVFAIL to the client.
+ </para>
+
+ <para>
+ Responses may fail to validate for any of several reasons,
+ including missing, expired, or invalid signatures, a key which
+ does not match the DS RRset in the parent zone, or an insecure
+ response from a zone which, according to its parent, should have
+ been secure.
+ </para>
+
+ <note>
+ <para>
+ When the validator receives a response from an unsigned zone
+ that has a signed parent, it must confirm with the parent
+ that the zone was intentionally left unsigned. It does
+ this by verifying, via signed and validated NSEC/NSEC3 records,
+ that the parent zone contains no DS records for the child.
+ </para>
+ <para>
+ If the validator <emphasis>can</emphasis> prove that the zone
+ is insecure, then the response is accepted. However, if it
+ cannot, then it must assume an insecure response to be a
+ forgery; it rejects the response and logs an error.
+ </para>
+ <para>
+ The logged error reads "insecurity proof failed" and
+ "got insecure response; parent indicates it should be secure".
+ (Prior to BIND 9.7, the logged error was "not insecure".
+ This referred to the zone, not the response.)
+ </para>
+ </note>
</sect2>
</sect1>
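Review bot: the last paragraph of the new note presents the "insecurity proof failed" / "got insecure response; parent indicates it should be secure" text as the current message and "not insecure" as historical, but this file is the 9.6.2 manual, so readers of this document will find "not insecure" in their logs, not the 9.7 wording. Suggest giving the message this version emits first and then noting the 9.7 change, and naming the logging category these messages appear under so they can be located. The first two added paragraphs (SERVFAIL on validation failure; the list of failure reasons) are clear and match the note that follows.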
@@ -2539,10 +2580,9 @@ options {
<para>
<acronym>BIND</acronym> 9 fully supports all currently
- defined forms of IPv6
- name to address and address to name lookups. It will also use
- IPv6 addresses to make queries when running on an IPv6 capable
- system.
+ defined forms of IPv6 name to address and address to name
+ lookups. It will also use IPv6 addresses to make queries when
+ running on an IPv6 capable system.
</para>
<para>
@@ -4324,8 +4364,7 @@ category notify { null; };
<para>
Lame servers. These are misconfigurations
in remote servers, discovered by BIND 9 when trying to
- query
- those servers during resolution.
+ query those servers during resolution.
</para>
</entry>
</row>
@@ -4785,7 +4824,7 @@ category notify { null; };
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
- <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
+ <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
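Review bot: the rename from queryport-pool-interval to queryport-pool-updateinterval changes the option-syntax summary here and in the view summary further down, but no hunk in this diff touches the descriptive entry for that option, so the syntax and the description may now disagree. Check that the option's own entry uses the new name, and say whether the old spelling is still accepted or has been removed, since existing named.conf files may use it.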
@@ -4826,7 +4865,7 @@ category notify { null; };
<optional> lame-ttl <replaceable>number</replaceable>; </optional>
<optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
<optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
- <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+ <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
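Review bot: sig-validity-interval gains an optional second number in this syntax summary (and in the zone statement summary below), but nothing in this diff updates the description of sig-validity-interval to say what the second number means, what unit it is in, or what value applies when it is omitted; a syntax change without the matching description leaves the reader unable to use the new form. Suggest adding that to the option's varlistentry in the same commit.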
@@ -4909,11 +4948,12 @@ category notify { null; };
<listitem>
<para>
When performing dynamic update of secure zones, the
- directory where the public and private key files should be
- found,
- if different than the current working directory. The
- directory specified
- must be an absolute path.
+ directory where the public and private DNSSEC key files
+ should be found, if different than the current working
+ directory. The directory specified must be an absolute
+ path. (Note that this option has no effect on the paths
+ for files containing non-DNSSEC keys such as the
+ <filename>rndc.key</filename>.
</para>
</listitem>
</varlistentry>
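Review bot: the new parenthetical "(Note that this option has no effect on the paths for files containing non-DNSSEC keys such as the <filename>rndc.key</filename>." is never closed; add the closing parenthesis after the filename and drop the stray "the" before it, giving "such as <filename>rndc.key</filename>)."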
@@ -5874,13 +5914,15 @@ options {
If <userinput>yes</userinput>, then an
IPv4-mapped IPv6 address will match any address match
list entries that match the corresponding IPv4 address.
- Enabling this option is sometimes useful on IPv6-enabled
- Linux
- systems, to work around a kernel quirk that causes IPv4
- TCP connections such as zone transfers to be accepted
- on an IPv6 socket using mapped addresses, causing
- address match lists designed for IPv4 to fail to match.
- The use of this option for any other purpose is discouraged.
+ </para>
+ <para>
+ This option was introduced to work around a kernel quirk
+ in some operating systems that causes IPv4 TCP
+ connections, such as zone transfers, to be accepted on an
+ IPv6 socket using mapped addresses. This caused address
+ match lists designed for IPv4 to fail to match. However,
+ <command>named</command> now solves this problem
+ internally. The use of this option is discouraged.
</para>
</listitem>
</varlistentry>
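Review bot: "<command>named</command> now solves this problem internally" gives no version, so a reader of this manual cannot tell whether their named is one that no longer needs match-mapped-addresses; suggest stating the release in which the internal fix arrived. The rest of the rewrite, splitting the behaviour from the history into two paragraphs and dropping the Linux-specific wording, reads well.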
@@ -7919,7 +7961,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem>
<para>
The delay, in seconds, between sending sets of notify
- messages for a zone. The default is zero.
+ messages for a zone. The default is five (5) seconds.
</para>
</listitem>
</varlistentry>
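Review bot: the documented default for the notify delay changes from zero to five seconds, but the diffstat shows only the manual changing in this commit, so this is either correcting a long-standing mismatch between manual and code or documenting a behaviour change, and the text does not say which. Confirm against the default set in the named source and, if the behaviour changed, mention the version it changed in, since a five-second delay is visible to operators timing zone propagation.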
@@ -8271,7 +8313,7 @@ XXX: end of RFC1918 addresses #defined out -->
<optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
- <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
+ <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
};
</programlisting>
@@ -8751,7 +8793,7 @@ view "external" {
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+ <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
@@ -11206,6 +11248,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
and <command>$TTL.</command>
</para>
<sect3>
+ <title>The <command>@</command> (at-sign)</title>
+ <para>
+ When used in the label (or name) field, the asperand or
+ at-sign (@) symbol represents the current origin.
+ At the start of the zone file, it is the
+ &lt;<varname>zone_name</varname>&gt; (followed by
+ trailing dot).
+ </para>
+ </sect3>
+ <sect3>
<title>The <command>$ORIGIN</command> Directive</title>
<para>
Syntax: <command>$ORIGIN</command>
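Review bot: in the new @ section, "(followed by trailing dot)" is missing its article ("followed by a trailing dot") and would read better folded into the sentence than as a parenthetical. The paragraph also introduces two names for the symbol, "asperand" and "at-sign", while the section title uses only "at-sign"; one term is enough, and the title's is the one readers will search for.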
@@ -11216,7 +11268,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
sets the domain name that will be appended to any
unqualified records. When a zone is first read in there
is an implicit <command>$ORIGIN</command>
- &lt;<varname>zone-name</varname>&gt;<command>.</command>
+ &lt;<varname>zone_name</varname>&gt;<command>.</command>
+ (followed by trailing dot).
The current <command>$ORIGIN</command> is appended to
the domain specified in the <command>$ORIGIN</command>
argument if it is not absolute.
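Review bot: the added "(followed by trailing dot)" duplicates the literal <command>.</command> already shown after &lt;zone_name&gt; on the preceding line, and like the new @ section it lacks its article; either drop the parenthetical or change it to "i.e. with a trailing dot". The rename of zone-name to zone_name is correct, since it now matches the <replaceable>zone_name</replaceable> used in the zone statement syntax shown in the hunk header.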